所有收集类项目

Windows

跟Windows安全有关的资源收集。当前包括的工具个数1100+，并根据功能进行了粗糙的分类。部分工具添加了中文描述。当前包括文章数3300+。
此页只包含部分内容. 查看完整版
English Version

PowerShell
- PowerSploit -> (4)工具 (12)文章
- PSAttack -> (3)工具 (3)文章
- 其他 -> (5)工具 (7)文章
DLL
- 新添加 -> (107)工具 (152)文章
- DLL注入 -> (67)工具 (69)文章
- DLL劫持 -> (18)工具 (60)文章
- DLL旁加载 -> (18)文章
PE
- PE解析 -> (1)工具 (3)文章
- 工具 -> (66)工具
- 文章 -> (131)文章
.NET
- 工具
  - (36) 新添加
  - (5) dnspy
- (56) 文章
登录与认证
- Mimikatz -> (13)工具 (128)文章
- NTLM -> (36)工具 (128)文章
- Kerberos -> (28)工具 (71)文章
- Pass-The-Hash -> (1)工具 (52)文章
- Pass-The-Ticket -> (3)文章
- winglogon.exe -> (1)工具 (6)文章
- LLMNR -> (5)工具 (18)文章
- NetBIOS -> (2)工具 (17)文章
- 其他 -> (2)工具
安全防护
- UAC -> (41)工具 (139)文章
- AppLocker -> (13)工具 (98)文章
- Data Execution Prevention(DEP) -> (1)工具 (68)文章
- Patch Guard(PG) -> (2)工具 (24)文章
- Driver Signature Enforcement(DSE) -> (11)工具 (11)文章
- Windows Defender -> (15)工具 (155)文章
- Antimalware Scan Interface(AMSI) -> (11)工具 (62)文章
- Address Space Layout Randomization(ASLR) -> (12)工具 (124)文章
- Control Flow Guard -> (4)工具
- Control Integrity Guard ->
- 其他 ->
MS1X -> (46)工具 (7)文章
系统机制
- RDP
  - (53) 工具
  - (70) 文章
  - (141) 文章_0
- SMB -> (61)工具 (51)文章
- Windows Management Instrumentation(WMI) -> (37)工具 (144)文章
- Event Tracing for Windows(ETW) -> (40)工具 (66)文章
- Lsass -> (7)工具 (22)文章
- BitLocker -> (10)工具 (50)文章
- NTFS -> (21)工具 (73)文章
- SSDT -> (11)工具 (57)文章
- Windows Registry -> (12)工具 (18)文章
- Component Object Model(COM) -> (1)工具
- Distributed Component Object Model(DCOM) -> (10)工具 (35)文章
- Dynamic Data Exchange(DDE) -> (5)文章
- Compiled HTML Help(CHM) -> (4)文章
- WinSxS -> (1)工具
- WoW64 -> (9)工具 (28)文章
- Background Intelligent Transfer Service(BITS) -> (2)工具
- Batch Script(.bat) -> (12)工具 (11)文章
- DACL -> (2)工具 (6)文章
- WebDAV -> (11)工具 (26)文章
- Group Policy Object(GPO) -> (1)工具 (4)文章
- AppInit/AppCert -> (4)文章
- InstallUtil -> (1)文章
- Image File Execution Option(IFEO) -> (5)文章
- Mshta -> (6)文章
- Microsoft HTML Application(HTA) -> (1)文章
- NetShell -> (2)工具 (1)文章
- VBScript -> (9)工具 (59)文章
- VBA -> (16)工具 (76)文章
- Security Service Provider(SSP) -> (8)文章
- Scheduled Task -> (6)工具 (9)文章
- Windows Remote Management(WinRM) -> (9)工具 (16)文章
- Control Panel -> (1)工具 (12)文章
- Windows Shortcut File -> (8)工具 (18)文章
- Windows Explorer -> (27)工具 (4)文章
- Application Shim -> (7)文章
- Squiblydoo -> (2)文章
- Open Office XML -> (1)工具
- 其他 ->
各类软件
- MS Internet Explorer -> (32)工具
- MS Edge -> (19)工具 (51)文章
- MS Office -> (17)工具 (190)文章
- EMET -> (3)工具 (118)文章
- psexec -> (3)工具 (42)文章
- Nltest ->
- CMSTP.exe ->
- Rundll32 -> (1)工具 (12)文章
- Regsvr32 -> (2)工具 (4)文章
- Regasm ->
- Regsvcs ->
- svchost -> (1)工具 (6)文章
- MSBuild -> (6)工具 (14)文章
- csrss.exe -> (21)文章
- 其他exe -> (23)文章
SysInternalSuite
- Sysmon -> (36)工具 (144)文章
- Procmon -> (4)工具 (18)文章
- Autoruns -> (7)工具 (17)文章
- ProcessExplorer -> (14)文章
- 其他 -> (5)工具 (20)文章
工具
文章
- (8) 新添加

PowerShell

PowerSploit

[6448星][9d] [PS] powershellmafia/powersploit PowerSploit - A PowerShell Post-Exploitation Framework
[346星][1y] [C#] ghostpack/sharpdump SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality.
[213星][3m] [Py] the-useless-one/pywerview A (partial) Python rewriting of PowerSploit's PowerView

PSAttack

其他

[216星][23d] [PS] mkellerman/invoke-commandas Invoke Command As System/Interactive/GMSA/User on Local/Remote machine & returns PSObjects.

DLL

新添加

[2064星][10d] [C#] lucasg/dependencies A rewrite of the old legacy software "depends.exe" in C# for Windows devs to troubleshoot dll load dependencies issues.
[1393星][12m] [C] fancycode/memorymodule Library to load a DLL from memory.
[1232星][10d] [C#] perfare/il2cppdumper Restore dll from Unity il2cpp binary file (except code)
[810星][10d] [C#] terminals-origin/terminals Terminals is a secure, multi tab terminal services/remote desktop client. It uses Terminal Services ActiveX Client (mstscax.dll). The project started from the need of controlling multiple connections simultaneously. It is a complete replacement for the mstsc.exe (Terminal Services) client. This is official source moved from Codeplex.
[396星][8m] [C++] hasherezade/dll_to_exe Converts a DLL into EXE
[385星][19d] [C#] 3f/dllexport .NET DllExport
- 重复区段: .NET->工具->新添加 |
[371星][12d] [PS] netspi/pesecurity PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode.
[255星][16d] [C++] wbenny/detoursnt Detours with just single dependency - NTDLL
[236星][21d] [C#] erfg12/memory.dll C# Hacking library for making PC game trainers.
[234星][1y] [C#] misaka-mikoto-tech/monohook hook C# method at runtime without modify dll file (such as UnityEditor.dll)
[220星][2m] [C++] chuyu-team/mint Contains the definitions for the Windows Internal UserMode API from ntdll.dll, samlib.dll and winsta.dll.
[203星][10d] [C++] s1lentq/regamedll_cs a result of reverse engineering of original library mod HLDS (build 6153beta) using DWARF debug info embedded into linux version of HLDS, cs.so

DLL注入

[994星][1m] [C] fdiskyou/injectallthethings Seven different DLL injection techniques in one single project.
[747星][7m] [C++] darthton/xenos Windows DLL 注入器
[635星][3m] [PS] monoxgas/srdi Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode

DLL劫持

[441星][9m] [Pascal] mojtabatajik/robber 查找易于发生DLL劫持的可执行文件
[327星][1y] [C++] anhkgg/superdllhijack 一种通用Dll劫持技术，不再需要手工导出Dll的函数接口了

DLL旁加载

PE

PE解析

[904星][12d] [Py] erocarrera/pefile PE文件读取、解析工具，Python编写

  ## 特性
  - Inspecting headers
  - Analysis of sections' data
  - Retrieving embedded data
  - Reading strings from the resources
  - Warnings for suspicious and malformed values
  - Support to write to some of the fields and to other parts of the PE, so it's possible to do some basic butchering of PEs
  - Packer detection with PEiD’s signatures
  - PEiD signature generation
  </details>

工具

[693星][15d] [C] thewover/donut 生成位置无关的shellcode（x86，x64或AMD64 + x86），该shellcode从内存中加载.NET程序集、PE文件和其他Windows有效负载，并使用参数运行它们
- 重复区段: .NET->工具->新添加 |
[407星][2m] [Assembly] hasherezade/pe_to_shellcode Converts PE into a shellcode
[399星][5m] [Jupyter Notebook] endgameinc/ember 110万PE文件的数据集合, 可用于训练相关模型. PE文件信息主要包括: SHA256/histogram(直方图)/byteentropy(字节熵)/字符串/PE头信息/段信息/导入表/导出表
[372星][1y] [Assembly] egebalci/amber 反射式PE加壳器，用于绕过安全产品和缓解措施
[342星][7m] [C] merces/pev The PE file analysis toolkit
[328星][2m] [VBA] itm4n/vba-runpe A VBA implementation of the RunPE technique or how to bypass application whitelisting.
[327星][1m] [C++] trailofbits/pe-parse Principled, lightweight C/C++ PE parser
[318星][20d] [C++] hasherezade/libpeconv 用于映射和取消映射PE 文件的库
[288星][9m] [Java] katjahahn/portex Java library to analyse Portable Executable files with a special focus on malware analysis and PE malformation robustness

文章

.NET

工具

[9528星][19d] [C#] icsharpcode/ilspy .NET Decompiler with support for PDB generation, ReadyToRun, Metadata (&more) - cross-platform!
[3824星][2m] [C#] 0xd4d/de4dot .NET deobfuscator and unpacker.
[3278星][9m] [JS] sindresorhus/speed-test Test your internet connection speed and ping using speedtest.net from the CLI
[2526星][1y] [C#] yck1509/confuserex An open-source, free protector for .NET applications
[1811星][1m] [C#] sshnet/ssh.net SSH.NET is a Secure Shell (SSH) library for .NET, optimized for parallelism.
[1696星][19d] [C#] jbevain/cecil C#库, 探查/修改/生成 .NET App/库
[1535星][12d] [C#] steamre/steamkit SteamKit2 is a .NET library designed to interoperate with Valve's Steam network. It aims to provide a simple, yet extensible, interface to perform various actions on the network.
[1415星][1y] [C++] dotnet/llilc This repo contains LLILC, an LLVM based compiler for .NET Core. It includes a set of cross-platform .NET code generation tools that enables compilation of MSIL byte code to LLVM supported platforms.
[1147星][9d] [C#] cobbr/covenant Covenant is a collaborative .NET C2 framework for red teamers.
[1135星][15d] [Boo] byt3bl33d3r/silenttrinity An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR
[923星][12d] [C#] pwntester/ysoserial.net 生成Payload，恶意利用不安全的 .NET 对象反序列化
[818星][12d] [C#] proxykit/proxykit A toolkit to create code-first HTTP reverse proxies on ASP.NET Core
[788星][2m] [C#] cobbr/sharpsploit SharpSploit is a .NET post-exploitation library written in C#
[728星][3m] [C#] obfuscar/obfuscar Open source obfuscation tool for .NET assemblies
[693星][15d] [C] thewover/donut 生成位置无关的shellcode（x86，x64或AMD64 + x86），该shellcode从内存中加载.NET程序集、PE文件和其他Windows有效负载，并使用参数运行它们
- 重复区段: PE->工具->工具 |
[634星][12d] [HTML] foxzilla/pxer 人人可用的P站爬虫
[577星][10d] [C#] dabutvin/imgbot An Azure Function solution to crawl through all of your image files in GitHub and losslessly compress them. This will make the file size go down, but leave the dimensions and quality untouched. Once it's done, ImgBot will open a pull request for you to review and merge. help@imgbot.net
[546星][24d] [C#] crosire/scripthookvdotnet An ASI plugin for Grand Theft Auto V, which allows running scripts written in any .NET language in-game.
[536星][11d] [Go] timothyye/godns A dynamic DNS client tool, supports AliDNS, Cloudflare, Google Domains, DNSPod, HE.net & DuckDNS, written in Go.
[494星][28d] [C#] paulbartrum/jurassic A .NET library to parse and execute JavaScript code.
[493星][1m] [C#] chmorgan/sharppcap 用于捕获数据包的跨平台 (Windows, Mac, Linux)库，.NET编写
[486星][28d] [C#] tyranid/oleviewdotnet OLE/COM查看和检测工具，.NET语言编写
[424星][7m] [Java] nccgroup/freddy 自动识别 Java/.NET 应用程序中的反序列化漏洞
[386星][14d] [C#] addictedcs/soundfingerprinting .NET中的音频指纹识别。完全用C＃编写的高效的声音指纹识别算法。
[385星][19d] [C#] 3f/dllexport .NET DllExport
- 重复区段: DLL->新添加->工具 |
[383星][2m] [C#] security-code-scan/security-code-scan Vulnerability Patterns Detector for C# and VB.NET
[373星][9d] [C#] sonarsource/sonar-dotnet 用于C＃和VB.NET语言的静态代码分析器，用作SonarQube和SonarCloud平台的扩展。
[366星][10m] [JS] nikolayit/openjudgesystem An open source system for online algorithm competitions for Windows, written in ASP.NET MVC
[357星][10d] [C#] tmoonlight/nsmartproxy 内网穿透工具。采用.NET CORE的全异步模式打造
[334星][10d] [Java] wiglenet/wigle-wifi-wardriving Nethugging client for Android, from wigle.net
[320星][1m] [C#] azuread/azure-activedirectory-library-for-dotnet ADAL authentication libraries for .net
[316星][10d] [C#] dahall/vanara A set of .NET libraries for Windows implementing PInvoke calls to many native Windows APIs with supporting wrappers.

[13163星][24d] [C#] 0xd4d/dnspy .NET debugger and assembly editor

文章

登录与认证

Mimikatz

[9161星][11d] [C] gentilkiwi/mimikatz A little tool to play with Windows security
[802星][10d] [Py] skelsec/pypykatz 纯Python实现的Mimikatz
[264星][6m] [C] portcullislabs/linikatz UNIX版本的Mimikatz
[210星][2m] [C#] ghostpack/sharpdpapi SharpDPAPI is a C# port of some Mimikatz DPAPI functionality.

NTLM

[3097星][5m] [Py] spiderlabs/responder LLMNR/NBT-NS/MDNS投毒，内置HTTP/SMB/MSSQL/FTP/LDAP认证服务器, 支持NTLMv1/NTLMv2/LMv2
[1887星][1m] [Py] lgandx/responder LLMNR, NBT-NS, MDNS 投毒工具，内置 HTTP/SMB/MSSQL/FTP/LDAP 流氓认证服务器，支持 NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP和基础 HTTP认证
[781星][1m] [Py] lgandx/pcredz This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.
[744星][1y] [C#] eladshamir/internal-monologue 在不接触LSASS的情况下提取NTLM hash
[676星][1y] [Py] deepzec/bad-pdf create malicious PDF file to steal NTLM(NTLMv1/NTLMv2) Hashes from windows machines
[256星][2m] [Py] evilmog/ntlmv1-multi 修改NTLMv1/NTLMv1-ESS/MSCHAPv1 Hask, 使其可以在hashcat中用DES模式14000破解
[252星][14d] [PS] notmedic/netntlmtosilverticket SpoolSample -> Responder w/NetNTLM Downgrade -> NetNTLMv1 -> NTLM -> Kerberos Silver Ticket
[250星][11d] [Ruby] urbanesec/zackattack Unveiled at DEF CON 20, NTLM Relaying to ALL THE THINGS!

Kerberos

[728星][19d] [C#] ghostpack/rubeus 原始Kerberos交互和滥用，C＃编写
[617星][3m] [C] gentilkiwi/kekeo 玩弄 Windows Kerberos 的工具箱
[593星][7m] [Py] nidem/kerberoast 一系列用于攻击MS Kerberos实现的工具
[376星][12d] [Go] jcmturner/gokrb5 Pure Go Kerberos library for clients and services
[354星][2m] [Go] ropnop/kerbrute A tool to perform Kerberos pre-auth bruteforcing
[236星][27d] [Py] dirkjanm/krbrelayx Kerberos unconstrained delegation abuse toolkit

Pass-The-Hash

Pass-The-Ticket

winglogon.exe

LLMNR

[1072星][6m] [PS] kevin-robertson/inveigh Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool
[258星][6m] [C#] kevin-robertson/inveighzero Windows C# LLMNR/mDNS/NBNS/DNS spoofer/man-in-the-middle tool

NetBIOS

其他

安全防护

UAC

[2500星][2m] [C] hfiref0x/uacme Defeating Windows User Account Control
[2458星][9d] [PS] k8gege/k8tools K8工具合集(内网渗透/提权工具/远程溢出/漏洞利用/扫描工具/密码破解/免杀工具/Exploit/APT/0day/Shellcode/Payload/priviledge/BypassUAC/OverFlow/WebShell/PenTest) Web GetShell Exploit(Struts2/Zimbra/Weblogic/Tomcat/Apache/Jboss/DotNetNuke/zabbix)
[1859星][17d] [JS] coreybutler/node-windows Windows support for Node.JS scripts (daemons, eventlog, UAC, etc).
[1742星][1m] [Py] rootm0s/winpwnage UAC bypass, Elevate, Persistence and Execution methods

AppLocker

[947星][23d] [PS] api0cradle/ultimateapplockerbypasslist The goal of this repository is to document the most common techniques to bypass AppLocker.

Data Execution Prevention(DEP)

Patch Guard(PG)

[551星][11m] [C] hfiref0x/upgdsed 通用PG和DSE禁用工具

Driver Signature Enforcement(DSE)

[723星][10m] [C] hfiref0x/tdl Driver loader for bypassing Windows x64 Driver Signature Enforcement
[369星][11d] [C] mattiwatti/efiguard Disable PatchGuard and DSE at boot time
[322星][5m] [C] 9176324/shark Turn off PatchGuard in real time for win7 (7600) ~ win10 (18950).
[274星][9d] [C++] can1357/byepg Defeating Patchguard universally for Windows 8, Windows 8.1 and all versions of Windows 10 regardless of HVCI

Windows Defender

[424星][10d] [C#] matterpreter/defendercheck Identifies the bytes that Microsoft Defender flags on.

Antimalware Scan Interface(AMSI)

[322星][9d] [C#] hackplayers/salsa-tools Salsa Tools - ShellReverse TCP/UDP/ICMP/DNS/SSL/BINDTCP/Shellcode/SILENTTRINITY and AV bypass, AMSI patched

Address Space Layout Randomization(ASLR)

[901星][2m] [Roff] slimm609/checksec.sh 检查可执行文件(PIE, RELRO, PaX, Canaries, ASLR, Fortify Source)属性的 bash 脚本
[371星][12d] [PS] netspi/pesecurity 检查PE(EXE/DLL)编译选项是否有：ASLR, DEP, SafeSEH, StrongNaming, Authenticode。PowerShell模块

Control Flow Guard

Control Integrity Guard

其他

MS1X

工具

[345星][4m] [Py] 3ndg4me/autoblue-ms17-010 This is just an semi-automated fully working, no-bs, non-metasploit version of the public exploit code for MS17-010
[254星][17d] [Py] mez-0/ms17-010-python MS17-010: Python and Meterpreter

文章

系统机制

RDP

[6407星][1y] [Pascal] stascorp/rdpwrap RDP Wrapper Library
[3800星][9d] [C] freerdp/freerdp FreeRDP is a free remote desktop protocol library and clients
[1655星][21d] [C] neutrinolabs/xrdp xrdp: an open source RDP server
[1083星][9d] [C] zerosum0x0/cve-2019-0708 Scanner PoC for CVE-2019-0708 RDP RCE vuln
[996星][1m] [Py] syss-research/seth Perform a MitM attack and extract clear text credentials from RDP connections
[911星][13d] [Py] jimmy201602/webterminal ssh rdp vnc telnet sftp bastion/jump web putty xshell terminal jumpserver audit realtime monitor rz/sz 堡垒机云桌面 linux devops sftp websocket file management rz/sz otp 自动化运维审计录像文件管理 sftp上传实时监控录像回放网页版rz/sz上传下载/动态口令 django
[764星][10d] [C] rdesktop/rdesktop rdesktop is an open source UNIX client for connecting to Windows Remote Desktop Services, capably of natively speaking Remote Desktop Protocol (RDP) in order to present the user's Windows desktop. rdesktop is known to work with Windows server version ranging from NT 4 terminal server to Windows 2012 R2.
[692星][13d] [C] robertdavidgraham/rdpscan A quick scanner for the CVE-2019-0708 "BlueKeep" vulnerability.
[433星][9d] [C++] 0x09al/rdpthief Extracting Clear Text Passwords from mstsc.exe using API Hooking.
[378星][15d] [C#] beckzhu/simpleremote 远程管理工具。轻量级、选项卡式、免费、开源的远程连接管理工具，支持RDP、SSH、Telnet协议
[376星][13d] [Py] gosecure/pyrdp RDP man-in-the-middle (mitm) and library for Python 3 with the ability to watch connections live or after the fact
[339星][21d] [PS] joelgmsec/autordpwn The Shadow Attack Framework
[296星][9d] [Py] xfreed0m/rdpassspray Python3 tool to perform password spraying using RDP
[283星][8m] [Py] k8gege/cve-2019-0708 3389远程桌面代码执行漏洞CVE-2019-0708批量检测工具(Rdpscan Bluekeep Check)

SMB

[1215星][1m] [C#] k8gege/ladon 用于大型网络渗透的多线程插件化综合扫描神器
[820星][1y] [PS] kevin-robertson/invoke-thehash 执行 pass the hash WMI 和 SMB 任务的PowerShell函数
[767星][2m] [Py] shawndevans/smbmap SMB枚举
[388星][12d] [C] zerosum0x0/smbdoor Windows kernel backdoor via registering a malicious SMB handler
[355星][3m] [Py] m8r0wn/nullinux SMB null 会话识别和枚举工具
[348星][11m] [Py] skorov/ridrelay 通过使用具有低priv的SMB中继来枚举您没有信誉的域上的用户名。
[322星][8m] [C#] raikia/credninja A multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at-scale via SMB, plus now with a user hunter
[255星][19d] [PS] p3nt4/invoke-piper Forward local or remote tcp ports through SMB pipes.
[225星][3m] [Py] m4ll0k/smbrute SMB Protocol Bruteforce
[210星][3m] [Py] miketeo/pysmb pysmb is an experimental SMB/CIFS library written in Python. It implements the client-side SMB/CIFS protocol (SMB1 and SMB2) which allows your Python application to access and transfer files to/from SMB/CIFS shared folders like your Windows file sharing and Samba folders.

Windows Management Instrumentation(WMI)

[708星][12d] [Go] martinlindhe/wmi_exporter Prometheus exporter for Windows machines using WMI
[706星][1y] [PS] arvanaghi/sessiongopher 使用WMI为远程访问工具（如WinSCP，PuTTY，SuperPuTTY，FileZilla和Microsoft远程桌面）提取保存的会话信息。PowerShell编写
[610星][1y] [PS] fortynorthsecurity/wmimplant This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based.
[265星][9d] [JS] pandorafms/pandorafms Pandora FMS is a flexible and highly scalable monitoring system ready for big environments. It uses agents (Linux, Windows, AIX, HP-UX, Solaris and BSD systems) and can do both local and remote network monitoring (SNMP v3, TCP checks, WMI, etc).
[259星][1m] [Go] stackexchange/wmi WMI for Go
[251星][1y] [C#] 0xbadjuju/wheresmyimplant A Bring Your Own Land Toolkit that Doubles as a WMI Provider

Event Tracing for Windows(ETW)

[1303星][12d] [JS] jpcertcc/logontracer 通过可视化和分析Windows事件日志来调查恶意的Windows登录
[885星][16d] [C++] google/uiforetw User interface for recording and managing ETW traces
[673星][12m] [Roff] palantir/windows-event-forwarding 使用 Windows 事件转发实现网络事件监测和防御
[655星][9d] [PS] sbousseaden/evtx-attack-samples 与特定攻击和利用后渗透技术相关的Windows事件样例
[566星][30d] [PS] sans-blue-team/deepbluecli a PowerShell Module for Threat Hunting via Windows Event Logs
[505星][11m] [C#] lowleveldesign/wtrace Command line tracing tool for Windows, based on ETW.
[466星][15d] [PS] nsacyber/event-forwarding-guidance 帮助管理员使用Windows事件转发（WEF）收集与安全相关的Windows事件日志
[401星][12m] [Py] williballenthin/python-evtx 纯Python编写的Windows事件日志解析器
[318星][3m] [C#] zodiacon/procmonx 通过Windows事件日志获取与Process Monitor显示的相同的信息，无需内核驱动
[295星][11d] [C#] fireeye/silketw flexible C# wrappers for ETW
[290星][12m] [C#] nsacyber/windows-event-log-messages 检索Windows二进制文件中嵌入的Windows事件日志消息的定义，并以discoverable的格式提供它们
[268星][5m] [C++] gametechdev/presentmon Tool for collection and processing of ETW events related to DXGI presentation.
[261星][10d] [C++] microsoft/krabsetw KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

Lsass

[489星][20d] [Py] hackndo/lsassy Extract credentials from lsass remotely
[356星][11d] [Py] aas-n/spraykatz Credentials gathering tool automating remote procdump and parse of lsass process.
[315星][13d] [C] outflanknl/dumpert LSASS memory dumper using direct system calls and API unhooking.

BitLocker

[772星][3m] [C] aorimn/dislocker FUSE driver to read/write Windows' BitLocker-ed volumes under Linux / Mac OSX
[347星][1y] [C] e-ago/bitcracker BitLocker密码破解器

NTFS

[582星][1y] mtivadar/windows10_ntfs_crash_dos Windows NTFS文件系统崩溃漏洞PoC
[270星][17d] [Py] dkovar/analyzemft fully parse the MFT file from an NTFS filesystem and present the results as accurately as possible in multiple format
[234星][21d] [C] pbatard/uefi-ntfs UEFI:NTFS - Boot NTFS partitions from UEFI

SSDT

Windows Registry

Component Object Model(COM)

Distributed Component Object Model(DCOM)

[225星][10d] [PS] outflanknl/excel4-dcom PowerShell and Cobalt Strike scripts for lateral movement using Excel 4.0 / XLM macros via DCOM (direct shellcode injection in Excel.exe)
[207星][1y] [PS] sud0woodo/dcomrade Powershell script for enumerating vulnerable DCOM Applications

Dynamic Data Exchange(DDE)

Compiled HTML Help(CHM)

WinSxS

WoW64

Background Intelligent Transfer Service(BITS)

Batch Script(.bat)

[268星][9m] [Batchfile] diogo-fernan/ir-rescue A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
[216星][9d] [PS] enjoiz/privesc Windows batch script that finds misconfiguration issues which can lead to privilege escalation.

DACL

[333星][11d] [PS] canix1/adaclscanner Repo for ADACLScan.ps1 - Your number one script for ACL's in Active Directory

WebDAV

[465星][23d] [C++] winscp/winscp WinSCP is a popular free SFTP and FTP client for Windows, a powerful file manager that will improve your productivity. It supports also Amazon S3, FTPS, SCP and WebDAV protocols. Power users can automate WinSCP using .NET assembly.
[373星][2m] [Py] mar10/wsgidav A generic and extendable WebDAV server based on WSGI

Group Policy Object(GPO)

[246星][16d] [C#] fsecurelabs/sharpgpoabuse take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.

AppInit/AppCert

InstallUtil

Image File Execution Option(IFEO)

Mshta

Microsoft HTML Application(HTA)

NetShell

VBScript

[1615星][12d] [Py] zerosum0x0/koadic 类似于Meterpreter、Powershell Empire 的post-exploitation rootkit，区别在于其大多数操作都是由 Windows 脚本主机 JScript/VBScript 执行

VBA

[565星][2m] [Py] decalage2/vipermonkey A VBA parser and emulation engine to analyze malicious macros.
[262星][7m] [Py] bontchev/pcodedmp A VBA p-code disassembler
[226星][8m] [Py] malwarecantfly/vba2graph Generate call graphs from VBA code, for easier analysis of malicious documents.

Security Service Provider(SSP)

Scheduled Task

[432星][1m] [Py] sibson/redbeat RedBeat is a Celery Beat Scheduler that stores the scheduled tasks and runtime metadata in Redis.
[385星][1m] [C#] dahall/taskscheduler Provides a .NET wrapper for the Windows Task Scheduler. It aggregates the multiple versions, provides an editor and allows for localization.

Windows Remote Management(WinRM)

[708星][13d] [Ruby] hackplayers/evil-winrm 用户Hacking/渗透的终极WinRM shell
[238星][10d] [Go] masterzen/winrm Windows远程命令执行，命令行工具+库，Go编写

Control Panel

Windows Shortcut File

Windows Explorer

Application Shim

Squiblydoo

Open Office XML

其他

各类软件

MS Internet Explorer

MS Edge

[8097星][2m] [JS] microsoft/chakracore ChakraCore is the core part of the Chakra JavaScript engine that powers Microsoft Edge
[2356星][1y] microsoftedge/msedge Microsoft Edge
[217星][4m] [Go] improbable-eng/kedge kEdge - Kubernetes Edge Proxy for gRPC and HTTP Microservices

MS Office

[1731星][1m] [JS] ziv-barber/officegen Standalone Office Open XML files (Microsoft Office 2007 and later) generator for Word (docx), PowerPoint (pptx) and Excell (xlsx) in javascript. The output is a stream.
[1066星][20d] [Rich Text Format] decalage2/oletools python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
[750星][9d] [C#] outflanknl/evilclippy A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows.
[407星][2m] [YARA] guelfoweb/peframe PEframe is a open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.

EMET

psexec

[264星][14d] [C++] poweradminllc/paexec Remote execution, like PsExec

Nltest

CMSTP.exe

Rundll32

Regsvr32

Regasm

Regsvcs

svchost

MSBuild

[4136星][7d] [C#] microsoft/msbuild The Microsoft Build Engine (MSBuild) is the build platform for .NET and Visual Studio.
[728星][9m] [Py] mr-un1k0d3r/powerlessshell 依靠MSBuild.exe远程执行PowerShell脚本和命令
[226星][7m] [Py] infosecn1nja/maliciousmacromsbuild Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass.

csrss.exe

其他exe

SysInternalSuite

Sysmon

[2177星][1m] swiftonsecurity/sysmon-config Sysmon configuration file template with default high-quality event tracing
[715星][23d] [PS] olafhartong/sysmon-modular sysmon配置模块收集
[667星][2m] nshalabi/sysmontools Utilities for Sysmon
[546星][12d] mhaggis/sysmon-dfir Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.
[455星][1y] [Batchfile] ion-storm/sysmon-config Advanced Sysmon configuration, Installer & Auto Updater with high-quality event tracing
[246星][13d] [CSS] trustedsec/sysmoncommunityguide TrustedSec Sysinternals Sysmon Community Guide

Procmon

Autoruns

ProcessExplorer

其他

工具

新添加的

[9553星][9d] [PS] lukesampson/scoop A command-line installer for Windows.
[4868星][10m] [Py] 10se1ucgo/disablewintracking Uses some known methods that attempt to minimize tracking in Windows 10
[3648星][9d] [C#] kohsuke/winsw A wrapper executable that can be used to host any executable as an Windows service, in a liberal license
[3409星][1m] [C] microsoft/windows-driver-samples This repo contains driver samples prepared for use with Microsoft Visual Studio and the Windows Driver Kit (WDK). It contains both Universal Windows Driver and desktop-only driver samples.
[3222星][9d] [C++] 0xz0f/z0fcourse_reverseengineering Reverse engineering focusing on x64 Windows.
[2132星][2m] [C++] darthton/blackbone Windows memory hacking library
[2052星][1m] [C++] mhammond/pywin32 Python for Windows (pywin32) Extensions
[700星][9d] [PS] farag2/windows-10-setup-script Windows 10 1903/1909 自动化配置脚本
[666星][28d] [C] virtio-win/kvm-guest-drivers-windows KVM / QEMU Windows来宾驱动程序
[628星][3m] [C] mrexodia/titanhide 用于隐藏某些进程调试器的驱动程序
[278星][1y] [Py] hakril/pythonforwindows 简化Python与Windows操作系统交互的库
[216星][5m] adguardteam/adguardforwindows Windows系统范围的AdBlocker

Environment&&环境&&配置

[1530星][1y] [PS] joefitzgerald/packer-windows 使用Packer创建Vagrant boxes的模板
[1368星][3m] [Go] securitywithoutborders/hardentools 禁用许多有危险的Windows功能
[1167星][11d] [HTML] nsacyber/windows-secure-host-baseline Windows 10和Windows Server 2016 DoD 安全主机基准设置的配置指南
[1054星][9d] adolfintel/windows10-privacy Win10隐私指南
[545星][11d] [PS] stefanscherer/packer-windows Windows Packer 模板：Win10, Server 2016, 1709, 1803, 1809, 2019, 1903, Insider with Docker

内核&&驱动

[943星][11m] [C] microsoft/windows-driver-frameworks Windows驱动框架(WDF)
[891星][1m] axtmueller/windows-kernel-explorer Windows内核研究工具
[515星][7m] [Py] rabbitstack/fibratus Windows内核探索和跟踪工具
[496星][3m] [C] jkornev/hidden Windows驱动，带用户模式接口：隐藏文件系统和注册表对象、保护进程等
[288星][9d] [PS] microsoftdocs/windows-driver-docs 官方Windows驱动程序工具包文档

注册表

[521星][9d] [Batchfile] chef-koch/regtweaks Windows注册表调整（Win 7-Win 10）
[293星][2m] [Py] williballenthin/python-registry 用于对Windows NT注册表文件进行纯读取访问的Python库

系统调用

[757星][4m] [HTML] j00ru/windows-syscalls Windows 系统调用表(NT/2000/XP/2003/Vista/2008/7/2012/8/10)
[349星][20d] [C] hfiref0x/syscalltables Windows NT x64系统调用表

其他

[1007星][12d] [C++] henrypp/simplewall 为Windows 过滤平台提供的配置界面
[981星][5m] [C] basil00/divert 用户模式数据包拦截库，适用于Win 7/8/10
[742星][4m] [Py] diyan/pywinrm Python实现的WinRM客户端
[605星][21d] [C] hfiref0x/winobjex64 Windows对象浏览器. x64
[475星][2m] [C#] microsoft/dbgshell PowerShell编写的Windows调试器引擎前端
[428星][12d] [C] samba-team/samba 适用于Linux和Unix的标准Windows interoperability程序套件
[412星][2m] [Jupyter Notebook] microsoft/windowsdefenderatp-hunting-queries 在MS Defender ATP中进行高级查询的示例
[396星][16d] [C#] microsoft/binskim 二进制静态分析工具，可为PE和ELF二进制格式提供安全性和正确性分析
[377星][2m] [Ruby] winrb/winrm 在Windows中使用WinRM的功能调用原生对象的SOAP库。Ruby编写

文章

新添加

贡献

内容为系统自动导出, 有任何问题请提issue

所有收集类项目

Windows

目录

PowerShell

PowerSploit

工具

文章

PSAttack

工具

文章

其他

工具

文章

DLL

新添加

工具

文章

DLL注入

工具

文章

DLL劫持

工具

文章

DLL旁加载

文章

PE

PE解析

工具

文章

工具

工具

文章

文章

.NET

工具

新添加

dnspy

文章

登录与认证

Mimikatz

工具

文章

NTLM

工具

文章

Kerberos

工具

文章

Pass-The-Hash

工具

文章

Pass-The-Ticket

文章

winglogon.exe

工具

文章

LLMNR

工具

文章

NetBIOS

工具

文章

其他

工具

安全防护

UAC

工具

文章

AppLocker

工具

文章

Data Execution Prevention(DEP)

工具

文章

Patch Guard(PG)

工具

文章

Driver Signature Enforcement(DSE)

工具

文章