All Resource Collection Projects

Windows

Windows Security Resource Collection. 1100+ open source tools, 3300+ blog posts.
This page only contains limited tools and posts. Read Full Version

PowerShell

PowerSploit

Tools

[6448Star][9d] [PS] powershellmafia/powersploit PowerSploit - A PowerShell Post-Exploitation Framework
[346Star][1y] [C#] ghostpack/sharpdump SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality.
[213Star][3m] [Py] the-useless-one/pywerview A (partial) Python rewriting of PowerSploit's PowerView

Post

2018.12 [aliyun] Reel—在HackTheBox上的一次BloodHound & PowerSploit 活动目录渗透
2018.11 [bugbountywriteup] Reel — A BloodHound & PowerSploit Active Directory HackTheBox Walkthrough
2018.02 [hackers] PowerSploit, Part 1: How to Control Nearly any Windows System with Powersploit
2017.11 [mediaservice] A patch for PowerSploit’s Invoke-Shellcode.ps1
2017.06 [stealthbits] Exploiting Weak Active Directory Permissions with PowerSploit
2017.04 [freebuf] 说说Powersploit在内网渗透中的使用
2017.03 [jpcert] Malware Leveraging PowerSploit
2016.01 [sans] toolsmith #112: Red vs Blue - PowerSploit vs PowerForensics
2016.01 [holisticinfosec] toolsmith #112: Red vs Blue - PowerSploit vs PowerForensics
2015.05 [leonjza] jenkins to meterpreter toying with powersploit
2013.04 [freebuf] PowerSploit+Metasploit=Shells
2012.05 [freebuf] Post Exploitation工具 – PowerSploit

PSAttack

Tools

Post

2017.07 [freebuf] PSAttack：一个包含所有的渗透测试用例的攻击型Powershell脚本框架
2017.07 [4hou] PSattack：一个渗透测试中使用的万能框架
2016.11 [BSidesCHS] BSidesCHS 2016: "Adding PowerShell to your Arsenal with PSAttack" - Jared Haight

Other

Tools

[216Star][23d] [PS] mkellerman/invoke-commandas Invoke Command As System/Interactive/GMSA/User on Local/Remote machine & returns PSObjects.

Post

2020.01 [4sysops] Invoke-Command: Compensating for slow responding computers
2019.12 [4sysops] Invoke-Command: Connecting to computers requiring different credentials
2019.12 [4sysops] Invoke-Command: Dealing with offline computers
2019.01 [sans] Start-Process PowerShell - Get Forensic Artifact
2018.12 [4sysops] Running PowerShell remotely as SYSTEM with Invoke-CommandAs
2013.12 [mikefrobbins] PowerShell Remoting Error When Trying to use Invoke-Command Against a Domain Controller
2013.01 [mikefrobbins] PowerShell Remoting Insanity with AppAssure and the Invoke-Command Cmdlet

DLL

Recent Add

Tools

[2064Star][10d] [C#] lucasg/dependencies A rewrite of the old legacy software "depends.exe" in C# for Windows devs to troubleshoot dll load dependencies issues.
[1393Star][12m] [C] fancycode/memorymodule Library to load a DLL from memory.
[1232Star][10d] [C#] perfare/il2cppdumper Restore dll from Unity il2cpp binary file (except code)
[810Star][10d] [C#] terminals-origin/terminals Terminals is a secure, multi tab terminal services/remote desktop client. It uses Terminal Services ActiveX Client (mstscax.dll). The project started from the need of controlling multiple connections simultaneously. It is a complete replacement for the mstsc.exe (Terminal Services) client. This is official source moved from Codeplex.
[396Star][8m] [C++] hasherezade/dll_to_exe Converts a DLL into EXE
[385Star][19d] [C#] 3f/dllexport .NET DllExport
- Also In Section: .NET->Tools->Recent Add |
[371Star][12d] [PS] netspi/pesecurity PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode.
[255Star][16d] [C++] wbenny/detoursnt Detours with just single dependency - NTDLL
[236Star][21d] [C#] erfg12/memory.dll C# Hacking library for making PC game trainers.
[234Star][1y] [C#] misaka-mikoto-tech/monohook hook C# method at runtime without modify dll file (such as UnityEditor.dll)
[220Star][2m] [C++] chuyu-team/mint Contains the definitions for the Windows Internal UserMode API from ntdll.dll, samlib.dll and winsta.dll.
[203Star][10d] [C++] s1lentq/regamedll_cs a result of reverse engineering of original library mod HLDS (build 6153beta) using DWARF debug info embedded into linux version of HLDS, cs.so

Post

2016.12 [sensepost] Rattler:Identifying and Exploiting DLL Preloading Vulnerabilities
2012.10 [netspi] Testing Applications for DLL Preloading Vulnerabilities
2010.08 [microsoft] More information about the DLL Preloading remote attack vector
2009.09 [evilcodecave] DllExportComparer
2009.07 [pediy] [原创]dll下载器分析
2009.07 [addxorrol] Poking around MSVIDCTL.DLL
2009.07 [rapid7] IE DirectShow (msvidctl.dll) MPEG-2 Metasploit Exploit
2009.07 [sans] 0-day in Microsoft DirectShow (msvidctl.dll) used in drive-by attacks
2009.07 [vexillium] DllMain and its uncovered possibilites
2009.07 [vexillium] DllMain and its uncovered possibilites
2009.06 [pediy] [原创]使用GCC创建 Windows NT 下的内核DLL
2009.06 [pediy] [Anti Virus专题]1.7 - 打造DLL内存加载引擎.
2009.05 [pediy] [原创]dll 全局api hook 一例(附代码)
2009.05 [pediy] [原创]Fengyue's DLL-Game.exe 加壳流程简单分析
2009.05 [travisgoodspeed] FET Firmware from MSP430.DLL
2009.05 [pediy] [原创]暴风影音2009(Config.dll)ActiveX远程栈溢出漏洞
2009.05 [pediy] [原创]暴风影音2009(mps.dll)ActiveX远程栈溢出漏洞
2009.04 [pediy] [求助]windows mobile dll的一个问题
2009.04 [pediy] 不需要依赖dllmain触发的CE注入代码
2009.03 [pediy] [原创]用DELPHI编写DLL插件为Windows记事本增加各种功能

DLL Injection

Tools

[994Star][1m] [C] fdiskyou/injectallthethings Seven different DLL injection techniques in one single project.
[747Star][7m] [C++] darthton/xenos Windows dll injector
[635Star][3m] [PS] monoxgas/srdi Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode

Post

2019.06 [aliyun] Windows 10 Task Scheduler服务DLL注入漏洞分析
2018.10 [pediy] [原创]代替创建用户线程使用ShellCode注入DLL的小技巧
2018.10 [4hou] 如何利用DLL注入绕过Win10勒索软件保护
2018.10 [0x00sec] Reflective Dll Injection - Any Way to check If a process is already injected?
2018.09 [pediy] [原创]win10_arm64 驱动注入dll 到 arm32程序
2018.08 [freebuf] sRDI：一款通过Shellcode实现反射型DLL注入的强大工具
2018.07 [4hou] 注入系列——DLL注入
2018.06 [0x00sec] Reflective DLL Injection - AV detects at runtime
2018.06 [qq] 【游戏漏洞】注入DLL显示游戏窗口
2017.12 [secist] Mavinject | Dll Injected
2017.12 [secvul] SSM终结dll注入
2017.10 [nsfocus] 【干货分享】Sandbox技术之DLL注入
2017.10 [freebuf] DLL注入新姿势：反射式DLL注入研究
2017.10 [pediy] [原创]通过Wannacry分析内核shellcode注入dll技术
2017.09 [360] Dll注入新姿势：SetThreadContext注入
2017.08 [silentbreaksecurity] sRDI – Shellcode Reflective DLL Injection
2017.08 [360] DLL注入那些事
2017.08 [freebuf] 系统安全攻防战：DLL注入技术详解
2017.08 [pediy] [翻译]多种DLL注入技术原理介绍
2017.07 [0x00sec] Reflective DLL Injection

DLL Hijack

Tools

[441Star][9m] [Pascal] mojtabatajik/robber Robber is open source tool for finding executables prone to DLL hijacking
[327Star][1y] [C++] anhkgg/superdllhijack A general DLL hijack technology, don't need to manually export the same function interface of the DLL, so easy!

Post

2019.06 [4hou] 戴尔预装的SupportAssist组件存在DLL劫持漏洞，全球超过1亿台设备面临网络攻击风险
2019.05 [4hou] 《Lateral Movement — SCM and DLL Hijacking Primer》的利用扩展
2019.04 [3gstudent] 《Lateral Movement — SCM and DLL Hijacking Primer》的利用扩展
2019.04 [3gstudent] 《Lateral Movement — SCM and DLL Hijacking Primer》的利用扩展
2019.04 [specterops] Lateral Movement — SCM and Dll Hijacking Primer
2019.01 [sans] DLL Hijacking Like a Boss!
2018.11 [t00ls] 一种通用DLL劫持技术研究
2018.11 [pediy] [原创]一种通用DLL劫持技术研究
2018.09 [DoktorCranium] Understanding how DLL Hijacking works
2018.09 [astr0baby] Understanding how DLL Hijacking works
2018.08 [parsiya] DVTA - Part 5 - Client-side Storage and DLL Hijacking
2018.08 [parsiya] DVTA - Part 5 - Client-side Storage and DLL Hijacking
2018.06 [cybereason] Attackers incriminate a signed Oracle process for DLL hijacking, running Mimikatz
2018.05 [360] 独辟蹊径：如何通过URL文件实现DLL劫持
2018.05 [insert] DLL Hijacking via URL files
2017.10 [cybereason] Siofra, a free tool built by Cybereason researcher, exposes DLL hijacking vulnerabilities in Windows programs
2017.08 [securiteam] SSD Advisory – Dashlane DLL Hijacking
2017.05 [4hou] Windows 下的 7 种 DLL 劫持技术
2017.05 [pediy] [原创]让代码飞出一段钢琴曲（freepiano小助手）（全局键盘钩子+dll劫持）+有码
2017.03 [pentestlab] DLL Hijacking

DLL旁加载

Post

2016.04 [hackingarticles] Hack Remote Windows PC using Office OLE multiple DLL side loading vulnerabilities
2015.12 [securify] DLL side loading vulnerability in VMware Host Guest Client Redirector
2015.11 [securify] MapsUpdateTask Task DLL side loading vulnerability
2015.11 [securify] Shutdown UX DLL side loading vulnerability
2015.09 [securify] HP ToComMsg DLL side loading vulnerability
2015.09 [securify] BDA MPEG2 Transport Information Filter DLL side loading vulnerability
2015.09 [securify] NPS Datastore server DLL side loading vulnerability
2015.09 [securify] Windows Mail Find People DLL side loading vulnerability
2015.09 [securify] HP LaserJet Fax Preview DLL side loading vulnerability
2015.09 [securify] LEADTOOLS ActiveX control multiple DLL side loading vulnerabilities
2015.08 [securify] COM+ Services DLL side loading vulnerability
2015.08 [securify] Microsoft Visio multiple DLL side loading vulnerabilities
2015.08 [securify] OLE DB Provider for Oracle multiple DLL side loading vulnerabilities
2015.08 [securify] Shockwave Flash Object DLL side loading vulnerability
2015.08 [securify] Windows Authentication UI DLL side loading vulnerability
2015.08 [securify] Event Viewer Snapin multiple DLL side loading vulnerabilities
2015.06 [securify] Cisco AnyConnect elevation of privileges via DLL side loading
2010.08 [microsoft] An update on the DLL-preloading remote attack vector

PE

PE解析

Tools

[904Star][12d] [Py] erocarrera/pefile pefile is a Python module to read and work with PE (Portable Executable) files

View Details

  ## 特性
  - Inspecting headers
  - Analysis of sections' data
  - Retrieving embedded data
  - Reading strings from the resources
  - Warnings for suspicious and malformed values
  - Support to write to some of the fields and to other parts of the PE, so it's possible to do some basic butchering of PEs
  - Packer detection with PEiD’s signatures
  - PEiD signature generation
  </details>

Post

2017.09 [] Binary offsets, virtual addresses and pefile
2017.03 [] 67,000 cuts with python-pefile
2009.05 [pediy] [原创]利用python+pefile库做PE格式文件的快速开发

Tools

[693Star][15d] [C] thewover/donut Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
- Also In Section: .NET->Tools->Recent Add |
[407Star][2m] [Assembly] hasherezade/pe_to_shellcode Converts PE into a shellcode
[399Star][5m] [Jupyter Notebook] endgameinc/ember a collection of features from PE files that serve as a benchmark dataset for researchers.
[372Star][1y] [Assembly] egebalci/amber a reflective PE packer for bypassing security products and mitigations
[342Star][7m] [C] merces/pev The PE file analysis toolkit
[328Star][2m] [VBA] itm4n/vba-runpe A VBA implementation of the RunPE technique or how to bypass application whitelisting.
[327Star][1m] [C++] trailofbits/pe-parse Principled, lightweight C/C++ PE parser
[318Star][20d] [C++] hasherezade/libpeconv A library to load, manipulate, dump PE files. See also:
[288Star][9m] [Java] katjahahn/portex Java library to analyse Portable Executable files with a special focus on malware analysis and PE malformation robustness

Post

2016.08 [3gstudent] 隐写技巧——在PE文件的数字证书中隐藏Payload
2016.08 [3gstudent] 隐写技巧——在PE文件的数字证书中隐藏Payload
2016.06 [pediy] [原创]菜鸟对PEid 0.95 Cave 查找功能逆向
2016.06 [mzrst] Professional PE Explorer – PPEE
2016.06 [pediy] [翻译]Windows PE文件中的数字签名格式
2016.05 [sans] CVE-2016-2208 Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation
2016.05 [freebuf] Manalyze：PE文件的静态分析工具
2016.04 [cyber] Presenting PeNet: a native .NET library for analyzing PE Headers with PowerShell
2016.02 [pediy] [原创]64位CreateProcess逆向:(三)PE格式的解析与效验
2016.02 [360] 在windows环境下使用Volatility或PE Capture捕捉执行代码（PE/DLL/驱动恶意文件）
2015.12 [secureallthethings] Add PE Code Signing to Backdoor Factory (BDF)
2015.12 [missmalware] PE Import Analysis for Beginners and Lazy People
2015.12 [pediy] [原创]一个C++的PE文件操作类
2015.12 [pediy] [原创]通过c++代码给PE文件添加一个区段
2015.11 [securityblog] FileAlyzer – Analyze files – Read PE information
2015.11 [securityblog] Read Portable Executable (PE) information
2015.11 [freebuf] 逆向工程（二）：从一个简单的实例来了解PE文件
2015.11 [pediy] [原创][开源]LordPE框架设计之精简版
2015.11 [pediy] [原创]手查PE重定向
2015.11 [pediy] [原创][开源]Win32控制台解析PE文件

.NET

Tools

Recent Add

[9528Star][19d] [C#] icsharpcode/ilspy .NET Decompiler with support for PDB generation, ReadyToRun, Metadata (&more) - cross-platform!
[3824Star][2m] [C#] 0xd4d/de4dot .NET deobfuscator and unpacker.
[3278Star][9m] [JS] sindresorhus/speed-test Test your internet connection speed and ping using speedtest.net from the CLI
[2526Star][1y] [C#] yck1509/confuserex An open-source, free protector for .NET applications
[1811Star][1m] [C#] sshnet/ssh.net SSH.NET is a Secure Shell (SSH) library for .NET, optimized for parallelism.
[1696Star][19d] [C#] jbevain/cecil Cecil is a library to inspect, modify and create .NET programs and libraries.
[1535Star][12d] [C#] steamre/steamkit SteamKit2 is a .NET library designed to interoperate with Valve's Steam network. It aims to provide a simple, yet extensible, interface to perform various actions on the network.
[1415Star][1y] [C++] dotnet/llilc This repo contains LLILC, an LLVM based compiler for .NET Core. It includes a set of cross-platform .NET code generation tools that enables compilation of MSIL byte code to LLVM supported platforms.
[1147Star][9d] [C#] cobbr/covenant Covenant is a collaborative .NET C2 framework for red teamers.
[1135Star][15d] [Boo] byt3bl33d3r/silenttrinity An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR
[923Star][12d] [C#] pwntester/ysoserial.net Deserialization payload generator for a variety of .NET formatters
[818Star][12d] [C#] proxykit/proxykit A toolkit to create code-first HTTP reverse proxies on ASP.NET Core
[788Star][2m] [C#] cobbr/sharpsploit SharpSploit is a .NET post-exploitation library written in C#
[728Star][3m] [C#] obfuscar/obfuscar Open source obfuscation tool for .NET assemblies
[693Star][15d] [C] thewover/donut Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
- Also In Section: PE->Tools->Tools |
[634Star][12d] [HTML] foxzilla/pxer A tool for pixiv.net
[577Star][10d] [C#] dabutvin/imgbot An Azure Function solution to crawl through all of your image files in GitHub and losslessly compress them. This will make the file size go down, but leave the dimensions and quality untouched. Once it's done, ImgBot will open a pull request for you to review and merge. help@imgbot.net
[546Star][24d] [C#] crosire/scripthookvdotnet An ASI plugin for Grand Theft Auto V, which allows running scripts written in any .NET language in-game.
[536Star][11d] [Go] timothyye/godns A dynamic DNS client tool, supports AliDNS, Cloudflare, Google Domains, DNSPod, HE.net & DuckDNS, written in Go.
[494Star][28d] [C#] paulbartrum/jurassic A .NET library to parse and execute JavaScript code.
[493Star][1m] [C#] chmorgan/sharppcap Fully managed, cross platform (Windows, Mac, Linux) .NET library for capturing packets
[486Star][28d] [C#] tyranid/oleviewdotnet A .net OLE/COM viewer and inspector to merge functionality of OleView and Test Container
[424Star][7m] [Java] nccgroup/freddy Automatically identify deserialisation issues in Java and .NET applications by using active and passive scans
[386Star][14d] [C#] addictedcs/soundfingerprinting audio fingerprinting in .NET. An efficient algorithm for acoustic fingerprinting written purely in C#.
[385Star][19d] [C#] 3f/dllexport .NET DllExport
- Also In Section: DLL->Recent Add->Tools |
[383Star][2m] [C#] security-code-scan/security-code-scan Vulnerability Patterns Detector for C# and VB.NET
[373Star][9d] [C#] sonarsource/sonar-dotnet static code analyser for C# and VB.NET languages used as an extension for the SonarQube and SonarCloud platforms.
[366Star][10m] [JS] nikolayit/openjudgesystem An open source system for online algorithm competitions for Windows, written in ASP.NET MVC
[357Star][10d] [C#] tmoonlight/nsmartproxy reverse proxy tool that creates a secure tunnel from a public endpoint to a locally service
[334Star][10d] [Java] wiglenet/wigle-wifi-wardriving Nethugging client for Android, from wigle.net
[320Star][1m] [C#] azuread/azure-activedirectory-library-for-dotnet ADAL authentication libraries for .net
[316Star][10d] [C#] dahall/vanara A set of .NET libraries for Windows implementing PInvoke calls to many native Windows APIs with supporting wrappers.

dnspy

[13163Star][24d] [C#] 0xd4d/dnspy .NET debugger and assembly editor

Post

2011.11 [pcsxcetrasupport3] Converting VB Script To VB.Net
2011.10 [pediy] [原创]小小菜鸟爆破IphoneBackupextractor V3.08(.net)
2011.06 [pediy] [原创][.net]修復不能使用的115网盘地址解析工具
2011.02 [pediy] [原创]新发现一个简单有效的.net程序破解方法（可破隐藏IL级别的保护）
2010.12 [lowleveldesign] Writing a .net debugger (part 4) – breakpoints
2010.11 [pelock] .netshrink v2.0
2010.11 [lowleveldesign] Writing a .net debugger (part 3) – symbol and source files
2010.11 [sans] DNSSEC Progress for .com and .net
2010.10 [lowleveldesign] Writing a .net debugger (part 2) – handling events and creating wrappers
2010.10 [lowleveldesign] Writing a .net debugger (part 1) – starting the debugging session
2010.05 [pediy] [原创].Net内存程序集的DUMP(ProFile篇)
2010.01 [pediy] [原创].net逆向学习总结系列[2.24更新:.net逆向学习总结002(1)]
2008.06 [pediy] [原创]请求加精！绕过.Net 2.0强名称验证，解决混合代码无法反编译的问题。
2007.12 [pediy] [翻译]Win32asm tutorial (Asm.yeah.net)
2007.10 [pediy] [[翻译]].Net 下的保护和逆向工程](https://bbs.pediy.com/thread-52738.htm)
2007.07 [pediy] [原创].Net 2.0 通用反射脱壳机完整版
2007.07 [pediy] [原创].Net 反射脱壳机核心源代码
2007.05 [pediy] [原创].net jokeme 2
2007.04 [pediy] BSPR .net1.1保护壳内部测试
2007.03 [pediy] [原创].net的joke me

Login & Credential

Mimikatz

Tools

[9161Star][11d] [C] gentilkiwi/mimikatz A little tool to play with Windows security
[802Star][10d] [Py] skelsec/pypykatz Mimikatz implementation in pure Python
[264Star][6m] [C] portcullislabs/linikatz attack AD on UNIX
[210Star][2m] [C#] ghostpack/sharpdpapi SharpDPAPI is a C# port of some Mimikatz DPAPI functionality.

Post

2020.01 [matterpreter] Mimidrv In Depth: Exploring Mimikatz’s Kernel Driver
2019.12 [LoiLiangYang] Access Windows 10 Password with Empire and Mimikatz (Cybersecurity)
2019.12 [specterops] Mimidrv In Depth: Exploring Mimikatz’s Kernel Driver
2019.11 [sentinelone] What is Mimikatz? (And Why Is It So Dangerous?)
2019.10 [securestate] No More Mimikatz
2019.07 [4hou] 探索Mimikatz神器之SSP
2019.07 [markmotig] NetKatz, Mimikatz to Hex and Defender groans but shrugs
2019.07 [4hou] 探索 Mimikatz 神器之 WDigest
2019.06 [4hou] Mimikatz中SSP的使用
2019.06 [4hou] Mimikatz中sekurlsa::wdigest的实现
2019.06 [HackerSploit] PowerShell Empire Complete Tutorial For Beginners - Mimikatz & Privilege Escalation
2019.06 [vulnerablelife] Defending Windows Domain Against Mimikatz Attacks
2019.06 [360] 深入分析Mimikatz：WDigest
2019.06 [3gstudent] Mimikatz中SSP的使用
2019.06 [360] 深入分析Mimikatz：SSP
2019.06 [xpnsec] Exploring Mimikatz - Part 2 - SSP
2019.06 [3gstudent] Mimikatz中sekurlsa::wdigest的实现
2019.05 [malcomvetter] Choose Your Own Red Team Adventure: Mimikatz
2019.05 [xpnsec] Exploring Mimikatz - Part 1 - WDigest
2019.04 [crowdstrike] Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”

NTLM

Tools

[3097Star][5m] [Py] spiderlabs/responder a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
[1887Star][1m] [Py] lgandx/responder a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
[781Star][1m] [Py] lgandx/pcredz This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.
[744Star][1y] [C#] eladshamir/internal-monologue Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
[676Star][1y] [Py] deepzec/bad-pdf create malicious PDF file to steal NTLM(NTLMv1/NTLMv2) Hashes from windows machines
[256Star][2m] [Py] evilmog/ntlmv1-multi NTLMv1 Multitool
[252Star][14d] [PS] notmedic/netntlmtosilverticket SpoolSample -> Responder w/NetNTLM Downgrade -> NetNTLMv1 -> NTLM -> Kerberos Silver Ticket
[250Star][11d] [Ruby] urbanesec/zackattack Unveiled at DEF CON 20, NTLM Relaying to ALL THE THINGS!

Post

2019.11 [4hou] NTLM 中继攻击的几种非主流玩法
2019.10 [4hou] NTLM攻击两例
2019.09 [pentestlab] Microsoft Exchange – NTLM Relay
2019.08 [vulnerability0lab] Windows 10 Net NTLMv2 Credentials Steal with Excel
2019.06 [freebuf] CVE-2019-1040 Windows NTLM篡改漏洞分析
2019.06 [technicalsyn] Eternalrelayx.py — Non-Admin NTLM Relaying & ETERNALBLUE Exploitation
2019.06 [tencent] Windows NTLM认证(CVE-2019-1040)漏洞预警
2019.06 [4hou] 微软NTLM协议曝出巨大漏洞，现有安全保护措施也无用！
2019.06 [preempt] Security Advisory: Critical Vulnerabilities in NTLM Allow Remote Code Execution and Cloud Resources Compromise
2019.03 [nsfocus] 【M01N】资源约束委派和NTLM Relaying的组合拳接管域内任意主机系统权限
2019.03 [4hou] 结合NTLM中继和Kerberos委派实现域成员机器的提权
2019.03 [venus] 利用 Exchange SSRF 漏洞和 NTLM 中继沦陷域控
2019.03 [knownsec] 利用 Exchange SSRF 漏洞和 NTLM 中继沦陷域控
2019.01 [sans] Relaying Exchange?s NTLM authentication to domain admin (and more)
2019.01 [ironcastle] CERT/CC Reports Microsoft Exchange 2013 and Newer are Vulnerable to NTLM Relay Attacks
2019.01 [evi1cg] Remote NTLM relaying through CS
2019.01 [freebuf] Windows环境中使用Responder获取NTLMv2哈希并利用
2019.01 [4hou] 通过web应用中的文件下载漏洞窃取NTLMv2哈希
2018.12 [hitbsecconf] #HITB2018DXB D2T2: NTLM Relay Is Dead, Long Live NTLM Relay - Jianing Wang and Junyu Zhou
2018.12 [ZeroNights] Jianing Wang, Junyu Zhou - Ntlm Relay Reloaded: Attack methods you do not know

Kerberos

Tools

[728Star][19d] [C#] ghostpack/rubeus a C# toolset for raw Kerberos interaction and abuses.
[617Star][3m] [C] gentilkiwi/kekeo A little toolbox to play with Microsoft Kerberos in C
[593Star][7m] [Py] nidem/kerberoast a series of tools for attacking MS Kerberos implementations
[376Star][12d] [Go] jcmturner/gokrb5 Pure Go Kerberos library for clients and services
[354Star][2m] [Go] ropnop/kerbrute A tool to perform Kerberos pre-auth bruteforcing
[236Star][27d] [Py] dirkjanm/krbrelayx Kerberos unconstrained delegation abuse toolkit

Post

2020.02 [aliyun] 域渗透——Kerberos委派攻击
2020.01 [stealthbits] What is Kerberos Delegation? An Overview of Kerberos Delegation
2020.01 [3gstudent] 渗透技巧——通过Kerberos pre-auth进行用户枚举和口令爆破
2019.10 [4hou] Kerberos中继攻击：滥用无约束委派（下）
2019.09 [4hou] Kerberos中继攻击：滥用无约束委派（上）
2019.07 [4hou] Kerberos 委派攻击原理之 S4U2 利用详解
2019.06 [stealthbits] What is the Kerberos PAC?
2019.05 [andreafortuna] Some thoughts about Kerberos Golden Tickets
2019.05 [improsec] The mind-blowing Kerberos "Use Any Authentication Protocol" Delegation
2019.05 [aliyun] Kerberos Security
2019.03 [freebuf] Kerberos协议探索系列之委派篇
2019.03 [tarlogic] Kerberos (I): How does Kerberos work? – Theory
2019.03 [360] Kerberos协议探索系列之委派篇
2019.03 [ironcastle] Special Webcast: Purple Kerberos: Current attack strategies & defenses – March 11, 2019 1:00pm US/Eastern
2019.03 [freebuf] Kerberos协议探索系列之票据篇
2019.03 [360] Kerberos协议探索系列之票据篇
2019.03 [freebuf] Kerberos协议探索系列之扫描与爆破篇
2019.02 [360] Kerberos协议探索系列之扫描与爆破篇
2019.01 [f5] Troubleshooting Kerberos Constrained Delegation: Strong Encryption Types Allowed for Kerberos
2019.01 [sans] Attacking Kerberos

PassTheHash

Tools

Post

2020.01 [aliyun] 深入研究Pass-the-Hash攻击与防御
2019.08 [infosecinstitute] MITRE ATT&CK vulnerability spotlight: Pass-the-hash
2019.04 [4hou] 高级域渗透技术之传递哈希已死-LocalAccountTokenFilterPolicy万岁
2019.03 [freebuf] 如何检测Pass-the-Hash攻击？
2019.03 [tevora] About Windows Process/Thread Tokens and Pass The Hash
2019.02 [stealthbits] How to Detect Overpass-the-Hash Attacks
2019.02 [swordshield] Phantom Users: Deception and Pass the Hash Attacks
2019.02 [swordshield] Phantom Users: Deception and Pass the Hash Attacks
2019.02 [stealthbits] How to Detect Pass-the-Hash Attacks
2018.08 [stealthbits] Deploying Pass-the-Hash Honeypots
2018.07 [stealthbits] Detecting Pass-the-Hash with Honeypots
2018.05 [3gstudent] 渗透技巧——Pass the Hash with Remote Desktop
2018.05 [3gstudent] 渗透技巧——Pass the Hash with Remote Desktop
2018.02 [4hou] 如何用WINDOWS事件查看器检测传递哈希
2017.12 [3gstudent] 域渗透——Pass The Hash的实现
2017.12 [3gstudent] 域渗透——Pass The Hash的实现
2017.12 [aliyun] 域渗透——Pass The Hash的实现
2017.08 [labofapenetrationtester] Week of Evading Microsoft ATA - Day 2 - Overpass-the-hash and Golden Ticket
2017.06 [decoder] From Pass-the-Hash to Pass-the-Ticket with no pain
2017.06 [wikidsystems] Defeating pass-the-hash attacks with two-factor authentication

Pass-The-Ticket

Post

2019.02 [stealthbits] How to Detect Pass-the-Ticket Attacks
2017.05 [4hou] 如何通过SSH隧道实现 Windows Pass the Ticket攻击？
2017.05 [bluescreenofjeff] How To Pass the Ticket Through SSH Tunnels

winglogon.exe

Tools

Post

2020.01 [pentestlab] Persistence – Winlogon Helper DLL
2019.09 [specterops] Understanding and Defending Against Access Token Theft: Finding Alternatives to winlogon.exe
2016.11 [hexacorn] The Archaeologologogology #2 – the romantic view as seen through the winlogon.exe’s window…
2016.05 [malwarebytes] Tech support scammers using Winlogon
2010.11 [redplait] winlogon.exe RPC interfaces
2009.05 [pediy] [推荐]汇编实现注入winlogon.exe屏蔽Ctrl+Alt+Del 附lib库源码和例子

LLMNR

Tools

[1072Star][6m] [PS] kevin-robertson/inveigh Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool
[258Star][6m] [C#] kevin-robertson/inveighzero Windows C# LLMNR/mDNS/NBNS/DNS spoofer/man-in-the-middle tool

Post

2019.08 [bugbountywriteup] LLMNR Poisoning and WPAD Spoofing
2019.04 [blackhillsinfosec] An SMB Relay Race – How To Exploit LLMNR and SMB Message Signing for Fun and Profit
2018.12 [4hou] 内网渗透技术之超越LLMNR/NBNS欺骗的ADIDNS欺骗攻击
2018.07 [netspi] Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS
2018.06 [blackhillsinfosec] How to Disable LLMNR & Why You Want To
2018.05 [freebuf] 利用LLMNR结合PDF文件获取PC Hashes
2017.11 [aliyun] 利用 LLMNR 名称解析缺陷劫持内网指定主机会话
2017.04 [n0where] Windows PowerShell LLMNR/NBNS spoofer: Inveigh
2017.03 [n0where] LLMNR NBT-NS MDNS Poisoner: Responder
2017.02 [360] 渗透测试中的LLMNR/NBT-NS欺骗攻击
2017.01 [polaris] LLMNR&WPAD介绍以及渗透测试中的利用
2016.12 [pentest] What is LLMNR & WPAD and How to Abuse Them During Pentest ?
2016.11 [n0where] LLMNR, NBT-NS and MDNS Responder for Windows
2016.06 [] LLMNR and NBT-NS Poisoning Using Responder
2016.03 [360] Inveigh：Windows Powershell版的LLMNR/NBNS 协议欺骗/中间人工具
2016.02 [securityblog] LLMNR NBT-NS and MDNS poisoner
2015.12 [toolswatch] Inveigh Beta Windows PowerShell LLMNR/NBNS Spoofer
2015.09 [gracefulsecurity] Stealing Accounts: LLMNR and NBT-NS Spoofing

NetBIOS

Tools

Post

2019.01 [infosecaddicts] Enumerating NetBIOS services
2018.10 [HackerSploit] NetBIOS And SMB Enumeration - Nbtstat & smbclient
2017.09 [hackingarticles] NetBIOS and SMB Penetration Testing on Windows
2016.09 [rapid7] Sonar NetBIOS Name Service Study
2015.10 [akamai] NetBIOS, RPC Portmap and Sentinel Reflection DDoS Attacks
2015.09 [darknet] Remote Network Penetration via NetBios Hack/Hacking
2015.08 [agrrrdog] NetBIOS spoofing for attacks on browser
2014.08 [sans] All Samba 4.x.x are vulnerable to a remote code execution vulnerability in the nmbd NetBIOS name services daemon
2013.04 [securityblog] Disable NetBIOS NULL Sessions
2012.08 [pentestlab] Scanning NetBIOS
2012.08 [freebuf] 使用NetBios Spoofing技术渗透内网
2012.05 [sans] Windows Firewall Bypass Vulnerability and NetBIOS NS
2012.04 [securityblog] NetBIOS name enumeration
2012.01 [sans] Is it time to get rid of NetBIOS?
2011.02 [toolswatch] Netbios Share Scanner updated to v0.3
2011.01 [toolswatch] Netbios Share Scanner v0.2 released
2008.08 [skullsecurity] nbtool 0.02 released! (also, a primer on NetBIOS)

Other

Tools

Windows Protections

UAC

Tools

[2500Star][2m] [C] hfiref0x/uacme Defeating Windows User Account Control
[2458Star][9d] [PS] k8gege/k8tools K8工具合集(内网渗透/提权工具/远程溢出/漏洞利用/扫描工具/密码破解/免杀工具/Exploit/APT/0day/Shellcode/Payload/priviledge/BypassUAC/OverFlow/WebShell/PenTest) Web GetShell Exploit(Struts2/Zimbra/Weblogic/Tomcat/Apache/Jboss/DotNetNuke/zabbix)
[1859Star][17d] [JS] coreybutler/node-windows Windows support for Node.JS scripts (daemons, eventlog, UAC, etc).
[1742Star][1m] [Py] rootm0s/winpwnage UAC bypass, Elevate, Persistence and Execution methods

Post

2020.01 [morphisec] Trickbot Trojan Leveraging a New Windows 10 UAC Bypass
2019.11 [4hou] CVE-2019-1388： Windows UAC权限提升漏洞
2019.10 [freebuf] UAC绕过初探
2019.09 [4sysops] Security options in Windows Server 2016: Accounts and UAC
2019.09 [heynowyouseeme] windows 10 GUI UAC bypass ( netplwiz.exe )
2019.08 [heynowyouseeme] Windows 10 LPE (UAC Bypass) in Windows Store (WSReset.exe)
2019.08 [freebuf] SneakyEXE：一款嵌入式UAC绕过工具
2019.04 [markmotig] Brute Forcing Admin Passwords with UAC
2019.03 [4hou] 通过模拟可信目录绕过UAC的利用分析
2019.03 [aliyun] 如何滥用Access Tokens UIAccess绕过UAC
2019.02 [3gstudent] 通过模拟可信目录绕过UAC的利用分析
2019.02 [3gstudent] 通过模拟可信目录绕过UAC的利用分析
2019.02 [sans] UAC is not all that bad really
2019.01 [fuzzysecurity] Anatomy of UAC Attacks
2019.01 [sevagas] Yet another sdclt UAC bypass
2018.11 [4hou] 利用metasploit绕过UAC的5种方式
2018.11 [tenable] UAC Bypass by Mocking Trusted Directories
2018.10 [0x000x00] How to bypass UAC in newer Windows versions
2018.10 [tyranidslair] Farewell to the Token Stealing UAC Bypass
2018.10 [tyranidslair] Farewell to the Token Stealing UAC Bypass

AppLocker

Tools

[947Star][23d] [PS] api0cradle/ultimateapplockerbypasslist The goal of this repository is to document the most common techniques to bypass AppLocker.

Post

2019.11 [tyranidslair] The Internals of AppLocker - Part 4 - Blocking DLL Loading
2019.11 [tyranidslair] The Internals of AppLocker - Part 4 - Blocking DLL Loading
2019.11 [tyranidslair] The Internals of AppLocker - Part 3 - Access Tokens and Access Checking
2019.11 [tyranidslair] The Internals of AppLocker - Part 3 - Access Tokens and Access Checking
2019.11 [tyranidslair] The Internals of AppLocker - Part 2 - Blocking Process Creation
2019.11 [tyranidslair] The Internals of AppLocker - Part 2 - Blocking Process Creation
2019.11 [tyranidslair] The Internals of AppLocker - Part 1 - Overview and Setup
2019.11 [tyranidslair] The Internals of AppLocker - Part 1 - Overview and Setup
2019.09 [blackhillsinfosec] Getting Started With AppLocker
2019.08 [p0w3rsh3ll] How to delete a single Applocker rule
2019.05 [oddvar] A small discovery about AppLocker
2019.04 [4hou] 通过regsrv32.exe绕过Applocker应用程序白名单的多种方法
2019.03 [4sysops] Application whitelisting: Software Restriction Policies vs. AppLocker vs. Windows Defender Application Control
2019.03 [4hou] 逃避手段再开花——从一个能逃避AppLocker和AMSI检测的Office文档讲起
2019.03 [yoroi] The Document that Eluded AppLocker and AMSI
2019.03 [p0w3rsh3ll] Applocker and PowerShell: how do they tightly work together?
2019.02 [4hou] 如何以管理员身份绕过AppLocker
2019.02 [oddvar] Bypassing AppLocker as an admin
2019.01 [hackingarticles] Windows Applocker Policy – A Beginner’s Guide
2019.01 [t00ls] 投稿文章：Bypass Applocker + 免杀执行任意 shellcode [ csc + installUtil ]

DEP

Tools

Post

2019.11 [aliyun] ARM EXP 开发 - 绕过 DEP 执行 mprotect()
2019.07 [codingvision] Bypassing ASLR and DEP - Getting Shells with pwntools
2019.01 [fuzzysecurity] MS13-009 Use-After-Free IE8 (DEP)
2019.01 [fuzzysecurity] BlazeVideo HDTV Player 6.6 Professional SEH&DEP&ASLR
2019.01 [fuzzysecurity] NCMedia Sound Editor Pro v7.5.1 SEH&DEP&ASLR
2019.01 [fuzzysecurity] ALLMediaServer 0.8 SEH&DEP&ASLR
2018.12 [360] CoolPlayer bypass DEP(CVE-2008-3408)分析
2018.09 [duo] Weak Apple DEP Authentication Leaves Enterprises Vulnerable to Social Engineering Attacks and Rogue Devices
2018.09 [3or] ARM Exploitation - Defeating DEP - executing mprotect()
2018.09 [3or] ARM Exploitation - Defeating DEP - execute system()
2018.06 [pediy] [原创]Easy MPEG to DVD Burner 1.7.11 SEH + DEP Bypass Local Buffer Overflow
2018.05 [pediy] [翻译]DEP缓解技术(一)
2017.12 [360] 利用缓解技术：数据执行保护（DEP）
2017.12 [0x00sec] Exploit Mitigation Techniques - Data Execution Prevention (DEP)
2017.10 [freebuf] 在64位系统中使用ROP+Return-to-dl-resolve来绕过ASLR+DEP
2017.10 [freebuf] 如何在32位系统中使用ROP+Return-to-dl来绕过ASLR+DEP
2017.08 [pediy] [原创]利用Ret2Libc挑战DEP——利用ZwSetInformationProcess
2017.06 [360] ropasaurusrex:ROP入门教程——DEP（下）
2017.06 [360] ropasaurusrex:ROP入门教程——DEP（上）
2017.05 [myonlinesecurity] fake clothing order Berhanu (PURCHASE DEPARTMENT) using winace files delivers Loki bot

PG

Tools

[551Star][11m] [C] hfiref0x/upgdsed Universal PatchGuard and Driver Signature Enforcement Disable

Post

2019.04 [OffensiveCon] OffensiveCon19 - Luc Reginato - Updated Analysis of PatchGuard on Windows RS4
2019.03 [tetrane] Updated Analysis of PatchGuard on Microsoft Windows 10 RS4
2018.10 [aliyun] 搞定PatchGuard：利用KPTI绕过内核修改保护
2018.10 [ensilo] Melting Down PatchGuard: Leveraging KPTI to Bypass Kernel Patch Protection
2018.09 [pediy] [原创]PatchGuard自效验粗略分析
2015.06 [alex] What are Little PatchGuards Made Of?
2015.01 [ptsecurity] Windows 8.1 Kernel Patch Protection — PatchGuard
2014.07 [mcafee] Malicious Utility Can Defeat Windows PatchGuard
2014.07 [mcafee] Malicious Utility Can Defeat Windows PatchGuard
2014.03 [mcafee] Analyzing the Uroburos PatchGuard Bypass
2014.03 [mcafee] Analyzing the Uroburos PatchGuard Bypass
2013.02 [pediy] [原创]DisablePatchGuard.sys
2012.11 [pediy] [讨论]让PatchGuard变狗屎的那些方法~
2011.06 [picturoku] Patchguard red flags
2009.12 [immunityinc] PatchGuard
2007.01 [alex] Windows Vista 64-bit Driver Signing/PatchGuard Workaround
2007.01 [pediy] [转帖]Bypassing PatchGuard on Windows x64
2006.10 [microsoft] The Final Word – Jim Allchin Letter Clarifies Patchguard on Vista
2006.10 [infosecblog] MS caves on Vista Patchguard? Not so fast
2006.08 [microsoft] Interview with Patchguard Architect Forrest Foltz (Windows Vista x64 Security – Patchguard follow up)

DSE

Tools

[723Star][10m] [C] hfiref0x/tdl Driver loader for bypassing Windows x64 Driver Signature Enforcement
[369Star][11d] [C] mattiwatti/efiguard Disable PatchGuard and DSE at boot time
[322Star][5m] [C] 9176324/shark Turn off PatchGuard in real time for win7 (7600) ~ win10 (18950).
[274Star][9d] [C++] can1357/byepg Defeating Patchguard universally for Windows 8, Windows 8.1 and all versions of Windows 10 regardless of HVCI

Post

2014.05 [pediy] [分享]抄抄改改过win7,win8,win8.1 x64的强制签名(DSE)
2013.01 [colinpoflynn] Windows 7 64-bit Disable Driver Signature Enforcement
2012.12 [vexillium] Defeating Windows Driver Signature Enforcement #3: The Ultimate Encounter
2012.12 [vexillium] Defeating Windows Driver Signature Enforcement #3: The Ultimate Encounter
2012.11 [vexillium] Defeating Windows Driver Signature Enforcement #2: CSRSS and thread desktops
2012.11 [vexillium] Defeating Windows Driver Signature Enforcement #2: CSRSS and thread desktops
2012.11 [vexillium] Defeating Windows Driver Signature Enforcement #1: default drivers
2012.11 [vexillium] Defeating Windows Driver Signature Enforcement #1: default drivers
2010.06 [vexillium] A quick insight into the Driver Signature Enforcement
2010.06 [vexillium] A quick insight into the Driver Signature Enforcement
2006.03 [] Showdown: MIIS vs. DSE

Defender

Tools

[424Star][10d] [C#] matterpreter/defendercheck Identifies the bytes that Microsoft Defender flags on.

Post

2020.02 [eforensicsmag] [CQLabs] Windows Defender Exploit Guard under the hood |by Artur Wojtkowski
2019.12 [p0w3rsh3ll] Quick post: Review Windows Defender notifications
2019.12 [4hou] 评估一个新的安全数据源的有效性: Windows Defender 漏洞利用防护（上）
2019.12 [Enderman] Can Windows Defender protect your computer against malware?
2019.12 [illuminati] Starlink: “Sorry this application cannot run in a Virtual Machine” while running with Windows Defender Application Guard enabled.
2019.11 [vishal] Disable Defender in Win10
2019.10 [palantir] Assessing the effectiveness of a new security data source: Windows Defender Exploit Guard
2019.10 [HackersOnBoard] Windows Offender Reverse Engineering Windows Defender's Antivirus Emulator
2019.09 [ATTTechChannel] 9/13/19 GootKit Malware Bypasses Windows Defender | AT&T ThreatTraq
2019.09 [aliyun] Playing with Windows Defender
2019.07 [microsoft] How Windows Defender Antivirus integrates hardware-based system integrity for informed, extensive endpoint protection
2019.06 [goet] Analyzing your Microsoft Defender ATP data in real-time in ELK using the new streaming API
2019.06 [goet] Protect yourself against #BlueKeep using Azure Sentinel and Defender ATP.
2019.05 [eli] Using PowerShell in Windows Defender
2019.05 [morphisec] Morphisec + WINDOWS Defender AV: Advanced Threat Protection Made Easy
2019.04 [contextis] Windows Defender Functionality
2019.04 [rce4fun] Circumventing Windows Defender ATP's user-mode APC Injection sensor from Kernel-mode
2019.03 [freebuf] 良心开发者，微软安全防护套件Windows Defender ATP将登陆Mac OS平台
2019.03 [4hou] 攻击者如何使用修改后的Empire绕过Windows Defender
2019.03 [freebuf] 修改Empire绕过Windows Defender

AMSI

Tools

[322Star][9d] [C#] hackplayers/salsa-tools Salsa Tools - ShellReverse TCP/UDP/ICMP/DNS/SSL/BINDTCP/Shellcode/SILENTTRINITY and AV bypass, AMSI patched

Post

2020.01 [ionize] Detecting AMSI Bypass
2019.11 [two06] AMSI as a Service — Automating AV Evasion
2019.11 [thecyberbutler] Yet another update to bypass AMSI in VBA
2019.11 [freebuf] 如何识别并分析反恶意软件扫描接口(AMSI)组件
2019.10 [binarydefense] Binary Defense MDR Integrates Microsoft Antimalware Scan Interface Interoperability (AMSI) - Binary Defense
2019.10 [mattifestation] Antimalware Scan Interface Detection Optics Analysis Methodology: Identification and Analysis of AMSI for WMI
2019.10 [4hou] 看我如何一步步将基于堆的 AMSI 绕过做到接近完美
2019.10 [specterops] Antimalware Scan Interface Detection Optics Analysis Methodology
2019.09 [byte] Adventures in the Wonderful World of AMSI.
2019.08 [4hou] 绕过AMSI的全套操作过程
2019.08 [mcafee] McAfee AMSI Integration Protects Against Malicious Scripts
2019.08 [mcafee] McAfee AMSI Integration Protects Against Malicious Scripts
2019.07 [codewhitesec] Heap-based AMSI bypass for MS Excel VBA and others
2019.07 [f] Hunting for AMSI bypasses
2019.06 [360] 如何绕过AMSI
2019.06 [contextis] AMSI Bypass
2019.06 [aliyun] How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code
2019.06 [360] 如何绕过AMSI及WLDP
2019.05 [benoit] Alternative AMSI bypass
2019.04 [4hou] 如何绕过AMSI for VBA

ASLR

Tools

[901Star][2m] [Roff] slimm609/checksec.sh a bash script to check the properties of executables (like PIE, RELRO, PaX, Canaries, ASLR, Fortify Source).
[371Star][12d] [PS] netspi/pesecurity PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode.

Post

2019.12 [johnlatwc] Early Security Stories — ASLR
2019.10 [HackersOnBoard] Black Hat USA 2016 Breaking Kernel Address Space Layout Randomization KASLR With Intel TSX
2019.06 [arxiv] [1906.10478] From IP ID to Device ID and KASLR Bypass (Extended Version)
2019.06 [securityevaluators] ASUSWRT RCE via Buffer Overflow, ASLR Bypass
2019.06 [openanalysis] Disable ASLR for Easier Malware Debugging With x64dbg and IDA Pro
2019.06 [OALabs] Disable ASLR For Easier Malware Debugging With x64dbg and IDA Pro
2019.04 [4hou] 利用ASLR薄弱点：Chrome沙箱逃逸漏洞分析
2019.03 [offensive] Development of a new Windows 10 KASLR Bypass (in One WinDBG Command)
2019.03 [notsoshant] Windows Exploitation: ASLR Bypass (MS07–017)
2019.02 [rce4fun] VirtualProtectEx to bypass ASLR : A specific case study
2019.01 [aliyun] 静态链接可执行文件的ASLR保护机制
2018.11 [pediy] [原创] CVE-2014-0322 IE与Flash结合利用绕过ASLR+DEP
2018.11 [pediy] [原创]CVE-2012-1889 Win7 通过GUID加载dll库绕过ASLR+DEP
2018.11 [securityevaluators] ASUSWRT Buffer Overflow, Format String ASLR Bypass
2018.10 [osandamalith] PE Sec Info – A Simple Tool to Manipulate ASLR and DEP Flags
2018.08 [cmu] When "ASLR" Is Not Really ASLR - The Case of Incorrect Assumptions and Bad Defaults
2018.06 [teamultimate] Return to PLT, GOT to bypass ASLR remotely
2018.06 [teamultimate] Format String Exploits: Defeating Stack Canary, NX and ASLR Remotely on 64 bit
2018.06 [nul] Linux ASLR的一些实验（1）
2018.05 [pediy] [翻译]绕过 ASLR + NX 第一部分

Control Flow Guard

Tools

Control Integrity Guard

Other

MS1X

Tools

[345Star][4m] [Py] 3ndg4me/autoblue-ms17-010 This is just an semi-automated fully working, no-bs, non-metasploit version of the public exploit code for MS17-010
[254Star][17d] [Py] mez-0/ms17-010-python MS17-010: Python and Meterpreter

Post

2020.02 [LoiLiangYang] Exploiting Windows 10 with MS17_010_PSEXEC
2010.04 [g] MS10-020
2010.04 [sans] MS10-021: Encountering A Failed WinXP Update
2010.03 [sans] OOB Update for Internet Explorer MS10-018
2010.02 [sans] MS10-015 may cause Windows XP to blue screen (but only if you have malware on it)
2010.02 [g] More details on MS10-006
1970.01 [] [MS15-010 / CVE-2015-0057] Exploitation

System

RDP

Tools

[6407Star][1y] [Pascal] stascorp/rdpwrap RDP Wrapper Library
[3800Star][9d] [C] freerdp/freerdp FreeRDP is a free remote desktop protocol library and clients
[1655Star][21d] [C] neutrinolabs/xrdp xrdp: an open source RDP server
[1083Star][9d] [C] zerosum0x0/cve-2019-0708 Scanner PoC for CVE-2019-0708 RDP RCE vuln
[996Star][1m] [Py] syss-research/seth Perform a MitM attack and extract clear text credentials from RDP connections
[911Star][13d] [Py] jimmy201602/webterminal ssh rdp vnc telnet sftp bastion/jump web putty xshell terminal jumpserver audit realtime monitor rz/sz 堡垒机云桌面 linux devops sftp websocket file management rz/sz otp 自动化运维审计录像文件管理 sftp上传实时监控录像回放网页版rz/sz上传下载/动态口令 django
[764Star][10d] [C] rdesktop/rdesktop rdesktop is an open source UNIX client for connecting to Windows Remote Desktop Services, capably of natively speaking Remote Desktop Protocol (RDP) in order to present the user's Windows desktop. rdesktop is known to work with Windows server version ranging from NT 4 terminal server to Windows 2012 R2.
[692Star][13d] [C] robertdavidgraham/rdpscan A quick scanner for the CVE-2019-0708 "BlueKeep" vulnerability.
[433Star][9d] [C++] 0x09al/rdpthief Extracting Clear Text Passwords from mstsc.exe using API Hooking.
[378Star][15d] [C#] beckzhu/simpleremote Remote Administration Tools
[376Star][13d] [Py] gosecure/pyrdp RDP man-in-the-middle (mitm) and library for Python 3 with the ability to watch connections live or after the fact
[339Star][21d] [PS] joelgmsec/autordpwn The Shadow Attack Framework
[296Star][9d] [Py] xfreed0m/rdpassspray Python3 tool to perform password spraying using RDP
[283Star][8m] [Py] k8gege/cve-2019-0708 3389远程桌面代码执行漏洞CVE-2019-0708批量检测工具(Rdpscan Bluekeep Check)

Post

2019.05 [fortinet] CVE-2019-0708 – Remote Desktop Protocol and Remote Code Execution #Bluekeep
2018.07 [mcafee] Organizations Leave Backdoors Open to Cheap Remote Desktop Protocol Attacks
2018.04 [fireeye] Establishing a Baseline for Remote Desktop Protocol
2017.12 [blackmoreops] Hacking remote desktop protocol using rdpy
2017.11 [esecurityplanet] Flood of Attacks Spread Ransomware via Remote Desktop Protocol
2017.03 [4hou] 如何悄无声息的对RDP和远程会话进行劫持？
2017.03 [korznikov] Passwordless RDP Session Hijacking Feature All Windows versions
2017.02 [trendmicro] Brute Force RDP Attacks Plant CRYSIS Ransomware
2016.12 [sensepost] XRDP: Exploiting Unauthenticated X Windows Sessions
2016.11 [digi] Windows RDP client, show login page
2016.11 [webroot] RDP Attacks: What You Need to Know and How to Protect Yourself
2016.11 [whereisk0shl] Cain RDP缓冲区溢出漏洞（CVE-2008-5405）
2016.08 [id] Anti-1C, RDP-WinRAR
2016.07 [freebuf] RDP连接降级攻击以及规避方法解析
2016.06 [duo] Protecting Remote Access to Your Computer: RDP Attacks and Server Credentials for Sale
2016.05 [willgenovese] SSH Tunneling RDP Using Putty
2016.05 [fox] Ransomware deployments after brute force RDP attack
2016.04 [portcullis] Downgrading RDP connections and how to avoid it
2016.04 [contextis] RDP Replay Code Release
2016.01 [securestate] Scripting RDP for Pillaging and Potato

文章_0

2019.12 [welivesecurity] It’s time to disconnect RDP from the internet | WeLiveSecurity
2019.12 [4hou] 预警！Windows BlueKeep RDP来了！
2019.12 [talosintelligence] Microsoft Remote Desktop Services (RDP8) license negotiation denial-of-service vulnerability
2019.12 [talosintelligence] Microsoft Remote Desktop Services (RDP7) Windows XP Multiple Information Leak Vulnerabilities
2019.12 [talosintelligence] Vulnerability Spotlight: Two vulnerabilities in RDP for Windows 7, XP
2019.12 [4hou] Reverse RDP攻击：Hyper-V Connection
2019.11 [freebuf] RDP远程漏洞（CVE-2019-0708）被发现野外利用来挖矿
2019.11 [venus] 通过RDP反向攻击mstsc
2019.11 [rapid7] Securing RDP Vulnerabilities: Learnings from Bluekeep and DejaBlue
2019.11 [fortinet] BlueKeep RDP Attacks are Starting – Patch CVE-2019-0708 Now
2019.09 [venus] RDP 登录日志取证与清除
2019.09 [aliyun] RDP登录日志取证与清除
2019.09 [webroot] Cyber News Rundown: TFlower Ransomware Exploiting RDP
2019.09 [freebuf] Seth：执行MitM攻击并从RDP连接中提取明文凭证
2019.09 [hakin9] PyRDP - Python 3 Remote Desktop Protocol (RDP) Man-in-the-Middle (MITM) and library
2019.09 [4hou] RDP漏洞或引发大规模蠕虫爆发，用户可用阿里云免费检测服务，请尽快修复
2019.09 [4sysops] Azure Redeploy: If RDP or application access to an Azure VM fails
2019.09 [tencent] 腾讯安全发布高危预警：Crysis勒索病毒利用RDP爆破攻击加剧
2019.08 [malwaretech] DejaBlue: Analyzing a RDP Heap Overflow
2019.08 [freebuf] 微软RDP远程代码执行漏洞（CVE-2019-0708）分析集锦

SMB

Tools

[1215Star][1m] [C#] k8gege/ladon 用于大型网络渗透的多线程插件化综合扫描神器
[820Star][1y] [PS] kevin-robertson/invoke-thehash PowerShell functions for performing pass the hash WMI and SMB tasks
[767Star][2m] [Py] shawndevans/smbmap SMBMap is a handy SMB enumeration tool
[388Star][12d] [C] zerosum0x0/smbdoor Windows kernel backdoor via registering a malicious SMB handler
[355Star][3m] [Py] m8r0wn/nullinux Internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB.
[348Star][11m] [Py] skorov/ridrelay Enumerate usernames on a domain where you have no creds by using SMB Relay with low priv.
[322Star][8m] [C#] raikia/credninja A multithreaded tool designed to identify if credentials are valid, invalid, or local admin valid credentials within a network at-scale via SMB, plus now with a user hunter
[255Star][19d] [PS] p3nt4/invoke-piper Forward local or remote tcp ports through SMB pipes.
[225Star][3m] [Py] m4ll0k/smbrute SMB Protocol Bruteforce
[210Star][3m] [Py] miketeo/pysmb pysmb is an experimental SMB/CIFS library written in Python. It implements the client-side SMB/CIFS protocol (SMB1 and SMB2) which allows your Python application to access and transfer files to/from SMB/CIFS shared folders like your Windows file sharing and Samba folders.

Post

2013.12 [trendmicro] FBI details major trends in cyber attacks against SMB’s
2013.11 [sophos] Ponemon Institute: Management uncertainty, lack of security expertise put SMBs at risk
2013.10 [thomasmaurer] EMC – SMB 3.0 is the Future of Storage
2013.07 [pediy] [原创]实验：SMB抓包破解windows登陆密码
2013.06 [microsoft] Cloud Trust Study: Top of the hill Security, Privacy and Reliability benefits for SMBs in Germany
2013.06 [intercepter] Актуальность атаки SMBRelay в современных Windows сетях
2013.06 [microsoft] Cloud Trust Study: SMBs in France echo Security, Privacy and Reliability Benefits of Cloud Computing
2013.06 [microsoft] Blue Skies in London: Cloud Security, Privacy and Reliability Perceptions of SMBs in the U.K
2013.04 [microsoft] SMB CTO Reports on Security Management and Green IT with the Cloud
2013.01 [trendmicro] 2013 Security Predictions: What Should Small and Medium Businesses (SMB) Look Out For?
2013.01 [trendmicro] Securing Your First Server: What SMBs Need to Know
2012.12 [netspi] Executing SMB Relay Attacks via SQL Server using Metasploit
2012.12 [bogner] SMBX: Where is my smb.conf
2012.12 [trendmicro] Mobile Security for the SMB: Mac vs. Android Threats
2012.11 [] SMB ATTACK 绕过安全软件的访问
2012.10 [trendmicro] How the Cloud is Affecting SMB Channel Partners
2012.08 [welivesecurity] The Cloud for SMBs: 7 tips for safer cloud computing
2012.06 [freebuf] 利用Metasploit进行SMB版本的扫描
2012.05 [microsoft] Cloud Security Benefits for SMBs in Hong Kong
2012.05 [microsoft] Cloud Security Benefits for SMBs in Asia

WMI

Tools

[708Star][12d] [Go] martinlindhe/wmi_exporter Prometheus exporter for Windows machines using WMI
[706Star][1y] [PS] arvanaghi/sessiongopher a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.
[610Star][1y] [PS] fortynorthsecurity/wmimplant This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based.
[265Star][9d] [JS] pandorafms/pandorafms Pandora FMS is a flexible and highly scalable monitoring system ready for big environments. It uses agents (Linux, Windows, AIX, HP-UX, Solaris and BSD systems) and can do both local and remote network monitoring (SNMP v3, TCP checks, WMI, etc).
[259Star][1m] [Go] stackexchange/wmi WMI for Go
[251Star][1y] [C#] 0xbadjuju/wheresmyimplant A Bring Your Own Land Toolkit that Doubles as a WMI Provider

Post

2020.02 [darkoperator] Getting DNS Client Cached Entries with CIM/WMI
2020.01 [pentestlab] Persistence – WMI Event Subscription
2019.12 [randomascii] O(n^2), again, now in WMI
2019.11 [4hou] 新型入侵技术：使用WMI编译的“.bmf”文件和CertUtil进行混淆执行
2019.10 [4hou] 反恶意软件扫描接口检测分析方法论: 用于 WMI 的 AMSI 识别与分析
2019.09 [4hou] GhostMiner：无文件加密货币挖矿机武器化WMI对象
2019.09 [trendmicro] Fileless Cryptocurrency-Miner GhostMiner Weaponizes WMI Objects, Kills Other Cryptocurrency-Mining Payloads
2019.06 [lazywinadmin] PowerShell - Joining WMI Classes in a query
2019.05 [mdsec] Persistence: “the continued or prolonged existence of something”: Part 3 – WMI Event Subscription
2019.04 [carbonblack] CB TAU Threat Intelligence Notification: Emotet Utilizing WMI to Launch PowerShell Encoded Code
2019.04 [rsa] Detecting Lateral Movement in RSA NetWitness: WMI
2019.03 [robtlee73] Investigating WMI Attacks
2019.03 [ironcastle] Special Webcast: Investigating WMI Attacks – March 7, 2019 3:30pm US/Eastern
2019.02 [sans] Investigating WMI Attacks
2019.01 [fuzzysecurity] wmic_info.bat
2019.01 [hackingarticles] Bypass Application Whitelisting using wmic.exe (Multiple Methods)
2019.01 [4hou] 如何检测并清除WMI持久化后门
2019.01 [sans] Theres Something About WMI
2019.01 [sans] There's Something About WMI
2019.01 [sans] SIEMple Simon Met a WMIman

ETW

Tools

[1303Star][12d] [JS] jpcertcc/logontracer Investigate malicious Windows logon by visualizing and analyzing Windows event log
[885Star][16d] [C++] google/uiforetw User interface for recording and managing ETW traces
[673Star][12m] [Roff] palantir/windows-event-forwarding A repository for using windows event forwarding for incident detection and response
[655Star][9d] [PS] sbousseaden/evtx-attack-samples windows events samples associated to specific attack and post-exploitation techniques
[566Star][30d] [PS] sans-blue-team/deepbluecli a PowerShell Module for Threat Hunting via Windows Event Logs
[505Star][11m] [C#] lowleveldesign/wtrace Command line tracing tool for Windows, based on ETW.
[466Star][15d] [PS] nsacyber/event-forwarding-guidance Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding. #nsacyber
[401Star][12m] [Py] williballenthin/python-evtx Pure Python parser for recent Windows Event Log files (.evtx)
[318Star][3m] [C#] zodiacon/procmonx Extended Process Monitor-like tool based on Event Tracing for Windows
[295Star][11d] [C#] fireeye/silketw flexible C# wrappers for ETW
[290Star][12m] [C#] nsacyber/windows-event-log-messages Retrieves the definitions of Windows Event Log messages embedded in Windows binaries and provides them in discoverable formats. #nsacyber
[268Star][5m] [C++] gametechdev/presentmon Tool for collection and processing of ETW events related to DXGI presentation.
[261Star][10d] [C++] microsoft/krabsetw KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

Post

2020.02 [vanimpe] Parse stored Windows Event logs with Security Onion
2020.01 [X13Cubed] CVEs in Windows Event Logs? What You Need to Know
2020.01 [randomascii] Bulk ETW Trace Analysis in C#
2019.12 [Cooper] EventList, Matching Windows Event Log IDs With MITRE ATT&CK - Miriam Wiesner
2019.09 [adventuresincyberchallenges] Powershell Encoded Payload In Clear Text in Windows Event Log 4688
2019.09 [Cyb3rWard0g] Threat Hunting with ETW events and HELK — Part 2: Shipping ETW events to HELK ⚒
2019.09 [Cyb3rWard0g] Threat Hunting with ETW events and HELK — Part 1: Installing SilkETW 🏄‍♀🏄
2019.06 [fox] Export corrupts Windows Event Log files
2019.05 [freebuf] SilkETW：一款针对Windows事件追踪的自定义C#封装工具
2019.04 [4sysops] Forward Windows events to a Syslog server with free SolarWinds Event Log Forwarder for Windows
2019.02 [360] ETW注册表监控windows内核实现原理
2019.01 [sans] Rocking Your Windows EventID with ELK Stack
2019.01 [sans] Threat Hunting via Windows Event Logs
2019.01 [sans] Hunting for Lateral Movement Using Windows Event Log
2018.12 [palantir] Tampering with Windows Event Tracing: Background, Offense, and Defense
2018.12 [sophos] Hunting for threats with Intercept X and the Windows Event Collector
2018.08 [4sysops] Query multiple Windows event logs with PowerShell
2018.07 [criteo] Grab ETW Session, Providers and Events
2018.07 [3gstudent] Windows Event Viewer Log (EVT)单条日志清除（三）——删除当前系统指定指定时间段evt日志记录
2018.07 [3gstudent] Windows Event Viewer Log (EVT)单条日志清除（三）——删除当前系统指定指定时间段evt日志记录

Lsass

Tools

[489Star][20d] [Py] hackndo/lsassy Extract credentials from lsass remotely
[356Star][11d] [Py] aas-n/spraykatz Credentials gathering tool automating remote procdump and parse of lsass process.
[315Star][13d] [C] outflanknl/dumpert LSASS memory dumper using direct system calls and API unhooking.

Post

2020.02 [freebuf] Lsassy：如何远程从lsaas中提取用户凭证
2020.01 [rsa] Using RSA NetWitness to Detect Credential Harvesting: lsassy
2019.12 [jimwilbur] Defender Quarantines Lsass Dumps
2019.12 [4hou] 绕过WDATP获取LSASS进程数据
2019.07 [markmotig] Some ways to dump LSASS.exe
2019.05 [osandamalith] Shellcode to Dump the Lsass Process
2019.01 [astr0baby] AndrewSpecial – stealthy lsass.exe memory dumping
2018.01 [stealthbits] Market Trends: Announcing StealthINTERCEPT 5.0 General Availability – With Enterprise Password Enforcer & LSASS Guardian™
2017.10 [360] 绕过LSASS的SACL审计
2017.10 [tyranidslair] Bypassing SACL Auditing on LSASS
2017.10 [tyranidslair] Bypassing SACL Auditing on LSASS
2017.01 [360] MS16-137：LSASS远程拒绝服务漏洞分析
2016.11 [g] MS16-137: LSASS Remote Memory Corruption Advisory
2016.02 [govolution] Memdumps, Volatility, Mimikatz, VMs – Part 1: Mimikatz & lsass.exe Dump
2011.12 [pentestmonkey] mimikatz: Tool To Recover Cleartext Passwords From Lsass
2008.03 [pediy] [原创]磁碟机病毒(com\lsass.exe、smss.exe、dnsq.dll)新变种之anti方式及感染EXE文件方式跟踪
2006.09 [sans] CA eTrust Antivirus [was] flagging lsass.e x e
2005.03 [sans] Yahoo Messenger worm?; exploited.lsass.cc bot traffic
2004.05 [sans] -UPDATE- Sasser Worm , Week in Review; LSASS Exploit Analysis; SANSFIRE 2004
2004.04 [sans] PhatBot exploiting LSASS?

BitLocker

Tools

[772Star][3m] [C] aorimn/dislocker FUSE driver to read/write Windows' BitLocker-ed volumes under Linux / Mac OSX
[347Star][1y] [C] e-ago/bitcracker BitCracker is the first open source password cracking tool for memory units encrypted with BitLocker

Post

2020.01 [4sysops] Store and Retrieve BitLocker Recovery Keys from Active Directory
2019.10 [4sysops] Specops Key Recovery: Self-service for unlocking BitLocker-encrypted devices
2019.09 [codeinsecurity] Recovering BitLocker when the BCD has been modified
2019.06 [security] [PL] Co to jest BitLocker oraz TPM? Jak działa szyfrowanie dysków?
2019.06 [KacperSzurek] Co to jest BitLocker oraz TPM? Jak działa szyfrowanie dysków?
2019.04 [4hou] 如何从TPM中提取BitLocker私钥
2019.02 [4sysops] Find BitLocker recovery passwords in Active Directory with PowerShell
2019.01 [arxiv] [1901.01337] BitCracker: BitLocker meets GPUs
2018.12 [360] 基于Win7的Bitlocker加密分析及实战思路
2018.11 [contextis] Hardware Encryption Weaknesses and BitLocker
2018.11 [contextis] Hardware Encryption Weaknesses and BitLocker
2018.05 [irq5] Crypto-Erasing BitLocker Drives
2018.04 [NetworkHeros] How to Recover BitLocker Corrupted Drive (100% Guarantee)
2018.01 [elcomsoft] How to Instantly Access BitLocker, TrueCrypt, PGP and FileVault 2 Volumes
2017.10 [deepsec] DeepSec 2017 Talk: BitCracker – BitLocker Meets GPUs – Elena Agostini
2017.09 [n0where] Open Source BitLocker Password Cracking Tool: BitCracker
2017.09 [4hou] “密码找回”功能暗藏杀机，可绕过Windows auth &BitLocker
2017.09 [freebuf] 利用忘记密码功能绕过Windows auth & BitLocker
2017.09 [gameofpwnz] Dislocker USB with Bitlocker (LAB)
2017.09 [gameofpwnz] Dislocker: Recovering Data from Drive with BitLocker – Requires Bitlocker Recovery Key or Password

NTFS

Tools

[582Star][1y] mtivadar/windows10_ntfs_crash_dos PoC for a NTFS crash that I discovered, in various Windows versions
[270Star][17d] [Py] dkovar/analyzemft fully parse the MFT file from an NTFS filesystem and present the results as accurately as possible in multiple format
[234Star][21d] [C] pbatard/uefi-ntfs UEFI:NTFS - Boot NTFS partitions from UEFI

Post

2019.08 [X13Cubed] NTFS Journal Forensics
2019.03 [4sysops] FolderSecurityViewer: Analyze and report on effective NTFS permissions
2019.03 [4hou] Windows NTFS文件系统目录大小写敏感导致的安全问题
2019.02 [4hou] 渗透技巧——Windows下NTFS文件的USN Journal
2019.02 [tyranidslair] NTFS Case Sensitivity on Windows
2019.02 [tyranidslair] NTFS Case Sensitivity on Windows
2019.01 [4hou] 渗透技巧——Windows下NTFS文件的时间属性
2019.01 [3gstudent] 渗透技巧——Windows下NTFS文件的USN Journal
2019.01 [3gstudent] 渗透技巧——Windows下NTFS文件的USN Journal
2019.01 [sans] Forgotten but Not Gone: Gathering NTFS Artifacts of Detection
2019.01 [sans] Forgotten But Not Gone: Gathering NTFS Artifacts of Deletion
2018.12 [3gstudent] 渗透技巧——Windows下NTFS文件的时间属性
2018.12 [3gstudent] 渗透技巧——Windows下NTFS文件的时间属性
2018.10 [osr] NTFS Status Debugging
2018.09 [] NTFS Object IDs in EnCase – Part 3
2018.09 [] NTFS Object IDs in X-Ways
2018.09 [] NTFS Object IDs in EnCase – Part 2
2018.09 [] NTFS Object IDs in EnCase
2018.09 [secjuice] Hiding In Plain Sight With NTFS Steganography
2018.08 [pediy] [翻译]渗透测试的WINDOWS NTFS技巧集合

SSDT

Tools

Post

2018.12 [pediy] [原创]过用户层HOOK 驱动层SSDT HOOK (之进程保护篇）
2018.11 [pediy] [分享][原创]Win7 x86 SSDT Inline Hook
2018.04 [pediy] [原创]ROOTKIT 核心技术——利用 NT!_MDL（内存描述符链表）突破 SSDT（系统服务描述符表）的只读访问限制 PART I
2017.05 [pediy] [分享]发布一个遍历shadowssdt函数名_驱动源码
2016.05 [pediy] [原创]关于Win7 x64 Shadow SSDT 的探索和 Inline HOOK
2015.12 [insinuator] Investigating Memory Analysis Tools – SSDT Hooking via Pointer Replacement
2015.09 [pediy] [原创]旧代码分享：绕过卡巴斯基主动防御，加载驱动，unhook所有SSDT&Shadow SSDT
2015.09 [pediy] 原创普及X64 ssdtshadow inline HOOK
2015.08 [lightless] 基于SSDT的注册表主防系统
2015.06 [pediy] [原创]发个xp~win10_x86/x64全兼容的ShadowSSDT获取函数
2015.05 [pediy] [原创]SSDT InlineHook学习笔记
2014.05 [pediy] [分享]新手学内核第二篇 Shadow SSDT
2013.12 [pediy] [原创]SSDT Hook 详细过程
2013.12 [pediy] [原创]Win8 32位中SSDT Shadow Hook的实现方法
2013.08 [pediy] [原创]浅谈系列之-Add New SSDT 长夜漫漫-看流星
2013.08 [pediy] [原创]Win32Asm 驱动学习笔记《 HOOK SSDT》
2013.08 [pediy] [原创]新手学ssdt_hook
2013.06 [pediy] [原创]一份简单的内核通用HOOK 带使用例子(带简单SSDT恢复)~
2013.04 [pediy] [原创]简单调用任意未导出SSDT函数方法
2012.07 [pediy] [原创]汇编与驱动-绕过SSDT保护进程

Windows Registry

Tools

Post

2020.01 [4sysops] Audit changes in the Windows registry
2019.08 [hackerhurricane] The Windows Registry Auditing Cheat Sheet update! Aug 2019, v2.5
2019.03 [hecfblog] Daily Blog #640: Regipy - A new python windows registry forensics library
2019.01 [fireeye] Digging Up the Past: Windows Registry Forensics Revisited
2019.01 [sans] Plumbing the Depths - Windows Registry Internals
2018.03 [hackers] Digital Forensics, Part 5: Analyzing the Windows Registry for Evidence
2018.02 [ZeroNights] [Defensive Track]Maxim Suhanov - In depth forensic analysis of Windows registry files
2017.04 [redcanary] Windows Registry Attacks: Knowledge Is the Best Defense
2017.02 [alienvault] Are Windows Registry Fixers Safe?
2016.04 [windowsir] Windows Registry Forensics, 2E
2014.08 [trendmicro] POWELIKS: Malware Hides In Windows Registry
2013.09 [cylance] Windows Registry Persistence, Part 2: The Run Keys and Search-Order
2013.08 [cylance] Windows Registry Persistence, Part 1: Introduction, Attack Phases and Windows Services
2009.07 [windowsir] Windows Registry Forensic Analysis
2009.05 [moyix] Comprehensive New Resource on the Windows Registry
2008.02 [moyix] CredDump: Extract Credentials from Windows Registry Hives
2005.09 [windowsir] The Windows Registry as a Forensic Resource
2005.08 [sans] Updated Windows Registry Concealment Info;Symantec AV Vulnerability

Component Object Model(COM)

Tools

Distributed Component Object Model(DCOM)

Tools

[225Star][10d] [PS] outflanknl/excel4-dcom PowerShell and Cobalt Strike scripts for lateral movement using Excel 4.0 / XLM macros via DCOM (direct shellcode injection in Excel.exe)
[207Star][1y] [PS] sud0woodo/dcomrade Powershell script for enumerating vulnerable DCOM Applications

Post

2019.03 [freebuf] DCOMrade：一款枚举DCOM应用漏洞的PowerSHell脚本
2018.12 [n0where] Powershell Script for Enumerating Vulnerable DCOM Applications: DCOMrade
2018.12 [360] CVE-2015-2370之DCOM DCE/RPC协议原理详细分析
2018.12 [pediy] [原创]CVE-2015-2370之DCOM DCE/RPC协议原理详细分析
2018.07 [360] LethalHTA 一种结合DCOM和HTA的新型横向渗透技术
2018.07 [codewhitesec] LethalHTA - A new lateral movement technique using DCOM and HTA
2018.06 [4hou] 另一种滥用DCOM的内网渗透技术
2018.05 [360] 如何滥用DCOM实现横向渗透
2018.05 [pediy] [翻译] 利用“导出函数和DCOM接口”执行穿透指令、实现横向渗透
2018.04 [bohops] Abusing DCOM For Yet Another Lateral Movement Technique
2018.03 [DoktorCranium] VAX msrpc dcom ms03 026
2018.03 [360] 如何利用导出函数和暴露的DCOM接口来实现横向渗透
2018.03 [bohops] Abusing Exported Functions and Exposed DCOM Interfaces for Pass-Thru Command Execution and Lateral Movement
2018.01 [cybereason] New lateral movement techniques abuse DCOM technology
2017.11 [cybereason] Leveraging Excel DDE for lateral movement via DCOM
2017.10 [4hou] 域渗透——利用DCOM在远程系统执行程序
2017.09 [aliyun] 无视Office宏安全设置，利用EXCEL.APPLICATION和DCOM渗透内网
2017.09 [4hou] 无视Office宏安全设置，利用EXCEL.APPLICATION和DCOM渗透内网
2017.09 [3gstudent] 域渗透——利用DCOM在远程系统执行程序
2017.09 [3gstudent] 域渗透——利用DCOM在远程系统执行程序

Dynamic Data Exchange(DDE)

Post

2017.11 [fortinet] Cybercriminals Exploiting Microsoft’s Vulnerable Dynamic Data Exchange Protocol
2017.10 [mcafee] Code Execution Technique Takes Advantage of Dynamic Data Exchange
2017.10 [mcafee] Code Execution Technique Takes Advantage of Dynamic Data Exchange
2017.10 [mcafee] Code Execution Technique Takes Advantage of Dynamic Data Exchange
2017.10 [homjxi0e] execute Commands And Coding in MSFT Word Via Exploiting application dynamic data exchange //DDE//

Compiled HTML Help(CHM)

Post

2015.05 [checkpoint] The Microsoft Help File (.chm) May Enslave You | Check Point Software Blog
2015.03 [brashconcepts] New CryptoWall Attack: Block .CHM Extensions
2015.03 [freebuf] .Chm格式帮助文件作盾，CryptoWall勒索软件卷土重来
2009.06 [pediy] [原创]关于“IDA Pro 5.4 中文帮助手册.chm”在IDA打开文件时按F1出现错误的解决方法

WinSxS

Tools

WoW64

Tools

Post

2019.10 [hexacorn] IsWow64Process2
2019.07 [subTee] System32||Syswow64\Tasks\Tasks.dll
2019.04 [corelan] Windows 10 egghunter (wow64) and more
2019.04 [fsx30] Hooking Heaven’s Gate — a WOW64 hooking technique
2019.01 [sans] The WOW Effect - or how Microsoft's WOW64 technology unintentionally fools IT Security analysts
2018.11 [aliyun] Hook深度研究:监视WOW64程序在系统中的执行情况
2018.03 [sentinelone] Deep Hooks: Monitoring native execution in WoW64 applications – Part 3
2018.03 [sentinelone] Deep Hooks: Monitoring native execution in WoW64 applications – Part 2
2017.09 [pediy] [分享][原创]汇编里看Wow64的原理（浅谈32位程序是怎样在windows 64上运行的？）
2016.09 [sogeti] Deep-Dive in WoW64
2016.08 [x64dbg] 64bit Debugging and the WoW64 File System Redirection
2016.07 [corelan] Windows 10 x86/wow64 Userland heap
2015.12 [rewolf] wow64ext v1.0.0.8
2015.11 [modexp] DLL/PIC Injection on Windows from Wow64 process
2015.11 [tekwizz123] Some Observations On Duo Security's "WoW64 and So Can You" Paper
2015.11 [duo] WoW64 and So Can You
2015.08 [nul] 6.1.7600 (Win7 SP0) WinTrustVerify在关闭Wow64FsRedirection之后会出问题
2015.06 [rewolf] wow64ext v1.0.0.7
2015.06 [codereversing] Syscall Hooking Under WoW64: Implementation (2/2)
2015.06 [rewolf] WoW64 internals: Unexpected behaviour of NtQueryDirectoryObject

Background Intelligent Transfer Service(BITS)

Tools

Batch Script(.bat)

Tools

[268Star][9m] [Batchfile] diogo-fernan/ir-rescue A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
[216Star][9d] [PS] enjoiz/privesc Windows batch script that finds misconfiguration issues which can lead to privilege escalation.

Post

2019.07 [markmotig] Write, Compile and Run a C# program in a single batch file
2018.07 [sans] Windows Batch File Deobfuscation
2018.07 [lallouslab] Batchography: Parsing INI files from a Batch file
2018.06 [ironcastle] Malicious Post-Exploitation Batch File, (Tue, Jun 5th)
2018.06 [sans] Malicious Post-Exploitation Batch File
2018.01 [HACKTRONIAN] Create Dangerous Viruses - Batch File (.bat) & Executable File (.exe)
2017.08 [fossmint] KRename – A Powerful Batch File Renamer for Linux
2016.01 [sentinelone] XRTN: More batch script-based Ransomware
2014.02 [dfstream] USB Device Tracking Batch Script
2012.03 [securityblog] Start or Stop Windows Service using batch file
2008.08 [securitythinkingcap] Pipe Dream: Data migration with batch files

DACL

Tools

[333Star][11d] [PS] canix1/adaclscanner Repo for ADACLScan.ps1 - Your number one script for ACL's in Active Directory

Post

2019.10 [HackersOnBoard] Black Hat USA 2017 An ACE Up the Sleeve Designing Active Directory DACL Backdoors
2019.04 [nsfocus] 【M01N】CVE-2019-0841 DACL权限覆盖本地提权漏洞攻击分析
2019.04 [aliyun] CVE-2019-0841：Windows DACL权限覆写权限提升漏洞
2017.08 [stealthbits] From Botnets to DACL Backdoors: A Journey through Modern Active Directory Attacks – Part I
2014.04 [secureidentity] ACL, DACL, SACL and the ACE
2013.11 [freebuf] 枚举和分析Windows DACLs工具 – WindowsDACLEnumProject

WebDAV

Tools

[465Star][23d] [C++] winscp/winscp WinSCP is a popular free SFTP and FTP client for Windows, a powerful file manager that will improve your productivity. It supports also Amazon S3, FTPS, SCP and WebDAV protocols. Power users can automate WinSCP using .NET assembly.
[373Star][2m] [Py] mar10/wsgidav A generic and extendable WebDAV server based on WSGI

Post

2019.06 [n00py] Understanding UNC paths, SMB, and WebDAV
2019.04 [hackingarticles] Command & Control: WebDav C2
2019.02 [sans] Scanning for WebDAV PROPFIND Exploiting CVE-2017-7269
2018.06 [trustedsec] How to Set Up a Quick, Simple WebDAV Server for Remote File Sharing
2017.09 [360] 利用WebDAV特性建立隐蔽后门
2017.09 [pentestlab] Command and Control – WebDAV
2017.09 [arno0x0x] Using WebDAV features as a covert channel
2017.03 [aliyun] IIS 6.0 WebDAV远程代码执行漏洞分析—【CVE-2017-7269】
2016.11 [blackhillsinfosec] Deploying a WebDAV Server
2016.08 [hackingarticles] Get Admin Access of Remote Windows PC using MS16-016 mrxdav.sys WebDav Escalation
2016.03 [freebuf] 微软“WebDAV”提权漏洞（cve-2016-0051）初探
2016.02 [avfisher] WebDAV本地提权漏洞（CVE-2016-0051/MS16-016）之交互式提权EXP
2016.02 [360] WebDAV本地提权漏洞（CVE-2016-0051）POC & EXP
2016.02 [freebuf] Windows最新“WebDAV”提权漏洞介绍（MS16-016）
2011.07 [firebitsbr] DAVTest: Teste rápido e exploits para WebDAV Servers
2010.07 [sans] LNK vulnerability now with Metasploit module implementing the WebDAV method
2009.05 [holisticinfosec] WebTuff checks for WebDAV vulnerability
2009.05 [sans] IIS admins, help finding WebDAV remotely using nmap
2009.05 [skullsecurity] WebDAV Detection, Vulnerability Checking and Exploitation
2009.05 [microsoft] Answers to the IIS WebDAV authentication bypass questions

Group Policy Object(GPO)

Tools

[246Star][16d] [C#] fsecurelabs/sharpgpoabuse take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.

Post

2019.04 [stealthbits] How to Backup and Recover Group Policy Objects
2016.07 [stealthbits] Comprehensive Auditing and Protection For Group Policy Objects
2015.03 [darkoperator] Updating Group Policy Objects Remotely
2013.08 [jaapbrasser] Active Directory Friday: Query Group Policy Objects in Active Directory

AppInit/AppCert

Post

2020.01 [pentestlab] Persistence – AppInit DLLs
2017.03 [toddcullumresearch] Inline Hook of a System Call via AppInit_DLLs Part 2– The Hook
2017.03 [toddcullumresearch] Inline Hook of a System Call via AppInit_DLLs Part 1 – Decryption of XOR Cipher
2016.05 [pediy] [原创]AppInit注入的那些事

InstallUtil

Post

2017.08 [tyranidslair] DG on Windows 10 S: Abusing InstallUtil

Image File Execution Option(IFEO)

Post

2020.01 [pentestlab] Persistence – Image File Execution Options Injection
2018.07 [360] 隐蔽后门——Image File Execution Options新玩法
2015.12 [malwarebytes] An Introduction to Image File Execution Options
2012.09 [] 通过IFEO劫持提权
2008.02 [sans] Abusing Image File Execution Options

Mshta

Post

2019.07 [mcafee] What Is Mshta, How Can It Be Used and How to Protect Against It
2019.07 [mcafee] What Is Mshta, How Can It Be Used and How to Protect Against It
2019.01 [hackingarticles] Bypass Application Whitelisting using mshta.exe (Multiple Methods)
2017.12 [freebuf] 浅谈一下mshta在CVE-2017-11882里的命令构造
2017.11 [conscioushacker] Application Whitelisting Bypass: mshta.exe
2016.06 [evi1cg] Exec Commands Via Mshta.exe

Microsoft HTML Application(HTA)

Post

2015.08 [redcanary] Microsoft HTML Application (HTA) Abuse, Part Deux

NetShell

Tools

Post

2016.09 [360] 使用Netshell执行恶意DLL并实现对目标主机的持久化攻击

VBScript

Tools

[1615Star][12d] [Py] zerosum0x0/koadic Koadic C3 COM Command & Control - JScript RAT

Post

2019.12 [aliyun] 基于VBSCRIPT下16进制木马的IE浏览器BYPASS
2019.11 [trustedsec] Finding and Identifying JScript/VBScript Callable COM Objects
2019.10 [hexacorn] Rundll32 with a vbscript: protocol
2019.10 [Kaspersky] Exploit Prevention: VBScript Memory Corruption in IE
2019.04 [trendmicro] Analysis: Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript, and PowerShell Scripts
2019.04 [4hou] VBScript引擎堆溢出远程代码执行漏洞分析（CVE-2019-0666）
2019.02 [360] VBScript in 2018
2019.01 [pediy] IE VBScript 漏洞之CVE-2018-8174
2019.01 [pediy] IE VBScript 漏洞之CVE-2014-6332
2018.12 [googleprojectzero] On VBScript
2018.12 [freebuf] Windows VBScript引擎远程执行代码漏洞之CVE-2018-8373分析与复现
2018.11 [360] Windows VBScript引擎远程执行代码漏洞之CVE-2018-8373分析与复现
2018.11 [4hou] Windows VBScript引擎远程执行代码漏洞之CVE-2018-8373分析与复现
2018.11 [360] VBScript引擎远程代码执行漏洞之CVE-2018-8174分析与利用（更新）
2018.11 [4hou] Windows VBScript引擎远程执行代码漏洞之CVE-2018-8174分析与利用
2018.11 [360] Windows VBScript引擎RCE漏洞之CVE-2018-8174分析与利用
2018.09 [paloaltonetworks] Traps Prevents In-The-Wild VBScript Zero-Day Exploit in Internet
2018.08 [aliyun] CVE-2018-8373：VBScript引擎UAF漏洞
2018.08 [trendmicro] Use-after-free (UAF) Vulnerability CVE-2018-8373 in VBScript Engine Affects Internet Explorer to Run Shellcode
2018.07 [360] Analysis of the new exploitable issues with CVE-2018-8174 patch and VBScript zero-day vulnerability

VBA

Tools

[565Star][2m] [Py] decalage2/vipermonkey A VBA parser and emulation engine to analyze malicious macros.
[262Star][7m] [Py] bontchev/pcodedmp A VBA p-code disassembler
[226Star][8m] [Py] malwarecantfly/vba2graph Generate call graphs from VBA code, for easier analysis of malicious documents.

Post

2019.10 [marcoramilli] Frequent VBA Macros used in Office Malware
2019.06 [freebuf] Matlab加上VBA编程，表格就能画画了
2019.06 [beny] Weaponization: Howto Fully Undetectable Empire Powershell MS macro (VBA obfuscation & Stomping)
2019.05 [malcomvetter] Choose Your Own Red Team Adventure: Processes from VBA Macro
2019.05 [sans] VBA Office Document: Which Version?
2019.04 [pcsxcetrasupport3] A look at Stomped VBA code and the P-Code in a Word Document
2019.02 [lucasg] Discovering Nvidia NvBackend endpoint
2019.01 [pcsxcetrasupport3] A deeper look into a wild VBA Macro
2018.12 [freebuf] Vba2Graph：一款通过VBA代码分析恶意软件的强大工具（带GUI）
2018.12 [DoktorCranium] NetBSD evbarm Pinebook video test
2018.11 [ironcastle] ViperMonkey: VBA maldoc deobfuscation, (Mon, Nov 26th)
2018.11 [sans] ViperMonkey: VBA maldoc deobfuscation
2018.11 [vkremez] Let's Learn: In-Depth Review of FIN7 VBA Macro & Lightweight JavaScript Backdoor
2018.11 [hexacorn] Analyzing Word Documents via VBA/VBS
2018.10 [aliyun] 攻击者是如何隐藏恶意VBA 代码行为的
2018.08 [ColinHardy] Analysing Obfuscated VBA - Extracting indicators from a Trickbot downloader
2018.05 [scrt] Insomni’hack 2018 – vba03-strikeBack writeup
2018.04 [dist67] VBA Maldoc: Form-Embedded PE File
2018.04 [virusbulletin] New paper: Powering the distribution of Tesla stealer with PowerShell and VBA macros
2018.04 [pentestingexperts] ViperMonkey v0.06 released: A VBA parser and emulation engine to analyze malicious macros

Security Service Provider(SSP)

Post

2018.05 [ensilo] Customers Say It Best - Managed Security Service Provider
2018.05 [infosecinstitute] What is the DoD CSSP (Cyber Security Service Provider)?
2018.03 [nettitude] Building a secure future – Cyber security service provider Nettitude joins the Lloyd’s Register group
2017.09 [trustlook] Trustlook Selected as 10 Best Security Service Providers of 2017
2017.09 [trustlook] Trustlook Selected as 10 Best Security Service Providers of 2017
2017.05 [fortinet] Trends Affecting Managed Security Service Providers
2017.03 [fortinet] Managed Security Service Providers, Choosing the Right Security Vendor
2016.07 [fortinet] Security Trends: Managed Security Service Providers

Scheduled Task

Tools

[432Star][1m] [Py] sibson/redbeat RedBeat is a Celery Beat Scheduler that stores the scheduled tasks and runtime metadata in Redis.
[385Star][1m] [C#] dahall/taskscheduler Provides a .NET wrapper for the Windows Task Scheduler. It aggregates the multiple versions, provides an editor and allows for localization.

Post

2019.11 [aliyun] 持久化研究-Scheduled Tasks
2019.09 [markmotig] Command prompt with System rights using Schtasks, Ncat and Metame
2019.06 [zerodayinitiative] Exploiting the Windows Task Scheduler Through CVE-2019-1069
2018.05 [ironcastle] Adding Persistence Via Scheduled Tasks, (Mon, May 7th)
2018.05 [sans] Adding Persistence Via Scheduled Tasks
2016.05 [enigma0x3] Userland Persistence with Scheduled Tasks and COM Handler Hijacking
2015.04 [jaapbrasser] New article on PowerShell Magazine: Retrieve scheduled tasks using Schedule.Service COMObject
2015.03 [malwarebytes] Scheduled Tasks
2013.02 [mikefrobbins] Use PowerShell to Create a Scheduled Task that Uses PowerShell to Pause and Resume AppAssure Core Replication

WinRM

Tools

[708Star][13d] [Ruby] hackplayers/evil-winrm The ultimate WinRM shell for hacking/pentesting
[238Star][10d] [Go] masterzen/winrm Command-line tool and library for Windows remote command execution in Go

Post

2019.11 [hakin9] Evil-WinRM: The ultimate WinRM shell for hacking/pentesting
2019.08 [freebuf] evil-winrm：Windows远程管理（WinRM）Shell终极版
2018.07 [freebuf] 利用Winrm.vbs绕过白名单限制执行任意代码
2018.07 [4hou] 如何使用winrm.vbs绕过应用白名单执行任意未签名代码
2018.07 [360] 使用 winrm.vbs 绕过应用白名单执行任意未签名代码
2018.07 [aliyun] 利用winrm.vbs绕过应用程序白名单执行任意未签名代码
2018.07 [mattifestation] Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs
2018.06 [specterops] Application Whitelisting Bypass and Arbitrary Unsigned Code Execution Technique in winrm.vbs
2018.05 [pentestlab] Lateral Movement – WinRM
2017.09 [trustedsec] Using WinRM Through Meterpreter
2015.03 [darkoperator] WinRM SSL Certificate Deployment via GPO
2014.12 [rsa] Detecting APT Using Anomalous Windows Remote Management Methods and Dynamic RPC Endpoint Mapping
2014.07 [jaapbrasser] Setting up PowerShell Remoting using winrm quickconfig or Enable-PSRemoting fails
2013.03 [rapid7] Whiteboard Wednesday - Abusing Windows Remote Management with Metasploit
2012.11 [rapid7] Abusing Windows Remote Management (WinRM) with Metasploit
2012.10 [netspi] Exploiting Trusted Hosts in WinRM

Control Panel

Tools

Post

2019.01 [cofense] Phishing Campaigns are Manipulating the Windows Control Panel Extension to Deliver Banking Trojans
2016.12 [8090] win10控制面板在哪_Win10控制面板打不开怎么解决
2016.08 [mcafee] ‘Cat-Loving’ Mobile Ransomware Operates With Control Panel
2016.08 [mcafee] ‘Cat-Loving’ Mobile Ransomware Operates With Control Panel
2015.06 [jaapbrasser] Open Master Control Panel using PowerShell
2014.03 [trendmicro] Anatomy of a Control Panel Malware Attack, Part 2
2014.03 [trendmicro] Anatomy of a Control Panel Malware Attack, Part 1
2013.12 [] LNMP ftp控制面板安装程式未删除的漏洞
2013.06 [securityblog] Enable or Disable Control Panel
2013.06 [sans] Control Panel Forensics: Evidence of Time Manipulation and Moreâ¦
2012.03 [leehong2005] Control Panel Applet 实现
2011.10 [mikedoszhang] Remove useless item form the Control Panel\All Control Panel Items

Windows Shortcut File

Tools

Post

2017.07 [sans] Another .lnk File
2017.07 [sans] Office maldoc + .lnk
2017.04 [nviso] Tracking threat actors through .LNK files
2017.03 [sentinelone] Understanding The State of .LNK Files
2017.03 [nviso] .LNK downloader and bitsadmin.exe in malicious Office document
2017.02 [myonlinesecurity] various subject emails downloading .lnk files using PowerShell to download various malwares
2016.10 [willgenovese] tricky.lnk – Unicode Text Spoofing
2016.10 [microsoft] The new .LNK between spam and Locky infection
2016.10 [microsoft] The new .LNK between spam and Locky infection
2016.06 [onready] Hijacking Windows hotkeys with .lnk file or Old horse raids
2016.06 [onready] Embedding reverse shell in .lnk file or Old horse attacks
2016.02 [sans] Analyzis of a Malicious .lnk File with an Embedded Payload
2016.02 [onready] DOCX on fire: .lnk in docx
2010.07 [sans] autorun.inf and .lnk Malware (NOT 'Vulnerability in Windows Shell Could Allow Remote Code Execution' 2286198)
2010.07 [sans] Update on .LNK vulnerability
2010.04 [pediy] [原创]windows平台.lnk文件感染技术研究

Windows Explorer

Tools

Post

2018.08 [insert] Leaking Environment Variables in Windows Explorer via .URL or desktop.ini files
2013.06 [securityblog] Refresh all opened Windows Explorer windows
2010.08 [rebootuser] Mount a VMware vmdk (virtual disk) in Windows Explorer
2006.08 [sans] MS06-045: Windows Explorer Remote Code Excution Vulnerability

Application Shim

Post

2020.01 [hackingarticles] Windows Persistence using Application Shimming
2019.06 [hshrzd] Application shimming vs Import Table recovery
2018.11 [andreafortuna] Process Injection and Persistence using Application Shimming
2018.03 [countercept] Hunting for Application Shim Databases
2018.03 [countercept] Hunting for Application Shim Databases
2018.02 [redcanary] Detecting Application Shimming: A Story About Continuous Improvement
2016.08 [blacksunhackers] Post Exploitation Persistence With Application Shims (Intro)

Squiblydoo

Post

2019.03 [myonlinesecurity] Trickbot via fake Efax message using Squiblydoo, Active X, macro and abusing pastebin
2016.04 [rsa] Detection of Squiblydoo COM+ Whitelist Bypassing with ECAT

Open Office XML

Tools

Other

Software

IE

Tools

Edge

Tools

[8097Star][2m] [JS] microsoft/chakracore ChakraCore is the core part of the Chakra JavaScript engine that powers Microsoft Edge
[2356Star][1y] microsoftedge/msedge Microsoft Edge
[217Star][4m] [Go] improbable-eng/kedge kEdge - Kubernetes Edge Proxy for gRPC and HTTP Microservices

Post

2020.02 [4sysops] Deploy and manage Microsoft Edge using WSUS and GPOs
2019.09 [4hou] Microsoft Edge浏览器的Universal XSS漏洞分析（CVE-2019-1030）
2019.09 [aliyun] Microsoft Edge - Universal XSS
2019.08 [microsoft] Announcing the Microsoft Edge Insider Bounty
2019.07 [4sysops] Hands-on review of Microsoft Edge (Chromium) business features: GPO support, IE mode, offline installer
2019.06 [payatu] Microsoft Edge Extensions Host Permission Bypass (CVE-2019-0678)
2019.06 [payatu] microsoft edge extensions host-permission bypass (cve-2019-0678)
2019.05 [exodusintel] Pwn2Own 2019: Microsoft Edge Sandbox Escape (CVE-2019-0938). Part 2
2019.05 [exodusintel] Pwn2Own 2019: Microsoft Edge Renderer Exploitation (CVE-2019-0940). Part 1
2019.05 [freebuf] Microsoft Edge和IE浏览器同源策略绕过漏洞分析
2019.04 [] Microsoft Edge Uses a Secret Trick And Breaks Internet Explorer's Security
2019.04 [topsec] 天融信关于Microsoft Edge和IE浏览器同源策略绕过漏洞分析
2019.04 [venus] 关于 Microsoft Edge 和 IE 浏览器同源策略绕过漏洞分析
2019.04 [trendmicro] Microsoft Edge and Internet Explorer Zero-Days Allow Access to Confidential Session Data
2019.03 [aliyun] 深入分析Microsoft Edge Chakra JIT类型混淆漏洞的利用方式
2019.03 [360] Microsoft Edge CVE-2019-0539 漏洞分析与利用
2019.02 [4hou] Microsoft Edge Chakra JIT类型混淆漏洞分析（CVE-2019-0539）
2019.02 [trendmicro] Announcing Trend Micro Security for Microsoft Edge
2018.12 [4hou] 在Microsoft Edge中实现DOM树
2018.10 [fortinet] An Analysis of Microsoft Edge Chakra JavascriptArray TypeId Handling Memory Corruption (CVE-2018-8467)

MSOffice

Tools

[1731Star][1m] [JS] ziv-barber/officegen Standalone Office Open XML files (Microsoft Office 2007 and later) generator for Word (docx), PowerPoint (pptx) and Excell (xlsx) in javascript. The output is a stream.
[1066Star][20d] [Rich Text Format] decalage2/oletools python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
[750Star][9d] [C#] outflanknl/evilclippy A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows.
[407Star][2m] [YARA] guelfoweb/peframe PEframe is a open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.

Post

2020.02 [talosintelligence] Microsoft Office Excel Ordinal43 code execution vulnerability
2019.11 [talosintelligence] Microsoft Office Excel WorksheetOptions Code Execution Vulnerability
2019.10 [Kaspersky] Exploit Prevention: Microsoft Office Memory Corruption
2019.09 [zerodayinitiative] CVE-2019-0801: Microsoft Office Uri Hyperlink Hijinks
2019.08 [freebuf] CVE-2018-0798：Microsoft office 公式编辑器 Matrix record 栈溢出漏洞分析
2019.08 [trendmicro] Asruex Backdoor Variant Infects Word Documents and PDFs Through Old MS Office and Adobe Vulnerabilities
2019.06 [NullByte] Crack Password-Protected Microsoft Office Files [Tutorial]
2019.05 [nviso] Detecting and Analyzing Microsoft Office Online Video
2019.05 [mdsec] Persistence: “the continued or prolonged existence of something”: Part 1 – Microsoft Office
2019.05 [freebuf] 揭秘如何使用跨平台的EvilClippy创建恶意MS Office文档
2019.04 [kaspersky] Microsoft Office and its vulnerabilities
2019.04 [TROOPERScon] TR19: MS Office file format sorcery
2019.02 [myonlinesecurity] Formbook via fake invoice using Microsoft Office Equation Editor exploits
2019.01 [myonlinesecurity] Azorult via fake inquiry email using Microsoft Office Equation Editor exploits
2019.01 [fuzzysecurity] Microsoft Office 2003 Home/Pro 0day
2018.12 [proofpoint] LCG Kit: Sophisticated builder for Malicious Microsoft Office Documents
2018.10 [checkpoint] Microsoft Office Vulnerability Found, Check Point Research To The Rescue | Check Point Software Blog
2018.10 [4hou] 通过Microsoft Office和YouTube视频传递恶意软件的PoC攻击
2018.10 [stationx] Malware payloads latest: Microsoft Office macros remain the most frequently used delivery method
2018.09 [sans] Dissecting Malicious MS Office Docs

EMET

Tools

Post

2019.10 [HackersOnBoard] Black Hat USA 2016 Using EMET to Disable EMET
2018.08 [cmu] Life Beyond Microsoft EMET
2018.03 [4hou] Windows 10 RS3中的EMET ASR功能优劣分析
2018.01 [mattifestation] The EMET Attack Surface Reduction Replacement in Windows 10 RS3: The Good, the Bad, and the Ugly
2018.01 [mattifestation] The EMET Attack Surface Reduction Replacement in Windows 10 RS3: The Good, the Bad, and the Ugly
2017.08 [rootedconmadrid] PABLO SAN EMETERIO - Inteligencia privada, más allá de STIX [Rooted CON 2017 - ENG]
2017.08 [rootedconmadrid] PABLO SAN EMETERIO - Inteligencia privada, más allá de STIX [Rooted CON 2017 - ESP]
2017.04 [ropchain] Disarming EMET 5.52: Controlling it all with a single write action
2017.03 [grandstreamdreams] Enhanced Mitigation Experience Toolkit (EMET) 5.5/5.52 Uninstall Error 2738
2017.03 [pediy] [翻译]野外的 CVE-2015-2545 逃逸了 EMET
2017.03 [pediy] [翻译]EPS文件利用如何逃逸 EMET(CVE-2015-2545) —— 一次技术探索
2017.01 [microsoft] EMET 5.52 update is now available
2016.11 [sophos] Moving beyond EMET, Part 2
2016.11 [dist67] EMET vs Hancitor Maldoc
2016.11 [dist67] VBA Shellcode To Test EMET
2016.11 [cmu] Windows 10 Cannot Protect Insecure Applications Like EMET Can
2016.11 [morphisec] EMET Refuses to Die
2016.11 [sans] VBA Shellcode and EMET
2016.11 [microsoft] Bringing EMET protections into Windows 10
2016.11 [microsoft] Moving Beyond EMET

psexec

Tools

[264Star][14d] [C++] poweradminllc/paexec Remote execution, like PsExec

Post

2019.10 [freebuf] GlobeImposter2.0再出新变种，疑似利用PsExec内网传播
2019.09 [4hou] GlobeImposter2.0再出新变种，疑似利用PsExec内网传播
2019.04 [trendmicro] Account With Admin Privileges Abused to Install BitPaymer Ransomware via PsExec
2018.11 [redcanary] Threat Hunting for PsExec, Open-Source Clones, and Other Lateral Movement Tools
2018.11 [countercept] Endpoint Detection of Remote Service Creation and PsExec
2018.11 [countercept] Endpoint Detection of Remote Service Creation and PsExec
2018.11 [cybertriage] Robust Use of PsExec That Doesn’t Reveal Password Hashes
2018.09 [contextis] Lateral movement: A deep look into PsExec
2018.09 [contextis] Lateral movement: A deep look into PsExec
2018.04 [hexacorn] A quick note about PSExecutionPolicyPreference
2018.01 [venus] 老牌工具 PsExec 一个琐碎的细节
2017.12 [hexacorn] PsExec going places…
2017.12 [pediy] [原创]PsExec 在当前会话下启动系统权限进程原理
2017.06 [guyrleech] Petya: disabling remote execution of psexec
2017.06 [guyrleech] Petya: easily disabling access to psexec
2017.06 [rastamouse] PsExec Much?
2017.05 [govolution] Write your own metasploit psexec service
2017.05 [moxia] 【技术分享】丢掉PSEXEC来横向渗透
2017.03 [rapid7] Combining Responder and PsExec for Internal Penetration Tests
2017.03 [mindpointgroup] Lateral Movement with PSExec

Nltest

CMSTP.exe

Rundll32

Tools

Post

2020.01 [reegun] Curl.exe is the new rundll32.exe — LOLbin
2019.09 [hexacorn] RunDll32 — API calling
2019.01 [hackingarticles] Bypass Application Whitelisting using rundll32.exe (Multiple Methods)
2018.11 [hexacorn] advpack.dll ! DelNodeRunDLL32 and its flags
2018.11 [aliyun] 如何利用RunDLL32调用.NET Assembly
2018.11 [xpnsec] RunDLL32 your .NET (AKA DLL exports from .NET)
2018.03 [3gstudent] 关于利用rundll32执行程序的分析
2018.03 [3gstudent] 关于利用rundll32执行程序的分析
2018.03 [aliyun] 关于利用rundll32执行程序的分析
2018.01 [freebuf] 命令行下的“蒙面歌王”rundll32.exe
2016.07 [cobaltstrike] Why is rundll32.exe connecting to the internet?
2014.02 [attackdebris] rundll32 lockdown testing goodness

Regsvr32

Tools

Post

2017.11 [conscioushacker] Application Whitelisting Bypass: regsvr32.exe
2017.05 [blackhillsinfosec] How to Evade Application Whitelisting Using REGSVR32
2016.07 [hackingarticles] Hack Remote Windows PC using Regsvr32.exe (.sct) Application Whitelisting Bypass Server
2013.09 [dustri] regsvr32 returns 0x80070005

Regasm

Regsvcs

svchost

Tools

Post

2017.12 [hexacorn] svchost.exe -> explorer.exe on win10
2015.12 [hexacorn] The typographical and homomorphic abuse of svchost.exe, and other popular file names
2013.12 [myonlinesecurity] XP SP3 Svchost causes high (100%) CPU usage when updating
2013.11 [myonlinesecurity] Windows XP update locks machines with SVCHOST redlined at 100%: Fix it with KB 2879017 | Microsoft windows – InfoWorld
2013.07 [hexacorn] The typographical and homomorphic abuse of svchost.exe
2011.01 [pediy] [原创]svchost进程的浅析

MSBuild

Tools

[4136Star][7d] [C#] microsoft/msbuild The Microsoft Build Engine (MSBuild) is the build platform for .NET and Visual Studio.
[728Star][9m] [Py] mr-un1k0d3r/powerlessshell rely on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe.
[226Star][7m] [Py] infosecn1nja/maliciousmacromsbuild Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass.

Post

2019.06 [rastamouse] TikiSpawn & MSBuild
2019.01 [hackingarticles] Bypass Application Whitelisting using msbuild.exe (Multiple Methods)
2017.11 [freebuf] 海莲花团伙利用MSBuild机制免杀样本分析
2017.11 [360] 海莲花团伙利用MSBuild机制免杀样本分析
2017.11 [venus] 海莲花团伙利用MSBuild机制免杀样本分析
2017.11 [conscioushacker] Application Whitelisting Bypass: msbuild.exe
2017.01 [codepool] Using MSBuild for DLL configuration files, transformations and output to referencing projects.
2016.10 [] Use MSBuild To Do More（渗透中MSBuild的应用技巧）
2016.09 [360] Use MSBuild To Do More（渗透中MSBuild的应用技巧）
2016.09 [3gstudent] Use MSBuild To Do More
2016.09 [sysprogs] 10 Reasons to Try Out MSBuild for your VisualGDB Projects
2013.09 [redplait] msbuild 4.0 debugger
2013.09 [redplait] clang and msbuild integration
2013.01 [lowleveldesign] MSBuild: MSB3275 warning, GAC and .NET version

csrss.exe

Post

2018.03 [pediy] [原创]驱动注入用户线程之跨session通知csrss之真正解决
2015.08 [pediy] [原创]纯C++编写Win32/X64通用Shellcode注入csrss进程.
2012.05 [pediy] [原创]Csrss进程剖析
2011.08 [vexillium] 0-day Windows XP SP3 Denial of Service (CSRSS Crash #1)
2011.08 [vexillium] 0-day Windows XP SP3 Denial of Service (CSRSS Crash)
2011.07 [vexillium] CVE-2011-1281: A story of a Windows CSRSS Privilege Escalation vulnerability
2011.07 [vexillium] CVE-2011-1281: A story of a Windows CSRSS Privilege Escalation vulnerability
2010.07 [vexillium] Windows CSRSS Write Up: Inter-process Communication (part 2/3)
2010.07 [vexillium] Windows CSRSS Write Up: Inter-process Communication (part 2/3)
2010.07 [vexillium] Windows CSRSS Write Up: Inter-process Communication (part 1/3)
2010.07 [vexillium] Windows CSRSS Write Up: Inter-process Communication (part 1/3)
2010.07 [vexillium] Windows CSRSS Write Up: the basics (part 1/1)
2010.07 [vexillium] Windows CSRSS write up: the basics
2010.05 [pediy] [原创]详解进程创建中与csrss的通信流程
2010.05 [coldwind] Windows CSRSS cross-version API Table
2010.05 [vexillium] Windows CSRSS cross-version API Table
2010.05 [vexillium] Windows CSRSS cross-version API Table
2010.02 [coldwind] Microsoft Windows CSRSS Local Privilege Elevation Vulnerability
2009.05 [pediy] [原创]CsrssWalker学习笔记(附源代码)
2009.03 [pediy] [原创]CsrssVuln.exe源代码及分析

其他exe

Post

2019.05 [hexacorn] msiexec.exe as a LOLBIN
2019.04 [talosintelligence] Shimo VPN helper tool RunVpncScript privilege escalation vulnerability
2019.01 [hackingarticles] Bypass Application Whitelisting using msiexec.exe (Multiple Methods)
2018.09 [redcanary] Detecting MSXSL Abuse in the Wild
2018.07 [4hou] mavinject.exe的新用法
2018.05 [mattifestation] mavinject.exe Functionality Deconstructed
2018.05 [mattifestation] mavinject.exe Functionality Deconstructed
2018.04 [hexacorn] Curious case of the conhost.exe and condrv.sys
2018.03 [reaqta] Spear-phishing campaign leveraging on MSXSL
2018.02 [4hou] LokiBot变种正在使用msiexec.exe安装后门
2018.02 [360] 借助Windows Installer的msiexec.exe实现LokiBot恶意软件感染
2018.02 [trendmicro] Attack Using Windows Installer msiexec.exe leads to LokiBot
2017.12 [reaqta] From False Positive to True Positive: the story of Mavinject.exe, the Microsoft Injector
2017.01 [4hou] 渗透测试中的msiexec
2016.12 [3gstudent] 渗透测试中的msiexec
2016.12 [3gstudent] 渗透测试中的msiexec
2016.12 [4hou] PowerShell技巧——借助kd.exe隐藏进程
2016.12 [nettitude] Fun with Windows binaries – application whitelist bypass using msiexec
2016.12 [3gstudent] Powershell tricks::Hide Process by kd.exe
2016.11 [3gstudent] Study Notes of using dnx.exe / rcsi.exe to bypass Decvice Guard UMCI

SysInternalSuite

Sysmon

Tools

[2177Star][1m] swiftonsecurity/sysmon-config Sysmon configuration file template with default high-quality event tracing
[715Star][23d] [PS] olafhartong/sysmon-modular A repository of sysmon configuration modules
[667Star][2m] nshalabi/sysmontools Utilities for Sysmon
[546Star][12d] mhaggis/sysmon-dfir Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.
[455Star][1y] [Batchfile] ion-storm/sysmon-config Advanced Sysmon configuration, Installer & Auto Updater with high-quality event tracing
[246Star][13d] [CSS] trustedsec/sysmoncommunityguide TrustedSec Sysinternals Sysmon Community Guide

Post

2020.01 [bugbountywriteup] Unloading the Sysmon Minifilter Driver
2019.12 [] How to Test Bro-Sysmon
2019.12 [vanimpe] Use Sysmon DNS data for incident response
2019.11 [4hou] 你不知道的威胁狩猎技巧：Windows API 与 Sysmon 事件的映射
2019.10 [HackersOnBoard] Subverting Sysmon Application of a Formalized Security Product Evasion Methodology
2019.09 [sans] Parsing Sysmon Events for IR Indicators
2019.09 [blackhillsinfosec] Getting Started With Sysmon
2019.09 [osandamalith] Unloading the Sysmon Minifilter Driver
2019.09 [matterpreter] Shhmon — Silencing Sysmon via Driver Unload
2019.09 [specterops] Shhmon — Silencing Sysmon via Driver Unload
2019.09 [4hou] 如何逃逸Sysmon工具对DNS的监控
2019.09 [olafhartong] Sysmon 10.4 release
2019.09 [blackhillsinfosec] Webcast: Windows logging, Sysmon, and ELK
2019.08 [blackhillsinfosec] Webcast: Implementing Sysmon and Applocker
2019.07 [eforensicsmag] Using Sysmon and ETW For So Much More | By David Kennedy
2019.06 [nosecurecode] Sysmon in a Box
2019.06 [binarydefense] Using Sysmon and ETW For So Much More - Binary Defense
2019.06 [360] 如何规避Sysmon DNS监控
2019.06 [SecurityWeekly] Sysmon DNS Logging, Gravwell - PSW #608
2019.06 [xpnsec] Evading Sysmon DNS Monitoring

Procmon

Tools

Post

2019.03 [eforensicsmag] DYNAMIC MALWARE ANALYSIS – PROCESS MONITOR AND EXPLORER | By Prasanna B Mundas
2018.10 [hexacorn] Process monitoring/Process cmd line monitoring – data sources
2018.10 [guyrleech] Dynamically Creating Process Monitor Filters
2018.02 [appsecconsulting] PCI Time-Based Requirements as a Starting Point for Business-As-Usual Process Monitoring
2017.07 [arxiv] [1707.03821] Process Monitoring on Sequences of System Call Count Vectors
2017.06 [lowleveldesign] How to decode managed stack frames in procmon traces
2017.02 [lowleveldesign] When procmon trace is not enough
2017.02 [guyrleech] When even Process Monitor isn’t enough
2016.09 [dist67] Malware: Process Explorer & Procmon
2015.06 [guyrleech] Advanced Procmon Part 2 – Filtering inclusions
2015.02 [vimeo] Innuendo keylogger process monitor
2014.12 [guyrleech] Advanced Procmon Part 1 – Filtering exclusions
2014.07 [toolswatch] [New Tool] El Jefe v2.1 – Windows Process Monitoring Released
2012.04 [toolswatch] Process Monitor v3.0 Released
2011.08 [zeltser] Process Monitor Filters for Malware Analysis and Forensics
2011.04 [toolswatch] (Windows SysInternals) Process Monitor v2.95 released
2011.01 [toolswatch] (Windows SysInternals) Process Monitor v2.94 released
2010.09 [pediy] [翻译]Process Monitor中文手册

Autoruns

Tools

Post

2019.05 [jdferrell3] Scheduled Task command with space “hides” the file from Autoruns
2019.04 [sans] Offline Autoruns Revisited - Auditing Malware Persistence
2019.04 [jdferrell3] Autoruns fails to resolve file path for a scheduled task with a space in the file path
2018.12 [hexacorn] I fought the Autoruns, and Autoruns won…
2018.07 [KyleHanslovan] RE: Evading Autoruns PoCs on Windows 10
2018.07 [sans] Using AutorunsToWinEventLog
2018.04 [oddvar] Persistence using GlobalFlags in Image File Execution Options – Hidden from Autoruns.exe
2018.03 [oddvar] Persistence using RunOnceEx – Hidden from Autoruns.exe
2018.01 [p0w3rsh3ll] AutoRuns module compatible with PowerShell Core 6.0
2017.11 [360] 那些“躲避”微软autoruns工具的方法
2017.10 [conscioushacker] Evading Microsoft’s AutoRuns
2016.09 [defensivedepth] Integrating Autoruns with Security Onion
2015.07 [sans] Autoruns and VirusTotal
2012.11 [sketchymoose] Autoruns
2010.06 [sans] Autoruns and Dead Computer Forensics

ProcessExplorer

Post

2018.09 [notsoshant] A small introduction to Process Explorer
2017.12 [hasherezade] Experiment: ProcessExplorer vs my "lil_calc"
2016.05 [malwarebytes] Process Explorer: part two
2016.05 [malwarebytes] Process Explorer: an introduction
2015.07 [sans] Process Explorer and VirusTotal
2014.01 [virusbulletin] VirusTotal support integrated into new version of Process Explorer
2014.01 [malwarebytes] Process Explorer Now Including VirusTotal Support
2013.12 [dist67] Using Process Explorer's Find Window's Process
2013.01 [securityblog] Process Explorer
2012.06 [toolswatch] Process Explorer v15.2 Released
2011.12 [toolswatch] Process Explorer v15.1 Released
2011.05 [toolswatch] (Windows SysInternals) Process Explorer v14.11 released
2011.03 [toolswatch] (Windows SysInternals) Process Explorer v14.1 released
2005.08 [sans] Slow Sunday; CA Message Queuing Vulns; Process Explorer Vuln; Infocon: Green Redux

Other

Tools

Post

2019.11 [code610] Sysinternals Suite - quick review for Windows 10
2018.01 [hexacorn] Yet another way to hide from Sysinternals’ tools, part 1.5
2018.01 [hexacorn] Yet another way to hide from Sysinternals’ tools
2017.10 [360] 如何利用SysInternals Suite来隐藏你的进程
2017.08 [chrislazari] Removing Crypto-Mining Malware from Windows using SysInternals Tools
2016.11 [hackers] Digital Forensics, Part 8: Live Analysis with sysinternals
2015.11 [holisticinfosec] toolsmith #110: Sysinternals vs Kryptic
2014.11 [hexacorn] Sysinternals’ Eulagoogoolizer
2014.07 [lowleveldesign] Collect .NET applications traces with sysinternals tools
2011.04 [toolswatch] New Sysinternals Suite Available
2011.04 [pediy] [翻译]The Case of the Sysinternals-Blocking Malware——虚拟桌面程序来协助你手动杀毒
2011.04 [toolswatch] Analyzing a Stuxnet Infection with the Sysinternals Tools, Part 1
2011.03 [toolswatch] (Windows SysInternals) VMMap v3.03 released
2011.03 [toolswatch] (Windows SysInternals) ProcDump v3.03 released
2009.12 [sans] Updates to Sysinternals Toolkit
2009.09 [sans] Sysinternals Tools Updates
2009.05 [sans] Sysinternals Updates 3 Applications
2008.10 [sans] Updates to SysInternals tools!
2008.07 [pediy] [原创]Sysinternal出品工具TcpView的驱动逆向源代码
2006.07 [sans] Winternals/SysInternals acquired by Microsoft

Tools

Recent Add

[9553Star][9d] [PS] lukesampson/scoop A command-line installer for Windows.
[4868Star][10m] [Py] 10se1ucgo/disablewintracking Uses some known methods that attempt to minimize tracking in Windows 10
[3648Star][9d] [C#] kohsuke/winsw A wrapper executable that can be used to host any executable as an Windows service, in a liberal license
[3409Star][1m] [C] microsoft/windows-driver-samples This repo contains driver samples prepared for use with Microsoft Visual Studio and the Windows Driver Kit (WDK). It contains both Universal Windows Driver and desktop-only driver samples.
[3222Star][9d] [C++] 0xz0f/z0fcourse_reverseengineering Reverse engineering focusing on x64 Windows.
[2132Star][2m] [C++] darthton/blackbone Windows memory hacking library
[2052Star][1m] [C++] mhammond/pywin32 Python for Windows (pywin32) Extensions
[700Star][9d] [PS] farag2/windows-10-setup-script Script to setup Windows 10 1903/1909
[666Star][28d] [C] virtio-win/kvm-guest-drivers-windows Windows paravirtualized
[628Star][3m] [C] mrexodia/titanhide a driver intended to hide debuggers from certain processes
[278Star][1y] [Py] hakril/pythonforwindows A codebase aimed to make interaction with Windows and native execution easier
[216Star][5m] adguardteam/adguardforwindows AdGuard for Windows open bug tracker

Environment Setup

[1530Star][1y] [PS] joefitzgerald/packer-windows Windows templates that can be used to create boxes for Vagrant using Packer
[1368Star][3m] [Go] securitywithoutborders/hardentools Hardentools is a utility that disables a number of risky Windows features.
[1167Star][11d] [HTML] nsacyber/windows-secure-host-baseline Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. #nsacyber
[1054Star][9d] adolfintel/windows10-privacy Windows 10 Privacy Guide
[545Star][11d] [PS] stefanscherer/packer-windows Windows Templates for Packer: Win10, Server 2016, 1709, 1803, 1809, 2019, 1903, 1909, Insider with Docker

Kernel&&Driver

[943Star][11m] [C] microsoft/windows-driver-frameworks a set of libraries that make it simple to write high-quality device drivers.
[891Star][1m] axtmueller/windows-kernel-explorer A free but powerful Windows kernel research tool.
[515Star][7m] [Py] rabbitstack/fibratus Tool for exploration and tracing of the Windows kernel
[496Star][3m] [C] jkornev/hidden Windows driver with usermode interface which can hide objects of file-system and registry, protect processes and etc
[288Star][9d] [PS] microsoftdocs/windows-driver-docs The official Windows Driver Kit documentation sources

Registry

[521Star][9d] [Batchfile] chef-koch/regtweaks Windows Registry Tweaks (Win 7 - Win 10)
[293Star][2m] [Py] williballenthin/python-registry Pure Python parser for Windows Registry hives.

SystemCall

[757Star][4m] [HTML] j00ru/windows-syscalls Windows System Call Tables (NT/2000/XP/2003/Vista/2008/7/2012/8/10)
[349Star][20d] [C] hfiref0x/syscalltables Windows NT x64 Syscall tables

Other

[1007Star][12d] [C++] henrypp/simplewall Simple tool to configure Windows Filtering Platform (WFP) which can configure network activity on your computer.
[981Star][5m] [C] basil00/divert Windows Packet Divert
[742Star][4m] [Py] diyan/pywinrm Python library for Windows Remote Management (WinRM)
[605Star][21d] [C] hfiref0x/winobjex64 Windows Object Explorer 64-bit
[475Star][2m] [C#] microsoft/dbgshell A PowerShell front-end for the Windows debugger engine.
[428Star][12d] [C] samba-team/samba he standard Windows interoperability suite of programs for Linux and Unix
[412Star][2m] [Jupyter Notebook] microsoft/windowsdefenderatp-hunting-queries Sample queries for Advanced hunting in Microsoft Defender ATP
[396Star][16d] [C#] microsoft/binskim A binary static analysis tool that provides security and correctness results for Windows Portable Executable and *nix ELF binary formats
[377Star][2m] [Ruby] winrb/winrm Ruby library for Windows Remote Management

Post

Recent Add

2018.11 [vimeo] INNUENDO Telemetry Gathering and Incidence Response
2018.01 [4sysops] Search Active Directory with the PowerShell cmdlet Get‑ADComputer
2017.06 [faiz] #CloudComputing : #Security, #Vulnerabilities, #Privacy, #Storage, #Multicloud Overview SERIES #1
2017.03 [paloaltonetworks] Pulling Back the Curtains on EncodedCommand PowerShel
2017.02 [vexillium] Windows Kernel Local Denial-of-Service #2: win32k!NtDCompositionBeginFrame (Windows 8-10)
2017.02 [vexillium] Windows Kernel Local Denial-of-Service #2: win32k!NtDCompositionBeginFrame (Windows 8-10)
2017.01 [trustedsec] Circumventing EncodedCommand and IEX Detection in PowerShell
2013.11 [mikefrobbins] Windows 8.1 RSAT PowerShell Cmdlets Get-ADUser & Get-ADComputer : One or more Properties are Invalid

Contribute

Contents auto exported by Our System, please raise Issue if you have any question.

Files

Readme_en.md

Latest commit

History

Readme_en.md

File metadata and controls

All Resource Collection Projects

Windows

Directory

PowerShell

PowerSploit

Tools

Post

PSAttack

Tools

Post

Other

Tools

Post

DLL

Recent Add

Tools

Post

DLL Injection

Tools

Post

DLL Hijack

Tools

Post

DLL旁加载

Post

PE

PE解析

Tools

Post

Tools

Tools

Post

Post

.NET

Tools

Recent Add

dnspy

Post

Login & Credential

Mimikatz

Tools

Post

NTLM

Tools

Post

Kerberos

Tools

Post

PassTheHash

Tools

Post

Pass-The-Ticket

Post

winglogon.exe

Tools

Post

LLMNR

Tools

Post

NetBIOS

Tools

Post

Other

Tools

Windows Protections

UAC

Tools

Post

AppLocker

Tools

Post

DEP

Tools

Post