• https://medium.com/mitre-attack/getting-started-with-attack-red-29f074ccf7e3
• https://attack.mitre.org/resources/adversary-emulation-plans/
• https://www.nviso.eu/en/service/21/adversary-emulation#:~:text=Adversary%20emulation%20aims%20to%20test,targets%20in%20a%20continuous%20fashion.
• https://www.dxc.technology/security/insights/147214-adversary_emulation_measure_your_ability_to_detect_attackers
• https://www.scythe.io/library/introduction-to-adversary-emulation
• https://www.cybereason.com/blog/what-are-adversary-emulation-plans
• https://hackerculture.com.br/?p=1047
• https://depthsecurity.com/assessments/adversary-emulation
• https://obscuritylabs.com/adversary-emulation/
• https://av.tib.eu/media/49170

• PowerView is a PowerShell tool to gain network situational awareness on Windows domains. https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
• Get-GPPPassword Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
• Invoke-ACLpwn is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured. https://github.com/fox-it/Invoke-ACLPwn
• BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. https://github.com/BloodHoundAD/BloodHound
• PyKEK (Python Kerberos Exploitation Kit), a python library to manipulate KRB5-related data. https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
• Grouper a PowerShell script for helping to find vulnerable settings in AD Group Policy. https://github.com/l0ss/Grouper
• ADRecon is a tool which extracts various artifacts (as highlighted below) out of an AD environment in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis. https://github.com/sense-of-security/ADRecon
• ADACLScanner one script for ACL's in Active Directory. https://github.com/canix1/ADACLScanner
• ACLight a useful script for advanced discovery of Domain Privileged Accounts that could be targeted - including Shadow Admins. https://github.com/cyberark/ACLight
• LAPSToolkit a tool to audit and attack LAPS environments. https://github.com/leoloobeek/LAPSToolkit
• PingCastle is a free, Windows-based utility to audit the risk level of your AD infrastructure and check for vulnerable practices. https://www.pingcastle.com/download
• RiskySPNs is a collection of PowerShell scripts focused on detecting and abusing accounts associated with SPNs (Service Principal Name). https://github.com/cyberark/RiskySPN
• Mystique is a PowerShell tool to play with Kerberos S4U extensions, this module can assist blue teams to identify risky Kerberos delegation configurations as well as red teams to impersonate arbitrary users by leveraging KCD with Protocol Transition. https://github.com/machosec/Mystique
• Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy's Kekeo project. https://github.com/GhostPack/Rubeus
• kekeo is a little toolbox I have started to manipulate Microsoft Kerberos in C (and for fun). https://github.com/gentilkiwi/kekeo

• UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. https://github.com/hfiref0x/UACME
• windows-kernel-exploits a collection windows kernel exploit. https://github.com/SecWiki/windows-kernel-exploits
• PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations. https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
• The Elevate Kit demonstrates how to use third-party privilege escalation attacks with Cobalt Strike's Beacon payload. https://github.com/rsmudge/ElevateKit
• Sherlock a powerShell script to quickly find missing software patches for local privilege escalation vulnerabilities. https://github.com/rasta-mouse/Sherlock
• Tokenvator a tool to elevate privilege with Windows Tokens. https://github.com/0xbadjuju/Tokenvator

• https://osintframework.com/
• https://en.wikipedia.org/wiki/Doxing
• https://github.com/HackingEnVivo/Doxing
• https://www.maltego.com/blog/investigating-ta413-threat-actor-group-using-opencti-in-maltego/

• Active Intelligence Gathering

  • EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible. https://github.com/ChrisTruncer/EyeWitness
  • AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for loot. https://github.com/jordanpotti/AWSBucketDump
  • AQUATONE is a set of tools for performing reconnaissance on domain names. https://github.com/michenriksen/aquatone
  • spoofcheck a program that checks if a domain can be spoofed from. The program checks SPF and DMARC records for weak configurations that allow spoofing. https://github.com/BishopFox/spoofcheck
  • Nmap is used to discover hosts and services on a computer network, thus building a "map" of the network. https://github.com/nmap/nmap
  • dnsrecon a tool DNS Enumeration Script. https://github.com/darkoperator/dnsrecon
  • dirsearch is a simple command line tool designed to brute force directories and files in websites. https://github.com/maurosoria/dirsearch
  • Sn1per automated pentest recon scanner. https://github.com/1N3/Sn1per

• Passive Intelligence Gathering

  • Social Mapper OSINT Social Media Mapping Tool, takes a list of names & images (or LinkedIn company name) and performs automated target searching on a huge scale across multiple social media sites. Not restricted by APIs as it instruments a browser using Selenium. Outputs reports to aid in correlating targets across sites. https://github.com/SpiderLabs/social_mapper
  • skiptracer OSINT scraping framework, utilizes some basic python webscraping (BeautifulSoup) of PII paywall sites to compile passive information on a target on a ramen noodle budget. https://github.com/xillwillx/skiptracer
  • FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans. https://github.com/ElevenPaths/FOCA
  • theHarvester is a tool for gathering subdomain names, e-mail addresses, virtual hosts, open ports/ banners, and employee names from different public sources. https://github.com/laramies/theHarvester
  • Metagoofil is a tool for extracting metadata of public documents (pdf,doc,xls,ppt,etc) availables in the target websites. https://github.com/laramies/metagoofil
  • SimplyEmail Email recon made fast and easy, with a framework to build on. https://github.com/killswitch-GUI/SimplyEmail
  • truffleHog searches through git repositories for secrets, digging deep into commit history and branches. https://github.com/dxa4481/truffleHog
  • Just-Metadata is a tool that gathers and analyzes metadata about IP addresses. It attempts to find relationships between systems within a large dataset. https://github.com/ChrisTruncer/Just-Metadata
  • typofinder a finder of domain typos showing country of IP address. https://github.com/nccgroup/typofinder
  • pwnedOrNot is a python script which checks if the email account has been compromised in a data breach, if the email account is compromised it proceeds to find passwords for the compromised account. https://github.com/thewhiteh4t/pwnedOrNot
  • GitHarvester This tool is used for harvesting information from GitHub like google dork. https://github.com/metac0rtex/GitHarvester
  • pwndb is a python command-line tool for searching leaked credentials using the Onion service with the same name. https://github.com/davidtavarez/pwndb/
  • LinkedInt LinkedIn Recon Tool. https://github.com/vysecurity/LinkedInt
  • CrossLinked LinkedIn enumeration tool to extract valid employee names from an organization through search engine scraping. https://github.com/m8r0wn/CrossLinked
  • findomain is a fast domain enumeration tool that uses Certificate Transparency logs and a selection of APIs. https://github.com/Edu4rdSHL/findomain

• Framework

  • Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. https://www.paterva.com/web7/downloads.php
  • SpiderFoot the open source footprinting and intelligence-gathering tool. https://github.com/smicallef/spiderfoot
  • datasploit is an OSINT Framework to perform various recon techniques on Companies, People, Phone Number, Bitcoin Addresses, etc., aggregate all the raw data, and give data in multiple formats. https://github.com/DataSploit/datasploit
  • Recon-ng is a full-featured Web Reconnaissance framework written in Python. https://bitbucket.org/LaNMaSteR53/recon-ng

• King Phisher is a tool for testing and promoting user awareness by simulating real world phishing attacks. https://github.com/securestate/king-phisher
• FiercePhish is a full-fledged phishing framework to manage all phishing engagements. It allows you to track separate phishing campaigns, schedule sending of emails, and much more. https://github.com/Raikia/FiercePhish
• ReelPhish is a Real-Time Two-Factor Phishing Tool. https://github.com/fireeye/ReelPhish/
• Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training. https://github.com/gophish/gophish
• CredSniper is a phishing framework written with the Python micro-framework Flask and Jinja2 templating which supports capturing 2FA tokens. https://github.com/ustayready/CredSniper
• PwnAuth a web application framework for launching and managing OAuth abuse campaigns. https://github.com/fireeye/PwnAuth
• Phishing Frenzy Ruby on Rails Phishing Framework. https://github.com/pentestgeek/phishing-frenzy
• Phishing Pretexts a library of pretexts to use on offensive phishing engagements. https://github.com/L4bF0x/PhishingPretexts
• Modlishka is a flexible and powerful reverse proxy, that will take your ethical phishing campaigns to the next level. https://github.com/drk1wi/Modlishka
• Evilginx2 is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. https://github.com/kgretzky/evilginx2

• BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. https://github.com/beefproject/beef

• Remote Access Tools
• Cobalt Strike is software for Adversary Simulations and Red Team Operations. https://cobaltstrike.com/
• Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent. https://github.com/EmpireProject/Empire
• Metasploit Framework is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. https://github.com/rapid7/metasploit-framework
• SILENTTRINITY A post-exploitation agent powered by Python, IronPython, C#/.NET. https://github.com/byt3bl33d3r/SILENTTRINITY
• Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python. https://github.com/n1nj4sec/pupy
• Koadic or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. https://github.com/zerosum0x0/koadic
• PoshC2 is a proxy aware C2 framework written completely in PowerShell to aid penetration testers with red teaming, post-exploitation and lateral movement. https://github.com/nettitude/PoshC2_Python
• Gcat a stealthy Python based backdoor that uses Gmail as a command and control server. https://github.com/byt3bl33d3r/gcat
• TrevorC2 is a legitimate website (browsable) that tunnels client/server communications for covert command execution. https://github.com/trustedsec/trevorc2
• Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. https://github.com/Ne0nd0g/merlin
• Quasar is a fast and light-weight remote administration tool coded in C#. Providing high stability and an easy-to-use user interface, Quasar is the perfect remote administration solution for you. https://github.com/quasar/QuasarRAT
• Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. https://github.com/cobbr/Covenant
• FactionC2 is a C2 framework which use websockets based API that allows for interacting with agents and transports. https://github.com/FactionC2/
• DNScat2 is a tool is designed to create an encrypted command-and-control (C&C) channel over the DNS protocol. https://github.com/iagox86/dnscat2
• Sliver is a general purpose cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS. https://github.com/BishopFox/sliver
• EvilOSX An evil RAT (Remote Administration Tool) for macOS / OS X. https://github.com/Marten4n6/EvilOSX
• EggShell is a post exploitation surveillance tool written in Python. It gives you a command line session with extra functionality between you and a target machine. https://github.com/neoneggplant/EggShell
• https://github.com/CyberSecurityUP/Trevorfuscation

• Rapid Attack Infrastructure (RAI) Red Team Infrastructure... Quick... Fast... Simplified One of the most tedious phases of a Red Team Operation is usually the infrastructure setup. This usually entails a teamserver or controller, domains, redirectors, and a Phishing server. https://github.com/obscuritylabs/RAI
• Red Baron is a set of modules and custom/third-party providers for Terraform which tries to automate creating resilient, disposable, secure and agile infrastructure for Red Teams. https://github.com/byt3bl33d3r/Red-Baron
• EvilURL generate unicode evil domains for IDN Homograph Attack and detect them. https://github.com/UndeadSec/EvilURL
• Domain Hunter checks expired domains, bluecoat categorization, and Archive.org history to determine good candidates for phishing and C2 domain names. https://github.com/threatexpress/domainhunter
• PowerDNS is a simple proof of concept to demonstrate the execution of PowerShell script using DNS only. https://github.com/mdsecactivebreach/PowerDNS
• Chameleon a tool for evading Proxy categorisation. https://github.com/mdsecactivebreach/Chameleon
• CatMyFish Search for categorized domain that can be used during red teaming engagement. Perfect to setup whitelisted domain for your Cobalt Strike beacon C&C. https://github.com/Mr-Un1k0d3r/CatMyFish
• Malleable C2 is a domain specific language to redefine indicators in Beacon's communication. https://github.com/rsmudge/Malleable-C2-Profiles
• Malleable-C2-Randomizer This script randomizes Cobalt Strike Malleable C2 profiles through the use of a metalanguage, hopefully reducing the chances of flagging signature-based detection controls. https://github.com/bluscreenofjeff/Malleable-C2-Randomizer
• FindFrontableDomains search for potential frontable domains. https://github.com/rvrsh3ll/FindFrontableDomains
• Postfix-Server-Setup Setting up a phishing server is a very long and tedious process. It can take hours to setup, and can be compromised in minutes. https://github.com/n0pe-sled/Postfix-Server-Setup
• DomainFrontingLists a list of Domain Frontable Domains by CDN. https://github.com/vysec/DomainFrontingLists
• Apache2-Mod-Rewrite-Setup Quickly Implement Mod-Rewrite in your infastructure. https://github.com/n0pe-sled/Apache2-Mod-Rewrite-Setup
• mod_rewrite rule to evade vendor sandboxes. https://gist.github.com/curi0usJack/971385e8334e189d93a6cb4671238b10
• external_c2 framework a python framework for usage with Cobalt Strike's External C2. https://github.com/Und3rf10w/external_c2_framework
• Malleable-C2-Profiles A collection of profiles used in different projects using Cobalt Strike https://www.cobaltstrike.com/. https://github.com/xx0hcd/Malleable-C2-Profiles
• ExternalC2 a library for integrating communication channels with the Cobalt Strike External C2 server. https://github.com/ryhanson/ExternalC2
• cs2modrewrite a tools for convert Cobalt Strike profiles to modrewrite scripts. https://github.com/threatexpress/cs2modrewrite
• e2modrewrite a tools for convert Empire profiles to Apache modrewrite scripts. https://github.com/infosecn1nja/e2modrewrite
• redi automated script for setting up CobaltStrike redirectors (nginx reverse proxy, letsencrypt). https://github.com/taherio/redi
• cat-sites Library of sites for categorization. https://github.com/audrummer15/cat-sites
• ycsm is a quick script installation for resilient redirector using nginx reverse proxy and letsencrypt compatible with some popular Post-Ex Tools (Cobalt Strike, Empire, Metasploit, PoshC2). https://github.com/infosecn1nja/ycsm
• Domain Fronting Google App Engine. https://github.com/redteam-cyberark/Google-Domain-fronting
• DomainFrontDiscover Scripts and results for finding domain frontable CloudFront domains. https://github.com/peewpw/DomainFrontDiscover
• Automated Empire Infrastructure https://github.com/bneg/RedTeam-Automation
• Serving Random Payloads with NGINX. https://gist.github.com/jivoi/a33ace2e25515a31aa2ffbae246d98c9
• meek is a blocking-resistant pluggable transport for Tor. It encodes a data stream as a sequence of HTTPS requests and responses. https://github.com/arlolra/meek
• CobaltStrike-ToolKit Some useful scripts for CobaltStrike. https://github.com/killswitch-GUI/CobaltStrike-ToolKit
• mkhtaccess_red Auto-generate an HTaccess for payload delivery -- automatically pulls ips/nets/etc from known sandbox companies/sources that have been seen before, and redirects them to a benign payload. https://github.com/violentlydave/mkhtaccess_red
• RedFile a flask wsgi application that serves files with intelligence, good for serving conditional RedTeam payloads. https://github.com/outflanknl/RedFile
• keyserver Easily serve HTTP and DNS keys for proper payload protection. https://github.com/leoloobeek/keyserver
• DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH). This is built for the popular Adversary Simulation and Red Team Operations Software Cobalt Strike (https://www.cobaltstrike.com). https://github.com/SpiderLabs/DoHC2
• HTran is a connection bouncer, a kind of proxy server. A “listener” program is hacked stealthily onto an unsuspecting host anywhere on the Internet. https://github.com/HiwinCN/HTran

• PERSISTENT RED TEAM OPERATIONS™
• Our team has the capabilities and experience to run long-term persistent style Red Team engagements spanning up to 6 months in length. This capability is rarely found in our industry and pushes some companies boundaries to produce actual threat and adversary replication.
• STRATEGIC ENGAGEMENT PLANNING
• Whether you want a Black Box or Purple Team style engagement, our seasoned Red Team Operators and Management team can help you design and deliver your organization the ideal test. At Obscurity Labs, we understand that it’s about more than just breaking defensives. It’s about helping identify security control and operational gaps that will prevent you from the next breach.
• WHITE CELL COLLABORATION
• Communication is critical to the success of Red Team operations. We take this real-time communication aspect very seriously and provide direct access to Obscurity Labs resources for deconfliction and strategic and tactical decision processes. Our goal is to ensure our customer has the proper channels for escalation and clear guidelines in place.
• ENVIRONMENT STRENGTH OBSERVATIONS
• During the assessment, the Red Ream often encounters security controls that prevent or forces the team to adapt to the environment. These strengths should be noted and lauded. An organization that understands its strengths will have a more significant impact on the overall security of the network. Our team always captures these for future reporting so your security team has the best data on which tools and processes had a high rate of success.
• GAP & RISK ANALYSIS
• During Red Team operations, our team will become extremely familiar with your environment, key cyber terrain, and business unit operations. Our team does this to ensure we can provide unbiased risk and gap based analysis of our findings. We provide key finding details and detection recommendations as part of our deliverables.
• EXECUTIVE OUT-BRIEF SUPPORT
• One of the overlooked components of offensive engagements is providing executive leadership and stakeholders vulnerabilities, metrics, and outcomes during the reporting stage. Obscurity Labs provides on-site or virtual out-briefs to executive leadership tailored to the business unit’s requirements. We use this time to ensure the narrative of the test outcomes are properly received and understood.
• CUSTOM ROE
• Our service adapts to most of today’s threats and can successfully provide you with real-world emulation of those threats. With that comes extensive paper-work! We make it easy by filling out a form to which we provide a custom ROE based on the on-boarding and scoping process, which ensures we protect you from unnecessary actions that can cause impact to your business’s operations. We provide descriptions and expert guidance when planning your next Red Team!
• DOCUMENTATION & REPORTING
• We provide custom-tailored reporting in the format you prefer.
• ON-TAP SECURITY CONSULTING™
• When you enroll in an Adversary Emulation Engagement™ with our team you gain exclusive access to our On-tap Security Consulting team™. This lets you know we stick with you the entire year, summarize, perform a quick analysis of duplicates. Ask our team about any security concerns, implementation, or ways to improve. We are here to help you! We are more than a pentest company!

• MITRE CALDERA - An automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. https://github.com/mitre/caldera
• APTSimulator - A Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised. https://github.com/NextronSystems/APTSimulator
• Atomic Red Team - Small and highly portable detection tests mapped to the Mitre ATT&CK Framework. https://github.com/redcanaryco/atomic-red-team
• Network Flight Simulator - flightsim is a lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility. https://github.com/alphasoc/flightsim
• Metta - A security preparedness tool to do adversarial simulation. https://github.com/uber-common/metta
• Red Team Automation (RTA) - RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK. https://github.com/endgameinc/RTA

• https://www.thec2matrix.com/matrix

  • Ares
  • AsyncRAT-C#
  • BabyShark
  • BlackMamba
  • Brute Ratel
  • C3
  • CALDERA
  • Callidus
  • CHAOS
  • Cobalt Strike
  • Covenant
  • Dali
  • DarkFinger
  • DBC2
  • DeimosC2
  • Eggshell
  • Empire
  • EvilOSX
  • Faction C2
  • FlyingAFalseFlag
  • FudgeC2
  • godoh
  • GRAT2
  • HARS
  • HTTP-RevShell
  • ibombshell
  • INNUENDO
  • Koadic C3
  • MacC2
  • MacShellSwift
  • Merlin
  • Metasploit
  • Meterpeter
  • MicroBackdoor
  • MikeC2
  • Mistica
  • Mythic
  • Ninja
  • NorthStarC2
  • Nuages
  • Octopus
  • Oyabun C2
  • PetaQ
  • PoshC2
  • PowerHub
  • Prelude
  • Prismatica
  • Proton
  • Pupy
  • QuasarRAT
  • RATel
  • Red Team Toolkit
  • redViper
  • ReverseTCPShell
  • sak1to-shell
  • SCYTHE
  • Serpentine
  • Shad0w
  • Shadow Workers
  • SharpC2
  • SilentTrinity
  • SK8PARK/RAT
  • Slack-C2Bot
  • Slackor
  • Sliver
  • Throwback
  • ThunderShell
  • Trevor C2
  • Void-RAT
  • Voodoo
  • WEASEL

XMind - Evaluation Version