v2027.03.04

Cyber Security Resources

Curated tools and information for cyber defense

DEFENSE
General Defense Resources

Defense strategies, frameworks and tools are essential for the Blue Team to detect, prevent and respond to cyber threats.

Cybersecurity Frameworks
  • NIST Cybersecurity Framework: A set of guidelines for private-sector companies to be better prepared to identify, detect and respond to cyber attacks. (Resources Library, NIST CSF 2.0)
  • CIS Controls: A prioritized set of actions to protect your organization and data from known cyber attack vectors. (Assessment Tool)
  • NIST SP 800-53: Security and privacy controls for information systems and organizations. (Machine Readable Data)
  • PCI DSS: Payment Card Industry Data Security Standard for organizations that process credit cards.
  • SOC 2: Service Organization Control 2 - Trust services criteria for service organizations.
  • COBIT: Control Objectives for Information and Related Technologies, a framework for IT management and governance. (Auditing COBIT 2019)
  • ISO 27001/27002 Toolkit: A repository with a comprehensive toolkit designed to help organizations implement the ISO 27001:2022 Information Security Management System (ISMS).
  • ISF SOGP: The ISF Standard of Good Practice for Information Security (SOGP) is the leading authority in the field of information security.

Cybersecurity HomeLab
  • Kali Linux: Offensive toolkit for scanning, exploitation and red teaming. Run in a VM to scan/exploit other lab systems.
  • Metasploitable 2: Vulnerable Linux VM for safe exploit practice. Combine with Kali to test & document exploits.
  • Vulnerable-AD: Insecure Active Directory lab. Use with Windows Server to simulate AD attacks.
  • WebGoat: OWASP vulnerable web app. Run locally/Docker & complete the built-in lessons.
  • Juice Shop: Modern OWASP vulnerable app. Host locally & try SQLi, XSS, and more.
  • GoPhish: Phishing simulation platform. Send test phishing emails to lab inboxes.
  • PortSwigger: Free web security labs. Work through online exploit challenges.
  • Vulnserver: Windows buffer overflow server. Run in a Win7 VM & exploit with Immunity Debugger.
  • Vulnerable WP: Exploitable WordPress site. Install locally & test WP-specific exploits.
  • CTFlearn: CTF challenges for all levels. Solve puzzles to improve across domains.
  • pfSense: Firewall/router for segmentation. Place between VMs to control & inspect traffic.
  • Suricata: IDS/IPS. Deploy inline with pfSense to detect/block threats.
  • Wazuh: SIEM/XDR. Collect & analyze logs from lab machines.
  • OpenSearch: Search/visualization stack. Integrate with Wazuh for event dashboards.
  • Security Onion: Threat detection suite. Process lab traffic for threat hunting.
  • Cowrie: SSH/telnet honeypot. Deploy isolated to monitor login attempts.
  • WireGuard: VPN. Connect securely to the lab network remotely.
  • Sysmon: Windows logging. Install to track security events.
  • Ansible: Automation tool. Push configurations to multiple lab VMs.
  • MITRE Caldera: Adversary emulation. Simulate attacker behavior in test networks.
  • Wireshark: Packet capture/analysis. Inspect traffic between lab hosts. (Download)
  • Zeek: Network monitoring/logging. Run with Security Onion for deep analysis. (Download)
  • REMnux: Malware analysis distribution. Reverse-engineer safely in a VM. (Download)
  • Sigma: Detection rules. Write rules & test in Wazuh/Graylog.
  • Proxmox VE: Virtualization platform for running your lab VMs.
  • Docker: Platform for developing, shipping and running applications in containers.
  • Portainer: Universal container management environment.
  • Pi-hole: Network-wide ad blocking via your own Linux hardware.
  • T-Pot: The all-in-one honeypot platform.
  • HELK: The Hunting ELK - A hunting platform.
  • Ghidra: A software reverse engineering (SRE) suite of tools developed by the NSA.
  • FlareVM: Windows-based security distribution for malware analysis, incident response, penetration testing, etc.

Threat Modeling Frameworks
  • MITRE ATT&CK: A globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
  • Cyber Kill Chain: Developed by Lockheed Martin, this framework identifies what adversaries must complete in order to achieve their objective.
  • Diamond Model: A cognitive model for intrusion analysis.
  • STRIDE: A threat modeling methodology developed by Microsoft (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege).
  • PASTA: Process for Attack Simulation and Threat Analysis, a risk-centric threat modeling methodology.
  • LINDDUN: Privacy threat modeling framework (Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance). (PILLAR AI Tool)
  • OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation, a risk-based strategic assessment and planning technique.
  • Trike: A risk-based threat modeling methodology and tool. (GitHub Repo)
  • Attack Trees: Conceptual diagrams showing how an asset or target might be attacked. (ATTop Analysis Tool)

Threat Modeling Tools
  • OWASP Threat Dragon: An open source threat modeling tool from OWASP.
  • pytm: A Pythonic framework for threat modeling.
  • Threagile: Agile Threat Modeling Toolkit.
  • Threat Composer: A simple threat modeling tool that helps people reduce time-to-value when modeling threats.
  • Microsoft Threat Modeling Tool: A tool for creating data flow diagrams to identify threats.

Blue Team Tools

Security Monitoring & SIEM

  • Sysmon: Windows system monitor that tracks system activity and logs it to the Windows event log.
  • Wazuh: Free and open source security platform that unifies XDR and SIEM capabilities.
  • Security Onion: A free and open platform for threat hunting, enterprise security monitoring and log management.
  • Elastic Security (ELK): Integrated protection for everyone.
  • Velociraptor: Tool for endpoint visibility and collection.
  • SysmonSearch: Aggregates event logs generated by Microsoft's Sysmon.

Incident Response & Forensics

  • TheHive: A scalable, open source and free Security Incident Response Platform.
  • Cortex: Powerful Observable Analysis and Active Response Engine.
  • SANS SIFT: SANS Investigative Forensic Toolkit.
  • Autopsy: Digital forensics platform and graphical interface for The Sleuth Kit.
  • Volatility: Advanced memory forensics framework.
  • KAPE: Kroll Artifact Parser and Extractor.

Threat Intelligence

  • MISP: Malware Information Sharing Platform and Threat Sharing.
  • OpenCTI: Open Cyber Threat Intelligence Platform.
  • YARA: The pattern matching swiss knife for malware researchers.

Analysis & Sandboxing

  • Cuckoo Sandbox: Automated Malware Analysis System.
  • CyberChef: The Cyber Swiss Army Knife.
  • VirusTotal: Analyze suspicious files, domains, IPs and URLs.

Application Security

  • SafeLine: Lightweight web application firewall (WAF) with layer 7 protection.
  • Medusa: Multi-Language Security Scanner with AI-first architecture.

Detection Engineering
  • Sigma: Generic Signature Format for SIEM Systems.
  • Unprotect Project: Malware evasion techniques knowledge base.
  • LOLBAS: Living Off The Land Binaries, Scripts and Libraries.
  • GTFOBins: List of Unix binaries that can be used to bypass local security restrictions.

ATTACK

The Cyber Kill Chain

Information

  • Process: Developed by Lockheed Martin, this framework identifies what adversaries must complete in order to achieve their objective.

STEP 1. Reconnaissance

Reconnaissance is the first phase of the Cyber Kill Chain; it covers the research, identification and selection of targets.

Tools

Scanners & Frameworks

  • Argus: Python-powered toolkit for information gathering and reconnaissance.
  • RustScan: The Modern Port Scanner. Find ports quickly (3 seconds at its fastest). Run scripts through our scripting engine (Python, Lua, Shell supported).
  • Amass: In-depth Attack Surface Mapping and Asset Discovery.
  • Nmap: The "Network Mapper", free and open source utility for network discovery and security auditing.
  • nmapUnleashed: A powerful CLI wrapper that enhances Nmap's capabilities for penetration testers and network auditors with multithreading and a dashboard.
  • Masscan: Internet-scale port scanner, transmitting 10 million packets per second.
  • Naabu: A fast port scanning tool written in Go that enumerates valid ports in a reliable manner.
  • OpenVAS: Full-featured vulnerability scanner with extensive testing capabilities.
  • Nikto: Open Source web server scanner for over 6700 potentially dangerous files/programs.
  • Sn1per: Automated scanner for enumeration and vulnerability scanning.
  • Osmedeus: Workflow engine for offensive security, running awesome tools for recon and vulnerability scanning.
  • D0rkerR3con Framework: Offensive Recon toolkit to discover exposed files, secrets, and launch weaponized Google Dorks.
  • Recon-ng: Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.
  • Scanners-Box: A powerful and open-source toolkit for hackers and security automation.
  • Reconness: ReconNess helps you to run and keep all your recon in the same place.
  • Lazyrecon: Script written in Bash to automate tedious tasks of reconnaissance and information gathering.
  • reconFTW: A powerful automated reconnaissance tool designed for security researchers.
  • axiom: A distributed dynamic infrastructure framework for offensive security operations.
  • Trivy: Comprehensive and versatile security scanner for vulnerabilities and misconfigurations.

Domain & DNS

  • Subfinder: Subdomain discovery tool that discovers valid subdomains for websites by using passive online sources.
  • Puredns: Fast, professional DNS resolver. Replaces Altdns/Massdns for many workflows.
  • Chaos: Actively scans and maintains internet-wide assets' data.
  • Dnsprobe: Tool built on top of retryabledns that allows you to perform multiple DNS queries.
  • Shuffledns: Wrapper around massdns that allows you to enumerate valid subdomains using active bruteforce.
  • Findomain: Offers dedicated monitoring service for target domains and alerts.
  • Dnsgen: Generates a combination of domain names from the provided input.
  • Gotator: Powerful permutation generation for subdomains.
  • Massdns: High-performance DNS stub resolver.
  • Sublert: Security and reconnaissance tool to leverage certificate transparency for monitoring new subdomains.
  • Subjack: Subdomain Takeover tool written in Go.
  • dnscan: A python wordlist-based DNS subdomain scanner.

Web & OSINT

  • Wappalyzer: Browser extension that uncovers the technologies used on websites.
  • BuiltWith: Helps find out what technologies web pages are using.
  • WhatWeb: Recognizes web technologies including CMS, blogging platforms, statistic/analytics packages, etc.
  • Gau: Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
  • Waybackurls: Fetch known URLs from the Wayback Machine.
  • Meg: Tool for fetching lots of URLs without taking a toll on the servers.
  • Katana: A next-generation crawling and spidering framework.
  • Feroxbuster: A Rust-based content discovery tool. Faster, smarter, and more modern than Dirb/DirBuster.
  • Dirsearch: A simple command line tool designed to brute force directories and files in websites.
  • Ffuf: A fast web fuzzer written in Go.
  • httpx: Fast and multi-purpose HTTP toolkit that allows running multiple probes.
  • EyeWitness: Designed to take screenshots of websites, provide some server header info, and identify default credentials.
  • Gowitness: Website screenshot utility written in Golang using Chrome Headless.
  • SpiderFoot: Open source intelligence (OSINT) automation tool.
  • Maltego: OSINT and graphical link analysis tool for gathering and connecting information.
  • Shodan: Search engine for Internet-connected devices.
  • Censys: Scans the most ports and houses the biggest certificate database in the world.
  • Jsluice: Extract URLs, paths, secrets, and other interesting data from JavaScript source code.
  • Unfurl: Parse URLs and pull out content based on criteria.
  • Asnlookup: Displays information about an IP address's Autonomous System Number (ASN).
  • Virtual-host-discovery: Enumerates virtual hosts on a given IP address.
  • WitnessMe: Web Inventory tool, takes screenshots of webpages using Pyppeteer.
  • BBOT: Recursive internet scanner designed to be faster and more reliable.
  • ENScan_GO: Tool based on major enterprise information APIs to solve problems in collecting domestic enterprise information (ICP, APP, WeChat, etc.).
  • dismap: Asset discovery and identification tool for rapid web fingerprint recognition.

Cloud & Git

  • gitGraber: Monitor GitHub to search and find sensitive data in real time.
  • Shhgit: Finds secrets and sensitive files across GitHub code and Gists in real-time.
  • gitleaks: SAST tool for detecting hardcoded secrets in git repos.
  • cloud_enum: Multi-cloud OSINT tool.
  • S3Scanner: Scan for open S3 buckets and dump the contents.
  • Gato (Github Attack TOolkit): Enumeration and attack tool for GitHub organizations.
  • apk2url: OSINT tool to extract IP and URL endpoints from APKs.
  • Checkov: Static analysis tool for Infrastructure as Code (IaC) security and compliance.

Social Media

STEP 2. Weaponization

Weaponization couples a remote access trojan with an exploit into a deliverable payload.

Tools (Payload Development)

  • Ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
  • Payloads All The Things: A list of useful payloads and bypasses for Web Application Security.
  • GhostStrike: Deploy stealthy reverse shells using advanced process hollowing.
  • Ivy: Payload creation framework for the execution of arbitrary VBA (macro) source code directly in memory.
  • PEzor: Open-Source PE Packer.
  • GadgetToJScript: Generates .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized.
  • ScareCrow: Payload creation framework designed around EDR bypass.
  • Donut: Position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies.
  • Mystikal: macOS Initial Access Payload Generator.
  • charlotte: C++ fully undetected shellcode launcher.
  • InvisibilityCloak: Obfuscation toolkit for C# post-exploitation tools.
  • Dendrobate: Framework that facilitates the development of payloads that hook unmanaged code through managed .NET code.
  • Offensive VBA and XLS Entanglement: Examples of how VBA can be used for offensive purposes.
  • xlsGen: Tiny Excel BIFF8 Generator, to Embedded 4.0 Macros in *.xls.
  • darkarmour: Windows AV Evasion.
  • InlineWhispers: Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF).
  • EvilClippy: Assistant for creating malicious MS Office documents.
  • OfficePurge: VBA purge your Office documents.
  • ThreatCheck: Identifies the bytes that Microsoft Defender / AMSI Consumer flags on.
  • CrossC2: Generate CobaltStrike's cross-platform payload.
  • Ruler: Tool that allows you to interact with Exchange servers remotely.
  • DueDLLigence: Shellcode runner framework for application whitelisting bypasses and DLL side-loading.
  • RuralBishop: P/Invoke calls replaced with D/Invoke.
  • TikiTorch: Spawns a new process, allocates memory, then uses CreateRemoteThread to run shellcode.
  • SharpShooter: Payload creation framework for the retrieval and execution of arbitrary CSharp source code.
  • SharpSploit: .NET post-exploitation library written in C#.
  • MSBuildAPICaller: MSBuild Without MSBuild.exe.
  • macro_pack: Tool used to automatize obfuscation and generation of MS Office documents, VB scripts, etc.
  • inceptor: Template-Driven AV/EDR Evasion Framework.
  • mortar: Evasion technique to defeat and divert detection and prevention of security products.
  • ProtectMyTooling: Multi-Packer wrapper letting us daisy-chain various packers, obfuscators.
  • Freeze: Payload toolkit for bypassing EDRs using suspended processes, direct syscalls.
  • Shhhloader: Shellcode loader that compiles a C++ stub to bypass AV/EDR.
  • DllShimmer: Weaponize DLL hijacking easily.
  • moonwalk: Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps.

STEP 3. Delivery

Delivery is the transmission of the weapon to the target environment.

Phishing Tools

  • Gophish: Open-source phishing toolkit designed for businesses and penetration testers.
  • Evilginx2: Man-in-the-middle attack framework used for phishing credentials and session cookies.
  • Modlishka: Flexible and powerful reverse proxy for ethical phishing campaigns.
  • o365-attack-toolkit: A toolkit to attack Office365.
  • PwnAuth: Web application framework for launching and managing OAuth abuse campaigns.
  • goblin: A simulation phishing system suitable for red-blue confrontation.
  • Social-Engineer Toolkit (SET): Open-source penetration testing framework designed for social engineering.

Other Delivery & Interaction Tools

  • Interactsh: ProjectDiscovery's OOB interaction server. Critical for blind SSRF/XXE/RCE testing.
  • BeEF: The Browser Exploitation Framework. Focuses on the web browser.

STEP 4. Exploitation

Exploitation triggers the attacker's code. This phase targets vulnerabilities to gain control or execute code.

Exploitation Frameworks & Tools

  • Metasploit Framework: The world's most used penetration testing framework.
  • Burp Suite: The quintessential web app hacking tool.
  • Caido.io: The lightweight, Rust-based alternative to Burp Suite.
  • sqlmap: Automates the process of detecting and exploiting SQL injection flaws.
  • W3AF: Web Application Attack and Audit Framework.
  • Routersploit: Exploitation framework for embedded devices.
  • Commix: Automated all-in-one OS command injection and exploitation tool.
  • Pacu: The "Metasploit for Cloud." An exploitation framework specifically for AWS.
  • ExploitDB: The official repository of The Exploit Database.
  • traitor: Automatic Linux privesc via exploitation of low-hanging fruit.
  • yakit: Cyber Security ALL-IN-ONE Platform (Exploit, Scanner, Hacking).
  • Shannon: Fully autonomous AI pentester that delivers actual exploits, not just alerts.

Web & API Exploitation

  • ZAP (Zed Attack Proxy): Integrated penetration testing tool for finding vulnerabilities in web applications.
  • Acunetix: Automated web application and API security platform.
  • Invicti: Enterprise-grade web application and API security platform.
  • Kiterunner: The best tool for API endpoint discovery (finding hidden/shadow routes).
  • Arjun: Specialized in finding hidden HTTP parameters that other scanners miss.
  • Dalfox: Fast, modern XSS scanner.
  • SSRFTest: SSRF testing tool.
  • Jsluice: Extract URLs, paths, secrets, and other interesting data from JavaScript source code.
  • ActiveScan++: Burp Suite extension that extends active and passive scanning capabilities.
  • Autorize: Burp Suite extension to detect authorization vulnerabilities.
  • Logger++: Multi-threaded logging extension for Burp Suite.
  • Wpscan: Black box WordPress security scanner.
  • Infection Monkey: A semi automatic pen testing tool for mapping/pen-testing networks.
  • ACSTIS: AngularJS Client-Side Template Injection scanner.
  • padding-oracle-attacker: CLI tool to execute padding oracle attacks.
  • is-website-vulnerable: Finds publicly known security vulnerabilities in a website's frontend JavaScript libraries.
  • PhpSploit: Full-featured C2 framework which silently persists on webserver via evil PHP oneliner.

Initial Access & Privilege Escalation

  • PEASS-ng: Privilege Escalation Awesome Scripts SUITE.
  • NetExec (nxc): The successor to CrackMapExec. The #1 tool for network pentesting (SMB/WinRM spraying, AD enumeration).
  • SprayingToolkit: Scripts to make password spraying attacks.
  • CredMaster: Refactored & improved CredKing password spraying tool.
  • Kraken: All-in-One Toolkit for BruteForce Attacks.
  • SweetPotato: Collection of various native Windows privilege escalation techniques.
  • GodPotato: Privilege escalation using ImpersonatePrivilege.
  • PrivKit: Detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS.
  • Watson: Enumerate missing KBs and suggest exploits.
  • SharpUp: C# port of various PowerUp functionality.
  • dazzleUP: Detects privilege escalation vulnerabilities caused by misconfigurations.

STEP 5. Installation

Installation allows the adversary to maintain persistence in the environment.

Persistence Tools

  • SharPersist: Windows persistence toolkit written in C#.
  • SharpStay: .NET project for installing Persistence.
  • SharpHide: Tool to create hidden registry keys.
  • ScheduleRunner: C# tool to customize scheduled task for persistence.
  • SharpEventPersist: Persistence by writing/reading shellcode from Event Log.
  • IIS-Raid: A native backdoor module for Microsoft IIS.
  • SharPyShell: Tiny and obfuscated ASP.NET webshell for C# web applications.
  • Kraken: Modular multi-language webshell.
  • HiddenDesktop: HVNC for Cobalt Strike.
  • DAMP: The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.
  • reGeorg: The successor to reDuh, pwn a bastion webserver and create SOCKS proxies.
  • ABPTTS: TCP tunneling over HTTP for web application servers.
  • pivotnacci: A tool to make socks connections through HTTP agents.

STEP 6. Command & Control

Command & Control (C2) channels allow the attacker to issue instructions to the compromised devices.

Remote Access Tools (RAT) & C2 Frameworks

  • Cobalt Strike: Software for Adversary Simulations and Red Team Operations.
  • Villain: High level stage 0/1 C2 framework that can handle multiple reverse TCP & HoaxShell-based shells.
  • Kubesploit: Cross-platform post-exploitation HTTP/2 Command & Control server and agent focused on containerized environments.
  • Sliver: General purpose cross-platform implant framework.
  • Havoc: Modern and malleable post-exploitation command and control framework.
  • Empire: Post-exploitation framework that includes a pure-PowerShell Windows agent.
  • PoshC2: Proxy aware C2 framework.
  • Covenant: .NET command and control framework.
  • Mythic: Cross-platform, post-exploit, red teaming framework.
  • Brute Ratel C4: Advanced Red Team & Adversary Simulation Software.
  • merlin: Cross-platform post-exploitation C2 server and agent written in Go.
  • shad0w: Post exploitation framework designed to operate covertly.
  • Pupy: Cross-platform remote administration and post-exploitation tool.
  • NimPlant: Light first-stage C2 implant written in Nim and Python.
  • SharpC2: C2 framework written in C#.
  • Nimhawk: Powerful, modular, lightweight and efficient command & control framework written in Nim.
  • AdaptixC2: Extensible post-exploitation and adversarial emulation framework.
  • Loki: Node.js Command & Control for Script-Jacking Vulnerable Electron Applications.
  • SILENTTRINITY: Asynchronous, collaborative post-exploitation agent powered by Python and .NET.

Legitimate Remote Access Tools

Staging & Redirectors

  • RedWarden: Flexible CobaltStrike Malleable Redirector.
  • AzureC2Relay: Azure Function that validates and relays Cobalt Strike beacon traffic.
  • C2concealer: Generates randomized C2 malleable profiles.
  • FindFrontableDomains: Search for potential frontable domains.
  • Domain Hunter: Checks expired domains for reputation.
  • pwndrop: Self-deployable file hosting service for red teamers.
  • C3: Custom Command and Control tool.
  • Chameleon: Tool for evading Proxy categorisation.
  • redirect.rules: Dynamic redirect.rules generator.
  • SourcePoint: C2 profile generator for Cobalt Strike.
  • RedGuard: C2 front flow control tool.
  • skyhook: Round-trip obfuscated HTTP file transfer setup.
  • GraphStrike: Cobalt Strike HTTPS beaconing over Microsoft Graph API.

STEP 7. Actions on Objectives

Actions on Objectives is the final phase, in which intruders take action to achieve their original goals, such as data exfiltration or lateral movement.

Exfiltration

  • SharpExfiltrate: Modular C# framework to exfiltrate loot over secure channels.
  • DNSExfiltrator: Data exfiltration over DNS request covert channel.
  • Egress-Assess: Tool used to test egress data detection capabilities.
  • VeilTransfer: Data exfiltration utility designed to test and enhance detection capabilities.

Credential Dumping

  • NetExec (nxc): The successor to CrackMapExec. The #1 tool for network pentesting (SMB/WinRM spraying, AD enumeration).
  • TruffleHog: The modern standard for finding secrets (API keys, creds) in code. Replaces gitGraber/Shhgit.
  • Hashcat: The industry standard for password cracking (GPU-based).
  • John the Ripper: Free and Open Source software, distributed primarily in a source code form.
  • Mimikatz: Allows users to view and save authentication credentials.
  • LaZagne: Retrieve lots of passwords stored on a local computer.
  • Dumpert: LSASS memory dumper using direct system calls and API unhooking.
  • CredBandit: BOF to perform a complete in memory dump of a process.
  • CloneVault: Export and import entries from Windows Credential Manager.
  • SharpLAPS: Retrieve LAPS password from LDAP.
  • SharpDPAPI: C# port of some DPAPI functionality from Mimikatz.
  • KeeThief: Extraction of KeePass 2.X key material from memory.
  • SafetyKatz: Combination of Mimikatz and .NET PE Loader.
  • forkatz: Credential dump using forshaw technique.
  • PPLKiller: Tool to bypass LSA Protection.
  • AndrewSpecial: Dumping lsass' memory stealthily.
  • Net-GPPPassword: .NET implementation of Get-GPPPassword.
  • SharpChromium: Retrieve Chromium data, such as cookies, history and saved logins.
  • Chlonium: Application designed for cloning Chromium Cookies.
  • SharpCloud: Simple C# utility for checking for the existence of credential files.
  • pypykatz: Mimikatz implementation in pure Python.
  • nanodump: A Beacon Object File that creates a minidump of the LSASS process.
  • Koh: C# and BOF toolset to capture user credential material.
  • PPLBlade: Protected Process Dumper Tool.
  • TrickDump: Dump lsass using only NTAPIS.
  • RemoteMonologue: Windows credential harvesting technique leveraging Interactive User RunAs key.

Lateral Movement

  • Ligolo-ng: The new standard for pivoting/tunneling. Replaces clunky VPN/proxychains setups.
  • Responder: Essential for poisoning LLMNR/NBT-NS protocols to capture hashes.
  • Liquid Snake: Fileless lateral movement using WMI Event Subscriptions.
  • PowerUpSQL: PowerShell Toolkit for Attacking SQL Server.
  • SQLRecon: C# MS SQL toolkit designed for offensive reconnaissance.
  • SCShell: Fileless lateral movement tool that relies on ChangeServiceConfigA.
  • SharpRDP: RDP Console Application for Authenticated Command Execution.
  • MoveKit: Extension of built in Cobalt Strike lateral movement.
  • SharpNoPSExec: File less command execution for lateral movement.
  • impacket: Collection of Python classes for working with network protocols.
  • Farmer: Project for collecting NetNTLM hashes.
  • CIMplant: C# port of WMImplant.
  • PowerLessShell: Rely on MSBuild.exe to remotely execute PowerShell scripts.
  • SharpGPOAbuse: Take advantage of a user's edit rights on a Group Policy Object.
  • kerbrute: Quickly bruteforce and enumerate valid Active Directory accounts.
  • mssqlproxy: Toolkit to perform lateral movement through Microsoft SQL Server.
  • Invoke-TheHash: PowerShell Pass The Hash Utils.
  • InveighZero: .NET IPv4/IPv6 machine-in-the-middle tool.
  • SharpSpray: Password spraying attack against all users of a domain.
  • CrackMapExec: A swiss army knife for pentesting networks.
  • SharpAllowedToAct: C# implementation of a computer object takeover through RBCD.
  • SharpRDPHijack: RDP session hijack utility for disconnected sessions.
  • CheeseTools: Tools based on MiscTool.
  • LatLoader: Automated lateral movement with Havoc C2.
  • MalSCCM: Abuse local or remote SCCM servers.
  • Coercer: Coerce a Windows server to authenticate on an arbitrary machine.
  • orpheus: Bypassing Kerberoast Detections.
  • goexec: Remote execution on Windows devices.
  • BitlockMove: Lateral Movement via Bitlocker DCOM interfaces & COM Hijacking.

Tunneling

  • Chisel: Fast TCP/UDP tunnel, transported over HTTP, secured via SSH.
  • frp: Fast reverse proxy.
  • SockTail: Joins a device to a Tailscale network and exposes a local SOCKS5 proxy.

Network & Analysis

  • Wireshark: Network protocol analyzer.
  • Ettercap: Open-source network security tool for man-in-the-middle attacks.
  • Bettercap: The "Swiss Army knife" for network attacks and monitoring.
  • FoxyProxy: Advanced proxy management tool.
  • CyberChef: The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis.