Armory
Command Name | Version | Type | Help
---|---|---|---
bof-roast | v0.0.2 | Extension | Beacon Object File repo for roasting Active Directory
bof-servicemove | v0.0.1 | Extension | Lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking
c2tc-addmachineaccount | v0.0.9 | Extension | AddMachineAccount [Computername] [Password
c2tc-askcreds | v0.0.9 | Extension | Collect passwords using CredUIPromptForWindowsCredentialsName
c2tc-domaininfo | v0.0.9 | Extension | enumerate domain information using Active Directory Domain Services
c2tc-kerberoast | v0.0.9 | Extension | A BOF tool to list all SPN enabled user/service accounts or request service tickets (TGS-REP)
c2tc-kerbhash | v0.0.9 | Extension | port of the Mimikatz/Rubeus hash command
c2tc-klist | v0.0.9 | Extension | Displays a list of currently cached Kerberos tickets.
c2tc-lapsdump | v0.0.9 | Extension | Dump LAPS passwords from specified computers within Active Directory
c2tc-petitpotam | v0.0.9 | Extension | PetitPotam
c2tc-psc | v0.0.9 | Extension | show detailed information from processes with established TCP and RDP connections
c2tc-psk | v0.0.9 | Extension | show detailed information from the windows kernel and loaded driver modules
c2tc-psm | v0.0.9 | Extension | show detailed information from a specific process id
c2tc-psw | v0.0.9 | Extension | Show Window titles from processes with active Windows
c2tc-psx | v0.0.9 | Extension | show (detailed) information from all processes running on the system
c2tc-smbinfo | v0.0.9 | Extension | Gather remote system version info using the NetWkstaGetInfo API
c2tc-spray-ad | v0.0.9 | Extension | Perform a Kerberos or LDAP password spraying attack against Active Directory
c2tc-startwebclient | v0.0.9 | Extension | Starting WebClient Service Programmatically
c2tc-wdtoggle | v0.0.9 | Extension | Patch lsass to enable WDigest credential caching
c2tc-winver | v0.0.9 | Extension | Display the version of Windows that is running, the build number and patch release (Update Build Revision)
certify | v0.0.3 | Alias | Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services
chromiumkeydump | v0.0.2 | Extension | Dump Chrome/Edge Masterkey
coff-loader | v1.0.14 | Extension | Load and execute Beacon Object Files (BOFs) in memory.
credman | v1.0.7 | Extension | Dump credentials using the CredsBackupCredentials API
delegationbof | v0.0.2 | Extension | LDAP checks for RBCD, Constrained, Constrained w/Protocol Transition, Unconstrained Delegation, ASREP, and Kerberoastable SPNs
find-module | v0.0.2 | Extension | Uses direct system calls to enumerate processes for specific modules
find-proc-handle | v0.0.2 | Extension | Uses direct system calls to enumerate processes for specific process handles
handlekatz | v0.0.1 | Extension | Implementation of handlekatz as a BOF (x64 only)
hashdump | v1.0.0 | Extension | Dump local SAM password hashes
hollow | v0.0.1 | Extension | EarlyBird process hollowing technique
inject-amsi-bypass | v0.0.2 | Extension | Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection.
inject-clipboard | v0.0.9 | Extension | inject into a process
inject-conhost | v0.0.9 | Extension | inject into a process
inject-createremotethread | v0.0.9 | Extension | inject into a process
inject-ctray | v0.0.9 | Extension | inject into a process
inject-dde | v0.0.9 | Extension | inject into a process
inject-etw-bypass | v0.0.3 | Extension | Inject ETW Bypass into Remote Process via Syscalls (HellsGate \| HalosGate)
inject-kernelcallbacktable | v0.0.9 | Extension | inject into a process
inject-ntcreatethread | v0.0.9 | Extension | inject into a process
inject-ntqueueapcthread | v0.0.9 | Extension | inject into a process
inject-setthreadcontext | v0.0.9 | Extension | inject into a process
inject-svcctrl | v0.0.9 | Extension | inject into a process
inject-tooltip | v0.0.9 | Extension | inject into a process
inject-uxsubclassinfo | v0.0.9 | Extension | inject into a process
inline-execute-assembly | v0.0.1 | Extension | in process .NET assembly execution
jump-psexec | v0.0.2 | Extension | psexec lateral movement module
jump-wmiexec | v0.0.2 | Extension | wmiexec lateral movement module
kerbrute | v0.0.1 | Extension | A tool to perform Kerberos pre-auth bruteforcing
krbrelayup | v0.0.1 | Alias | A universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).
ldapsigncheck | v0.0.1 | Extension | check LDAP signing
mimikatz | v0.0.1 | Extension | A little tool to play with Windows security
nanodump | v0.0.5 | Extension | A Beacon Object File that creates a minidump of the LSASS process.
nanorobeus | v0.0.2 | Extension | Beacon Object File for managing Kerberos tickets
nps | v0.0.2 | Alias | PowerShell rebuilt in C# for Red Teaming purposes
patchit | v0.0.1 | Extension | patch, check and revert AMSI and ETW for x64 process
raw-keylogger | 0.0.0 | Extension | Logs keystrokes using the raw input interface
remote-adcs-request | v0.0.9 | Extension | Request a certificate from an AD certificate server
remote-adduser | v0.0.9 | Extension | Add a new user to a machine
remote-addusertogroup | v0.0.9 | Extension | Add the specified user to the domain group
remote-chrome-key | v0.0.9 | Extension | Get Decryption key usable with Chlonium (https://github.com/rxwx/chlonium)
remote-enable-user | v0.0.9 | Extension | Unlock and enable a local / remote user account
remote-get_priv | v0.0.9 | Extension | Activate the specified token privilege, more for non-cobalt strike users
remote-ghost_task | v0.0.9 | Extension | direct registry manipulation to create scheduled tasks without triggering the usual event logs
remote-lastpass | v0.0.9 | Extension | Searches memory for LastPass passwords and hashes
remote-office-tokens | v0.0.9 | Extension | Searches memory for Office JWT Access Tokens
remote-procdump | v0.0.9 | Extension | Dumps the specified process to the specified output file
remote-process-destroy | v0.0.9 | Extension | Attempt to crash a local process by cutting all handles in it.
remote-process-list-handles | v0.0.9 | Extension | list the various handles a process has open
remote-reg-delete | v0.0.9 | Extension | Delete a registry key or value
remote-reg-save | v0.0.9 | Extension | backup a registry hive to a file on disk (requires Enabled SEBackup Priv)
remote-reg-set | v0.0.9 | Extension | Dumps the specified process to the specified output file
remote-sc-config | v0.0.9 | Extension | configure an existing service
remote-sc-create | v0.0.9 | Extension | Create a new service on a windows system
remote-sc-delete | v0.0.9 | Extension | delete a service from a windows based computer
remote-sc-description | v0.0.9 | Extension | change description of a server
remote-sc-failure | v0.0.9 | Extension | sc_failure
remote-sc-start | v0.0.9 | Extension | Start service on a windows based system
remote-sc-stop | v0.0.9 | Extension | stop service on a windows based system
remote-schtasks-delete | v0.0.9 | Extension | Delete a scheduled task
remote-schtasks-stop | v0.0.9 | Extension | stop a running scheduled task
remote-schtaskscreate | v0.0.9 | Extension | Unlock and enable a local / remote user account
remote-schtasksrun | v0.0.9 | Extension | run a scheduled task
remote-setuserpass | v0.0.9 | Extension | set the password for a given user account
remote-shspawnas | v0.0.9 | Extension | spawn / inject as specified user
remote-slack_cookie | v0.0.9 | Extension | Collect the Slack authentication cookie from a Slack process
remote-suspendresume | v0.0.9 | Extension | suspend a process by pid
remote-unexpireuser | v0.0.9 | Extension | Enables and unlocks the specified user account
rubeus | v0.0.24 | Alias | Rubeus is a C# tool set for raw Kerberos interaction and abuses.
sa-adcs-enum | v0.0.21 | Extension | Enumerates CAs and templates in the AD using Win32 functions
sa-adcs-enum-com | v0.0.21 | Extension | Enumerates CAs and templates in the AD using ICertConfig COM object
sa-adcs-enum-com2 | v0.0.21 | Extension | Enumerates CAs and templates in the AD using IX509PolicyServerListManager COM object
sa-adv-audit-policies | v0.0.21 | Extension | Retrieves advanced security audit policies
sa-arp | v0.0.21 | Extension | Lists ARP table
sa-cacls | v0.0.21 | Extension | Lists user permissions for the specified file, wildcards supported
sa-driversigs | v0.0.21 | Extension | Enumerate installed services Image paths
sa-enum-filter-driver | v0.0.21 | Extension | Enumerates all the filter drivers
sa-enum-local-sessions | v0.0.21 | Extension | Enumerate the currently attached user sessions both local and over rdp
sa-env | v0.0.21 | Extension | List process environment variables
sa-find-loaded-module | v0.0.21 | Extension | Finds what processes modulepart is loaded into, optionally searching just procnamepart
sa-get-netsession | v0.0.21 | Extension | Enumerates all sessions on the specified computer or the local one
sa-get-netsession2 | v0.0.21 | Extension | Modified version of netsession that supports BOFHound
sa-get-password-policy | v0.0.21 | Extension | Gets target server or domain's configured password policy and lockouts
sa-ipconfig | v0.0.21 | Extension | Simply gets ipv4 addresses, hostname and dns server
sa-ldapsearch | v0.0.21 | Extension | Execute LDAP searches (non paged)
sa-list_firewall_rules | v0.0.21 | Extension | List Windows firewall rules
sa-listdns | v0.0.21 | Extension | Pulls dns cache entries, attempts to query and resolve each
sa-listmods | v0.0.21 | Extension | List a process' modules (DLL)
sa-locale | v0.0.21 | Extension | List system locale language, locale ID, date, time, and country
sa-netgroup | v0.0.21 | Extension | Lists Groups from the default (or specified) domain
sa-netlocalgroup | v0.0.21 | Extension | List local groups from the local (or specified) computer
sa-netlocalgroup2 | v0.0.21 | Extension | List server group members
sa-netloggedon | v0.0.21 | Extension | Return users logged on the local or remote computer
sa-netloggedon2 | v0.0.21 | Extension | Modified version of netloggedon that supports BOFHound
sa-netshares | v0.0.21 | Extension | List shares on local or remote computer
sa-netstat | v0.0.21 | Extension | TCP / UDP IPv4 netstat listing
sa-nettime | v0.0.21 | Extension | Display time on remote computer
sa-netuptime | v0.0.21 | Extension | Return information about the boot time on the local or remote computer
sa-netview | v0.0.21 | Extension | Net view
sa-notepad | v0.0.21 | Extension | Search for open notepad and notepad++ windows and grab text from the editor control object
sa-nslookup | v0.0.21 | Extension | Makes a dns query. NOTE: Some situations are limited due to observed crashes
sa-probe | v0.0.21 | Extension | Check if a specific port is open
sa-reg-query | v0.0.21 | Extension | Query the Windows registry
sa-regsession | v0.0.21 | Extension | Return logged on user SIDs by enumerating HKEY_USERS
sa-routeprint | v0.0.21 | Extension | Prints IPv4 configured routes
sa-sc-enum | v0.0.21 | Extension | Enumerate Windows services
sa-sc-qc | v0.0.21 | Extension | Queries the configuration information for a specified service.
sa-sc-qdescription | v0.0.21 | Extension | sc qdescription implementation in bof
sa-sc-qfailure | v0.0.21 | Extension | sc qfailure implementation in bof
sa-sc-qtriggerinfo | v0.0.21 | Extension | Queries a service for trigger conditions.
sa-sc-query | v0.0.21 | Extension | sc query implementation in bof
sa-schtasksenum | v0.0.21 | Extension | Enumerates all scheduled tasks on the local or if provided remote machine
sa-schtasksquery | v0.0.21 | Extension | Queries the given task from the local or if provided remote machine
sa-tasklist | v0.0.21 | Extension | Get a list of running processes including PID, PPID and CommandLine (uses wmi)
sa-uptime | v0.0.21 | Extension | Prints system boot time and how long it's been since then
sa-vssenum | v0.0.21 | Extension | Enumerates shadow copies on some server 2012+ machines
sa-whoami | v0.0.21 | Extension | Simulates whoami /all
sa-windowlist | v0.0.21 | Extension | Lists visible windows in the current users session
sa-wmi-query | v0.0.21 | Extension | Lists visible windows in the current users session
scshell | v0.0.2 | Extension | Fileless lateral movement
seatbelt | v0.0.5 | Alias | Seatbelt is a C# project that performs a number of security oriented host-survey 'safety checks'
secinject | v0.0.1 | Extension | Section Mapping Process Injection
sharp-hound-3 | v0.0.2 | Alias | C# based BloodHound Ingestor
sharp-hound-4 | v0.0.2 | Alias | C# based BloodHound Ingestor
sharp-smbexec | v0.0.3 | Alias | A native C# conversion of the Invoke-SMBExec powershell script
sharp-wmi | v0.0.2 | Alias | C# implementation of various WMI functionality
sharpchrome | v0.0.3 | Alias | adaptation of work from @gentilkiwi and @djhohnstein, specifically his SharpChrome project
sharpdpapi | v0.0.3 | Alias | C# port of some DPAPI functionality from @gentilkiwi's Mimikatz project
sharpmapexec | v0.0.1 | Alias | A sharpened version of CrackMapExec
sharplaps | v0.0.1 | Alias | Retrieve LAPS password from LDAP
sharpersist | v0.0.2 | Alias | Windows persistence toolkit
sharprdp | v0.0.1 | Alias | Remote Desktop Protocol .NET Console Application for Authenticated Command Execution
sharpsccm | v0.0.2 | Alias | A C# utility for interacting with SCCM
sharpsecdump | v0.0.1 | Alias | C# port of impacket's secretsdump.py functionality
sharpsh | v0.0.1 | Alias | C# .Net Framework program that uses RunspaceFactory for Powershell command execution.
sharpup | v0.0.1 | Alias | C# port of various PowerUp functionality
sharpview | v0.0.1 | Alias | C# implementation of harmj0y's PowerView
sqlrecon | v0.0.3 | Alias | MS SQL toolkit designed for offensive reconnaissance and post-exploitation
syscalls_shinject | v0.0.1 | Extension | Inject shellcode (either custom or beacon) into remote process using Syscalls
tgtdelegation | v0.0.4 | Extension | tgtdelegation: Obtain a usable Kerberos TGT
threadless-inject | v0.0.1 | Extension | Execute shellcode within a remote process via hooking function calls.
unhook-bof | v0.0.2 | Extension | Remove API hooks from a Beacon process.
winrm | v0.0.1 | Extension | Execute commands remotely via WinRM
Name | Contains
---|---
.net-execute | sharp-smbexec, sharp-wmi, sharpmapexec, sharpersist, nopowershell, sharprdp, sharpsh, sharpsccm
.net-pivot | krbrelayup, rubeus, certify, sharpsecdump, sharpchrome, sharpdpapi, sqlrecon, sharplaps
.net-recon | seatbelt, sharp-hound-3, sharpup, sharpview, sharp-hound-4
c2-tool-collection | c2tc-addmachineaccount, c2tc-askcreds, c2tc-domaininfo, c2tc-kerberoast, c2tc-kerbhash, c2tc-klist, c2tc-lapsdump, c2tc-petitpotam, c2tc-psc, c2tc-psk, c2tc-psm, c2tc-psw, c2tc-psx, c2tc-smbinfo, c2tc-spray-ad, c2tc-startwebclient, c2tc-wdtoggle, c2tc-winver
cs-remote-ops-bofs | remote-adcs-request, remote-adduser, remote-addusertogroup, remote-chrome-key, remote-enable-user, remote-lastpass, remote-office-tokens, remote-procdump, remote-process-destroy, remote-process-list-handles, remote-reg-delete, remote-reg-save, remote-reg-set, remote-sc-config, remote-sc-create, remote-sc-delete, remote-sc-description, remote-sc-start, remote-sc-stop, remote-schtasks-delete, remote-schtasks-stop, remote-schtaskscreate, remote-schtasksrun, remote-setuserpass, remote-shspawnas, remote-suspendresume, remote-unexpireuser, remote-get_priv, remote-ghost_task, remote-sc_failure, remote-slack_cookie
kerberos | bof-roast, delegationbof, c2tc-kerberoast, tgtdelegation, kerbrute, nanorobeus
situational-awareness | sa-adcs-enum, sa-adcs-enum-com, sa-adcs-enum-com2, sa-adv-audit-policies, sa-arp, sa-cacls, sa-driversigs, sa-enum-filter-driver, sa-enum-local-sessions, sa-find-loaded-module, sa-get-password-policy, sa-get-netsession, sa-ipconfig, sa-ldapsearch, sa-listdns, sa-listmods, sa-netgroup, sa-netlocalgroup, sa-netshares, sa-netstat, sa-netview, sa-nslookup, sa-reg-query, sa-routeprint, sa-sc-enum, sa-sc-qc, sa-sc-qdescription, sa-sc-qfailure, sa-sc-qtriggerinfo, sa-sc-query, sa-schtasksenum, sa-schtasksquery, sa-tasklist, sa-uptime, sa-vssenum, sa-whoami, sa-windowlist, sa-wmi-query, sa-env, sa-get-netsession2, sa-list_firewall_rules, sa-locale, sa-netlocalgroup2, sa-netloggedon, sa-netloggedon2, sa-nettime, sa-netuptime, sa-ldapsearch, sa-notepad, sa-probe, sa-regsession
windows-bypass | inject-etw-bypass, inject-amsi-bypass, unhook-bof, patchit
windows-credentials | nanodump, credman, chromiumkeydump, handlekatz, mimikatz
windows-inject | hollow, secinject, syscalls_shinject, threadless-inject, inject-tooltip, inject-kernelcallbacktable, inject-uxsubclassinfo, inject-ntcreatethread, inject-dde, inject-ntqueueapcthread, inject-conhost, inject-svcctrl, inject-ctray, inject-createremotethread, inject-setthreadcontext, inject-clipboard
windows-pivot | scshell, bof-servicemove, winrm, jump-wmiexec, jump-psexec