Question

10.11. 操作系统持久化

10.11.1. Windows

10.11.1.1. 凭证获取

• mimikatz
• RdpThief Extracting Clear Text Passwords from mstsc.exe using API Hooking
• quarkspwdump Dump various types of Windows credentials without injecting in any process
• SharpDump C# port of PowerSploit's Out-Minidump.ps1 functionality

10.11.1.2. 权限提升

• WindowsExploits
• GTFOBins Curated list of Unix binaries that can be exploited to bypass system security restrictions
• JAWS Just Another Windows (Enum) Script

10.11.1.3. UAC Bypass

• WinPwnage UAC bypass, Elevate, Persistence and Execution methods
• UACME Defeating Windows User Account Control
• UAC Bypass In The Wild

10.11.1.4. 免杀

• SigThief Stealing Signatures and Making One Invalid Signature at a Time

10.11.1.5. C2

• SharpSploit .NET post-exploitation library written in C#
• SharpBeacon 用.net重写了CobaltStrike stager及Beacon，其中包括正常上线、文件管理、进程管理、令牌管理、结合SysCall进行注入、原生端口转发、关ETW等一系列功能
• Koadic is a Windows post-exploitation rootkit
• PoshC2 A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement

10.11.1.6. 隐藏

• ProcessHider Post-exploitation tool for hiding processes from monitoring applications
• Invoke Phant0m Windows Event Log Killer
• EventCleaner A tool mainly to erase specified records from Windows event logs, with additional functionalities

10.11.1.7. DLL注入

• sRDI Shellcode Reflective DLL Injection

10.11.1.8. rootkit

• r77-rootkit Ring 3 rootkit with single file installer and fileless persistence that hides processes, files, network connections, etc

10.11.1.9. 伪造

• parent PID spoofing Scripts for performing and detecting parent PID spoofing
• GetSystem This is a C# implementation of making a process/executable run as NT AUTHORITY/SYSTEM. This is achieved through parent ID spoofing of almost any SYSTEM process.

10.11.1.10. MiTM

• Seth Perform a MitM attack and extract clear text credentials from RDP connections
• pyrdp RDP man-in-the-middle (mitm) and library for Python with the ability to watch connections live or after the fact

10.11.1.11. 综合工具

• Nishang Offensive PowerShell for red team, penetration testing and offensive security
• SharPersist Windows persistence toolkit written in C#

10.11.2. Linux

10.11.2.1. 权限提升

• linux exploit suggester
• LinEnum Scripted Local Linux Enumeration & Privilege Escalation Checks
• AutoLocalPrivilegeEscalation
• traitor Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins, pwnkit, dirty pipe, +w docker.sock

10.11.2.2. rootkit

• rootkit
• Diamorphine LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x (x86/x86_64 and ARM64)

10.11.2.3. 后门

• prism is an user space stealth reverse shell backdoor
• icmpsh Simple reverse ICMP shell

10.11.3. 综合

10.11.3.1. 凭证获取

• sshLooterC program to steal passwords from ssh
• keychaindump A proof-of-concept tool for reading OS X keychain passwords
• LaZagne Credentials recovery project
• SecretScanner Find secrets and passwords in container images and file systems

10.11.3.2. 权限提升

• BeRoot Privilege Escalation Project - Windows / Linux / Mac

10.11.3.3. RAT

• QuasarRAT

10.11.3.4. C2

• Empire
• pupy
• Covenant is a collaborative .NET C2 framework for red teamers
• Cooolis-ms 包含了Metasploit Payload Loader、Cobalt Strike External C2 Loader、Reflective DLL injection的代码执行工具

10.11.3.5. DNS Shell

• DNS Shell DNS-Shell is an interactive Shell over DNS channel
• Reverse DNS Shell A python reverse shell that uses DNS as the c2 channel

10.11.3.6. Cobalt Strike

• Cobalt Strike
• CrossC2 generate CobaltStrike's cross-platform payload
• Cobalt Strike Aggressor Scripts

10.11.3.7. 日志清除

• Log killer Clear all logs in [linux/windows] servers

10.11.3.8. Botnet

• byob Build Your Own Botnet

10.11.3.9. 免杀工具

• AV Evasion Tool 掩日 - 免杀执行器生成工具
• DKMC Dont kill my cat - Malicious payload evasion tool