- Microsoft Defender 365 raw data/all tables schema (streaming export API overview)
- Splunk Add-on for Microsoft Cloud Services improved field aliases for Azure Eventhub data containing Microsoft 365 Defender events
Microsoft Defender 365
SIGMA
- Cmd.exe CommandLine Path Traversal
- Suspicious LDAP-Attributes Used
- Suspicious PROCEXP152.sys File Created In TMP
- Suspicious ADSI-Cache Usage By Unknown Tool
- Suspicious Service Installed
- Suspicious Driver Loaded By User
- Detecting LDAPFragger — A newly released Cobalt Strike Beacon using LDAP for C2 communication (blueteamers approach)
- Windows Event ID 4649 “A replay attack was detected“ — Oh really? Are we under ATTACK? Should we do Incident Response?
- Assembly (1)
- Batchfile (7)
- Bicep (1)
- Boo (1)
- C (61)
- C# (101)
- C++ (29)
- CSS (5)
- Dockerfile (1)
- Go (17)
- HCL (1)
- HTML (14)
- Haskell (1)
- Inno Setup (1)
- Java (4)
- JavaScript (18)
- Jinja (1)
- Jupyter Notebook (5)
- Lua (3)
- Others (116)
- PHP (3)
- Perl (2)
- PowerShell (101)
- Python (153)
- Rich Text Format (1)
- Roff (1)
- Ruby (2)
- Rust (3)
- Scala (1)
- Shell (21)
- TeX (1)
- TypeScript (3)
- VBA (1)
- XSLT (1)
- YARA (7)
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | inceptor | Template-Driven AV/EDR Evasion Framework | klezVirus | 478 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | KMS_VL_ALL_AIO | Smart Activation Script | abbodi1406 | 1898 |
| 2 | Powerless | Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind | gladiatx0r | 427 |
| 3 | SystemNightmare | Gives you instant SYSTEM command prompt on all supported and legacy versions of Windows | GossiTheDog | 350 |
| 4 | BatUtil | Collection of batch scripts utilities for Windows | abbodi1406 | 313 |
| 5 | wifi-passview | An open source batch script based WiFi Passview for Windows! | WarenGonzaga | 179 |
| 6 | EDR-Testing-Script | Test the accuracy of Endpoint Detection and Response (EDR) software with simple script which executes various ATT&CK/LOLBAS/Invoke-CradleCrafter/Invoke-DOSfuscation payloads | op7ic | 153 |
| 7 | TA-Sysmon-deploy | Deploy and maintain Symon through the Splunk Deployment Sever | olafhartong | 28 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | Enterprise-Scale | The Enterprise-Scale architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture | Azure | 819 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | SILENTTRINITY | An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR | byt3bl33d3r | 1715 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | netdata | Real-time performance monitoring, done right! https://www.netdata.cloud | netdata | 56150 |
| 2 | masscan | TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes. | robertdavidgraham | 15953 |
| 3 | mimikatz | A little tool to play with Windows security | gentilkiwi | 14170 |
| 4 | hashcat | World's fastest and most advanced password recovery utility | hashcat | 10549 |
| 5 | borg | Deduplicating archiver with compression and authenticated encryption. | borgbackup | 7601 |
| 6 | exploitdb | The official Exploit Database repository | offensive-security | 6499 |
| 7 | windows-kernel-exploits | windows-kernel-exploits Windows平台提权漏洞集合 | SecWiki | 5750 |
| 8 | yara | The pattern matching swiss knife | VirusTotal | 5013 |
| 9 | linux-kernel-exploits | linux-kernel-exploits Linux平台提权漏洞集合 | SecWiki | 4103 |
| 10 | iodine | Official git repo for iodine dns tunnel | yarrick | 3885 |
| 11 | UACME | Defeating Windows User Account Control | hfiref0x | 3732 |
| 12 | mimipenguin | A tool to dump the login password from the current linux user | huntergregal | 3101 |
| 13 | nDPI | Open Source Deep Packet Inspection Software Toolkit | ntop | 2627 |
| 14 | ProcDump-for-Linux | A Linux version of the ProcDump Sysinternals tool | Sysinternals | 2454 |
| 15 | pcileech | Direct Memory Access (DMA) Attack Software | ufrisk | 2356 |
| 16 | AFLplusplus | The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more! | AFLplusplus | 2075 |
| 17 | pafish | Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do. | a0rtega | 1944 |
| 18 | OSCPRepo | A list of commands, scripts, resources, and more that I have gathered and attempted to consolidate for use as OSCP (and more) study material. Commands in 'Usefulcommands' Keepnote. Bookmarks and reading material in 'BookmarkList' CherryTree. Reconscan Py2 and Py3. Custom ISO building. | rewardone | 1861 |
| 19 | donut | Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters | TheWover | 1712 |
| 20 | Reptile | LKM Linux rootkit | f0rb1dd3n | 1705 |
| 21 | passivedns | A network sniffer that logs all DNS server replies for use in a passive DNS setup | gamelinux | 1479 |
| 22 | shad0w | A post exploitation framework designed to operate covertly on heavily monitored environments | bats3c | 1427 |
| 23 | headers-more-nginx-module | Set, add, and clear arbitrary output headers in NGINX http servers | openresty | 1311 |
| 24 | hollows_hunter | Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches). | hasherezade | 1001 |
| 25 | PetitPotam | PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions. | topotam | 979 |
| 26 | PEzor | Open-Source Shellcode & PE Packer | phra | 959 |
| 27 | WinObjEx64 | Windows Object Explorer 64-bit | hfiref0x | 954 |
| 28 | RemotePotato0 | Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin. | antonioCoco | 912 |
| 29 | kekeo | A little toolbox to play with Microsoft Kerberos in C | gentilkiwi | 894 |
| 30 | EDRs | Mr-Un1k0d3r | 824 | |
| 31 | Dumpert | LSASS memory dumper using direct system calls and API unhooking. | outflanknl | 787 |
| 32 | KDU | Kernel Driver Utility | hfiref0x | 690 |
| 33 | Backstab | A tool to kill antimalware protected processes | Yaxser | 552 |
| 34 | SyscallTables | Windows NT x64 Syscall tables | hfiref0x | 549 |
| 35 | RoguePotato | Another Windows Local Privilege Escalation from Service Account to System | antonioCoco | 525 |
| 36 | Ghost-In-The-Logs | Evade sysmon and windows event logging | bats3c | 505 |
| 37 | DarkLoadLibrary | LoadLibrary for offensive operations | bats3c | 488 |
| 38 | CS-Situational-Awareness-BOF | Situational Awareness commands implemented using Beacon Object Files | trustedsec | 460 |
| 39 | adversary_emulation_library | An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs. | center-for-threat-informed-defense | 442 |
| 40 | PPLdump | Dump the memory of a PPL with a userland exploit | itm4n | 367 |
| 41 | CobaltStrikeReflectiveLoader | Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities. | boku7 | 361 |
| 42 | RedTeamCCode | Red Team C code repo | Mr-Un1k0d3r | 358 |
| 43 | BOFs | Collection of Beacon Object Files | ajpc500 | 315 |
| 44 | linikatz | linikatz is a tool to attack AD on UNIX | CiscoCXSecurity | 303 |
| 45 | spawn | Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing. | boku7 | 278 |
| 46 | PR0CESS | some gadgets about windows process and ready to use :) | aaaddress1 | 222 |
| 47 | ATPMiniDump | Evading WinDefender ATP credential-theft | b4rtik | 199 |
| 48 | awesome-csirt | Awesome CSIRT is an curated list of links and resources in security and CSIRT daily activities. | Spacial | 198 |
| 49 | PrintNightmare | outflanknl | 194 | |
| 50 | SCDBG | note: current build is VS_LIBEMU project. This cross platform gcc build is for Linux users but is no longer updated. modification of the libemu sctest project to add basic debugger capabilities and more output useful for manual RE. The newer version will run under WINE | dzzie | 190 |
| 51 | InlineExecute-Assembly | InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strikes traditional fork and run execute-assembly module | anthemtotheego | 179 |
| 52 | WdToggle | A Beacon Object File (BOF) for Cobalt Strike which uses direct system calls to enable WDigest credential caching. | outflanknl | 166 |
| 53 | azureOutlookC2 | Azure Outlook Command & Control (C2) - Remotely control a compromised Windows Device from your Outlook mailbox. Threat Emulation Tool for North Korean APT InkySquid / ScarCruft / APT37. TTP: Use Microsoft Graph API for C2 Operations. | boku7 | 158 |
| 54 | NTDSDumpEx | NTDS.dit offline dumper with non-elevated | zcgonvh | 154 |
| 55 | injectEtwBypass | CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate) | boku7 | 123 |
| 56 | DLLPasswordFilterImplant | DLL Password Filter Implant with Exfiltration Capabilities | GoSecure | 116 |
| 57 | RpcSsImpersonator | Privilege Escalation Via RpcSs svc | sailay1996 | 114 |
| 58 | BOFs | Cobalt Strike Beacon Object Files | guervild | 111 |
| 59 | HellsGatePPID | Assembly HellGate implementation that directly calls Windows System Calls and displays the PPID of the explorer.exe process | boku7 | 81 |
| 60 | ditsnap | An inspection tool for Active Directory database | yosqueoy | 72 |
| 61 | PPLDump_BOF | A faithful transposition of the key features/functionality of @itm4n's PPLDump project as a BOF. | EspressoCake | 68 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | PowerShell | PowerShell for every system! | PowerShell | 29629 |
| 2 | ILSpy | .NET Decompiler with support for PDB generation, ReadyToRun, Metadata (&more) - cross-platform! | icsharpcode | 13493 |
| 3 | CefSharp | .NET (WPF and Windows Forms) bindings for the Chromium Embedded Framework | cefsharp | 8269 |
| 4 | PEASS-ng | PEASS - Privilege Escalation Awesome Scripts SUITE (with colors) | carlospolop | 6434 |
| 5 | mRemoteNG | mRemoteNG is the next generation of mRemote, open source, tabbed, multi-protocol, remote connections manager. | mRemoteNG | 5689 |
| 6 | Covenant | Covenant is a collaborative .NET C2 framework for red teamers. | cobbr | 2613 |
| 7 | Seatbelt | Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. | GhostPack | 1885 |
| 8 | ysoserial.net | Deserialization payload generator for a variety of .NET formatters | pwntester | 1868 |
| 9 | Rubeus | Trying to tame the three-headed dog. | GhostPack | 1828 |
| 10 | BruteShark | Network Analysis Tool | odedshimon | 1796 |
| 11 | CVE-2021-1675 | C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527 | cube0x0 | 1390 |
| 12 | SharpSploit | SharpSploit is a .NET post-exploitation library written in C# | cobbr | 1323 |
| 13 | DefenderCheck | Identifies the bytes that Microsoft Defender flags on. | matterpreter | 1267 |
| 14 | PowerShdll | Run PowerShell with rundll32. Bypass software restrictions. | p3nt4 | 1207 |
| 15 | AggressorScripts | Collection of Aggressor scripts for Cobalt Strike 3.0+ pulled from multiple sources | harleyQu1nn | 1123 |
| 16 | ConfuserEx | An open-source, free protector for .NET applications | mkaring | 1079 |
| 17 | pingcastle | PingCastle - Get Active Directory Security at 80% in 20% of the time | vletoux | 1043 |
| 18 | AsyncRAT-C-Sharp | Open-Source Remote Administration Tool For Windows C# (RAT) | NYAN-x-CAT | 1013 |
| 19 | Internal-Monologue | Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS | eladshamir | 986 |
| 20 | DSInternals | Directory Services Internals (DSInternals) PowerShell Module and Framework | MichaelGrafnetter | 917 |
| 21 | passcore | A self-service password management tool for Active Directory | unosquare | 847 |
| 22 | OffensiveCSharp | Collection of Offensive C# Tooling | matterpreter | 817 |
| 23 | Sharp-Suite | Also known by Microsoft as Knifecoat 🌶️ | FuzzySecurity | 790 |
| 24 | Tokenvator | A tool to elevate privilege with Windows Tokens | 0xbadjuju | 783 |
| 25 | InveighZero | .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers | Kevin-Robertson | 657 |
| 26 | defcon27_csharp_workshop | Writing custom backdoor payloads with C# - Defcon 27 Workshop | mvelazc0 | 641 |
| 27 | KeeThief | Methods for attacking KeePass 2.X databases, including extracting of encryption key material from memory. | GhostPack | 617 |
| 28 | SharpRDP | Remote Desktop Protocol .NET Console Application for Authenticated Command Execution | 0xthirteen | 610 |
| 29 | CobaltStrikeScan | Scan files or process memory for CobaltStrike beacons and parse their configuration | Apr4h | 595 |
| 30 | SharpBlock | A method of bypassing EDR's active projection DLL's by preventing entry point exection | CCob | 593 |
| 31 | SharpLocker | Pickfordmatt | 574 | |
| 32 | TikiTorch | Process Injection | rasta-mouse | 570 |
| 33 | BetterSafetyKatz | Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from gentilkiwi GitHub repo, runtime patches signatures and uses SharpSploit DInvoke to PE-Load into memory. | Flangvik | 564 |
| 34 | Grouper2 | Find vulnerabilities in AD Group Policy | l0ss | 554 |
| 35 | ADCSPwn | A tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service. | bats3c | 547 |
| 36 | RedTeamCSharpScripts | C# Script used for Red Team | Mr-Un1k0d3r | 542 |
| 37 | SharpWMI | SharpWMI is a C# implementation of various WMI functionality. | GhostPack | 538 |
| 38 | SharpKatz | Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands | b4rtik | 531 |
| 39 | ProcessInjection | This program is designed to demonstrate various process injection techniques | 3xpl01tc0d3r | 529 |
| 40 | dnSpy | Revival of the well known .NET debugger and assembly editor, dnSpy | dnSpyEx | 514 |
| 41 | CheeseTools | Self-developed tools for Lateral Movement/Code Execution | klezVirus | 503 |
| 42 | SigFlip | SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys ..etc) without invalidating or breaking the existing signature. | med0x2e | 491 |
| 43 | SharpDump | SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality. | GhostPack | 479 |
| 44 | PurpleSharp | PurpleSharp is a C# adversary simulation tool that executes adversary techniques with the purpose of generating attack telemetry in monitored Windows environments | mvelazc0 | 467 |
| 45 | SharpNoPSExec | Get file less command execution for lateral movement. | juliourena | 454 |
| 46 | OffensivePipeline | OffensivePipeline allows to download, compile (without Visual Studio) and obfuscate C# tools for Red Team exercises. | Aetsu | 441 |
| 47 | SilkETW | mandiant | 431 | |
| 48 | Lunar | A lightweight native DLL mapping library that supports mapping directly from memory | Dewera | 428 |
| 49 | NetLoader | Loads any C# binary in mem, patching AMSI + ETW. | Flangvik | 425 |
| 50 | BeaconEye | Hunts out CobaltStrike beacons and logs operator command output | CCob | 420 |
| 51 | Certify | Active Directory certificate abuse. | GhostPack | 415 |
| 52 | AMSITrigger | The Hunt for Malicious Strings | RythmStick | 404 |
| 53 | WindowsProtocolTestSuites | ⭐⭐Join us at SNIA EMEA SDC SMB3 IO Lab 2021 (6/7-6/9): | microsoft | 392 |
| 54 | SharpHound3 | C# Data Collector for the BloodHound Project, Version 3 | BloodHoundAD | 390 |
| 55 | SharpSecDump | .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py | G0ldenGunSec | 370 |
| 56 | SharpSphere | .NET Project for Attacking vCenter | JamesCooteUK | 369 |
| 57 | SharpEDRChecker | Checks running processes, process metadata, Dlls loaded into your current process and the each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV's, EDR's and logging tools. | PwnDexter | 343 |
| 58 | BeaconHunter | Detect and respond to Cobalt Strike beacons using ETW. | 3lp4tr0n | 335 |
| 59 | ipnetwork | IPNetwork command line and C# library take care of complex network, IP, IPv4, IPv6, netmask, CIDR, subnet, subnetting, supernet, and supernetting calculation for .NET developers. It works with IPv4 as well as IPv6, is written in C#, has a light and clean API, and is fully unit-tested | lduchosal | 312 |
| 60 | ThreatCheck | Identifies the bytes that Microsoft Defender / AMSI Consumer flags on. | rasta-mouse | 300 |
| 61 | ForgeCert | "Golden" certificates | GhostPack | 277 |
| 62 | SharpExec | anthemtotheego | 263 | |
| 63 | LoGiC.NET | A more advanced free and open .NET obfuscator using dnlib. | AnErrupTion | 261 |
| 64 | physmem2profit | Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely | FSecureLABS | 261 |
| 65 | SharpRDPHijack | A POC Remote Desktop (RDP) session hijack utility for disconnected sessions | bohops | 258 |
| 66 | RunasCs | RunasCs - Csharp and open version of windows builtin runas.exe | antonioCoco | 255 |
| 67 | MiscTools | Miscellaneous Tools | rasta-mouse | 238 |
| 68 | LiquidSnake | LiquidSnake is a tool that allows operators to perform fileless lateral movement using WMI Event Subscriptions and GadgetToJScript | RiccardoAncarani | 228 |
| 69 | SharpMiniDump | Create a minidump of the LSASS process from memory | b4rtik | 207 |
| 70 | EvtMute | Apply a filter to the events being reported by windows event logging | bats3c | 196 |
| 71 | CSExec | An implementation of PSExec in C# | malcomvetter | 194 |
| 72 | EDD | Enumerate Domain Data | FortyNorthSecurity | 168 |
| 73 | DeployPrinterNightmare | C# tool for installing a shared network printer abusing the PrinterNightmare bug to allow other network machines easy privesc! | Flangvik | 165 |
| 74 | MirrorDump | Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory | CCob | 163 |
| 75 | LittleCorporal | LittleCorporal: A C# Automated Maldoc Generator | connormcgarr | 161 |
| 76 | SharpUnhooker | C# Based Universal API Unhooker | GetRektBoy724 | 160 |
| 77 | RunPE | C# Reflective loader for unmanaged binaries. | nettitude | 157 |
| 78 | SharpImpersonation | A User Impersonation tool - via Token or Shellcode injection | S3cur3Th1sSh1t | 153 |
| 79 | LDAPFragger | fox-it | 150 | |
| 80 | ADFSDump | mandiant | 149 | |
| 81 | EtwExplorer | View ETW Provider manifest | zodiacon | 138 |
| 82 | SyscallAmsiScanBufferBypass | AmsiScanBufferBypass using D/Invoke | S3cur3Th1sSh1t | 119 |
| 83 | SafetyDump | Dump stuff without touching disk | m0rv4i | 119 |
| 84 | SharpRDPThief | A C# implementation of RDPThief to steal credentials from RDP. | passthehashbrowns | 118 |
| 85 | ImproHound | Identify the attack paths in BloodHound breaking your AD tiering | improsec | 113 |
| 86 | AllTheThingsExec | Executes Blended Managed/Unmanged Exports | secdev-01 | 109 |
| 87 | SharpNukeEventLog | nuke that event log using some epic dinvoke fu | jfmaes | 101 |
| 88 | RunDLL.Net | Execute .Net assemblies using Rundll32.exe | p3nt4 | 99 |
| 89 | SharpRDPDump | Create a minidump of TermService for clear text pw extraction | jfmaes | 86 |
| 90 | Reg1c1de | Registry permission scanner written in C# for finding potential privesc avenues within registry | deadjakk | 85 |
| 91 | AzureADLateralMovement | Lateral Movement graph for Azure Active Directory | talmaor | 82 |
| 92 | SharpExfiltrate | Modular C# framework to exfiltrate loot over secure and trusted channels. | Flangvik | 76 |
| 93 | CopyCat | Simple rapper for Mimikatz, bypass Defender | mobdk | 72 |
| 94 | NamedPipes | A pattern for client/server communication via Named Pipes via C# | malcomvetter | 72 |
| 95 | RDPThiefInject | RDPThief donut shellcode inject into mstsc | S3cur3Th1sSh1t | 57 |
| 96 | UnstoppableService | A pattern for a self-installing Windows service in C# with the unstoppable attributes in C#. | malcomvetter | 51 |
| 97 | ETWProcessMon2 | ETWProcessMon2 is for Monitoring Process/Thread/Memory/Imageloads/TCPIP via ETW + Detection for Remote-Thread-Injection & Payload Detection by VirtualMemAlloc Events (in-memory) etc. | DamonMohammadbagher | 50 |
| 98 | SysmonConfigPusher | Pushes Sysmon Configs | LaresLLC | 37 |
| 99 | ETWNetMonv3 | ETWNetMonv3 is simple C# code for Monitoring TCP Network Connection via ETW & ETWProcessMon/2 is for Monitoring Process/Thread/Memory/Imageloads/TCPIP via ETW + Detection for Remote-Thread-Injection & Payload Detection by VirtualMemAlloc Events (in-memory) etc. | DamonMohammadbagher | 14 |
| 100 | Microsoft-ADFS-Info | I created a small project to get the private keys and token-signing certificate from an AD FS server to create forged tokens. | thalpius | 8 |
| 101 | Microsoft-Kerberos | I have created a small C# project that requests a Ticket Granting Service (TGS) ticket using KerberosSecurityTokenProvider to use for Kerberoasting and an option to request an Azure AD SSO TGS. | thalpius | 8 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | osquery | SQL powered operating system instrumentation, monitoring, and analytics. | osquery | 18272 |
| 2 | zeek | Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. | zeek | 4025 |
| 3 | al-khaser | Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection. | LordNoteworthy | 3397 |
| 4 | ProcMon-for-Linux | Procmon is a Linux reimagining of the classic Procmon tool from the Sysinternals suite of tools for Windows. Procmon provides a convenient and efficient way for Linux developers to trace the syscall activity on the system. | Sysinternals | 3144 |
| 5 | pe-sieve | Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches). | hasherezade | 1708 |
| 6 | BLUESPAWN | An Active Defense and EDR software to empower Blue Teams | ION28 | 837 |
| 7 | herpaderping | Process Herpaderping proof of concept, tool, and technical deep dive. Process Herpaderping bypasses security products by obscuring the intentions of a process. | jxy-s | 733 |
| 8 | SocksOverRDP | Socks5/4/4a Proxy support for Remote Desktop Protocol / Terminal Services / Citrix / XenApp / XenDesktop | nccgroup | 609 |
| 9 | HiveNightmare | Exploit allowing you to read registry hives as non-admin on Windows 10 and 11 | GossiTheDog | 527 |
| 10 | TelemetrySourcerer | Enumerate and disable common sources of telemetry used by AV/EDR. | jthuraisamy | 458 |
| 11 | spectre | A Windows kernel-mode rootkit that abuses legitimate communication channels to control a machine. | D4stiny | 378 |
| 12 | krabsetw | KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions. | microsoft | 362 |
| 13 | procfilter | A YARA-integrated process denial framework for Windows | godaddy | 358 |
| 14 | Perfusion | Exploit for the RpcEptMapper registry key permissions vulnerability (Windows 7 / 2088R2 / 8 / 2012) | itm4n | 357 |
| 15 | PPLKiller | Tool to bypass LSA Protection (aka Protected Process Light) | RedCursorSecurityConsulting | 327 |
| 16 | AndrewSpecial | AndrewSpecial, dumping lsass' memory stealthily and bypassing "Cilence" since 2019. | hoangprod | 321 |
| 17 | PDBRipper | PDBRipper is a utility for extract an information from PDB-files. | horsicq | 316 |
| 18 | Spray-AD | A Cobalt Strike tool to audit Active Directory user accounts for weak, well known or easy guessable passwords. | outflanknl | 313 |
| 19 | LsassSilentProcessExit | Command line interface to dump LSASS memory to disk via SilentProcessExit | deepinstinct | 310 |
| 20 | serpentine | C++/Win32/Boost Windows RAT (Remote Administration Tool) with a multiplatform Java/Spring RESTful C2 server and Go, C++/Qt5 frontends | jafarlihi | 276 |
| 21 | FalconEye | rajiv2790 | 219 | |
| 22 | KernelForge | A library to develop kernel level Windows payloads for post HVCI era | Cr4sh | 203 |
| 23 | unDefender | Killing your preferred antimalware by abusing native symbolic links and NT paths. | APTortellini | 193 |
| 24 | Probatorum-EDR-Userland-Hook-Checker | Project to check which Nt/Zw functions your local EDR is hooking | asaurusrex | 117 |
| 25 | PrimaryTokenTheft | Steal a primary token and spawn cmd.exe using the stolen token | slyd0g | 104 |
| 26 | winrmdll | C++ WinRM API via Reflective DLL | mez-0 | 96 |
| 27 | STFUEDR | Silence EDRs by removing kernel callbacks | lawiet47 | 92 |
| 28 | MiniDumpWriteDumpPoC | MiniDumpWriteDump behavior modification hook | Adepts-Of-0xCC | 47 |
| 29 | Introduction-to-Process-Hollowing | comosedice2012 | 10 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | source-code-pro | Monospaced font family for user interface and coding environments | adobe-fonts | 17548 |
| 2 | public-pentesting-reports | Curated list of public penetration test reports released by several consulting firms and academic security groups | juliocesarfort | 4959 |
| 3 | security | Stuff about it-security that might be good to know | xapax | 765 |
| 4 | SysmonCommunityGuide | TrustedSec Sysinternals Sysmon Community Guide | trustedsec | 690 |
| 5 | security | Notes and Commands for CTFs | D00MFist | 13 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | Docker-Security | Getting a handle on container security | OWASP | 442 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | rclone | "rsync for cloud storage" - Google Drive, S3, Dropbox, Backblaze B2, One Drive, Swift, Hubic, Wasabi, Google Cloud Storage, Yandex Files | rclone | 28922 |
| 2 | sops | Simple and flexible tool for managing secrets | mozilla | 8284 |
| 3 | evilginx2 | Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication | kgretzky | 4586 |
| 4 | Modlishka | Modlishka. Reverse Proxy. | drk1wi | 3562 |
| 5 | merlin | Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. | Ne0nd0g | 3425 |
| 6 | tfsec | Security scanner for your Terraform code | aquasecurity | 3351 |
| 7 | pspy | Monitor linux processes without root permissions | DominicBreuker | 2342 |
| 8 | ruler | A tool to abuse Exchange services | sensepost | 1633 |
| 9 | ScareCrow | ScareCrow - Payload creation framework designed around EDR bypass. | optiv | 1392 |
| 10 | kerbrute | A tool to perform Kerberos pre-auth bruteforcing | ropnop | 1096 |
| 11 | velociraptor | Digging Deeper.... | Velocidex | 914 |
| 12 | Limelighter | A tool for generating fake code signing certificates or signing real ones | Tylous | 493 |
| 13 | respounder | Respounder detects presence of responder in the network. | codeexpress | 264 |
| 14 | Dent | A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors. | optiv | 259 |
| 15 | Go365 | An Office365 User Attack Tool | optiv | 235 |
| 16 | Git-Secret | Go scripts for finding an API key / some keywords in repository | daffainfo | 122 |
| 17 | sgCheckup | sgCheckup generates nmap output based on scanning your AWS Security Groups for unexpected open ports. | goldfiglabs | 61 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | sentinel-attack | Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK | BlueTeamLabs | 755 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | GTFOBins.github.io | GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems | GTFOBins | 5296 |
| 2 | Cerberus | A few simple, but solid patterns for responsive HTML email templates and newsletters. Even in Outlook and Gmail. | TedGoas | 4315 |
| 3 | elasticsearch-definitive-guide | The Definitive Guide to Elasticsearch | elastic | 3425 |
| 4 | DetectionLab | Automate the creation of a lab environment complete with security tooling and logging best practices | clong | 3081 |
| 5 | EVTX-ATTACK-SAMPLES | Windows Events Attack Samples | sbousseaden | 1463 |
| 6 | windows-syscalls | Windows System Call Tables (NT/2000/XP/2003/Vista/2008/7/2012/8/10) | j00ru | 1316 |
| 7 | Licensing | Microsoft 365 licensing diagrams | AaronDinnage | 1019 |
| 8 | nmap-bootstrap-xsl | A Nmap XSL implementation with Bootstrap. | honze-net | 706 |
| 9 | pwnwiki.github.io | PwnWiki - The notes section of the pentesters mind. | pwnwiki | 530 |
| 10 | mihari | A framework for continuous OSINT based threat hunting | ninoseki | 453 |
| 11 | CVE-2021-40444 | CVE-2021-40444 - Fully Weaponized Microsoft Office Word RCE Exploit | klezVirus | 396 |
| 12 | CSSG | Cobalt Strike Shellcode Generator | RCStep | 358 |
| 13 | APT06202001 | Applied Purple Teaming - (ITOCI4hr) - Infrastructure, Threat Optics, and Continuous Improvement - June 6, 2020 | DefensiveOrigins | 287 |
| 14 | ToolAnalysisResultSheet | Tool Analysis Result Sheet | JPCERTCC | 276 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | shellcheck | ShellCheck, a static analysis tool for shell scripts | koalaman | 26158 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | retoolkit | Reverse Engineer's Toolkit | mentebinaria | 2160 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | ysoserial | A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. | frohoff | 4529 |
| 2 | Brida | The new bridge between Burp Suite and Frida! | federicodotta | 1044 |
| 3 | labs_campaigns | guardicore | 319 | |
| 4 | godofwar | GodOfWar - Malicious Java WAR builder with built-in payloads | KINGSABRI | 114 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | vue | 🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web. | vuejs | 188612 |
| 2 | bootstrap | The most popular HTML, CSS, and JavaScript framework for developing responsive, mobile first projects on the web. | twbs | 153098 |
| 3 | awesome-selfhosted | A list of Free Software network services and web applications which can be hosted on your own servers | awesome-selfhosted | 64326 |
| 4 | html5-boilerplate | A professional front-end template for building fast, robust, and adaptable web apps or sites. | h5bp | 51553 |
| 5 | video.js | Video.js - open source HTML5 & Flash video player | videojs | 32061 |
| 6 | sweetalert2 | A beautiful, responsive, highly customizable and accessible (WAI-ARIA) replacement for JavaScript's popup boxes. Zero dependencies. | sweetalert2 | 13521 |
| 7 | CyberChef | The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis | gchq | 12971 |
| 8 | awesome-wpo | 📝 A curated list of Web Performance Optimization. Everyone can contribute here! | davidsonfellipe | 7240 |
| 9 | Font-Awesome-Pro | The internet's most popular icon has been redesigned and built from scratch. | FortAwesome | 6062 |
| 10 | current-device | The easiest way to write conditional CSS and/or JavaScript based on device operating system (iOS, Android, Blackberry, Windows, Firefox OS, MeeGo), orientation (Portrait vs. Landscape), and type (Tablet vs. Mobile). | matthewhudson | 3724 |
| 11 | shhgit | Ah shhgit! Find secrets in your code. Secrets detection for your GitHub, GitLab and Bitbucket repositories: www.shhgit.com | eth0izzle | 3267 |
| 12 | pwndrop | Self-deployable file hosting service for red teamers, allowing to easily upload and share payloads over HTTP and WebDAV. | kgretzky | 1130 |
| 13 | npk | A mostly-serverless distributed hash cracking platform | Coalfire-Research | 728 |
| 14 | Fermion | Fermion, an electron wrapper for Frida & Monaco. | FuzzySecurity | 384 |
| 15 | google-cloudevents | Types for CloudEvents issued by Google | googleapis | 49 |
| 16 | SerializedPayloadGenerator | NotSoSecure | 33 | |
| 17 | DA-ESS-MitreContent | MITRE ATT&CK Framework compliance dashboard and correlation searches that works with Splunk Enterprise Security and ES Content Update | seynur | 16 |
| 18 | BastionBox | A simple bastion host setup designed for cloud-hosted lab environments. | snaplabsio | 14 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | attack_range | A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk | splunk | 895 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | python3-in-one-pic | Learn python3 in one picture. | coodict | 4477 |
| 2 | Azure-Sentinel | Cloud-native SIEM for intelligent security analytics for your entire enterprise. | Azure | 1589 |
| 3 | Microsoft-365-Defender-Hunting-Queries | Sample queries for Advanced hunting in Microsoft 365 Defender | microsoft | 1227 |
| 4 | security-api-solutions | Microsoft Graph Security API applications and services. | microsoftgraph | 159 |
| 5 | ASDET | microsoft | 13 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | ntopng | Web-based Traffic and Security Network Traffic Monitoring | ntop | 4185 |
| 2 | grab_beacon_config | whickey-r7 | 328 | |
| 3 | Winshark | A wireshark plugin to instrument ETW | airbus-cert | 288 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | learn-regex | Learn regex the easy way | ziishaned | 38895 |
| 2 | awesome-shell | A curated list of awesome command-line frameworks, toolkits, guides and gizmos. Inspired by awesome-php. | alebcay | 22187 |
| 3 | awesome-docker | 🐳 A curated list of Docker resources and projects | veggiemonk | 20433 |
| 4 | docker-cheat-sheet | Docker Cheat Sheet | wsargent | 20309 |
| 5 | API-Security-Checklist | Checklist of the most important security countermeasures when designing, testing, and releasing your API | shieldfy | 16007 |
| 6 | awesome-pentest | A collection of awesome penetration testing resources, tools and other shiny things | enaqx | 14821 |
| 7 | awesome-macOS | A curated list of awesome applications, softwares, tools and shiny things for macOS. | iCHAIT | 12299 |
| 8 | htaccess | ✂A collection of useful .htaccess snippets. | phanan | 11784 |
| 9 | How-To-Secure-A-Linux-Server | An evolving how-to guide for securing a Linux server. | imthenachoman | 11698 |
| 10 | server-configs-nginx | Nginx HTTP server boilerplate configs | h5bp | 9286 |
| 11 | PENTESTING-BIBLE | Learn ethical hacking.Learn about reconnaissance,windows/linux hacking,attacking web technologies,and pen testing wireless networks.Resources for learning malware analysis and reverse engineering. | blaCCkHatHacEEkr | 8677 |
| 12 | awesome-osint | 😱 A curated list of amazingly awesome OSINT | jivoi | 7391 |
| 13 | reverse-engineering | List of awesome reverse engineering resources | wtsxDev | 6147 |
| 14 | Red-Teaming-Toolkit | This repository contains cutting-edge open-source security tools (OST) for a red teamer and threat hunter. | infosecn1nja | 5371 |
| 15 | awesome-threat-intelligence | A curated list of Awesome Threat Intelligence resources | hslatman | 4587 |
| 16 | awesome-incident-response | A curated list of tools for incident response | meirwah | 4584 |
| 17 | Awesome-Red-Teaming | List of Awesome Red Teaming Resources | yeyintminthuhtut | 4067 |
| 18 | Infosec_Reference | An Information Security Reference That Doesn't Suck; https://rmusser.net/git/admin-2/Infosec_Reference for non-MS Git hosted version. | rmusser01 | 4001 |
| 19 | Cheatsheet-God | Penetration Testing Reference Bank - OSCP / PTP & PTX Cheatsheet | OlivierLaflamme | 3412 |
| 20 | sysmon-config | Sysmon configuration file template with default high-quality event tracing | SwiftOnSecurity | 3150 |
| 21 | server-configs | Boilerplate configurations for various web servers. | h5bp | 3072 |
| 22 | AD-Attack-Defense | Attack and defend active directory using modern post exploitation adversary tradecraft activity | infosecn1nja | 2995 |
| 23 | MobileApp-Pentest-Cheatsheet | The Mobile App Pentest cheat sheet was created to provide concise collection of high value information on specific mobile application penetration testing topics. | tanprathan | 2920 |
| 24 | Red-Team-Infrastructure-Wiki | Wiki to collect Red Team infrastructure hardening resources | bluscreenofjeff | 2909 |
| 25 | Active-Directory-Exploitation-Cheat-Sheet | A cheat sheet that contains common enumeration and attack methods for Windows Active Directory. | S1ckB0y1337 | 2220 |
| 26 | awesome-burp-extensions | A curated list of amazingly awesome Burp Extensions | snoopysecurity | 1904 |
| 27 | Awesome-CobaltStrike | cobaltstrike的相关资源汇总 / List of Awesome CobaltStrike Resources | zer0yu | 1786 |
| 28 | awesome-forensics | A curated list of awesome forensic analysis tools and resources | cugu | 1681 |
| 29 | linux-re-101 | A collection of resources for linux reverse engineering | michalmalik | 1574 |
| 30 | pentest-guide | Penetration tests guide based on OWASP including test cases, resources and examples. | Voorivex | 1562 |
| 31 | Bash-Oneliner | A collection of handy Bash One-Liners and terminal tricks for data processing and Linux system maintenance. | onceupon | 1516 |
| 32 | CloudPentestCheatsheets | This repository contains a collection of cheatsheets I have put together for tools related to pentesting organizations that leverage cloud providers. | dafthack | 1465 |
| 33 | Checklists | Red Teaming & Pentesting checklists for various engagements | netbiosX | 1227 |
| 34 | awesome-regex | A curated collection of awesome Regex libraries, tools, frameworks and software | aloisdg | 1125 |
| 35 | cyberchef-recipes | A list of cyber-chef recipes and curated links | mattnotmax | 1061 |
| 36 | SysmonTools | Utilities for Sysmon | nshalabi | 1045 |
| 37 | MSRC-Security-Research | Security Research from the Microsoft Security Response Center (MSRC) | microsoft | 998 |
| 38 | SharpCollection | Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines. | Flangvik | 991 |
| 39 | Pentest-Tools | S3cur3Th1sSh1t | 941 | |
| 40 | AllThingsSSRF | This is a collection of writeups, cheatsheets, videos, books related to SSRF in one single location | jdonsec | 855 |
| 41 | Awesome-CobaltStrike-Defence | Defences against Cobalt Strike | MichaelKoczwara | 840 |
| 42 | MicrosoftWontFixList | A list of vulnerabilities or design flaws that Microsoft does not intend to fix. Since the number is growing, I decided to make a list. This list covers only vulnerabilities that came up in July 2021 (and SpoolSample ;-)) | cfalta | 814 |
| 43 | XSS-Payloads | List of advanced XSS payloads | pgaijin66 | 760 |
| 44 | malleable-c2 | Cobalt Strike Malleable C2 Design and Reference Guide | threatexpress | 716 |
| 45 | sysmon-dfir | Sources, configuration and how to detect evil things utilizing Microsoft Sysmon. | MHaggis | 693 |
| 46 | APT_Digital_Weapon | Indicators of compromise (IOCs) collected from public resources and categorized by Qi-AnXin. | RedDrip7 | 678 |
| 47 | auditd | Best Practice Auditd Configuration | Neo23x0 | 661 |
| 48 | osquery-configuration | A repository for using osquery for incident detection and response | palantir | 643 |
| 49 | Incident-Playbook | GOAL: Incident Response Playbooks Mapped to MITRE Attack Tactics and Techniques. [Contributors Friendly] | austinsonger | 642 |
| 50 | osquery-attck | Mapping the MITRE ATT&CK Matrix with Osquery | teoseller | 581 |
| 51 | Amsi-Bypass-Powershell | This repo contains some Amsi Bypass methods i found on different Blog Posts. | S3cur3Th1sSh1t | 559 |
| 52 | aws-incident-response-playbooks | aws-samples | 485 | |
| 53 | Mind-Maps | Mind-Maps of Several Things | imran-parray | 461 |
| 54 | DomainFrontingLists | A list of Domain Frontable Domains by CDN | vysecurity | 444 |
| 55 | .NET-Deobfuscator | Lists of .NET Deobfuscator and Unpacker (Open Source) | NotPrab | 442 |
| 56 | Bloodhound-Custom-Queries | Custom Query list for the Bloodhound GUI based off my cheatsheet | hausec | 336 |
| 57 | Windows-Hunting | beahunt3r | 311 | |
| 58 | ircapabilities | Incident Response Hierarchy of Needs | swannman | 297 |
| 59 | Awesome-SOAR | A curated Cyber "Security Orchestration, Automation and Response (SOAR)" awesome list. | correlatedsecurity | 285 |
| 60 | microsoftgraph-postman-collections | microsoftgraph | 255 | |
| 61 | KapeFiles | This repository serves as a place for community created Targets and Modules for use with KAPE. | EricZimmerman | 255 |
| 62 | Slides | Misc Threat Hunting Resources | sbousseaden | 244 |
| 63 | FalconFriday | Bi-weekly hunting queries | FalconForceTeam | 225 |
| 64 | what_is_this_c2 | For all these times you're asking yourself "what is this panel again?" | misterch0c | 191 |
| 65 | CrimeBoards | A list of private and public (more or less) blackhat boards | misterch0c | 169 |
| 66 | Threat-Hunting-and-Detection | Repository for threat hunting and detection queries, tools, etc. | Cyb3r-Monk | 161 |
| 67 | threathunting-spl | Splunk code (SPL) for serious threat hunters and detection engineers. | inodee | 155 |
| 68 | MindMaps | #ThreatHunting #DFIR #Malware #Detection Mind Maps | nasbench | 147 |
| 69 | awesome-event-ids | Collection of Event ID ressources useful for Digital Forensics and Incident Response | stuhli | 146 |
| 70 | Detection-Ideas-Rules | Detection Ideas & Rules repository. | vadim-hunter | 143 |
| 71 | AzureAD-Attack-Defense | This publication is a collection of various common attack scenarios on Azure Active Directory and how they can be mitigated or detected. | Cloud-Architekt | 136 |
| 72 | Windows-auditing-mindmap | Set of Mindmaps providing a detailed overview of the different #Windows auditing capacities and event log files. | mdecrevoisier | 125 |
| 73 | DFIRMindMaps | A repository of DFIR-related Mind Maps geared towards the visual learners! | rathbuna | 118 |
| 74 | InlineExecute-Assembly | InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strikes traditional fork and run execute-assembly module | xforcered | 115 |
| 75 | KQL | Kusto Query Language | marcusbakker | 114 |
| 76 | HelpColor | Agressor script that lists available Cobalt Strike beacon commands and colors them based on their type | outflanknl | 111 |
| 77 | MS-500-Microsoft-365-Security | MS-500 Microsoft 365 Security Administrator courses | MicrosoftLearning | 111 |
| 78 | botsv3 | Splunk Boss of the SOC version 3 dataset. | splunk | 107 |
| 79 | TweetFeed | Collecting IOCs posted on Twitter | 0xDanielLopez | 104 |
| 80 | awesome-sec-s3 | A collection of awesome AWS S3 tools that collects and enumerates exposed S3 buckets | mxm0z | 103 |
| 81 | Cloud-Pentesting | This repository is in progress, it will keep updating as I come across to new learning materials. Feel free to contribute. | TROUBLE-1 | 98 |
| 82 | sysmon-config | Sysmon configuration file template with default high-quality event tracing | Neo23x0 | 90 |
| 83 | CTI-Lexicon | Dictionary of CTI-related acronyms, terms, and jargon | BushidoUK | 86 |
| 84 | blue-teaming-with-kql | Repository with Sample KQL Query examples for Threat Hunting | ashwin-patil | 83 |
| 85 | awesome-azure-security | A curated list of awesome Microsoft Azure Security tools, guides, blogs, and other resources. | kmcquade | 80 |
| 86 | Windows-API-To-Sysmon-Events | A repository that maps API calls to Sysmon Event ID's. | jsecurity101 | 75 |
| 87 | AdvHuntingCheatSheet | Microsoft Threat Protection Advance Hunting Cheat Sheet | MiladMSFT | 60 |
| 88 | static-files | A collection of static files maintained by the Sublime team, primarily used for phishing defense. | sublime-security | 59 |
| 89 | MicrosoftDefenderForEndpoint-PowerBI | A repo for sample MDATP Power BI Templates | microsoft | 58 |
| 90 | AdvancedHunting | Advanced Hunting Queries for Microsoft Security Products | jangeisbauer | 52 |
| 91 | SC-200T00A-Microsoft-Security-Operations-Analyst | MicrosoftLearning | 50 | |
| 92 | detection-sources | olafhartong | 50 | |
| 93 | HomeLabResources | List of resources for buiding a home lab | reswob10 | 45 |
| 94 | Detect-Hooks | Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR | xforcered | 41 |
| 95 | Useful-BloodHound-Queries | A collection of Neo4j/BloodHound queries to collect interesting information. | xenoscr | 38 |
| 96 | PurpleAD | Active Directory Purple Team Playbook | mvelazc0 | 35 |
| 97 | xknow_infosec | Random Stuff for Cyber Security Incident Response | Iveco | 31 |
| 98 | ossem_modular | OSSEM Modular | secgroundzero | 28 |
| 99 | OSSEM-CDM | OSSEM Common Data Model | OTRF | 22 |
| 100 | splunk-addon-powershell | Splunk Add-on for PowerShell provides field extraction for PowerShell event logs. | swisscom | 17 |
| 101 | Sentinel-Queries | Collection of KQL queries | reprise99 | 14 |
| 102 | spl-to-kql | The idea is simply to save some quick notes that will make it easier for Splunk users to leverage KQL (Kusto), especially giving projects requiring both technologies (Splunk and Azure/Sentinel) or any other hybrid environments. Feel free to add/suggest entries. | inodee | 14 |
| 103 | Azure-Sentinel | DebugPrivilege | 14 | |
| 104 | AWS_EKS_Cluster_Forensics | AWS EKS Cluster Forensics | cado-security | 13 |
| 105 | AzureActiveDirectory | Automation around Azure Active Directory | Kaidja | 12 |
| 106 | PoSH_Teams_Message_Theif | Quick and dirty PoSH code to read teams messages | Xenov-X | 12 |
| 107 | OSSEM-DD | OSSEM Data Dictionaries | OTRF | 12 |
| 108 | Cheat-Sheets | Cheat sheets for threat hunting, detection and other stuff. | Cyb3r-Monk | 11 |
| 109 | M365-Defender | DebugPrivilege | 5 | |
| 110 | TA-powershell_transcript | This app provides knowledge objects for working with Windows PowerShell transcript logs. In addition to field extractions, a number of event types are included to support threat hunting use cases. Additional information on the configuration of this app is available here: www.hurricanelabs.com/splunk-tutorials/splunk-tutorial-powershell-transcription-logging | HurricaneLabs | 3 |
| 111 | TA-microsoft-365-defender-advanced-hunting-add-on | splunk | 3 | |
| 112 | SA_ESS_Windows | Splunk App for Enterprise Security and Windows Security log | aholzel | 3 |
| 113 | VPCFlowTH | Splunk dashboard to support analysis of VPC Flow logs from AWS | chrisdfir | 2 |
| 114 | defender-comparison | ruairidhlc | 2 | |
| 115 | ML_used_in_splunk_and_elk | Splunk Enterprise Security & Elastic SIEM built-in Machine Learning based rules | efi-k | 1 |
| 116 | SysmonVersions | super0xbad1dea | 1 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | SecLists | SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. | danielmiessler | 33739 |
| 2 | fuzzdb | Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery. | fuzzdb-project | 6085 |
| 3 | MISP | MISP (core software) - Open Source Threat Intelligence and Sharing Platform (formely known as Malware Information Sharing Platform) | MISP | 3365 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | MySQLTuner-perl | MySQLTuner is a script written in Perl that will assist you with your MySQL configuration and make recommendations for increased performance and stability. | major | 7091 |
| 2 | RegRipper3.0 | RegRipper3.0 | keydet89 | 180 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | BloodHound | Six Degrees of Domain Admin | BloodHoundAD | 5945 |
| 2 | azure-docs | Open source documentation of Microsoft Azure | MicrosoftDocs | 5938 |
| 3 | nishang | Nishang - Offensive PowerShell for red team, penetration testing and offensive security. | samratashok | 5669 |
| 4 | atomic-red-team | Small and highly portable detection tests based on MITRE's ATT&CK. | redcanaryco | 5077 |
| 5 | Invoke-Obfuscation | PowerShell Obfuscator | danielbohannon | 2256 |
| 6 | Empire | Empire is a PowerShell and Python 3.x post-exploitation framework. | BC-SECURITY | 2127 |
| 7 | RedTeaming-Tactics-and-Techniques | Red Teaming Tactics and Techniques | mantvydasb | 2043 |
| 8 | MailSniper | MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain. | dafthack | 1908 |
| 9 | WinPwn | Automation for internal Windows Penetrationtest / AD-Security | S3cur3Th1sSh1t | 1875 |
| 10 | Invoke-PSImage | Encodes a PowerShell script in the pixels of a PNG file and generates a oneliner to execute | peewpw | 1751 |
| 11 | bashbunny-payloads | The Official Bash Bunny Payload Repository | hak5 | 1741 |
| 12 | PowerUpSQL | PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server | NetSPI | 1606 |
| 13 | Inveigh | .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers | Kevin-Robertson | 1586 |
| 14 | sysmon-modular | A repository of sysmon configuration modules | olafhartong | 1510 |
| 15 | PowerShell | PowerShell functions and scripts (Azure, Active Directory, SCCM, SCSM, Exchange, O365, ...) | lazywinadmin | 1470 |
| 16 | PrivescCheck | Privilege Escalation Enumeration Script for Windows | itm4n | 1373 |
| 17 | AZ-104-MicrosoftAzureAdministrator | AZ-104 Microsoft Azure Administrator | MicrosoftLearning | 1340 |
| 18 | AutomatedLab | AutomatedLab is a provisioning solution and framework that lets you deploy complex labs on HyperV and Azure with simple PowerShell scripts. It supports all Windows operating systems from 2008 R2 to 2019, some Linux distributions and various products like AD, Exchange, PKI, IIS, etc. | AutomatedLab | 1325 |
| 19 | DeepBlueCLI | sans-blue-team | 1210 | |
| 20 | Kansa | A Powershell incident response framework | davehull | 1145 |
| 21 | Phant0m | Windows Event Log Killer | hlldz | 1143 |
| 22 | Active-Directory-Exploitation-Cheat-Sheet | A cheat sheet that contains common enumeration and attack methods for Windows Active Directory. | Integration-IT | 1087 |
| 23 | Invoke-TheHash | PowerShell Pass The Hash Utils | Kevin-Robertson | 1055 |
| 24 | Security-Datasets | Re-play Security Events | OTRF | 1054 |
| 25 | ADAPE-Script | Active Directory Assessment and Privilege Escalation Script | hausec | 934 |
| 26 | BadBlood | BadBlood by @davidprowe, Secframe.com, fills a Microsoft Active Directory Domain with a structure and thousands of objects. The output of the tool is a domain similar to a domain in the real world. After BadBlood is ran on a domain, security analysts and engineers can practice using tools to gain an understanding and prescribe to securing Active Directory. Each time this tool runs, it produces different results. The domain, users, groups, computers and permissions are different. Every. Single. Time. | davidprowe | 888 |
| 27 | PSBits | Simple (relatively) things allowing you to dig a bit deeper than usual. | gtworek | 872 |
| 28 | Random-PowerShell-Work | Random PowerShell Work | adbertram | 787 |
| 29 | PowerShellArsenal | A PowerShell Module Dedicated to Reverse Engineering | mattifestation | 742 |
| 30 | WMImplant | This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based. | FortyNorthSecurity | 700 |
| 31 | Azure-Security-Center | Welcome to the Azure Security Center community repository | Azure | 684 |
| 32 | Invoke-WCMDump | PowerShell Script to Dump Windows Credentials from the Credential Manager | peewpw | 671 |
| 33 | Invoke-CradleCrafter | PowerShell Remote Download Cradle Generator & Obfuscator | danielbohannon | 621 |
| 34 | CVE-2021-1675 | Pure PowerShell implementation of CVE-2021-1675 Print Spooler Local Privilege Escalation (PrintNightmare) | calebstewart | 604 |
| 35 | redteam | Red Team Scripts by d0nkeys (ex SnadoTeam) | d0nkeys | 603 |
| 36 | PSWinReporting | This PowerShell Module has multiple functionalities, but one of the signature features of this module is the ability to parse Security logs on Domain Controllers providing easy to use access to AD Events. | EvotecIT | 603 |
| 37 | SimuLand | Understand adversary tradecraft and improve detection strategies | Azure | 567 |
| 38 | Revoke-Obfuscation | PowerShell Obfuscation Detection Framework | danielbohannon | 566 |
| 39 | PowerSharpPack | S3cur3Th1sSh1t | 563 | |
| 40 | Powermad | PowerShell MachineAccountQuota and DNS exploit tools | Kevin-Robertson | 559 |
| 41 | powershell | 🧛🏻♂️ Dark theme for PowerShell and cmd.exe | dracula | 545 |
| 42 | PowerZure | PowerShell framework to assess Azure security | hausec | 534 |
| 43 | OrgKit | Provision a brand-new company with proper defaults in Windows, Offic365, and Azure | SwiftOnSecurity | 508 |
| 44 | Creds | Some usefull Scripts and Executables for Pentest & Forensics | S3cur3Th1sSh1t | 503 |
| 45 | ADACLScanner | Repo for ADACLScan.ps1 - Your number one script for ACL's in Active Directory | canix1 | 486 |
| 46 | adsec | An introduction to Active Directory security | cfalta | 475 |
| 47 | CRT | Contact: [email protected] | CrowdStrike | 472 |
| 48 | NetNTLMtoSilverTicket | SpoolSample -> Responder w/NetNTLM Downgrade -> NetNTLMv1 -> NTLM -> Kerberos Silver Ticket | NotMedic | 445 |
| 49 | MSOLSpray | A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled. | dafthack | 418 |
| 50 | Invoke-ACLPwn | fox-it | 394 | |
| 51 | LazySign | Create fake certs for binaries using windows binaries and the power of bat files | jfmaes | 378 |
| 52 | windows_hardening | Windows Hardening settings and configurations | 0x6d69636b | 372 |
| 53 | Mandiant-Azure-AD-Investigator | mandiant | 368 | |
| 54 | LAPSToolkit | Tool to audit and attack LAPS environments | leoloobeek | 348 |
| 55 | Invoke-CommandAs | Invoke Command As System/Interactive/GMSA/User on Local/Remote machine & returns PSObjects. | mkellerman | 317 |
| 56 | PSPKIAudit | PowerShell toolkit for AD CS auditing based on the PSPKI toolkit. | GhostPack | 308 |
| 57 | invoke-atomicredteam | Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the atomics folder of Red Canary's Atomic Red Team project. | redcanaryco | 289 |
| 58 | ADTimeline | Timeline of Active Directory changes with replication metadata | ANSSI-FR | 286 |
| 59 | Invoke-SharpLoader | S3cur3Th1sSh1t | 276 | |
| 60 | PAW | unassassinable | 259 | |
| 61 | MFASweep | A tool for checking if MFA is enabled on multiple Microsoft Services | dafthack | 256 |
| 62 | PowerShellArmoury | A PowerShell armoury for security guys and girls | cfalta | 250 |
| 63 | DCOMrade | Powershell script for enumerating vulnerable DCOM Applications | sud0woodo | 239 |
| 64 | Azure-Network-Security | Resources for improving Customer Experience with Azure Network Security | Azure | 234 |
| 65 | psgetsystem | getsystem via parent process using ps1 & embeded c# | decoder-it | 222 |
| 66 | RiskySPN | Detect and abuse risky SPNs | cyberark | 219 |
| 67 | Minimalistic-offensive-security-tools | A repository of tools for pentesting of restricted and isolated environments. | InfosecMatter | 213 |
| 68 | AADInternals | AADInternals PowerShell module for administering Azure AD and Office 365 | Gerenios | 209 |
| 69 | PowerShell | NetSPI PowerShell Scripts | NetSPI | 197 |
| 70 | TokenTactics | Azure JWT Token Manipulation Toolset | rvrsh3ll | 195 |
| 71 | MDATP | Microsoft 365 Defender - Resource Hub | alexverboon | 175 |
| 72 | Cloud-Katana | Unlocking Serverless Computing to Assess Security Controls | Azure | 159 |
| 73 | Microsoft-Blue-Forest | Creating a hardened "Blue Forest" with Server 2016/2019 Domain Controllers | rootsecdev | 155 |
| 74 | Invoke-BuildAnonymousSMBServer | Use to build an anonymous SMB file server. | 3gstudent | 149 |
| 75 | WT64 | A Commodore 64 Skin for Windows Terminal | PowerFeature | 141 |
| 76 | PowerSploit | PowerSploit - A PowerShell Post-Exploitation Framework | ZeroDayLab | 136 |
| 77 | New-KrbtgtKeys.ps1 | This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation. | microsoft | 136 |
| 78 | Office-365-Extractor | The Office 365 Extractor is a tool that allows for complete and reliable extraction of the Unified Audit Log (UAL) | JoeyRentenaar | 136 |
| 79 | SpoolerScanner | Check if MS-RPRN is remotely available with powershell/c# | vletoux | 134 |
| 80 | AtomicTestHarnesses | Public Repo for Atomic Test Harness | redcanaryco | 131 |
| 81 | Invoke-DLLClone | Koppeling x Metatwin x LazySign | jfmaes | 129 |
| 82 | UncoverDCShadow | A PowerShell utility to dynamically uncover a DCShadow attack | AlsidOfficial | 111 |
| 83 | NamedPipePTH | Pass the Hash to a named pipe for token Impersonation | S3cur3Th1sSh1t | 110 |
| 84 | AzureHunter | A Cloud Forensics Powershell module to run threat hunting playbooks on data from Azure and O365 | darkquasar | 109 |
| 85 | dfirt | Collect information of Windows PC when doing incident response | mamun-sec | 105 |
| 86 | AzureHound | BloodHoundAD | 103 | |
| 87 | ppid-spoofing | Scripts for performing and detecting parent PID spoofing | countercept | 100 |
| 88 | Update-Sysmon | This repository was created to aid in the deployment/maintenance of the Sysmon service on a large number of computers. | jokezone | 69 |
| 89 | Microsoft-Cloud-App-Security | Additional Resources to improve Customer Experience with Microsoft Cloud App Security | microsoft | 40 |
| 90 | Invoke-WordThief | This script runs multithreading module that connects to a remote TCP server, monitors active (opened) Microsoft Word documents (.doc,.docx,etc') and extracting their text using Word application's COM Object. The script adds HKCU registry (no admin needed) Run key, so this script runs persistently. | danielwolfmann | 33 |
| 91 | LiveDiffAD | AD Live changes viewer | commial | 28 |
| 92 | phish_oauth | POC code to explore phishing attacks using OAuth 2.0 authorization flows, such as the device authorization grant. | netskopeoss | 24 |
| 93 | PowerShellManager | Little PowerShell module to extract PowerShell scripts that no longer exists on disk but were run and are still in Event Logs. | EvotecIT | 24 |
| 94 | MDATP_PoSh_Scripts | anthonws | 21 | |
| 95 | Optimized.Mga | PowerShell module for Microsoft Graph REST API. To optimize, speed, and bulk use Microsoft Graph API in PowerShell. You can can enter your own URL so you aren't restricted to the limitations of the official Microsoft Module. Includes ways to speed up the process, handle throttling, and re-authenticate after the token expires. | baswijdenes | 15 |
| 96 | SplunkTools | A collection of scripts useful in management of Splunk deployment | dstaulcu | 11 |
| 97 | burmatscripts | Scripts and One-Liners | burmat | 11 |
| 98 | Microsoft-Defender-for-Identity-Check-Instance | thalpius | 9 | |
| 99 | Azure-Security-Center | Azure Security Center resources and community knowledge hub | akudrati | 7 |
| 100 | HybridDevicesHealthChecker | HybridDevicesHealthChecker PowerShell script checks the health status of hybrid Azure AD joined devices. This PowerShell script performs various tests on selected devices and shows the result on the Shell screen, grid view and generates HTML report. | mzmaili | 6 |
| 101 | PowerShellCode | PowerShell stuff I work on | alexverboon | 5 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | PayloadsAllTheThings | A list of useful payloads and bypass for Web Application Security and Pentest/CTF | swisskyrepo | 30316 |
| 2 | mitmproxy | An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers. | mitmproxy | 24741 |
| 3 | sqlmap | Automatic SQL injection and database takeover tool | sqlmapproject | 21211 |
| 4 | Depix | Recovers passwords from pixelized screenshots | beurtschipper | 20045 |
| 5 | CheatSheetSeries | The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. | OWASP | 18412 |
| 6 | wifiphisher | The Rogue Access Point Framework | wifiphisher | 10107 |
| 7 | routersploit | Exploitation Framework for Embedded Devices | threat9 | 9686 |
| 8 | frida | Clone this repo to build Frida | frida | 8401 |
| 9 | binwalk | Firmware Analysis Tool | ReFirmLabs | 7746 |
| 10 | impacket | Impacket is a collection of Python classes for working with network protocols. | SecureAuthCorp | 7604 |
| 11 | social-engineer-toolkit | The Social-Engineer Toolkit (SET) repository from TrustedSec - All new versions of SET will be deployed here. | trustedsec | 6891 |
| 12 | dirsearch | Web path scanner | maurosoria | 6849 |
| 13 | scapy | Scapy: the Python-based interactive packet manipulation program & library. Supports Python 2 & Python 3. | secdev | 6704 |
| 14 | spiderfoot | SpiderFoot automates OSINT for threat intelligence and mapping your attack surface. | smicallef | 6580 |
| 15 | fail2ban | Daemon to ban hosts that cause multiple authentication errors | fail2ban | 6424 |
| 16 | CrackMapExec | A swiss army knife for pentesting networks | byt3bl33d3r | 5234 |
| 17 | volatility | An advanced memory forensics framework | volatilityfoundation | 4868 |
| 18 | sigma | Generic Signature Format for SIEM Systems | SigmaHQ | 4124 |
| 19 | wfuzz | Web application fuzzer | xmendez | 3967 |
| 20 | grr | GRR Rapid Response: remote live forensics for incident response | 3896 | |
| 21 | Awesome-WAF | 🔥 Everything about web-application firewalls (WAF). | 0xInfection | 3855 |
| 22 | w3af | w3af: web application attack and audit framework, the open source web vulnerability scanner. | andresriancho | 3723 |
| 23 | ScoutSuite | Multi-Cloud Security Auditing Tool | nccgroup | 3557 |
| 24 | hacktricks | Welcome to the page where you will find each trick/technique/whatever I have learnt in CTFs, real life apps, and reading researches and news. | carlospolop | 3310 |
| 25 | EyeWitness | EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible. | FortyNorthSecurity | 3189 |
| 26 | dispatch | All of the ad-hoc things you're doing to manage incidents today, done for you, and much more! | Netflix | 3064 |
| 27 | dnstwist | Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation | elceef | 3037 |
| 28 | Responder | Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. | lgandx | 3017 |
| 29 | unicorn | Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18. | trustedsec | 3004 |
| 30 | caldera | Scalable Automated Adversary Emulation Platform | mitre | 2919 |
| 31 | Veil | Veil 3.1.X (Check version info in Veil at runtime) | Veil-Framework | 2859 |
| 32 | ROPgadget | This tool lets you search your gadgets on your binaries to facilitate your ROP exploitation. ROPgadget supports ELF, PE and Mach-O format on x86, x64, ARM, ARM64, PowerPC, SPARC and MIPS architectures. | JonathanSalwan | 2810 |
| 33 | ThreatHunter-Playbook | A Threat hunter's playbook to aid the development of techniques and hypothesis for hunting campaigns. | OTRF | 2777 |
| 34 | wesng | Windows Exploit Suggester - Next Generation | bitsadmin | 2505 |
| 35 | pentest-tools | Custom pentesting tools | gwen001 | 2327 |
| 36 | jwt_tool | 🐍 A toolkit for testing, tweaking and cracking JSON Web Tokens | ticarpi | 2263 |
| 37 | Loki | Loki - Simple IOC and Incident Response Scanner | Neo23x0 | 2145 |
| 38 | WinPwnage | UAC bypass, Elevate, Persistence methods | rootm0s | 2131 |
| 39 | diaphora | Diaphora, the most advanced Free and Open Source program diffing tool. | joxeankoret | 2118 |
| 40 | koadic | Koadic C3 COM Command & Control - JScript RAT | zerosum0x0 | 2035 |
| 41 | IntelOwl | Intel Owl: analyze files, domains, IPs in multiple ways from a single API at scale | intelowlproject | 2029 |
| 42 | flare-floss | FireEye Labs Obfuscated String Solver - Automatically extract obfuscated strings from malware. | mandiant | 1959 |
| 43 | BeRoot | Privilege Escalation Project - Windows / Linux / Mac | AlessandroZ | 1851 |
| 44 | capa | The FLARE team's open-source tool to identify capabilities in executable files. | mandiant | 1841 |
| 45 | LogonTracer | Investigate malicious Windows logon by visualizing and analyzing Windows event log | JPCERTCC | 1824 |
| 46 | cve-search | cve-search - a tool to perform local searches for known vulnerabilities | cve-search | 1728 |
| 47 | timesketch | Collaborative forensic timeline analysis | 1710 | |
| 48 | pypykatz | Mimikatz implementation in pure Python | skelsec | 1640 |
| 49 | malwoverview | Malwoverview is a first response tool used for threat hunting and offers intel information from Virus Total, Hybrid Analysis, URLHaus, Polyswarm, Malshare, Alien Vault, Malpedia, ThreatCrowd, Valhalla, Malware Bazaar, ThreatFox, Triage and it is able to scan Android devices against VT and HA. | alexandreborges | 1540 |
| 50 | SSRFmap | Automatic SSRF fuzzer and exploitation tool | swisskyrepo | 1536 |
| 51 | S3Scanner | Scan for open S3 buckets and dump the contents | sa7mon | 1507 |
| 52 | inception | Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces. | carmaa | 1440 |
| 53 | ja3 | JA3 is a standard for creating SSL client fingerprints in an easy to produce and shareable way. | salesforce | 1355 |
| 54 | brutespray | Brute-Forcing from Nmap output - Automatically attempts default creds on found services. | x90skysn3k | 1343 |
| 55 | flare-fakenet-ng | [Suspended] FakeNet-NG - Next Generation Dynamic Network Analysis Tool | mandiant | 1276 |
| 56 | plaso | Super timeline all the things | log2timeline | 1155 |
| 57 | DeTTECT | Detect Tactics, Techniques & Combat Threats | rabobank-cdc | 1141 |
| 58 | Phantom-Evasion | Python antivirus evasion tool | oddcod3 | 1111 |
| 59 | APT_REPORT | Interesting apt report collection and some special ioc express | blackorbird | 1059 |
| 60 | odat | ODAT: Oracle Database Attacking Tool | quentinhardy | 1041 |
| 61 | mitm6 | pwning IPv4 via IPv6 | dirkjanm | 1008 |
| 62 | SigThief | Stealing Signatures and Making One Invalid Signature at a Time | secretsquirrel | 1001 |
| 63 | lsassy | Extract credentials from lsass remotely | Hackndo | 987 |
| 64 | GreatSCT | The project is called Great SCT (Great Scott). Great SCT is an open source project to generate application white list bypasses. This tool is intended for BOTH red and blue team. | GreatSCT | 987 |
| 65 | Sooty | The SOC Analysts all-in-one CLI tool to automate and speed up workflow. | TheresAFewConors | 941 |
| 66 | SprayingToolkit | Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient | byt3bl33d3r | 932 |
| 67 | kerberoast | nidem | 910 | |
| 68 | OSSEM | Open Source Security Events Metadata (OSSEM) | OTRF | 897 |
| 69 | BloodHound.py | A Python based ingestor for BloodHound | fox-it | 873 |
| 70 | Stormspotter | Azure Red Team tool for graphing Azure and Azure Active Directory objects | Azure | 871 |
| 71 | linuxprivchecker | linuxprivchecker.py -- a Linux Privilege Escalation Check Script | sleventyeleven | 861 |
| 72 | detection-rules | Rules for Elastic Security's detection engine | elastic | 845 |
| 73 | ThreatHunting | A Splunk app mapped to MITRE ATT&CK to guide your threat hunts | olafhartong | 829 |
| 74 | PrivExchange | Exchange your privileges for Domain Admin privs by abusing Exchange | dirkjanm | 776 |
| 75 | OSINT | Collections of tools and methods created to aid in OSINT collection | sinwindie | 700 |
| 76 | OSCP-Prep | A comprehensive guide/material for anyone looking to get into infosec or take the OSCP exam | RustyShackleford221 | 691 |
| 77 | content | Demisto is now Cortex XSOAR. Automate and orchestrate your Security Operations with Cortex XSOAR's ever-growing Content Repository. Pull Requests are always welcome and highly appreciated! | demisto | 689 |
| 78 | FavFreak | Making Favicon.ico based Recon Great again ! | devanshbatham | 675 |
| 79 | atomic-threat-coverage | Actionable analytics designed to combat threats | atc-project | 669 |
| 80 | wifipumpkin3 | Powerful framework for rogue access point attack. | P0cL4bs | 659 |
| 81 | hindsight | Web browser forensics for Google Chrome/Chromium | obsidianforensics | 644 |
| 82 | ItWasAllADream | A PrintNightmare (CVE-2021-34527) Python Scanner. Scan entire subnets for hosts vulnerable to the PrintNightmare RCE | byt3bl33d3r | 642 |
| 83 | ROADtools | The Azure AD exploration framework. | dirkjanm | 639 |
| 84 | volatility3 | Volatility 3.0 development | volatilityfoundation | 633 |
| 85 | artifacts | Digital Forensics Artifact Repository | ForensicArtifacts | 628 |
| 86 | awspx | A graph-based tool for visualizing effective access and resource relationships in AWS environments. | FSecureLABS | 612 |
| 87 | arsenal | Arsenal is just a quick inventory and launcher for hacking programs | Orange-Cyberdefense | 605 |
| 88 | car | Cyber Analytics Repository | mitre-attack | 583 |
| 89 | munin | Online hash checker for Virustotal and other services | Neo23x0 | 579 |
| 90 | cloud_enum | Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud. | initstring | 571 |
| 91 | PlumHound | Bloodhound for Blue and Purple Teams | PlumHound | 545 |
| 92 | weirdAAL | WeirdAAL (AWS Attack Library) | carnal0wnage | 541 |
| 93 | jarm | salesforce | 540 | |
| 94 | fatt | FATT /fingerprintAllTheThings - a pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic | 0x4D31 | 522 |
| 95 | python-evtx | Pure Python parser for recent Windows Event Log files (.evtx) | williballenthin | 512 |
| 96 | WitnessMe | Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier. | byt3bl33d3r | 508 |
| 97 | CobaltStrikeParser | Sentinel-One | 494 | |
| 98 | impacket_static_binaries | Standalone binaries for Linux/Windows of Impacket's examples | ropnop | 471 |
| 99 | adidnsdump | Active Directory Integrated DNS dumping by any authenticated user | dirkjanm | 462 |
| 100 | FindFrontableDomains | Search for potential frontable domains | rvrsh3ll | 450 |
| 101 | degoogle | search Google and extract results directly. skip all the click-through links and other sketchiness | deepseagirl | 419 |
| 102 | wifipineapple-modules | The Official WiFi Pineapple Module Repository for the NANO & TETRA | hak5 | 409 |
| 103 | APT-Hunter | APT-Hunter is Threat Hunting tool for windows event logs which made by purple team mindset to provide detect APT movements hidden in the sea of windows event logs to decrease the time to uncover suspicious activity | ahmedkhlief | 408 |
| 104 | ATTACK-Python-Client | Python Script to access ATT&CK content available in STIX via a public TAXII server | OTRF | 387 |
| 105 | security_content | Splunk Security Content | splunk | 375 |
| 106 | adconnectdump | Dump Azure AD Connect credentials for Azure AD and Active Directory | fox-it | 340 |
| 107 | atc-react | A knowledge base of actionable Incident Response techniques | atc-project | 315 |
| 108 | rbcd-attack | Kerberos Resource-Based Constrained Delegation Attack from Outside using Impacket | tothi | 299 |
| 109 | playbooks | Phantom Community Playbooks | phantomcyber | 298 |
| 110 | NTLMRecon | Enumerate information from NTLM authentication enabled web endpoints 🔎 | pwnfoo | 268 |
| 111 | CobaltSpam | Tool based on CobaltStrikeParser from SentinelOne which can be used to spam a CobaltStrike server with fake beacons | hariomenkel | 252 |
| 112 | basecrack | Decode All Bases - Base Scheme Decoder | mufeedvh | 240 |
| 113 | evil-ssdp | Spoof SSDP replies and create fake UPnP devices to phish for credentials and NetNTLM challenge/response. | initstring | 233 |
| 114 | chaos-ssm-documents | Collection of AWS SSM Documents to perform Chaos Engineering experiments | adhorn | 233 |
| 115 | chameleon | PowerShell Script Obfuscator | klezVirus | 218 |
| 116 | PKINITtools | Tools for Kerberos PKINIT and relaying to AD CS | dirkjanm | 216 |
| 117 | experiments | Expriments | commial | 205 |
| 118 | attack_data | A repository of curated datasets from various attacks | splunk | 203 |
| 119 | HoneyCreds | HoneyCreds network credential injection to detect responder and other network poisoners. | Ben0xA | 190 |
| 120 | Collabfiltrator | Exfiltrate blind remote code execution output over DNS via Burp Collaborator. | 0xC01DF00D | 185 |
| 121 | FSEventsParser | Parser for OSX/iOS FSEvents Logs | dlcowen | 182 |
| 122 | thetick | A simple embedded Linux backdoor. | nccgroup | 179 |
| 123 | kerberoast | Kerberoast attack -pure python- | skelsec | 174 |
| 124 | Zircolite | A standalone SIGMA-based detection tool for EVTX. | wagga40 | 158 |
| 125 | CVE-2021-38647 | Proof on Concept Exploit for CVE-2021-38647 (OMIGOD) | horizon3ai | 157 |
| 126 | ntlmscan | scan for NTLM directories | nyxgeek | 154 |
| 127 | pybeacon | A collection of scripts for dealing with Cobalt Strike beacons in Python | nccgroup | 152 |
| 128 | ADFSpoof | mandiant | 143 | |
| 129 | adfsbrute | A script to test credentials against Active Directory Federation Services (ADFS), allowing password spraying or bruteforce attacks. | ricardojoserf | 111 |
| 130 | icmpdoor | ICMP Reverse Shell written in Python 3 and with Scapy (backdoor/rev shell) | krabelize | 110 |
| 131 | attack-coverage | an excel-centric approach for the MITRE ATT&CK® Tactics and Techniques | RealityNet | 109 |
| 132 | bloodhound-quickwin | Simple script to extract useful informations from the combo BloodHound + Neo4j | kaluche | 103 |
| 133 | security-stack-mappings | This project empowers defenders with independent data on which native security controls of leading technology platforms are most useful in defending against the adversary TTPs they care about. | center-for-threat-informed-defense | 93 |
| 134 | dfir-toolset | Dump of organized knowledge on DFIR | marcurdy | 87 |
| 135 | attack2jira | attack2jira automates the process of standing up a Jira environment that can be used to track and measure ATT&CK coverage | mvelazc0 | 83 |
| 136 | alert_manager | Splunk Alert Manager with advanced reporting on alerts, workflows (modify assignee, status, severity) and auto-resolve features | alertmanager | 75 |
| 137 | SuperMem | A python script developed to process Windows memory images based on triage type. | CrowdStrike | 74 |
| 138 | Sigma2SplunkAlert | Converts Sigma detection rules to a Splunk alert configuration. | P4T12ICK | 72 |
| 139 | Jir-Thief | A Red Team tool for exfiltrating sensitive data from Jira tickets. | antman1p | 59 |
| 140 | SIEGMA | SIEGMA - Transform Sigma rules into SIEM consumables | 3CORESec | 53 |
| 141 | cobaltstrike-config-extractor | Cobalt Strike Beacon configuration extractor and parser. | strozfriedberg | 52 |
| 142 | OSSEM-DM | OSSEM Detection Model | OTRF | 52 |
| 143 | mdatp-xplat | Microsoft Defender for macOS/Linux - config samples, auxiliary tools | microsoft | 39 |
| 144 | DSStoreParser | macOS .DS_Store Parser | nicoleibrahim | 30 |
| 145 | Automata | Automatic detection engineering technical state compliance | 3CORESec | 28 |
| 146 | greppin-logs | 2021 SANS DFIR Summit: Greppin' Logs | strozfriedberg | 19 |
| 147 | splunk_pstree_app | Custom Splunk search command to reconstruct a pstree from Sysmon process creation events (EventCode 1) | murchisd | 16 |
| 148 | PrintNightmare | Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) | ollypwn | 15 |
| 149 | AzureAD-incident-response | Notes on responding to security breaches relating to Azure AD | WillOram | 15 |
| 150 | Frack | Frack - Keep and Maintain your breach data | sensepost | 12 |
| 151 | phantom-community-projects | This repo represents work the Phantom Community collaborates on to build apps and learn. | phantomcyber | 11 |
| 152 | starred | creating your own Awesome List by GitHub stars! | 1132719438 | 10 |
| 153 | PowerChunker | Bypass AMSI via PowerShell by splitting a file into multiple chunks | icyguider | 8 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | oletools | oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging. | decalage2 | 1737 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | windows-event-forwarding | A repository for using windows event forwarding for incident detection and response | palantir | 941 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | metasploit-framework | Metasploit Framework | rapid7 | 25170 |
| 2 | evil-winrm | The ultimate WinRM shell for hacking/pentesting | Hackplayers | 2106 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | ripgrep | ripgrep recursively searches directories for a regex pattern while respecting your gitignore | BurntSushi | 27290 |
| 2 | chainsaw | Rapidly Search and Hunt through Windows Event Logs | countercept | 628 |
| 3 | laurel | Transform Linux Audit logs for SIEM usage | threathunters-io | 193 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | TheHive | TheHive: a Scalable, Open Source and Free Security Incident Response Platform | TheHive-Project | 2182 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | og-aws | 📙 Amazon Web Services — a practical guide | open-guides | 30064 |
| 2 | azure-quickstart-templates | Azure Quickstart Templates | Azure | 10890 |
| 3 | lynis | Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional. | CISOfy | 8846 |
| 4 | my-arsenal-of-aws-security-tools | List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc. | toniblyx | 6282 |
| 5 | ctf-tools | Some setup scripts for security research tools. | zardus | 5994 |
| 6 | LinEnum | Scripted Local Linux Enumeration & Privilege Escalation Checks | rebootuser | 4449 |
| 7 | airgeddon | This is a multi-use bash script for Linux systems to audit wireless networks. | v1s1t0r1sh3r3 | 3643 |
| 8 | spectre-meltdown-checker | Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad vulnerability/mitigation checker for Linux & BSD | speed47 | 3460 |
| 9 | linux-exploit-suggester | Linux privilege escalation auditing tool | mzet- | 2921 |
| 10 | server-configs-apache | Apache HTTP server boilerplate configs | h5bp | 2885 |
| 11 | nanorc | Improved Nano Syntax Highlighting Files | scopatz | 2291 |
| 12 | nginx-ultimate-bad-bot-blocker | Nginx Block Bad Bots, Spam Referrer Blocker, Vulnerability Scanners, User-Agents, Malware, Adware, Ransomware, Malicious Sites, with anti-DDOS, Wordpress Theme Detector Blocking and Fail2Ban Jail for Repeat Offenders | mitchellkrogza | 2241 |
| 13 | linux-smart-enumeration | Linux enumeration tool for pentesting and CTFs with verbosity levels | diego-treitos | 1809 |
| 14 | SUDO_KILLER | A tool to identify and exploit sudo rules' misconfigurations and vulnerabilities within sudo for linux privilege escalation. | TH3xACE | 1286 |
| 15 | pwncat | pwncat - netcat on steroids with Firewall, IDS/IPS evasion, bind and reverse shell, self-injecting shell and port forwarding magic - and its fully scriptable with Python (PSE) | cytopia | 1151 |
| 16 | BruteX | Automatically brute force all services running on a target. | 1N3 | 1117 |
| 17 | lme | Logging Made Easy | ukncsc | 563 |
| 18 | clamav-unofficial-sigs | ClamAV Unofficial Signatures Updater maintained by eXtremeSHOK.com | extremeshok | 436 |
| 19 | Azure-Red-Team | Azure Security Resources and Notes | rootsecdev | 259 |
| 20 | uac | UAC (Unix-like Artifacts Collector) is a Live Response collection tool for Incident Reponse that makes use of built-in tools to automate the collection of Unix-like systems artifacts. Supported systems: AIX, FreeBSD, Linux, macOS, NetBSD, Netscaler, OpenBSD and Solaris. | tclahr | 101 |
| 21 | RTOVMSetup | ZeroPointSecurity | 59 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | sans-indexes | Indexes for SANS Courses and GIAC Certifications | ancailliau | 44 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | n8n | Free and open fair-code licensed node based Workflow Automation Tool. Easily automate tasks across different services. | n8n-io | 17862 |
| 2 | fingerprintjs | Browser fingerprinting library with the highest accuracy and stability. | fingerprintjs | 14825 |
| 3 | feathers | A framework for real-time applications and REST APIs with JavaScript and TypeScript | feathersjs | 13600 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | VBA-RunPE | A VBA implementation of the RunPE technique or how to bypass application whitelisting. | itm4n | 587 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | LOLBAS | Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) | LOLBAS-Project | 3407 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | rules | Repository of yara rules | Yara-Rules | 2755 |
| 2 | APT_CyberCriminal_Campagin_Collections | APT & CyberCriminal Campaign Collection | CyberMonitor | 2478 |
| 3 | signature-base | Signature base for my scanner tools | Neo23x0 | 1412 |
| 4 | DidierStevensSuite | Please no pull requests for this repository. Thanks! | DidierStevens | 1006 |
| 5 | Mitigating-Web-Shells | Guidance for mitigation web shells. #nsacyber | nsacyber | 782 |
| 6 | ThreatHunting | Tools for hunting for threats. | GossiTheDog | 266 |
| 7 | YaraHunts | Random hunting ordiented yara rules | sbousseaden | 79 |
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent