My cyber security incident response (CSIRT) related stuff by xknow_infosec
- Microsoft Defender 365 raw data/all tables schema (streaming export API overview)
- ThreatIntel.de News (InfoSec news for SOC/CSIRT employees)
- Batchfile (5)
- Bicep (1)
- Boo (1)
- C (47)
- C# (75)
- C++ (26)
- CSS (5)
- Dockerfile (1)
- Go (11)
- HCL (1)
- HTML (11)
- Haskell (1)
- Inno Setup (1)
- Java (3)
- JavaScript (16)
- Jinja (1)
- Jupyter Notebook (4)
- Lua (2)
- Others (86)
- PHP (3)
- Perl (2)
- PowerShell (83)
- Python (128)
- Rich Text Format (1)
- Roff (1)
- Ruby (2)
- Rust (1)
- Scala (1)
- Shell (18)
- TypeScript (3)
- VBA (1)
- XSLT (1)
- YARA (8)
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | KMS_VL_ALL_AIO | Smart Activation Script | abbodi1406 | 1328 |
| 2 | Powerless | Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind | M4ximuss | 413 |
| 3 | wifi-passview | An open source batch script based WiFi Passview for Windows! | WarenGonzaga | 167 |
| 4 | EDR-Testing-Script | Test the accuracy of Endpoint Detection and Response (EDR) software with simple script which executes various ATT&CK/LOLBAS/Invoke-CradleCrafter/Invoke-DOSfuscation payloads | op7ic | 145 |
| 5 | TA-Sysmon-deploy | Deploy and maintain Symon through the Splunk Deployment Sever | olafhartong | 27 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | Enterprise-Scale | The Enterprise-Scale architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture | Azure | 680 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | SILENTTRINITY | An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR | byt3bl33d3r | 1652 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | netdata | Real-time performance monitoring, done right! https://www.netdata.cloud | netdata | 55157 |
| 2 | masscan | TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes. | robertdavidgraham | 15542 |
| 3 | mimikatz | A little tool to play with Windows security | gentilkiwi | 13421 |
| 4 | hashcat | World's fastest and most advanced password recovery utility | hashcat | 10123 |
| 5 | borg | Deduplicating archiver with compression and authenticated encryption. | borgbackup | 7382 |
| 6 | exploitdb | The official Exploit Database repository | offensive-security | 6224 |
| 7 | windows-kernel-exploits | windows-kernel-exploits Windows平台提权漏洞集合 | SecWiki | 5511 |
| 8 | yara | The pattern matching swiss knife | VirusTotal | 4822 |
| 9 | linux-kernel-exploits | linux-kernel-exploits Linux平台提权漏洞集合 | SecWiki | 3999 |
| 10 | iodine | Official git repo for iodine dns tunnel | yarrick | 3771 |
| 11 | UACME | Defeating Windows User Account Control | hfiref0x | 3549 |
| 12 | mimipenguin | A tool to dump the login password from the current linux user | huntergregal | 3021 |
| 13 | nDPI | Open Source Deep Packet Inspection Software Toolkit | ntop | 2543 |
| 14 | ProcDump-for-Linux | A Linux version of the ProcDump Sysinternals tool | Sysinternals | 2398 |
| 15 | pcileech | Direct Memory Access (DMA) Attack Software | ufrisk | 2268 |
| 16 | pafish | Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do. | a0rtega | 1876 |
| 17 | AFLplusplus | The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more! | AFLplusplus | 1875 |
| 18 | OSCPRepo | A list of commands, scripts, resources, and more that I have gathered and attempted to consolidate for use as OSCP (and more) study material. Commands in 'Usefulcommands' Keepnote. Bookmarks and reading material in 'BookmarkList' CherryTree. Reconscan Py2 and Py3. Custom ISO building. | rewardone | 1762 |
| 19 | Reptile | LKM Linux rootkit | f0rb1dd3n | 1630 |
| 20 | donut | Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters | TheWover | 1573 |
| 21 | passivedns | A network sniffer that logs all DNS server replies for use in a passive DNS setup | gamelinux | 1459 |
| 22 | headers-more-nginx-module | Set, add, and clear arbitrary output headers in NGINX http servers | openresty | 1296 |
| 23 | shad0w | A post exploitation framework designed to operate covertly on heavily monitored environments | bats3c | 1295 |
| 24 | hollows_hunter | Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches). | hasherezade | 901 |
| 25 | WinObjEx64 | Windows Object Explorer 64-bit | hfiref0x | 858 |
| 26 | kekeo | A little toolbox to play with Microsoft Kerberos in C | gentilkiwi | 810 |
| 27 | PEzor | Open-Source PE Packer | phra | 767 |
| 28 | EDRs | Mr-Un1k0d3r | 746 | |
| 29 | Dumpert | LSASS memory dumper using direct system calls and API unhooking. | outflanknl | 728 |
| 30 | KDU | Kernel Driver Utility | hfiref0x | 613 |
| 31 | RemotePotato0 | Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin. | antonioCoco | 610 |
| 32 | SyscallTables | Windows NT x64 Syscall tables | hfiref0x | 518 |
| 33 | RoguePotato | Another Windows Local Privilege Escalation from Service Account to System | antonioCoco | 468 |
| 34 | Ghost-In-The-Logs | Evade sysmon and windows event logging | bats3c | 451 |
| 35 | Backstab | A tool to kill antimalware protected processes | Yaxser | 413 |
| 36 | DarkLoadLibrary | LoadLibrary for offensive operations | bats3c | 397 |
| 37 | adversary_emulation_library | An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs. | center-for-threat-informed-defense | 390 |
| 38 | RedTeamCCode | Red Team C code repo | Mr-Un1k0d3r | 342 |
| 39 | PPLdump | Dump the memory of a PPL with a userland exploit | itm4n | 316 |
| 40 | linikatz | linikatz is a tool to attack AD on UNIX | CiscoCXSecurity | 294 |
| 41 | SCDBG | note: current build is VS_LIBEMU project. This cross platform gcc build is for Linux users but is no longer updated. modification of the libemu sctest project to add basic debugger capabilities and more output useful for manual RE. The newer version will run under WINE | dzzie | 183 |
| 42 | awesome-csirt | Awesome CSIRT is an curated list of links and resources in security and CSIRT daily activities. | Spacial | 177 |
| 43 | DLLPasswordFilterImplant | DLL Password Filter Implant with Exfiltration Capabilities | GoSecure | 114 |
| 44 | RpcSsImpersonator | Privilege Escalation Via RpcSs svc | sailay1996 | 113 |
| 45 | BOFs | Cobalt Strike Beacon Object Files | guervild | 99 |
| 46 | ditsnap | An inspection tool for Active Directory database | yosqueoy | 69 |
| 47 | InlineExecute-Assembly | InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strikes traditional fork and run execute-assembly module | anthemtotheego | 62 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | PowerShell | PowerShell for every system! | PowerShell | 27693 |
| 2 | ILSpy | .NET Decompiler with support for PDB generation, ReadyToRun, Metadata (&more) - cross-platform! | icsharpcode | 13010 |
| 3 | privilege-escalation-awesome-scripts-suite | PEASS - Privilege Escalation Awesome Scripts SUITE (with colors) | carlospolop | 5766 |
| 4 | mRemoteNG | mRemoteNG is the next generation of mRemote, open source, tabbed, multi-protocol, remote connections manager. | mRemoteNG | 5467 |
| 5 | Covenant | Covenant is a collaborative .NET C2 framework for red teamers. | cobbr | 2466 |
| 6 | ysoserial.net | Deserialization payload generator for a variety of .NET formatters | pwntester | 1787 |
| 7 | Seatbelt | Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. | GhostPack | 1699 |
| 8 | BruteShark | Network Analysis Tool | odedshimon | 1501 |
| 9 | Rubeus | Trying to tame the three-headed dog. | GhostPack | 1488 |
| 10 | SharpSploit | SharpSploit is a .NET post-exploitation library written in C# | cobbr | 1256 |
| 11 | CVE-2021-1675 | C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527 | cube0x0 | 1140 |
| 12 | DefenderCheck | Identifies the bytes that Microsoft Defender flags on. | matterpreter | 1133 |
| 13 | PowerShdll | Run PowerShell with rundll32. Bypass software restrictions. | p3nt4 | 1123 |
| 14 | AggressorScripts | Collection of Aggressor scripts for Cobalt Strike 3.0+ pulled from multiple sources | harleyQu1nn | 1071 |
| 15 | ConfuserEx | An open-source, free protector for .NET applications | mkaring | 961 |
| 16 | Internal-Monologue | Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS | eladshamir | 958 |
| 17 | AsyncRAT-C-Sharp | Open-Source Remote Administration Tool For Windows C# (RAT) | NYAN-x-CAT | 934 |
| 18 | pingcastle | PingCastle - Get Active Directory Security at 80% in 20% of the time | vletoux | 868 |
| 19 | DSInternals | Directory Services Internals (DSInternals) PowerShell Module and Framework | MichaelGrafnetter | 861 |
| 20 | passcore | A self-service password management tool for Active Directory | unosquare | 829 |
| 21 | OffensiveCSharp | Collection of Offensive C# Tooling | matterpreter | 760 |
| 22 | Sharp-Suite | Also known by Microsoft as Knifecoat 🌶️ | FuzzySecurity | 759 |
| 23 | InveighZero | .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers | Kevin-Robertson | 619 |
| 24 | defcon27_csharp_workshop | Writing custom backdoor payloads with C# - Defcon 27 Workshop | mvelazc0 | 611 |
| 25 | SharpLocker | Pickfordmatt | 573 | |
| 26 | KeeThief | Methods for attacking KeePass 2.X databases, including extracting of encryption key material from memory. | GhostPack | 569 |
| 27 | SharpRDP | Remote Desktop Protocol .NET Console Application for Authenticated Command Execution | 0xthirteen | 553 |
| 28 | TikiTorch | Process Injection | rasta-mouse | 549 |
| 29 | SharpBlock | A method of bypassing EDR's active projection DLL's by preventing entry point exection | CCob | 539 |
| 30 | Grouper2 | Find vulnerabilities in AD Group Policy | l0ss | 524 |
| 31 | CobaltStrikeScan | Scan files or process memory for CobaltStrike beacons and parse their configuration | Apr4h | 521 |
| 32 | RedTeamCSharpScripts | C# Script used for Red Team | Mr-Un1k0d3r | 509 |
| 33 | ProcessInjection | This program is designed to demonstrate various process injection techniques | 3xpl01tc0d3r | 500 |
| 34 | SharpWMI | SharpWMI is a C# implementation of various WMI functionality. | GhostPack | 489 |
| 35 | BetterSafetyKatz | Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from gentilkiwi GitHub repo, runtime patches signatures and uses SharpSploit DInvoke to PE-Load into memory. | Flangvik | 485 |
| 36 | SharpDump | SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality. | GhostPack | 471 |
| 37 | SharpKatz | Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands | b4rtik | 460 |
| 38 | SharpNoPSExec | Get file less command execution for lateral movement. | juliourena | 434 |
| 39 | SilkETW | fireeye | 414 | |
| 40 | NetLoader | Loads any C# binary in mem, patching AMSI + ETW. | Flangvik | 409 |
| 41 | Lunar | A lightweight native DLL mapping library that supports mapping directly from memory | Dewera | 383 |
| 42 | WindowsProtocolTestSuites | ⭐⭐Join us at SNIA EMEA SDC SMB3 IO Lab 2021 (6/7-6/9): | microsoft | 380 |
| 43 | SharpSecDump | .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py | G0ldenGunSec | 355 |
| 44 | AMSITrigger | The Hunt for Malicious Strings | RythmStick | 348 |
| 45 | PurpleSharp | PurpleSharp is a C# adversary simulation tool that executes adversary techniques with the purpose of generating attack telemetry in monitored Windows environments | mvelazc0 | 342 |
| 46 | SharpHound3 | C# Data Collector for the BloodHound Project, Version 3 | BloodHoundAD | 335 |
| 47 | SharpSphere | .NET Project for Attacking vCenter | JamesCooteUK | 304 |
| 48 | ipnetwork | IPNetwork command line and C# library take care of complex network, IP, IPv4, IPv6, netmask, CIDR, subnet, subnetting, supernet, and supernetting calculation for .NET developers. It works with IPv4 as well as IPv6, is written in C#, has a light and clean API, and is fully unit-tested | lduchosal | 298 |
| 49 | BeaconHunter | Detect and respond to Cobalt Strike beacons using ETW. | 3lp4tr0n | 290 |
| 50 | SharpEDRChecker | Checks running processes, process metadata, Dlls loaded into your current process and the each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV's, EDR's and logging tools. | PwnDexter | 280 |
| 51 | SharpC2 | .NET C2 Framework Proof of Concept | SharpC2 | 271 |
| 52 | physmem2profit | Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely | FSecureLABS | 257 |
| 53 | SharpExec | anthemtotheego | 245 | |
| 54 | RunasCs | RunasCs - Csharp and open version of windows builtin runas.exe | antonioCoco | 238 |
| 55 | ThreatCheck | Identifies the bytes that Microsoft Defender / AMSI Consumer flags on. | rasta-mouse | 235 |
| 56 | SharpRDPHijack | A POC Remote Desktop (RDP) session hijack utility for disconnected sessions | bohops | 198 |
| 57 | EvtMute | Apply a filter to the events being reported by windows event logging | bats3c | 182 |
| 58 | CSExec | An implementation of PSExec in C# | malcomvetter | 181 |
| 59 | LDAPFragger | fox-it | 150 | |
| 60 | SharpUnhooker | C# Based Universal API Unhooker | GetRektBoy724 | 131 |
| 61 | EtwExplorer | View ETW Provider manifest | zodiacon | 125 |
| 62 | SyscallAmsiScanBufferBypass | AmsiScanBufferBypass using D/Invoke | S3cur3Th1sSh1t | 109 |
| 63 | SafetyDump | Dump stuff without touching disk | m0rv4i | 105 |
| 64 | SharpNukeEventLog | nuke that event log using some epic dinvoke fu | jfmaes | 98 |
| 65 | RunDLL.Net | Execute .Net assemblies using Rundll32.exe | p3nt4 | 97 |
| 66 | RunPE | C# Reflective loader for unmanaged binaries. | nettitude | 93 |
| 67 | SharpRDPDump | Create a minidump of TermService for clear text pw extraction | jfmaes | 81 |
| 68 | AzureADLateralMovement | Lateral Movement graph for Azure Active Directory | talmaor | 79 |
| 69 | SharpRDPThief | A C# implementation of RDPThief to steal credentials from RDP. | passthehashbrowns | 73 |
| 70 | NamedPipes | A pattern for client/server communication via Named Pipes via C# | malcomvetter | 71 |
| 71 | RDPThiefInject | RDPThief donut shellcode inject into mstsc | S3cur3Th1sSh1t | 55 |
| 72 | Reg1c1de | Registry permission scanner written in C# for finding potential privesc avenues within registry | deadjakk | 53 |
| 73 | UnstoppableService | A pattern for a self-installing Windows service in C# with the unstoppable attributes in C#. | malcomvetter | 50 |
| 74 | SysmonConfigPusher | Pushes Sysmon Configs | LaresLLC | 34 |
| 75 | Microsoft-Kerberos | I have created a small C# project that requests a Ticket Granting Service (TGS) ticket using KerberosSecurityTokenProvider to use for Kerberoasting and an option to request an Azure AD SSO TGS. | thalpius | 8 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | osquery | SQL powered operating system instrumentation, monitoring, and analytics. | osquery | 18062 |
| 2 | zeek | Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. | zeek | 3902 |
| 3 | al-khaser | Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection. | LordNoteworthy | 3246 |
| 4 | ProcMon-for-Linux | Procmon is a Linux reimagining of the classic Procmon tool from the Sysinternals suite of tools for Windows. Procmon provides a convenient and efficient way for Linux developers to trace the syscall activity on the system. | Sysinternals | 3101 |
| 5 | pe-sieve | Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches). | hasherezade | 1593 |
| 6 | BLUESPAWN | An Active Defense and EDR software to empower Blue Teams | ION28 | 814 |
| 7 | herpaderping | Process Herpaderping proof of concept, tool, and technical deep dive. Process Herpaderping bypasses security products by obscuring the intentions of a process. | jxy-s | 697 |
| 8 | SocksOverRDP | Socks5/4/4a Proxy support for Remote Desktop Protocol / Terminal Services / Citrix / XenApp / XenDesktop | nccgroup | 518 |
| 9 | TelemetrySourcerer | Enumerate and disable common sources of telemetry used by AV/EDR. | jthuraisamy | 439 |
| 10 | spectre | A Windows kernel-mode rootkit that abuses legitimate communication channels to control a machine. | D4stiny | 357 |
| 11 | Perfusion | Exploit for the RpcEptMapper registry key permissions vulnerability (Windows 7 / 2088R2 / 8 / 2012) | itm4n | 354 |
| 12 | krabsetw | KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions. | microsoft | 353 |
| 13 | procfilter | A YARA-integrated process denial framework for Windows | godaddy | 353 |
| 14 | AndrewSpecial | AndrewSpecial, dumping lsass' memory stealthily and bypassing "Cilence" since 2019. | hoangprod | 315 |
| 15 | PPLKiller | Tool to bypass LSA Protection (aka Protected Process Light) | RedCursorSecurityConsulting | 295 |
| 16 | Spray-AD | A Cobalt Strike tool to audit Active Directory user accounts for weak, well known or easy guessable passwords. | outflanknl | 295 |
| 17 | LsassSilentProcessExit | Command line interface to dump LSASS memory to disk via SilentProcessExit | deepinstinct | 287 |
| 18 | serpentine | C++/Win32/Boost Windows RAT (Remote Administration Tool) with a multiplatform Java/Spring RESTful C2 server and Go, C++/Qt5 frontends | jafarlihi | 263 |
| 19 | BOFs | Collection of Beacon Object Files | ajpc500 | 257 |
| 20 | PDBRipper | PDBRipper is a utility for extract an information from PDB-files. | horsicq | 193 |
| 21 | KernelForge | A library to develop kernel level Windows payloads for post HVCI era | Cr4sh | 161 |
| 22 | FalconEye | rajiv2790 | 144 | |
| 23 | Probatorum-EDR-Userland-Hook-Checker | Project to check which Nt/Zw functions your local EDR is hooking | asaurusrex | 112 |
| 24 | PrimaryTokenTheft | Steal a primary token and spawn cmd.exe using the stolen token | slyd0g | 95 |
| 25 | STFUEDR | Silence EDRs by removing kernel callbacks | lawiet47 | 88 |
| 26 | MiniDumpWriteDumpPoC | MiniDumpWriteDump behavior modification hook | Adepts-Of-0xCC | 44 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | source-code-pro | Monospaced font family for user interface and coding environments | adobe-fonts | 17374 |
| 2 | public-pentesting-reports | Curated list of public penetration test reports released by several consulting firms and academic security groups | juliocesarfort | 4693 |
| 3 | security | Stuff about it-security that might be good to know | xapax | 744 |
| 4 | SysmonCommunityGuide | TrustedSec Sysinternals Sysmon Community Guide | trustedsec | 655 |
| 5 | security | Notes and Commands for CTFs | D00MFist | 13 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | Docker-Security | Getting a handle on container security | OWASP | 426 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | rclone | "rsync for cloud storage" - Google Drive, S3, Dropbox, Backblaze B2, One Drive, Swift, Hubic, Wasabi, Google Cloud Storage, Yandex Files | rclone | 27907 |
| 2 | sops | Simple and flexible tool for managing secrets | mozilla | 7817 |
| 3 | evilginx2 | Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication | kgretzky | 4351 |
| 4 | Modlishka | Modlishka. Reverse Proxy. | drk1wi | 3382 |
| 5 | merlin | Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. | Ne0nd0g | 3290 |
| 6 | ruler | A tool to abuse Exchange services | sensepost | 1597 |
| 7 | ScareCrow | ScareCrow - Payload creation framework designed around EDR bypass. | optiv | 1112 |
| 8 | kerbrute | A tool to perform Kerberos pre-auth bruteforcing | ropnop | 994 |
| 9 | velociraptor | Digging Deeper.... | Velocidex | 837 |
| 10 | respounder | Respounder detects presence of responder in the network. | codeexpress | 262 |
| 11 | Dent | A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors. | optiv | 219 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | sentinel-attack | Tools to rapidly deploy a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK | BlueTeamLabs | 730 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | GTFOBins.github.io | GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems | GTFOBins | 4883 |
| 2 | Cerberus | A few simple, but solid patterns for responsive HTML email templates and newsletters. Even in Outlook and Gmail. | TedGoas | 4278 |
| 3 | elasticsearch-definitive-guide | The Definitive Guide to Elasticsearch | elastic | 3382 |
| 4 | DetectionLab | Automate the creation of a lab environment complete with security tooling and logging best practices | clong | 2898 |
| 5 | windows-syscalls | Windows System Call Tables (NT/2000/XP/2003/Vista/2008/7/2012/8/10) | j00ru | 1269 |
| 6 | Licensing | Microsoft 365 licensing diagrams | AaronDinnage | 976 |
| 7 | nmap-bootstrap-xsl | A Nmap XSL implementation with Bootstrap. | honze-net | 689 |
| 8 | pwnwiki.github.io | PwnWiki - The notes section of the pentesters mind. | pwnwiki | 520 |
| 9 | CSSG | Cobalt Strike Shellcode Generator | RCStep | 322 |
| 10 | APT06202001 | Applied Purple Teaming - (ITOCI4hr) - Infrastructure, Threat Optics, and Continuous Improvement - June 6, 2020 | DefensiveOrigins | 273 |
| 11 | ToolAnalysisResultSheet | Tool Analysis Result Sheet | JPCERTCC | 267 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | shellcheck | ShellCheck, a static analysis tool for shell scripts | koalaman | 25316 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | retoolkit | Reverse Engineer's Toolkit | mentebinaria | 2101 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | ysoserial | A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. | frohoff | 4264 |
| 2 | Brida | The new bridge between Burp Suite and Frida! | federicodotta | 991 |
| 3 | godofwar | GodOfWar - Malicious Java WAR builder with built-in payloads | KINGSABRI | 112 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | vue | 🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web. | vuejs | 185426 |
| 2 | bootstrap | The most popular HTML, CSS, and JavaScript framework for developing responsive, mobile first projects on the web. | twbs | 151699 |
| 3 | awesome-selfhosted | A list of Free Software network services and web applications which can be hosted on your own servers | awesome-selfhosted | 60248 |
| 4 | html5-boilerplate | A professional front-end template for building fast, robust, and adaptable web apps or sites. | h5bp | 50871 |
| 5 | video.js | Video.js - open source HTML5 & Flash video player | videojs | 31669 |
| 6 | sweetalert2 | A beautiful, responsive, highly customizable and accessible (WAI-ARIA) replacement for JavaScript's popup boxes. Zero dependencies. | sweetalert2 | 13149 |
| 7 | CyberChef | The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis | gchq | 12346 |
| 8 | awesome-wpo | 📝 A curated list of Web Performance Optimization. Everyone can contribute here! | davidsonfellipe | 7199 |
| 9 | Font-Awesome-Pro | The internet's most popular icon has been redesigned and built from scratch. | FortAwesome | 6170 |
| 10 | current-device | The easiest way to write conditional CSS and/or JavaScript based on device operating system (iOS, Android, Blackberry, Windows, Firefox OS, MeeGo), orientation (Portrait vs. Landscape), and type (Tablet vs. Mobile). | matthewhudson | 3708 |
| 11 | shhgit | Ah shhgit! Find secrets in your code. Secrets detection for your GitHub, GitLab and Bitbucket repositories: www.shhgit.com | eth0izzle | 3193 |
| 12 | pwndrop | Self-deployable file hosting service for red teamers, allowing to easily upload and share payloads over HTTP and WebDAV. | kgretzky | 1065 |
| 13 | npk | A mostly-serverless distributed hash cracking platform | Coalfire-Research | 714 |
| 14 | Fermion | Fermion, an electron wrapper for Frida & Monaco. | FuzzySecurity | 356 |
| 15 | SerializedPayloadGenerator | NotSoSecure | 32 | |
| 16 | BastionBox | A simple bastion host setup designed for cloud-hosted lab environments. | snaplabsio | 11 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | attack_range | A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk | splunk | 817 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | python3-in-one-pic | Learn python3 in one picture. | coodict | 4430 |
| 2 | Azure-Sentinel | Cloud-native SIEM for intelligent security analytics for your entire enterprise. | Azure | 1423 |
| 3 | Microsoft-365-Defender-Hunting-Queries | Sample queries for Advanced hunting in Microsoft 365 Defender | microsoft | 1126 |
| 4 | security-api-solutions | Microsoft Graph Security API applications and services. | microsoftgraph | 149 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | ntopng | Web-based Traffic and Security Network Traffic Monitoring | ntop | 4046 |
| 2 | grab_beacon_config | whickey-r7 | 294 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | learn-regex | Learn regex the easy way | ziishaned | 38325 |
| 2 | awesome-shell | A curated list of awesome command-line frameworks, toolkits, guides and gizmos. Inspired by awesome-php. | alebcay | 21734 |
| 3 | docker-cheat-sheet | Docker Cheat Sheet | wsargent | 20094 |
| 4 | awesome-docker | 🐳 A curated list of Docker resources and projects | veggiemonk | 20040 |
| 5 | API-Security-Checklist | Checklist of the most important security countermeasures when designing, testing, and releasing your API | shieldfy | 15781 |
| 6 | awesome-pentest | A collection of awesome penetration testing resources, tools and other shiny things | enaqx | 14393 |
| 7 | awesome-macOS | A curated list of awesome applications, softwares, tools and shiny things for macOS. | iCHAIT | 12084 |
| 8 | htaccess | ✂A collection of useful .htaccess snippets. | phanan | 11740 |
| 9 | How-To-Secure-A-Linux-Server | An evolving how-to guide for securing a Linux server. | imthenachoman | 11500 |
| 10 | server-configs-nginx | Nginx HTTP server boilerplate configs | h5bp | 9152 |
| 11 | PENTESTING-BIBLE | Learn ethical hacking.Learn about reconnaissance,windows/linux hacking,attacking web technologies,and pen testing wireless networks.Resources for learning malware analysis and reverse engineering. | blaCCkHatHacEEkr | 8381 |
| 12 | awesome-osint | 😱 A curated list of amazingly awesome OSINT | jivoi | 6947 |
| 13 | reverse-engineering | List of awesome reverse engineering resources | wtsxDev | 5920 |
| 14 | Red-Teaming-Toolkit | A collection of open source and commercial tools that aid in red team operations. | infosecn1nja | 5147 |
| 15 | awesome-threat-intelligence | A curated list of Awesome Threat Intelligence resources | hslatman | 4437 |
| 16 | awesome-incident-response | A curated list of tools for incident response | meirwah | 4343 |
| 17 | Awesome-Red-Teaming | List of Awesome Red Teaming Resources | yeyintminthuhtut | 3882 |
| 18 | Infosec_Reference | An Information Security Reference That Doesn't Suck; https://rmusser.net/git/admin-2/Infosec_Reference for non-MS Git hosted version. | rmusser01 | 3858 |
| 19 | Cheatsheet-God | Penetration Testing Reference Bank - OSCP / PTP & PTX Cheatsheet | OlivierLaflamme | 3293 |
| 20 | server-configs | Boilerplate configurations for various web servers. | h5bp | 3063 |
| 21 | sysmon-config | Sysmon configuration file template with default high-quality event tracing | SwiftOnSecurity | 3003 |
| 22 | AD-Attack-Defense | Attack and defend active directory using modern post exploitation adversary tradecraft activity | infosecn1nja | 2888 |
| 23 | MobileApp-Pentest-Cheatsheet | The Mobile App Pentest cheat sheet was created to provide concise collection of high value information on specific mobile application penetration testing topics. | tanprathan | 2843 |
| 24 | Red-Team-Infrastructure-Wiki | Wiki to collect Red Team infrastructure hardening resources | bluscreenofjeff | 2821 |
| 25 | Active-Directory-Exploitation-Cheat-Sheet | A cheat sheet that contains common enumeration and attack methods for Windows Active Directory. | S1ckB0y1337 | 1841 |
| 26 | awesome-burp-extensions | A curated list of amazingly awesome Burp Extensions | snoopysecurity | 1818 |
| 27 | Awesome-CobaltStrike | cobaltstrike的相关资源汇总 / List of Awesome CobaltStrike Resources | zer0yu | 1577 |
| 28 | awesome-forensics | A curated list of awesome forensic analysis tools and resources | cugu | 1563 |
| 29 | linux-re-101 | A collection of resources for linux reverse engineering | michalmalik | 1547 |
| 30 | pentest-guide | Penetration tests guide based on OWASP including test cases, resources and examples. | Voorivex | 1496 |
| 31 | Bash-Oneliner | A collection of handy Bash One-Liners and terminal tricks for data processing and Linux system maintenance. | onceupon | 1448 |
| 32 | CloudPentestCheatsheets | This repository contains a collection of cheatsheets I have put together for tools related to pentesting organizations that leverage cloud providers. | dafthack | 1409 |
| 33 | awesome-regex | A curated collection of awesome Regex libraries, tools, frameworks and software | aloisdg | 1082 |
| 34 | cyberchef-recipes | A list of cyber-chef recipes and curated links | mattnotmax | 997 |
| 35 | MSRC-Security-Research | Security Research from the Microsoft Security Response Center (MSRC) | microsoft | 983 |
| 36 | PrintNightmare | afwu | 905 | |
| 37 | Pentest-Tools | S3cur3Th1sSh1t | 848 | |
| 38 | SharpCollection | Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines. | Flangvik | 822 |
| 39 | AllThingsSSRF | This is a collection of writeups, cheatsheets, videos, books related to SSRF in one single location | jdonsec | 797 |
| 40 | XSS-Payloads | List of advanced XSS payloads | pgaijin66 | 735 |
| 41 | sysmon-dfir | Sources, configuration and how to detect evil things utilizing Microsoft Sysmon. | MHaggis | 669 |
| 42 | Awesome-CobaltStrike-Defence | Defences against Cobalt Strike | MichaelKoczwara | 669 |
| 43 | APT_Digital_Weapon | Indicators of compromise (IOCs) collected from public resources and categorized by Qi-AnXin. | RedDrip7 | 663 |
| 44 | osquery-configuration | A repository for using osquery for incident detection and response | palantir | 634 |
| 45 | malleable-c2 | Cobalt Strike Malleable C2 Design and Reference Guide | threatexpress | 633 |
| 46 | auditd | Best Practice Auditd Configuration | Neo23x0 | 592 |
| 47 | osquery-attck | Mapping the MITRE ATT&CK Matrix with Osquery | teoseller | 557 |
| 48 | Amsi-Bypass-Powershell | This repo contains some Amsi Bypass methods i found on different Blog Posts. | S3cur3Th1sSh1t | 498 |
| 49 | .NET-Deobfuscator | Lists of .NET Deobfuscator and Unpacker (Open Source) | NotPrab | 392 |
| 50 | Windows-Hunting | beahunt3r | 311 | |
| 51 | Bloodhound-Custom-Queries | Custom Query list for the Bloodhound GUI based off my cheatsheet | hausec | 308 |
| 52 | Awesome-SOAR | A curated Cyber "Security Orchestration, Automation and Response (SOAR)" awesome list. | correlatedsecurity | 256 |
| 53 | microsoftgraph-postman-collections | microsoftgraph | 255 | |
| 54 | Slides | Misc Threat Hunting Resources | sbousseaden | 235 |
| 55 | KapeFiles | This repository serves as a place for community created Targets and Modules for use with KAPE. | EricZimmerman | 225 |
| 56 | what_is_this_c2 | For all these times you're asking yourself "what is this panel again?" | misterch0c | 190 |
| 57 | FalconFriday | Bi-weekly hunting queries | FalconForceTeam | 189 |
| 58 | CrimeBoards | A list of private and public (more or less) blackhat boards | misterch0c | 159 |
| 59 | KQL | Kusto Query Language | marcusbakker | 105 |
| 60 | AzureAD-Attack-Defense | This publication is a collection of various common attack scenarios on Azure Active Directory and how they can be mitigated or detected. | Cloud-Architekt | 96 |
| 61 | Cloud-Pentesting | This repository is in progress, it will keep updating as I come across to new learning materials. Feel free to contribute. | TROUBLE-1 | 91 |
| 62 | botsv3 | Splunk Boss of the SOC version 3 dataset. | splunk | 91 |
| 63 | Threat-Hunting-and-Detection | Repository for threat hunting and detection queries, tools, etc. | Cyb3r-Monk | 90 |
| 64 | CTI-Lexicon | Dictionary of CTI-related acronyms, terms, and jargon | BushidoUK | 86 |
| 65 | Windows-API-To-Sysmon-Events | A repository that maps API calls to Sysmon Event ID's. | jsecurity101 | 72 |
| 66 | awesome-azure-security | A curated list of awesome Microsoft Azure Security tools, guides, blogs, and other resources. | kmcquade | 71 |
| 67 | static-files | A collection of static files maintained by the Sublime team, primarily used for phishing defense. | sublime-security | 58 |
| 68 | InlineExecute-Assembly | InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strikes traditional fork and run execute-assembly module | xforcered | 57 |
| 69 | AdvHuntingCheatSheet | Microsoft Threat Protection Advance Hunting Cheat Sheet | MiladMSFT | 57 |
| 70 | Detection-Ideas-Rules | Detection Ideas & Rules repository. | vadim-hunter | 56 |
| 71 | blue-teaming-with-kql | Repository with Sample KQL Query examples for Threat Hunting | ashwin-patil | 55 |
| 72 | MicrosoftDefenderForEndpoint-PowerBI | A repo for sample MDATP Power BI Templates | microsoft | 49 |
| 73 | detection-sources | olafhartong | 49 | |
| 74 | AdvancedHunting | Advanced Hunting Queries for Microsoft Security Products | jangeisbauer | 42 |
| 75 | Useful-BloodHound-Queries | A collection of Neo4j/BloodHound queries to collect interesting information. | xenoscr | 34 |
| 76 | SC-200T00A-Microsoft-Security-Operations-Analyst | MicrosoftLearning | 27 | |
| 77 | ossem_modular | OSSEM Modular | secgroundzero | 26 |
| 78 | splunk-addon-powershell | Splunk Add-on for PowerShell provides field extraction for PowerShell event logs. | swisscom | 17 |
| 79 | OSSEM-CDM | OSSEM Common Data Model | OTRF | 15 |
| 80 | Azure-Sentinel | DebugPrivilege | 14 | |
| 81 | PoSH_Teams_Message_Theif | Quick and dirty PoSH code to read teams messages | Xenov-X | 11 |
| 82 | xknow_infosec | Random Stuff for Cyber Security Incident Response | Iveco | 10 |
| 83 | OSSEM-DD | OSSEM Data Dictionaries | OTRF | 7 |
| 84 | M365-Defender | DebugPrivilege | 5 | |
| 85 | SA_ESS_Windows | Splunk App for Enterprise Security and Windows Security log | aholzel | 3 |
| 86 | TA-microsoft-365-defender-advanced-hunting-add-on | splunk | 1 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | SecLists | SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. | danielmiessler | 32404 |
| 2 | fuzzdb | Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery. | fuzzdb-project | 5842 |
| 3 | MISP | MISP (core software) - Open Source Threat Intelligence and Sharing Platform (formely known as Malware Information Sharing Platform) | MISP | 3273 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | MySQLTuner-perl | MySQLTuner is a script written in Perl that will assist you with your MySQL configuration and make recommendations for increased performance and stability. | major | 6938 |
| 2 | RegRipper3.0 | RegRipper3.0 | keydet89 | 156 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | BloodHound | Six Degrees of Domain Admin | BloodHoundAD | 5654 |
| 2 | azure-docs | Open source documentation of Microsoft Azure | MicrosoftDocs | 5529 |
| 3 | nishang | Nishang - Offensive PowerShell for red team, penetration testing and offensive security. | samratashok | 5371 |
| 4 | atomic-red-team | Small and highly portable detection tests based on MITRE's ATT&CK. | redcanaryco | 4784 |
| 5 | Invoke-Obfuscation | PowerShell Obfuscator | danielbohannon | 2106 |
| 6 | Empire | Empire is a PowerShell and Python 3.x post-exploitation framework. | BC-SECURITY | 1914 |
| 7 | RedTeam-Tactics-and-Techniques | Red Teaming Tactics and Techniques | mantvydasb | 1817 |
| 8 | MailSniper | MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain. | dafthack | 1815 |
| 9 | Invoke-PSImage | Encodes a PowerShell script in the pixels of a PNG file and generates a oneliner to execute | peewpw | 1717 |
| 10 | WinPwn | Automation for internal Windows Penetrationtest / AD-Security | S3cur3Th1sSh1t | 1609 |
| 11 | Inveigh | .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers | Kevin-Robertson | 1485 |
| 12 | PowerUpSQL | PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server | NetSPI | 1485 |
| 13 | sysmon-modular | A repository of sysmon configuration modules | olafhartong | 1423 |
| 14 | PowerShell | PowerShell functions and scripts (Azure, Active Directory, SCCM, SCSM, Exchange, O365, ...) | lazywinadmin | 1394 |
| 15 | EVTX-ATTACK-SAMPLES | Windows Events Attack Samples | sbousseaden | 1372 |
| 16 | AutomatedLab | AutomatedLab is a provisioning solution and framework that lets you deploy complex labs on HyperV and Azure with simple PowerShell scripts. It supports all Windows operating systems from 2008 R2 to 2019, some Linux distributions and various products like AD, Exchange, PKI, IIS, etc. | AutomatedLab | 1272 |
| 17 | PrivescCheck | Privilege Escalation Enumeration Script for Windows | itm4n | 1232 |
| 18 | Kansa | A Powershell incident response framework | davehull | 1119 |
| 19 | DeepBlueCLI | sans-blue-team | 1104 | |
| 20 | Phant0m | Windows Event Log Killer | hlldz | 1074 |
| 21 | Invoke-TheHash | PowerShell Pass The Hash Utils | Kevin-Robertson | 1022 |
| 22 | Active-Directory-Exploitation-Cheat-Sheet | A cheat sheet that contains common enumeration and attack methods for Windows Active Directory. | Integration-IT | 987 |
| 23 | PSBits | Simple (relatively) things allowing you to dig a bit deeper than usual. | gtworek | 805 |
| 24 | Random-PowerShell-Work | Random PowerShell Work | adbertram | 757 |
| 25 | PowerShellArsenal | A PowerShell Module Dedicated to Reverse Engineering | mattifestation | 738 |
| 26 | BadBlood | BadBlood by @davidprowe, Secframe.com, fills a Microsoft Active Directory Domain with a structure and thousands of objects. The output of the tool is a domain similar to a domain in the real world. After BadBlood is ran on a domain, security analysts and engineers can practice using tools to gain an understanding and prescribe to securing Active Directory. Each time this tool runs, it produces different results. The domain, users, groups, computers and permissions are different. Every. Single. Time. | davidprowe | 702 |
| 27 | WMImplant | This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based. | FortyNorthSecurity | 691 |
| 28 | Invoke-WCMDump | PowerShell Script to Dump Windows Credentials from the Credential Manager | peewpw | 666 |
| 29 | Invoke-CradleCrafter | PowerShell Remote Download Cradle Generator & Obfuscator | danielbohannon | 612 |
| 30 | Azure-Security-Center | Welcome to the Azure Security Center community repository | Azure | 609 |
| 31 | redteam | Red Team Scripts by d0nkeys (ex SnadoTeam) | d0nkeys | 591 |
| 32 | PSWinReporting | This PowerShell Module has multiple functionalities, but one of the signature features of this module is the ability to parse Security logs on Domain Controllers providing easy to use access to AD Events. | EvotecIT | 591 |
| 33 | Revoke-Obfuscation | PowerShell Obfuscation Detection Framework | danielbohannon | 556 |
| 34 | Powermad | PowerShell MachineAccountQuota and DNS exploit tools | Kevin-Robertson | 527 |
| 35 | OrgKit | Provision a brand-new company with proper defaults in Windows, Offic365, and Azure | SwiftOnSecurity | 500 |
| 36 | powershell | 🧛🏻♂️ Dark theme for PowerShell and cmd.exe | dracula | 498 |
| 37 | PowerSharpPack | S3cur3Th1sSh1t | 491 | |
| 38 | SimuLand | Understand adversary tradecraft and improve detection strategies | Azure | 488 |
| 39 | CVE-2021-1675 | Pure PowerShell implementation of CVE-2021-1675 Print Spooler Local Privilege Escalation (PrintNightmare) | calebstewart | 461 |
| 40 | CRT | Contact: [email protected] | CrowdStrike | 455 |
| 41 | ADACLScanner | Repo for ADACLScan.ps1 - Your number one script for ACL's in Active Directory | canix1 | 455 |
| 42 | MSOLSpray | A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled. | dafthack | 406 |
| 43 | Creds | Some usefull Scripts and Executables for Pentest & Forensics | S3cur3Th1sSh1t | 398 |
| 44 | Invoke-ACLPwn | fox-it | 379 | |
| 45 | Mandiant-Azure-AD-Investigator | fireeye | 359 | |
| 46 | adsec | An introduction to Active Directory security | cfalta | 358 |
| 47 | NetNTLMtoSilverTicket | SpoolSample -> Responder w/NetNTLM Downgrade -> NetNTLMv1 -> NTLM -> Kerberos Silver Ticket | NotMedic | 358 |
| 48 | LAPSToolkit | Tool to audit and attack LAPS environments | leoloobeek | 332 |
| 49 | Invoke-CommandAs | Invoke Command As System/Interactive/GMSA/User on Local/Remote machine & returns PSObjects. | mkellerman | 310 |
| 50 | ADTimeline | Timeline of Active Directory changes with replication metadata | ANSSI-FR | 270 |
| 51 | Invoke-SharpLoader | S3cur3Th1sSh1t | 258 | |
| 52 | PAW | unassassinable | 253 | |
| 53 | invoke-atomicredteam | Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the atomics folder of Red Canary's Atomic Red Team project. | redcanaryco | 246 |
| 54 | MFASweep | A tool for checking if MFA is enabled on multiple Microsoft Services | dafthack | 240 |
| 55 | DCOMrade | Powershell script for enumerating vulnerable DCOM Applications | sud0woodo | 237 |
| 56 | psgetsystem | getsystem via parent process using ps1 & embeded c# | decoder-it | 216 |
| 57 | RiskySPN | Detect and abuse risky SPNs | cyberark | 212 |
| 58 | Azure-Network-Security | Resources for improving Customer Experience with Azure Network Security | Azure | 199 |
| 59 | PowerShell | NetSPI PowerShell Scripts | NetSPI | 187 |
| 60 | PSPKIAudit | PowerShell toolkit for AD CS auditing based on the PSPKI toolkit. | GhostPack | 179 |
| 61 | PowerShellArmoury | A PowerShell armoury for penetration testers or other random security guys | cfalta | 160 |
| 62 | Minimalistic-offensive-security-tools | A repository of tools for pentesting of restricted and isolated environments. | InfosecMatter | 153 |
| 63 | Microsoft-Blue-Forest | Creating a hardened "Blue Forest" with Server 2016/2019 Domain Controllers | rootsecdev | 148 |
| 64 | WT64 | A Commodore 64 Skin for Windows Terminal | PowerFeature | 141 |
| 65 | Office-365-Extractor | The Office 365 Extractor is a tool that allows for complete and reliable extraction of the Unified Audit Log (UAL) | JoeyRentenaar | 130 |
| 66 | MDATP | Microsoft 365 Defender - Resource Hub | alexverboon | 129 |
| 67 | AtomicTestHarnesses | Public Repo for Atomic Test Harness | redcanaryco | 116 |
| 68 | New-KrbtgtKeys.ps1 | This script will enable you to reset the krbtgt account password and related keys while minimizing the likelihood of Kerberos authentication issues being caused by the operation. | microsoft | 116 |
| 69 | UncoverDCShadow | A PowerShell utility to dynamically uncover a DCShadow attack | AlsidOfficial | 108 |
| 70 | NamedPipePTH | Pass the Hash to a named pipe for token Impersonation | S3cur3Th1sSh1t | 107 |
| 71 | PowerSploit | PowerSploit - A PowerShell Post-Exploitation Framework | ZeroDayLab | 106 |
| 72 | ppid-spoofing | Scripts for performing and detecting parent PID spoofing | countercept | 96 |
| 73 | Update-Sysmon | This repository was created to aid in the deployment/maintenance of the Sysmon service on a large number of computers. | jokezone | 68 |
| 74 | TokenTactics | Azure JWT Token Manipulation Toolset | rvrsh3ll | 67 |
| 75 | Microsoft-Cloud-App-Security | Additional Resources to improve Customer Experience with Microsoft Cloud App Security | microsoft | 36 |
| 76 | Invoke-WordThief | This script runs multithreading module that connects to a remote TCP server, monitors active (opened) Microsoft Word documents (.doc,.docx,etc') and extracting their text using Word application's COM Object. The script adds HKCU registry (no admin needed) Run key, so this script runs persistently. | danielwolfmann | 32 |
| 77 | MDATP_PoSh_Scripts | anthonws | 19 | |
| 78 | Optimized.Mga | PowerShell module for Microsoft Graph REST API. To optimize, speed, and bulk use Microsoft Graph API in PowerShell. You can can enter your own URL so you aren't restricted to the limitations of the official Microsoft Module. Includes ways to speed up the process, handle throttling, and re-authenticate after the token expires. | baswijdenes | 15 |
| 79 | SplunkTools | A collection of scripts useful in management of Splunk deployment | dstaulcu | 11 |
| 80 | burmatscripts | Scripts and One-Liners | burmat | 9 |
| 81 | Azure-Security-Center | Azure Security Center resources and community knowledge hub | akudrati | 7 |
| 82 | HybridDevicesHealthChecker | HybridDevicesHealthChecker PowerShell script checks the health status of hybrid Azure AD joined devices. This PowerShell script performs various tests on selected devices and shows the result on the Shell screen, grid view and generates HTML report. | mzmaili | 5 |
| 83 | PowerShellCode | PowerShell stuff I work on | alexverboon | 4 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | PayloadsAllTheThings | A list of useful payloads and bypass for Web Application Security and Pentest/CTF | swisskyrepo | 25905 |
| 2 | mitmproxy | An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers. | mitmproxy | 22801 |
| 3 | sqlmap | Automatic SQL injection and database takeover tool | sqlmapproject | 20493 |
| 4 | Depix | Recovers passwords from pixelized screenshots | beurtschipper | 19464 |
| 5 | CheatSheetSeries | The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. | OWASP | 17467 |
| 6 | wifiphisher | The Rogue Access Point Framework | wifiphisher | 9912 |
| 7 | routersploit | Exploitation Framework for Embedded Devices | threat9 | 9499 |
| 8 | frida | Clone this repo to build Frida | frida | 7869 |
| 9 | binwalk | Firmware Analysis Tool | ReFirmLabs | 7477 |
| 10 | impacket | Impacket is a collection of Python classes for working with network protocols. | SecureAuthCorp | 7072 |
| 11 | social-engineer-toolkit | The Social-Engineer Toolkit (SET) repository from TrustedSec - All new versions of SET will be deployed here. | trustedsec | 6637 |
| 12 | scapy | Scapy: the Python-based interactive packet manipulation program & library. Supports Python 2 & Python 3. | secdev | 6433 |
| 13 | dirsearch | Web path scanner | maurosoria | 6359 |
| 14 | fail2ban | Daemon to ban hosts that cause multiple authentication errors | fail2ban | 6198 |
| 15 | spiderfoot | SpiderFoot automates OSINT so you can focus on analysis. | smicallef | 6015 |
| 16 | CrackMapExec | A swiss army knife for pentesting networks | byt3bl33d3r | 4943 |
| 17 | volatility | An advanced memory forensics framework | volatilityfoundation | 4643 |
| 18 | grr | GRR Rapid Response: remote live forensics for incident response | 3833 | |
| 19 | wfuzz | Web application fuzzer | xmendez | 3798 |
| 20 | sigma | Generic Signature Format for SIEM Systems | SigmaHQ | 3749 |
| 21 | Awesome-WAF | 🔥 Everything about web-application firewalls (WAF). | 0xInfection | 3669 |
| 22 | w3af | w3af: web application attack and audit framework, the open source web vulnerability scanner. | andresriancho | 3636 |
| 23 | ScoutSuite | Multi-Cloud Security Auditing Tool | nccgroup | 3353 |
| 24 | EyeWitness | EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible. | FortyNorthSecurity | 3069 |
| 25 | dispatch | All of the ad-hoc things you're doing to manage incidents today, done for you, and much more! | Netflix | 2984 |
| 26 | unicorn | Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18. | trustedsec | 2927 |
| 27 | dnstwist | Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation | elceef | 2914 |
| 28 | Responder | Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. | lgandx | 2856 |
| 29 | Veil | Veil 3.1.X (Check version info in Veil at runtime) | Veil-Framework | 2769 |
| 30 | hacktricks | Welcome to the page where you will find each trick/technique/whatever I have learnt in CTFs, real life apps, and reading researches and news. | carlospolop | 2750 |
| 31 | ROPgadget | This tool lets you search your gadgets on your binaries to facilitate your ROP exploitation. ROPgadget supports ELF, PE and Mach-O format on x86, x64, ARM, ARM64, PowerPC, SPARC and MIPS architectures. | JonathanSalwan | 2746 |
| 32 | caldera | Scalable Automated Adversary Emulation Platform | mitre | 2732 |
| 33 | ThreatHunter-Playbook | A Threat hunter's playbook to aid the development of techniques and hypothesis for hunting campaigns. | OTRF | 2685 |
| 34 | wesng | Windows Exploit Suggester - Next Generation | bitsadmin | 2374 |
| 35 | pentest-tools | Custom pentesting tools | gwen001 | 2251 |
| 36 | WinPwnage | UAC bypass, Elevate, Persistence methods | rootm0s | 2076 |
| 37 | diaphora | Diaphora, the most advanced Free and Open Source program diffing tool. | joxeankoret | 2047 |
| 38 | Loki | Loki - Simple IOC and Incident Response Scanner | Neo23x0 | 2027 |
| 39 | koadic | Koadic C3 COM Command & Control - JScript RAT | zerosum0x0 | 1984 |
| 40 | IntelOwl | Intel Owl: analyze files, domains, IPs in multiple ways from a single API at scale | intelowlproject | 1895 |
| 41 | flare-floss | FireEye Labs Obfuscated String Solver - Automatically extract obfuscated strings from malware. | fireeye | 1889 |
| 42 | LogonTracer | Investigate malicious Windows logon by visualizing and analyzing Windows event log | JPCERTCC | 1774 |
| 43 | BeRoot | Privilege Escalation Project - Windows / Linux / Mac | AlessandroZ | 1751 |
| 44 | cve-search | cve-search - a tool to perform local searches for known vulnerabilities | cve-search | 1681 |
| 45 | capa | The FLARE team's open-source tool to identify capabilities in executable files. | fireeye | 1662 |
| 46 | pypykatz | Mimikatz implementation in pure Python | skelsec | 1521 |
| 47 | malwoverview | Malwoverview is a first response tool used for threat hunting and offers intel information from Virus Total, Hybrid Analysis, URLHaus, Polyswarm, Malshare, Alien Vault, Malpedia, ThreatCrowd, Valhalla, Malware Bazaar, ThreatFox, Triage and it is able to scan Android devices against VT and HA. | alexandreborges | 1476 |
| 48 | SSRFmap | Automatic SSRF fuzzer and exploitation tool | swisskyrepo | 1465 |
| 49 | S3Scanner | Scan for open S3 buckets and dump the contents | sa7mon | 1461 |
| 50 | inception | Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces. | carmaa | 1431 |
| 51 | brutespray | Brute-Forcing from Nmap output - Automatically attempts default creds on found services. | x90skysn3k | 1294 |
| 52 | ja3 | JA3 is a standard for creating SSL client fingerprints in an easy to produce and shareable way. | salesforce | 1265 |
| 53 | flare-fakenet-ng | [Suspended] FakeNet-NG - Next Generation Dynamic Network Analysis Tool | fireeye | 1259 |
| 54 | plaso | Super timeline all the things | log2timeline | 1107 |
| 55 | DeTTECT | Detect Tactics, Techniques & Combat Threats | rabobank-cdc | 1090 |
| 56 | APT_REPORT | Interesting apt report collection and some special ioc express | blackorbird | 1039 |
| 57 | Security-Datasets | Re-play Security Events | OTRF | 1006 |
| 58 | odat | ODAT: Oracle Database Attacking Tool | quentinhardy | 992 |
| 59 | mitm6 | pwning IPv4 via IPv6 | fox-it | 965 |
| 60 | GreatSCT | The project is called Great SCT (Great Scott). Great SCT is an open source project to generate application white list bypasses. This tool is intended for BOTH red and blue team. | GreatSCT | 957 |
| 61 | Sooty | The SOC Analysts all-in-one CLI tool to automate and speed up workflow. | TheresAFewConors | 913 |
| 62 | lsassy | Extract credentials from lsass remotely | Hackndo | 892 |
| 63 | SprayingToolkit | Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient | byt3bl33d3r | 891 |
| 64 | kerberoast | nidem | 862 | |
| 65 | OSSEM | Open Source Security Events Metadata (OSSEM) | OTRF | 856 |
| 66 | linuxprivchecker | linuxprivchecker.py -- a Linux Privilege Escalation Check Script | sleventyeleven | 809 |
| 67 | BloodHound.py | A Python based ingestor for BloodHound | fox-it | 803 |
| 68 | Stormspotter | Azure Red Team tool for graphing Azure and Azure Active Directory objects | Azure | 802 |
| 69 | ThreatHunting | A Splunk app mapped to MITRE ATT&CK to guide your threat hunts | olafhartong | 793 |
| 70 | PrivExchange | Exchange your privileges for Domain Admin privs by abusing Exchange | dirkjanm | 768 |
| 71 | detection-rules | Rules for Elastic Security's detection engine | elastic | 745 |
| 72 | FavFreak | Making Favicon.ico based Recon Great again ! | devanshbatham | 653 |
| 73 | content | Demisto is now Cortex XSOAR. Automate and orchestrate your Security Operations with Cortex XSOAR's ever-growing Content Repository. Pull Requests are always welcome and highly appreciated! | demisto | 653 |
| 74 | atomic-threat-coverage | Actionable analytics designed to combat threats | atc-project | 641 |
| 75 | OSCP-Prep | A comprehensive guide/material for anyone looking to get into infosec or take the OSCP exam | RustyShackleford221 | 637 |
| 76 | hindsight | Web browser forensics for Google Chrome/Chromium | obsidianforensics | 628 |
| 77 | artifacts | Digital Forensics Artifact Repository | ForensicArtifacts | 602 |
| 78 | wifipumpkin3 | Powerful framework for rogue access point attack. | P0cL4bs | 590 |
| 79 | ROADtools | The Azure AD exploration framework. | dirkjanm | 589 |
| 80 | munin | Online hash checker for Virustotal and other services | Neo23x0 | 556 |
| 81 | car | Cyber Analytics Repository | mitre-attack | 550 |
| 82 | volatility3 | Volatility 3.0 development | volatilityfoundation | 543 |
| 83 | weirdAAL | WeirdAAL (AWS Attack Library) | carnal0wnage | 531 |
| 84 | cloud_enum | Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud. | initstring | 528 |
| 85 | fatt | FATT /fingerprintAllTheThings - a pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic | 0x4D31 | 503 |
| 86 | ItWasAllADream | A PrintNightmare (CVE-2021-34527) Python Scanner. Scan entire subnets for hosts vulnerable to the PrintNightmare RCE | byt3bl33d3r | 499 |
| 87 | python-evtx | Pure Python parser for recent Windows Event Log files (.evtx) | williballenthin | 499 |
| 88 | PlumHound | Bloodhound for Blue and Purple Teams | PlumHound | 498 |
| 89 | jarm | salesforce | 497 | |
| 90 | WitnessMe | Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier. | byt3bl33d3r | 476 |
| 91 | impacket_static_binaries | Standalone binaries for Linux/Windows of Impacket's examples | ropnop | 454 |
| 92 | adidnsdump | Active Directory Integrated DNS dumping by any authenticated user | dirkjanm | 442 |
| 93 | degoogle | search Google and extract results directly. skip all the click-through links and other sketchiness | deepseagirl | 407 |
| 94 | ATTACK-Python-Client | Python Script to access ATT&CK content available in STIX via a public TAXII server | OTRF | 374 |
| 95 | APT-Hunter | APT-Hunter is Threat Hunting tool for windows event logs which made by purple team mindset to provide detect APT movements hidden in the sea of windows event logs to decrease the time to uncover suspicious activity | ahmedkhlief | 372 |
| 96 | CobaltStrikeParser | Sentinel-One | 340 | |
| 97 | security_content | Splunk Security Content | splunk | 303 |
| 98 | playbooks | Phantom Community Playbooks | phantomcyber | 286 |
| 99 | atc-react | A knowledge base of actionable Incident Response techniques | atc-project | 275 |
| 100 | NTLMRecon | Enumerate information from NTLM authentication enabled web endpoints 🔎 | pwnfoo | 257 |
| 101 | Incident-Playbook | GOAL: Incident Response Playbooks Mapped to MITRE Attack Tactics and Techniques. [Contributors Friendly] | austinsonger | 243 |
| 102 | rbcd-attack | Kerberos Resource-Based Constrained Delegation Attack from Outside using Impacket | tothi | 243 |
| 103 | chaos-ssm-documents | Collection of AWS SSM Documents to perform Chaos Engineering experiments | adhorn | 229 |
| 104 | basecrack | Decode All Bases - Base Scheme Decoder | mufeedvh | 224 |
| 105 | evil-ssdp | Spoof SSDP replies and create fake UPnP devices to phish for credentials and NetNTLM challenge/response. | initstring | 221 |
| 106 | experiments | Expriments | commial | 200 |
| 107 | Collabfiltrator | Exfiltrate blind remote code execution output over DNS via Burp Collaborator. | 0xC01DF00D | 178 |
| 108 | thetick | A simple embedded Linux backdoor. | nccgroup | 178 |
| 109 | HoneyCreds | HoneyCreds network credential injection to detect responder and other network poisoners. | Ben0xA | 175 |
| 110 | kerberoast | Kerberoast attack -pure python- | skelsec | 173 |
| 111 | attack_data | A Repository of curated datasets from various attacks | splunk | 154 |
| 112 | ntlmscan | scan for NTLM directories | nyxgeek | 151 |
| 113 | pybeacon | A collection of scripts for dealing with Cobalt Strike beacons in Python | nccgroup | 147 |
| 114 | ADFSpoof | fireeye | 131 | |
| 115 | adfsbrute | A script to test credentials against Active Directory Federation Services (ADFS), allowing password spraying or bruteforce attacks. | ricardojoserf | 104 |
| 116 | attack-coverage | an excel-centric approach for the MITRE ATT&CK® Tactics and Techniques | RealityNet | 104 |
| 117 | bloodhound-quickwin | Simple script to extract useful informations from the combo BloodHound + Neo4j | kaluche | 99 |
| 118 | dfir-toolset | Dump of organized knowledge on DFIR | marcurdy | 81 |
| 119 | chameleon | PowerShell Script Obfuscator | klezVirus | 78 |
| 120 | attack2jira | attack2jira automates the process of standing up a Jira environment that can be used to track and measure ATT&CK coverage | mvelazc0 | 76 |
| 121 | alert_manager | Splunk Alert Manager with advanced reporting on alerts, workflows (modify assignee, status, severity) and auto-resolve features | alertmanager | 75 |
| 122 | icmpdoor | ICMP Reverse Shell written in Python 3 and with Scapy (backdoor/rev shell) | krabelize | 44 |
| 123 | security-stack-mappings | This project empowers defenders with independent data on which native security controls of leading technology platforms are most useful in defending against the adversary TTPs they care about. | center-for-threat-informed-defense | 40 |
| 124 | OSSEM-DM | OSSEM Detection Model | OTRF | 32 |
| 125 | mdatp-xplat | Microsoft Defender for macOS/Linux - config samples, auxiliary tools | microsoft | 29 |
| 126 | DA-ESS-MitreContent | MITRE ATT&CK Framework compliance dashboard and correlation searches that works with Splunk Enterprise Security and ES Content Update | seynur | 16 |
| 127 | starred | creating your own Awesome List by GitHub stars! | 1132719438 | 10 |
| 128 | phantom-community-projects | This repo represents work the Phantom Community collaborates on to build apps and learn. | phantomcyber | 10 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | oletools | oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging. | decalage2 | 1637 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | windows-event-forwarding | A repository for using windows event forwarding for incident detection and response | palantir | 915 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | metasploit-framework | Metasploit Framework | rapid7 | 24490 |
| 2 | evil-winrm | The ultimate WinRM shell for hacking/pentesting | Hackplayers | 1842 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | ripgrep | ripgrep recursively searches directories for a regex pattern while respecting your gitignore | BurntSushi | 26267 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | TheHive | TheHive: a Scalable, Open Source and Free Security Incident Response Platform | TheHive-Project | 2084 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | og-aws | 📙 Amazon Web Services — a practical guide | open-guides | 29733 |
| 2 | azure-quickstart-templates | Azure Quickstart Templates | Azure | 10587 |
| 3 | lynis | Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional. | CISOfy | 8622 |
| 4 | my-arsenal-of-aws-security-tools | List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc. | toniblyx | 6069 |
| 5 | ctf-tools | Some setup scripts for security research tools. | zardus | 5761 |
| 6 | LinEnum | Scripted Local Linux Enumeration & Privilege Escalation Checks | rebootuser | 4254 |
| 7 | airgeddon | This is a multi-use bash script for Linux systems to audit wireless networks. | v1s1t0r1sh3r3 | 3482 |
| 8 | spectre-meltdown-checker | Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad vulnerability/mitigation checker for Linux & BSD | speed47 | 3444 |
| 9 | server-configs-apache | Apache HTTP server boilerplate configs | h5bp | 2855 |
| 10 | linux-exploit-suggester | Linux privilege escalation auditing tool | mzet- | 2740 |
| 11 | nanorc | Improved Nano Syntax Highlighting Files | scopatz | 2172 |
| 12 | nginx-ultimate-bad-bot-blocker | Nginx Block Bad Bots, Spam Referrer Blocker, Vulnerability Scanners, User-Agents, Malware, Adware, Ransomware, Malicious Sites, with anti-DDOS, Wordpress Theme Detector Blocking and Fail2Ban Jail for Repeat Offenders | mitchellkrogza | 2135 |
| 13 | linux-smart-enumeration | Linux enumeration tool for pentesting and CTFs with verbosity levels | diego-treitos | 1639 |
| 14 | SUDO_KILLER | A tool to identify and exploit sudo rules' misconfigurations and vulnerabilities within sudo for linux privilege escalation. | TH3xACE | 1198 |
| 15 | pwncat | pwncat - netcat on steroids with Firewall, IDS/IPS evasion, bind and reverse shell, self-injecting shell and port forwarding magic - and its fully scriptable with Python (PSE) | cytopia | 1083 |
| 16 | BruteX | Automatically brute force all services running on a target. | 1N3 | 1066 |
| 17 | lme | Logging Made Easy | ukncsc | 535 |
| 18 | clamav-unofficial-sigs | ClamAV Unofficial Signatures Updater maintained by eXtremeSHOK.com | extremeshok | 426 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | n8n | Free and open fair-code licensed node based Workflow Automation Tool. Easily automate tasks across different services. | n8n-io | 16458 |
| 2 | fingerprintjs | Browser fingerprinting library with the highest accuracy and stability. | fingerprintjs | 14076 |
| 3 | feathers | A framework for real-time applications and REST APIs with JavaScript and TypeScript | feathersjs | 13472 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | VBA-RunPE | A VBA implementation of the RunPE technique or how to bypass application whitelisting. | itm4n | 575 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | LOLBAS | Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) | LOLBAS-Project | 3127 |
| Name | Description | Owner | Stars | |
|---|---|---|---|---|
| 1 | rules | Repository of yara rules | Yara-Rules | 2642 |
| 2 | APT_CyberCriminal_Campagin_Collections | APT & CyberCriminal Campaign Collection | CyberMonitor | 2311 |
| 3 | signature-base | Signature base for my scanner tools | Neo23x0 | 1327 |
| 4 | DidierStevensSuite | Please no pull requests for this repository. Thanks! | DidierStevens | 941 |
| 5 | Mitigating-Web-Shells | Guidance for mitigation web shells. #nsacyber | nsacyber | 747 |
| 6 | YaraHunts | Random hunting ordiented yara rules | sbousseaden | 79 |
| 7 | Certify | Active Directory certificate abuse. | GhostPack | 69 |
| 8 | ForgeCert | "Golden" certificates | GhostPack | 57 |
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent