| Command Name | Version | Type | Help |
| --- | --- | --- | --- |
| bof-roast | v0.0.2 | Extension | Beacon Object File repo for roasting Active Directory |
| bof-servicemove | v0.0.1 | Extension | Lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking |
| c2tc-addmachineaccount | v0.0.9 | Extension | AddMachineAccount [Computername] [Password <Optional>] |
| c2tc-askcreds | v0.0.9 | Extension | Collect passwords using CredUIPromptForWindowsCredentialsName |
| c2tc-domaininfo | v0.0.9 | Extension | enumerate domain information using Active Directory Domain Services |
| c2tc-kerberoast | v0.0.9 | Extension | A BOF tool to list all SPN enabled user/service accounts or request service tickets (TGS-REP) |
| c2tc-kerbhash | v0.0.9 | Extension | port of the Mimikatz/Rubeus hash command |
| c2tc-klist | v0.0.9 | Extension | Displays a list of currently cached Kerberos tickets. |
| c2tc-lapsdump | v0.0.9 | Extension | Dump LAPS passwords from specified computers within Active Directory |
| c2tc-petitpotam | v0.0.9 | Extension | PetitPotam <capture server ip or hostname> <target server ip or hostname> |
| c2tc-psc | v0.0.9 | Extension | show detailed information from processes with established TCP and RDP connections |
| c2tc-psk | v0.0.9 | Extension | show detailed information from the windows kernel and loaded driver modules |
| c2tc-psm | v0.0.9 | Extension | show detailed information from a specific process id |
| c2tc-psw | v0.0.9 | Extension | Show Window titles from processes with active Windows |
| c2tc-psx | v0.0.9 | Extension | show (detailed) information from all processes running on the system |
| c2tc-smbinfo | v0.0.9 | Extension | Gather remote system version info using the NetWkstaGetInfo API |
| c2tc-spray-ad | v0.0.9 | Extension | Perform a Kerberos or ldap password spraying attack against Active Directory |
| c2tc-startwebclient | v0.0.9 | Extension | Starting WebClient Service Programmatically |
| c2tc-wdtoggle | v0.0.9 | Extension | Patch lsass to enable WDigest credential caching |
| c2tc-winver | v0.0.9 | Extension | Display the version of Windows that is running, the build number and patch release (Update Build Revision) |
| certify | v0.0.3 | Alias | Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services |
| chromiumkeydump | v0.0.2 | Extension | Dump Chrome/Edge Masterkey |
| coff-loader | v1.0.14 | Extension | Load and execute Beacon Object Files (BOFs) in memory. |
| credman | v1.0.7 | Extension | Dump credentials using the CredsBackupCredentials API |
| delegationbof | v0.0.2 | Extension | LDAP checks for RBCD, Constrained, Constrained w/Protocol Transition, Unconstrained Delegation, ASREP, and Kerberoastable SPNs |
| find-module | v0.0.2 | Extension | Uses direct system calls to enumerate processes for specific modules |
| find-proc-handle | v0.0.2 | Extension | Uses direct system calls to enumerate processes for specific process handles |
| handlekatz | v0.0.1 | Extension | Implementation of handlekatz as a BOF (x64 only) |
| hashdump | v1.0.0 | Extension | Dump local SAM password hashes |
| hollow | v0.0.1 | Extension | EarlyBird process hollowing technique |
| inject-amsi-bypass | v0.0.2 | Extension | Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection. |
| inject-clipboard | v0.0.9 | Extension | inject into a process |
| inject-conhost | v0.0.9 | Extension | inject into a process |
| inject-createremotethread | v0.0.9 | Extension | inject into a process |
| inject-ctray | v0.0.9 | Extension | inject into a process |
| inject-dde | v0.0.9 | Extension | inject into a process |
| inject-etw-bypass | v0.0.3 | Extension | Inject ETW Bypass into Remote Process via Syscalls (HellsGate \| HalosGate) |
| inject-kernelcallbacktable | v0.0.9 | Extension | inject into a process |
| inject-ntcreatethread | v0.0.9 | Extension | inject into a process |
| inject-ntqueueapcthread | v0.0.9 | Extension | inject into a process |
| inject-setthreadcontext | v0.0.9 | Extension | inject into a process |
| inject-svcctrl | v0.0.9 | Extension | inject into a process |
| inject-tooltip | v0.0.9 | Extension | inject into a process |
| inject-uxsubclassinfo | v0.0.9 | Extension | inject into a process |
| inline-execute-assembly | v0.0.1 | Extension | in process .NET assembly execution |
| jump-psexec | v0.0.2 | Extension | psexec lateral movement module |
| jump-wmiexec | v0.0.2 | Extension | wmiexec lateral movement module |
| kerbrute | v0.0.1 | Extension | A tool to perform Kerberos pre-auth bruteforcing |
| krbrelayup | v0.0.1 | Alias | A universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings). |
| ldapsigncheck | v0.0.1 | Extension | check LDAP signing |
| mimikatz | v0.0.1 | Extension | A little tool to play with Windows security |
| nanodump | v0.0.5 | Extension | A Beacon Object File that creates a minidump of the LSASS process. |
| nanorobeus | v0.0.2 | Extension | Beacon Object File for managing Kerberos tickets |
| nps | v0.0.2 | Alias | PowerShell rebuilt in C# for Red Teaming purposes |
| patchit | v0.0.1 | Extension | patch, check and revert AMSI and ETW for x64 process |
| raw-keylogger | 0.0.0 | Extension | Logs keystrokes using the raw input interface |
| remote-adcs-request | v0.0.9 | Extension | Request a certificate from an AD certificate server |
| remote-adduser | v0.0.9 | Extension | Add a new user to a machine |
| remote-addusertogroup | v0.0.9 | Extension | Add the specified user to the domain group |
| remote-chrome-key | v0.0.9 | Extension | Get Decryption key usable with Chlonium (https://github.com/rxwx/chlonium) |
| remote-enable-user | v0.0.9 | Extension | Unlock and enable a local / remote user account |
| remote-get_priv | v0.0.9 | Extension | Activate the specified token privilege, more for non-cobalt strike users |
| remote-ghost_task | v0.0.9 | Extension | direct registry manipulation to create scheduled tasks without triggering the usual event logs |
| remote-lastpass | v0.0.9 | Extension | Searches memory for LastPass passwords and hashes |
| remote-office-tokens | v0.0.9 | Extension | Searches memory for Office JWT Access Tokens |
| remote-procdump | v0.0.9 | Extension | Dumps the specified process to the specified output file |
| remote-process-destroy | v0.0.9 | Extension | Attempt to crash a local process by cutting all handles in it. |
| remote-process-list-handles | v0.0.9 | Extension | list the various handles a process has open |
| remote-reg-delete | v0.0.9 | Extension | Delete a registry key or value |
| remote-reg-save | v0.0.9 | Extension | backup a registry hive to a file on disk (requires Enabled SEBackup Priv) |
| remote-reg-set | v0.0.9 | Extension | Dumps the specified process to the specified output file |
| remote-sc-config | v0.0.9 | Extension | configure an existing service |
| remote-sc-create | v0.0.9 | Extension | Create a new service on a windows system |
| remote-sc-delete | v0.0.9 | Extension | delete a service from a windows based computer |
| remote-sc-description | v0.0.9 | Extension | change description of a server |
| remote-sc-failure | v0.0.9 | Extension | sc_failure |
| remote-sc-start | v0.0.9 | Extension | Start service on a windows based system |
| remote-sc-stop | v0.0.9 | Extension | stop service on a windows based system |
| remote-schtasks-delete | v0.0.9 | Extension | Delete a scheduled task |
| remote-schtasks-stop | v0.0.9 | Extension | stop a running scheduled task |
| remote-schtaskscreate | v0.0.9 | Extension | Unlock and enable a local / remote user account |
| remote-schtasksrun | v0.0.9 | Extension | run a scheduled task |
| remote-setuserpass | v0.0.9 | Extension | set the password for a given user account |
| remote-shspawnas | v0.0.9 | Extension | spawn / inject as specified user |
| remote-slack_cookie | v0.0.9 | Extension | Collect the Slack authentication cookie from a Slack process |
| remote-suspendresume | v0.0.9 | Extension | suspend a process by pid |
| remote-unexpireuser | v0.0.9 | Extension | Enables and unlocks the specified user account |
| rubeus | v0.0.24 | Alias | Rubeus is a C# tool set for raw Kerberos interaction and abuses. |
| sa-adcs-enum | v0.0.21 | Extension | Enumerates CAs and templates in the AD using Win32 functions |
| sa-adcs-enum-com | v0.0.21 | Extension | Enumerates CAs and templates in the AD using ICertConfig COM object |
| sa-adcs-enum-com2 | v0.0.21 | Extension | Enumerates CAs and templates in the AD using IX509PolicyServerListManager COM object |
| sa-adv-audit-policies | v0.0.21 | Extension | Retrieves advanced security audit policies |
| sa-arp | v0.0.21 | Extension | Lists ARP table |
| sa-cacls | v0.0.21 | Extension | Lists user permissions for the specified file, wildcards supported |
| sa-driversigs | v0.0.21 | Extension | Enumerate installed services Image paths |
| sa-enum-filter-driver | v0.0.21 | Extension | Enumerates all the filter drivers |
| sa-enum-local-sessions | v0.0.21 | Extension | Enumerate the currently attached user sessions both local and over rdp |
| sa-env | v0.0.21 | Extension | List process environment variables |
| sa-find-loaded-module | v0.0.21 | Extension | Finds what processes *modulepart* is loaded into, optionally searching just *procnamepart* |
| sa-get-netsession | v0.0.21 | Extension | Enumerates all sessions on the specified computer or the local one |
| sa-get-netsession2 | v0.0.21 | Extension | Modified version of netsession that supports BOFHound |
| sa-get-password-policy | v0.0.21 | Extension | Gets target server or domain's configured password policy and lockouts |
| sa-ipconfig | v0.0.21 | Extension | Simply gets ipv4 addresses, hostname and dns server |
| sa-ldapsearch | v0.0.21 | Extension | Execute LDAP searches (non paged) |
| sa-list_firewall_rules | v0.0.21 | Extension | List Windows firewall rules |
| sa-listdns | v0.0.21 | Extension | Pulls dns cache entries, attempts to query and resolve each |
| sa-listmods | v0.0.21 | Extension | List a process' modules (DLL) |
| sa-locale | v0.0.21 | Extension | List system locale language, locale ID, date, time, and country |
| sa-netgroup | v0.0.21 | Extension | Lists Groups from the default (or specified) domain |
| sa-netlocalgroup | v0.0.21 | Extension | List local groups from the local (or specified) computer |
| sa-netlocalgroup2 | v0.0.21 | Extension | List server group members |
| sa-netloggedon | v0.0.21 | Extension | Return users logged on the local or remote computer |
| sa-netloggedon2 | v0.0.21 | Extension | Modified version of netloggedon that supports BOFHound |
| sa-netshares | v0.0.21 | Extension | List shares on local or remote computer |
| sa-netstat | v0.0.21 | Extension | TCP / UDP IPv4 netstat listing |
| sa-nettime | v0.0.21 | Extension | Display time on remote computer |
| sa-netuptime | v0.0.21 | Extension | Return information about the boot time on the local or remote computer |
| sa-netview | v0.0.21 | Extension | Net view |
| sa-notepad | v0.0.21 | Extension | Search for open notepad and notepad++ windows and grab text from the editor control object |
| sa-nslookup | v0.0.21 | Extension | Makes a dns query. NOTE: Some situations are limited due to observed crashes |
| sa-probe | v0.0.21 | Extension | Check if a specific port is open |
| sa-reg-query | v0.0.21 | Extension | Query the Windows registry |
| sa-regsession | v0.0.21 | Extension | Return logged on user SIDs by enumerating HKEY_USERS |
| sa-routeprint | v0.0.21 | Extension | Prints IPv4 configured routes |
| sa-sc-enum | v0.0.21 | Extension | Enumerate Windows services |
| sa-sc-qc | v0.0.21 | Extension | Queries the configuration information for a specified service. |
| sa-sc-qdescription | v0.0.21 | Extension | sc qdescription implementation in bof |
| sa-sc-qfailure | v0.0.21 | Extension | sc qfailure implementation in bof |
| sa-sc-qtriggerinfo | v0.0.21 | Extension | Queries a service for trigger conditions. |
| sa-sc-query | v0.0.21 | Extension | sc query implementation in bof |
| sa-schtasksenum | v0.0.21 | Extension | Enumerates all scheduled tasks on the local or if provided remote machine |
| sa-schtasksquery | v0.0.21 | Extension | Queries the given task from the local or if provided remote machine |
| sa-tasklist | v0.0.21 | Extension | Get a list of running processes including PID, PPID and CommandLine (uses wmi) |
| sa-uptime | v0.0.21 | Extension | Prints system boot time and how long it's been since then |
| sa-vssenum | v0.0.21 | Extension | Enumerates shadow copies on some server 2012+ machines |
| sa-whoami | v0.0.21 | Extension | Simulates whoami /all |
| sa-windowlist | v0.0.21 | Extension | Lists visible windows in the current users session |
| sa-wmi-query | v0.0.21 | Extension | Lists visible windows in the current users session |
| scshell | v0.0.2 | Extension | Fileless lateral movement |
| seatbelt | v0.0.5 | Alias | Seatbelt is a C# project that performs a number of security oriented host-survey 'safety checks' |
| secinject | v0.0.1 | Extension | Section Mapping Process Injection |
| sharp-hound-3 | v0.0.2 | Alias | C# based BloodHound Ingestor |
| sharp-hound-4 | v0.0.2 | Alias | C# based BloodHound Ingestor |
| sharp-smbexec | v0.0.3 | Alias | A native C# conversion of the Invoke-SMBExec powershell script |
| sharp-wmi | v0.0.2 | Alias | C# implementation of various WMI functionality |
| sharpchrome | v0.0.3 | Alias | adaptation of work from @gentilkiwi and @djhohnstein, specifically his SharpChrome project |
| sharpdpapi | v0.0.3 | Alias | port of some DPAPI functionality from @gentilkiwi's Mimikatz project |
| sharpmapexec | v0.0.1 | Alias | A sharpen version of CrackMapExec |
| sharplaps | v0.0.1 | Alias | Retrieve LAPS password from LDAP |
| sharpersist | v0.0.2 | Alias | Windows persistence toolkit |
| sharprdp | v0.0.1 | Alias | Remote Desktop Protocol .NET Console Application for Authenticated Command Execution |
| sharpsccm | v0.0.2 | Alias | A C# utility for interacting with SCCM |
| sharpsecdump | v0.0.1 | Alias | C# port of impacket's secretsdump.py functionality |
| sharpsh | v0.0.1 | Alias | C# .Net Framework program that uses RunspaceFactory for Powershell command execution. |
| sharpup | v0.0.1 | Alias | C# port of various PowerUp functionality |
| sharpview | v0.0.1 | Alias | C# implementation of harmj0y's PowerView |
| sqlrecon | v0.0.3 | Alias | MS SQL toolkit designed for offensive reconnaissance and post-exploitation |
| syscalls_shinject | v0.0.1 | Extension | Inject shellcode (either custom or beacon) into remote process using Syscalls |
| tgtdelegation | v0.0.4 | Extension | tgtdelegation: Obtain a usable Kerberos TGT |
| threadless-inject | v0.0.1 | Extension | Execute shellcode within a remote process via hooking function calls. |
| unhook-bof | v0.0.2 | Extension | Remove API hooks from a Beacon process. |
| winrm | v0.0.1 | Extension | Execute commands remotely via WinRM |

---

| Name | Contains |
| --- | --- |
| .net-execute | sharp-smbexec, sharp-wmi, sharpmapexec, sharpersist, nopowershell, sharprdp<br>sharpsh, sharpsccm |
| .net-pivot | krbrelayup, rubeus, certify, sharpsecdump, sharpchrome, sharpdpapi<br>sqlrecon, sharplaps |
| .net-recon | seatbelt, sharp-hound-3, sharpup, sharpview, sharp-hound-4 |
| c2-tool-collection | c2tc-addmachineaccount, c2tc-askcreds, c2tc-domaininfo, c2tc-kerberoast, c2tc-kerbhash, c2tc-klist<br>c2tc-lapsdump, c2tc-petitpotam, c2tc-psc, c2tc-psk, c2tc-psm<br>c2tc-psw, c2tc-psx, c2tc-smbinfo, c2tc-spray-ad, c2tc-startwebclient<br>c2tc-wdtoggle, c2tc-winver |
| cs-remote-ops-bofs | remote-adcs-request, remote-adduser, remote-addusertogroup, remote-chrome-key, remote-enable-user, remote-lastpass<br>remote-office-tokens, remote-procdump, remote-process-destroy, remote-process-list-handles, remote-reg-delete<br>remote-reg-save, remote-reg-set, remote-sc-config, remote-sc-create, remote-sc-delete<br>remote-sc-description, remote-sc-start, remote-sc-stop, remote-schtasks-delete, remote-schtasks-stop<br>remote-schtaskscreate, remote-schtasksrun, remote-setuserpass, remote-shspawnas, remote-suspendresume<br>remote-unexpireuser, remote-get_priv, remote-ghost_task, remote-sc_failure, remote-slack_cookie |
| kerberos | bof-roast, delegationbof, c2tc-kerberoast, tgtdelegation, kerbrute, nanorobeus |
| situational-awareness | sa-adcs-enum, sa-adcs-enum-com, sa-adcs-enum-com2, sa-adv-audit-policies, sa-arp, sa-cacls<br>sa-driversigs, sa-enum-filter-driver, sa-enum-local-sessions, sa-find-loaded-module, sa-get-password-policy<br>sa-get-netsession, sa-ipconfig, sa-ldapsearch, sa-listdns, sa-listmods<br>sa-netgroup, sa-netlocalgroup, sa-netshares, sa-netstat, sa-netview<br>sa-nslookup, sa-reg-query, sa-routeprint, sa-sc-enum, sa-sc-qc<br>sa-sc-qdescription, sa-sc-qfailure, sa-sc-qtriggerinfo, sa-sc-query, sa-schtasksenum<br>sa-schtasksquery, sa-tasklist, sa-uptime, sa-vssenum, sa-whoami<br>sa-windowlist, sa-wmi-query, sa-env, sa-get-netsession2, sa-list_firewall_rules<br>sa-locale, sa-netlocalgroup2, sa-netloggedon, sa-netloggedon2, sa-nettime<br>sa-netuptime, sa-ldapsearch, sa-notepad, sa-probe, sa-regsession |
| windows-bypass | inject-etw-bypass, inject-amsi-bypass, unhook-bof, patchit |
| windows-credentials | nanodump, credman, chromiumkeydump, handlekatz, mimikatz |
| windows-inject | hollow, secinject, syscalls_shinject, threadless-inject, inject-tooltip, inject-kernelcallbacktable<br>inject-uxsubclassinfo, inject-ntcreatethread, inject-dde, inject-ntqueueapcthread, inject-conhost<br>inject-svcctrl, inject-ctray, inject-createremotethread, inject-setthreadcontext, inject-clipboard |
| windows-pivot | scshell, bof-servicemove, winrm, jump-wmiexec, jump-psexec |