Ultimate Red Teaming Toolkit 2026
The most comprehensive collection of open-source red teaming and adversary simulation tools in 2026 — covering reconnaissance, initial access, C2 frameworks, credential dumping, privilege escalation, defense evasion, lateral movement, exfiltration, and much more.
What is Red Teaming?
Red teaming is a structured adversary simulation exercise where a skilled offensive security team (the red team) simulates the full attack lifecycle of a real-world threat actor — including APT groups and Human-Operated Ransomware (HumOR) operators — against an organization's people, processes, and technology.
Unlike traditional penetration testing, red team operations are goal-based, stealth-focused, and designed to test an organization's detection and response capabilities. This toolkit aggregates the most effective open-source tools (OST) used by professional red teamers and threat hunters worldwide.
📋 Table of Contents
- Reconnaissance
- Initial Access
- Delivery & Phishing
- Command & Control (C2)
- Situational Awareness
- Credential Dumping
- Privilege Escalation
- Defense Evasion
- Persistence
- Lateral Movement
- Exfiltration
- Cloud Security (AWS / Azure)
- Adversary Emulation
- AI Red Teaming
- Living Off The Land
- Miscellaneous & Reporting
1. Reconnaissance
What is Reconnaissance?
Reconnaissance is the first phase of any red team engagement. The goal is to gather as much intelligence as possible about the target — infrastructure, employees, domains, cloud assets, exposed secrets, and attack surface — without triggering alerts.
- Passive OSINT and active scanning
- Domain & subdomain enumeration
- Cloud asset discovery (AWS, Azure, GCP)
- Email harvesting & LinkedIn recon
- Secret scanning in public repos
- Email spoofing configuration checks
| Tool | Description | GitHub / URL |
|---|---|---|
| RustScan | The Modern Port Scanner — find open ports in seconds. Its scripting engine supports Python, Lua, and shell scripts. | github.com/RustScan/RustScan |
| Amass | In-depth Attack Surface Mapping and Asset Discovery by OWASP. | github.com/OWASP/Amass |
| gitleaks | SAST tool for detecting hardcoded secrets like passwords, API keys, and tokens in git repositories. | github.com/zricethezav/gitleaks |
| S3Scanner | Scan for open S3 buckets and dump their contents. | github.com/sa7mon/S3Scanner |
| cloud_enum | Multi-cloud OSINT tool to enumerate public resources in AWS, Azure, and Google Cloud. | github.com/initstring/cloud_enum |
| Recon-ng | Open Source Intelligence gathering framework aimed at reducing time spent harvesting from open sources. | github.com/lanmaster53/recon-ng |
| buster | Advanced tool for email reconnaissance. | github.com/sham00n/buster |
| linkedin2username | OSINT tool to generate username lists for companies on LinkedIn. | github.com/initstring/linkedin2username |
| WitnessMe | Web Inventory tool — takes screenshots of webpages using headless Chrome and provides enumeration extras. | github.com/byt3bl33d3r/WitnessMe |
| pagodo | Passive Google Dork — automate Google Hacking Database scraping and searching. | github.com/opsdisk/pagodo |
| AttackSurfaceMapper | Automates the reconnaissance process for attack surface discovery. | github.com/superhedgy/AttackSurfaceMapper |
| SpiderFoot | Open source OSINT automation — integrates with virtually every data source available. | github.com/smicallef/spiderfoot |
| dnscan | Python wordlist-based DNS subdomain scanner. | github.com/rbsec/dnscan |
| spoofcheck | Checks if a domain can be spoofed by analyzing SPF and DMARC record configurations. | github.com/BishopFox/spoofcheck |
| LinkedInt | LinkedIn Recon Tool for gathering organizational intelligence. | github.com/vysecurity/LinkedInt |
| BBOT | Recursive internet scanner inspired by Spiderfoot — faster, more reliable, friendlier to pentesters. | github.com/blacklanternsecurity/bbot |
| Gato | GitHub Attack Toolkit — enumerate and exploit pipeline vulnerabilities in GitHub organizations. | github.com/praetorian-inc/gato |
2. Initial Access
🔑 Brute Force & Password Spraying
| Tool | Description | GitHub / URL |
|---|---|---|
| SprayingToolkit | Scripts to make password spraying attacks against Lync/S4B, OWA & O365 quicker and more efficient. | github.com/byt3bl33d3r/SprayingToolkit |
| o365recon | Retrieve information via O365 with a valid credential set. | github.com/nyxgeek/o365recon |
| CredMaster | Refactored CredKing password spraying tool using FireProx APIs to rotate IPs and stay anonymous. | github.com/knavesec/CredMaster |
💣 Payload Development
| Tool | Description | GitHub / URL |
|---|---|---|
| Ivy | Payload creation framework for executing arbitrary VBA (macro) source code directly in memory. | github.com/optiv/Ivy |
| PEzor | Open-Source PE Packer for payload obfuscation. | github.com/phra/PEzor |
| GadgetToJScript | Generates .NET serialized gadgets that trigger .NET assembly execution from JS/VBS/VBA scripts. | github.com/med0x2e/GadgetToJScript |
| ScareCrow | Payload creation framework designed specifically around EDR bypass. | github.com/optiv/ScareCrow |
| Donut | Position-independent shellcode for in-memory execution of VBScript, JScript, EXE, DLL, and .NET assemblies. | github.com/TheWover/donut |
| Mystikal | macOS Initial Access Payload Generator. | github.com/D00MFist/Mystikal |
| charlotte | C++ fully undetected shellcode launcher. | github.com/9emin1/charlotte |
| InvisibilityCloak | Proof-of-concept obfuscation toolkit for C# post-exploitation tools. | github.com/xforcered/InvisibilityCloak |
| EvilClippy | Cross-platform assistant for creating malicious MS Office documents — hides VBA macros and stomps P-Code. | github.com/outflanknl/EvilClippy |
| ThreatCheck | Identifies the exact bytes that Microsoft Defender / AMSI flags on. | github.com/rasta-mouse/ThreatCheck |
| SharpShooter | Payload creation framework for CSharp source code retrieval and execution in HTA, JS, VBS, and WSF formats. | github.com/mdsecactivebreach/SharpShooter |
| macro_pack | Automates obfuscation and generation of MS Office documents and VB scripts for pentest assessments. | github.com/sevagas/macro_pack |
| inceptor | Template-Driven AV/EDR Evasion Framework. | github.com/klezVirus/inceptor |
| Freeze | Payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods. | github.com/optiv/Freeze |
| ProtectMyTooling | Multi-Packer wrapper for daisy-chaining packers, obfuscators, and red team weaponry with watermarking. | github.com/mgeeky/ProtectMyTooling |
| DllShimmer | Weaponize DLL hijacking easily — backdoor any function in any DLL. | github.com/Print3M/DllShimmer |
3. Delivery & Phishing
Phishing Frameworks
Modern phishing has evolved far beyond simple email spoofing. These tools enable real-time credential capture, session cookie theft, OAuth abuse, and adversary-in-the-middle attacks against MFA-protected accounts.
- Reverse proxy phishing (MFA bypass)
- OAuth consent grant abuse
- O365 / Azure AD targeting
- Browser exploitation via watering holes
| Tool | Description | GitHub / URL |
|---|---|---|
| Evilginx2 | Man-in-the-middle attack framework for phishing credentials and session cookies of any web service — bypasses MFA. | github.com/kgretzky/evilginx2 |
| Gophish | Open-source phishing toolkit for businesses and pentesters — setup and execute phishing engagements easily. | github.com/gophish/gophish |
| o365-attack-toolkit | A toolkit to attack Office 365 environments. | github.com/mdsecactivebreach/o365-attack-toolkit |
| PwnAuth | Web application framework for launching and managing OAuth abuse campaigns. | github.com/fireeye/PwnAuth |
| Modlishka | Flexible and powerful reverse proxy for ethical phishing campaigns — next-level credential harvesting. | github.com/drk1wi/Modlishka |
| BeEF | The Browser Exploitation Framework — penetration testing tool focused on the web browser and watering hole attacks. | github.com/beefproject/beef |
4. Command & Control (C2)
🖥️ Remote Access Tools & C2 Frameworks
C2 Frameworks Overview
Command and Control frameworks are the backbone of any red team operation. They enable post-exploitation, tasking, lateral movement, and data exfiltration from compromised systems while maintaining stealth against blue team detection.
- Encrypted beacon communications
- Malleable C2 profiles for traffic shaping
- Cross-platform agent support
- Modular post-exploitation capabilities
- EDR/AV evasion built-in
| Tool | Description | GitHub / URL |
|---|---|---|
| Cobalt Strike | Industry-standard software for Adversary Simulations and Red Team Operations. | cobaltstrike.com |
| Sliver | General purpose cross-platform implant framework supporting C2 over mTLS, HTTP(S), and DNS. | github.com/BishopFox/sliver |
| Havoc | Modern and malleable post-exploitation C2 framework by @C5pider. | github.com/HavocFramework/Havoc |
| Mythic | Cross-platform post-exploit red teaming framework built with Python3, Docker, and a web browser UI. | github.com/its-a-feature/Mythic |
| Brute Ratel C4 | Advanced Red Team & Adversary Simulation Software with strong EDR evasion capabilities. | bruteratel.com |
| Empire | Post-exploitation framework with pure-PowerShell Windows agent and Python 3.x Linux/macOS agents. | github.com/BC-SECURITY/Empire |
| PoshC2 | Proxy-aware C2 framework for red teaming, post-exploitation, and lateral movement. | github.com/nettitude/PoshC2 |
| Covenant | .NET command and control framework highlighting the .NET attack surface with collaborative team features. | github.com/cobbr/Covenant |
| Merlin | Cross-platform post-exploitation C2 server and agent written in Go. | github.com/Ne0nd0g/merlin |
| Pupy | Open-source cross-platform (Windows, Linux, macOS, Android) RAT and post-exploitation tool in Python. | github.com/n1nj4sec/pupy |
| NimPlant | Light first-stage C2 implant written in Nim and Python. | github.com/chvancooten/NimPlant |
| SharpC2 | C2 framework written in C# with ASP.NET Core Team Server and .NET Framework implant. | github.com/rasta-mouse/SharpC2 |
| AdaptixC2 | Extensible post-exploitation and adversarial emulation framework — server written in Golang. | github.com/Adaptix-Framework/AdaptixC2 |
| Nimhawk | Powerful, modular, lightweight C2 framework written in Nim. | github.com/hdbreaker/Nimhawk |
| SILENTTRINITY | Asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR. | github.com/byt3bl33d3r/SILENTTRINITY |
| SpecterInsight | Cross-platform post-exploitation C2 framework based on .NET with ELK dashboards for operation analysis. | practicalsecurityanalytics.com |
🏗️ C2 Staging & Infrastructure
| Tool | Description | GitHub / URL |
|---|---|---|
| pwndrop | Self-deployable file hosting for red teamers — upload and share payloads over HTTP and WebDAV. | github.com/kgretzky/pwndrop |
| C2concealer | Command line tool that generates randomized C2 malleable profiles for Cobalt Strike. | github.com/FortyNorthSecurity/C2concealer |
| Domain Hunter | Checks expired domains for categorization/reputation to find good C2 and phishing candidates. | github.com/threatexpress/domainhunter |
| RedWarden | Flexible CobaltStrike Malleable Redirector for traffic control. | github.com/mgeeky/RedWarden |
| AzureC2Relay | Azure Function that validates and relays Cobalt Strike beacon traffic via Malleable C2 profile verification. | github.com/Flangvik/AzureC2Relay |
| C3 | Custom Command and Control — allows Red Teams to rapidly develop esoteric C2 channels. | github.com/FSecureLABS/C3 |
| RedGuard | C2 front flow control tool — avoid Blue Teams, AVs, and EDR checks. | github.com/wikiZ/RedGuard |
| GraphStrike | Cobalt Strike HTTPS beaconing over the Microsoft Graph API. | github.com/RedSiege/GraphStrike |
| SourcePoint | C2 profile generator for Cobalt Strike designed to ensure evasion. | github.com/Tylous/SourcePoint |
| skyhook | Round-trip obfuscated HTTP file transfer built to bypass IDS detections. | github.com/blackhillsinfosec/skyhook |
📊 Log Aggregation & Red Team SIEM
| Tool | Description | GitHub / URL |
|---|---|---|
| RedELK | Red Team's SIEM — tracks Blue Team activities and provides better usability for long-term operations. | github.com/outflanknl/RedELK |
| Elastic for Red Teaming | Resources for configuring a Red Team SIEM using Elastic. | github.com/SecurityRiskAdvisors/RedTeamSIEM |
| RedEye | Visual analytic tool supporting both Red & Blue Team operations. | github.com/cisagov/RedEye |
5. Situational Awareness
🖥️ Host Situational Awareness
| Tool | Description | GitHub / URL |
|---|---|---|
| Seatbelt | C# project performing security-oriented host-survey "safety checks" from both offensive and defensive perspectives. | github.com/GhostPack/Seatbelt |
| SharpEDRChecker | Checks processes, DLLs, drivers, and services for known defensive products like AVs and EDRs. | github.com/PwnDexter/SharpEDRChecker |
| Situational Awareness BOF | Basic situational awareness commands implemented as Beacon Object Files for Cobalt Strike. | github.com/trustedsec/CS-Situational-Awareness-BOF |
| SauronEye | Search tool for finding files containing specific keywords — aids red teams in data discovery. | github.com/vivami/SauronEye |
| SharpShares | Multithreaded C# .NET Assembly to enumerate accessible network shares in a domain. | github.com/mitchmoser/SharpShares |
| AggressiveProxy | Enumerates proxy configurations and communicates with C2 over HTTP(S) via discovered proxies. | github.com/EncodeGroup/AggressiveProxy |
| Gopher | C# tool to discover low-hanging fruit during post-exploitation. | github.com/EncodeGroup/Gopher |
🌐 Domain Situational Awareness (Active Directory)
| Tool | Description | GitHub / URL |
|---|---|---|
| BloodHound | Six Degrees of Domain Admin — maps Active Directory attack paths using graph theory. | github.com/BloodHoundAD/BloodHound |
| Rubeus | C# toolset for raw Kerberos interaction and abuses — Kerberoasting, AS-REP roasting, pass-the-ticket. | github.com/GhostPack/Rubeus |
| ADRecon | Gathers Active Directory information and generates a holistic report of the target AD environment. | github.com/adrecon/ADRecon |
| StandIn | Small AD post-compromise toolkit — Resource Based Constrained Delegation and more. | github.com/FuzzySecurity/StandIn |
| SharpView | C# implementation of PowerView for AD enumeration without PowerShell. | github.com/tevora-threat/SharpView |
| PSPKIAudit | PowerShell toolkit for auditing Active Directory Certificate Services (AD CS) misconfigurations. | github.com/GhostPack/PSPKIAudit |
| ADCSPwn | Escalates privileges via Petitpotam coercion and certificate service relay attacks. | github.com/bats3c/ADCSPwn |
| ImproHound | Identifies attack paths in BloodHound that break AD tiering models. | github.com/improsec/ImproHound |
| nanorobeus | Minimalistic tool for managing Kerberos tickets — supports red team frameworks. | github.com/wavvs/nanorobeus |
6. Credential Dumping
| Tool | Description | GitHub / URL |
|---|---|---|
| Mimikatz | The classic credential dumping tool — extracts Kerberos tickets, NTLM hashes, and plaintext passwords from Windows memory. | github.com/gentilkiwi/mimikatz |
| nanodump | Beacon Object File that creates a minidump of the LSASS process stealthily. | github.com/helpsystems/nanodump |
| Dumpert | LSASS memory dumper using direct system calls and API unhooking. | github.com/outflanknl/Dumpert |
| PPLBlade | Protected Process Dumper with memory dump obfuscation and remote transfer capabilities. | github.com/tastypepperoni/PPLBlade |
| PPLKiller | Tool to bypass LSA Protection (Protected Process Light). | github.com/RedCursorSecurityConsulting/PPLKiller |
| LaZagne | Open source application to retrieve passwords stored locally on a computer from dozens of sources. | github.com/AlessandroZ/LaZagne |
| SharpDPAPI | C# port of Mimikatz DPAPI functionality for credential decryption. | github.com/GhostPack/SharpDPAPI |
| KeeThief | Extracts KeePass 2.X key material from memory and enables backdooring of the trigger system. | github.com/GhostPack/KeeThief |
| SharpChromium | .NET project to retrieve Chromium cookies, history, and saved logins. | github.com/djhohnstein/SharpChromium |
| pypykatz | Mimikatz implementation in pure Python for cross-platform credential extraction. | github.com/skelsec/pypykatz |
| SafetyKatz | Combination of Mimikatz and a .NET PE Loader for safer in-memory execution. | github.com/GhostPack/SafetyKatz |
| CredBandit | BOF using static x64 syscalls for complete in-memory process dump via Beacon communication channel. | github.com/xforcered/CredBandit |
| TrickDump | Dumps LSASS using only NTAPIs — generates JSON files and creates Minidump offline. | github.com/ricardojoserf/TrickDump |
| RemoteMonologue | Windows credential harvesting via Interactive User RunAs key and NTLM coercion through DCOM. | github.com/3lp4tr0n/RemoteMonologue |
| SharpLAPS | Retrieve LAPS password from LDAP — useful in environments with local admin password solution deployed. | github.com/swisskyrepo/SharpLAPS |
| Net-GPPPassword | .NET implementation of Get-GPPPassword — retrieves plaintext passwords from Group Policy Preferences. | github.com/outflanknl/Net-GPPPassword |
7. Privilege Escalation
| Tool | Description | GitHub / URL |
|---|---|---|
| GodPotato | SYSTEM escalation via ImpersonatePrivilege — "As Long as You Have ImpersonatePrivilege, You Are SYSTEM!" | github.com/BeichenDream/GodPotato |
| SweetPotato | Collection of native Windows privilege escalation techniques from service accounts to SYSTEM. | github.com/CCob/SweetPotato |
| MultiPotato | Another Potato to get SYSTEM via SeImpersonate privileges — multiple techniques. | github.com/S3cur3Th1sSh1t/MultiPotato |
| KrbRelayUp | Universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced. | github.com/Dec0ne/KrbRelayUp |
| PEASS | Privilege Escalation Awesome Scripts SUITE — WinPEAS and LinPEAS for Windows and Linux. | github.com/carlospolop/PEASS-ng |
| Watson | .NET tool to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities. | github.com/rasta-mouse/Watson |
| SharpUp | C# port of PowerUp functionality — checks for common privilege escalation misconfigurations. | github.com/GhostPack/SharpUp |
| dazzleUP | Detects privilege escalation vulnerabilities caused by misconfigurations and missing Windows updates. | github.com/hlldz/dazzleUP |
| ElevateKit | Demonstrates third-party privilege escalation attacks with Cobalt Strike's Beacon payload. | github.com/rsmudge/ElevateKit |
| PrivKit | Beacon Object File that detects privilege escalation vulnerabilities caused by Windows misconfigurations. | github.com/mertdas/PrivKit |
8. Defense Evasion
EDR / AV Bypass Techniques
Defense Evasion is one of the most critical phases of a red team engagement. Modern EDRs use userland hooks, kernel callbacks, and ETW telemetry to detect malicious activity. These tools help operators bypass each layer.
- Userland hook bypassing (unhooking NTDLL)
- Kernel callback removal via BYOVD
- ETW telemetry blocking
- Event log manipulation
- Process injection alternatives
- Memory scanner evasion
| Tool | Description | GitHub / URL |
|---|---|---|
| EDRSandBlast | Weaponizes a vulnerable signed driver to bypass EDR kernel callbacks and ETW TI provider. | github.com/wavestone-cdt/EDRSandblast |
| EDRSilencer | Uses Windows Filtering Platform (WFP) to block EDR agents from reporting events to their server. | github.com/netero1010/EDRSilencer |
| Backstab | Tool to kill antimalware-protected processes. | github.com/Yaxser/Backstab |
| Blackout | Kill anti-malware protected processes using BYOVD (Bring Your Own Vulnerable Driver). | github.com/ZeroMemoryEx/Blackout |
| RefleXXion | Utility designed to aid in bypassing user-mode hooks used by AV/EPP/EDR products. | github.com/hlldz/RefleXXion |
| SharpUnhooker | C# Universal API Unhooker — automatically unhooks ntdll, kernel32, user32, advapi32, kernelbase. | github.com/GetRektBoy724/SharpUnhooker |
| EvtMute | Apply filters to events reported by Windows Event Logging — suppress detection telemetry. | github.com/bats3c/EvtMute |
| Phant0m | Windows Event Log Killer — terminates Event Log service threads. | github.com/hlldz/Phant0m |
| BlockETW | .NET 3.5/4.5 Assembly to block ETW telemetry in a process. | github.com/Soledge/BlockEtw |
| NetLoader | Loads any C# binary from filepath or URL while patching AMSI and bypassing Windows Defender at runtime. | github.com/Flangvik/NetLoader |
| Mangle | Manipulates compiled executables (.exe or DLL) to avoid EDR detection. | github.com/optiv/Mangle |
| SigFlip | Patches authenticode-signed PE files without invalidating the existing signature. | github.com/med0x2e/SigFlip |
| ShellGhost | Memory-based evasion technique making shellcode invisible from process start to end. | github.com/lem0nSec/ShellGhost |
| AceLdr | Cobalt Strike UDRL (User-Defined Reflective Loader) for memory scanner evasion. | github.com/kyleavery/AceLdr |
| PoolPartyBof | BOF implementation of PoolParty Process Injection via Windows Thread Pools. | github.com/0xEr3bus/PoolPartyBof |
| InlineExecute-Assembly | BOF for in-process .NET assembly execution as an alternative to fork-and-run. | github.com/xforcered/InlineExecute-Assembly |
| EDR-Freeze | Puts EDR and AntiMalware processes into a coma/suspended state. | github.com/TwoSevenOneT/EDR-Freeze |
| DarkLoadLibrary | LoadLibrary replacement for offensive operations — evades detection. | github.com/bats3c/DarkLoadLibrary |
9. Persistence
| Tool | Description | GitHub / URL |
|---|---|---|
| SharPersist | Windows persistence toolkit written in C# — registry, scheduled tasks, services, and more. | github.com/fireeye/SharPersist |
| SharpStay | .NET project for installing a wide variety of persistence mechanisms. | github.com/0xthirteen/SharpStay |
| SharpHide | Tool to create hidden registry keys that are invisible to standard registry viewers. | github.com/outflanknl/SharpHide |
| DAMP | Persistence through host-based Security Descriptor Modification — Discretionary ACL manipulation. | github.com/HarmJ0y/DAMP |
| IIS-Raid | Native backdoor module for Microsoft IIS (Internet Information Services). | github.com/0x09AL/IIS-Raid |
| ScheduleRunner | C# tool for customizing scheduled tasks for both persistence and lateral movement in red team ops. | github.com/netero1010/ScheduleRunner |
| SharpEventPersist | Persistence by writing and reading shellcode from Windows Event Log. | github.com/improsec/SharpEventPersist |
| SharPyShell | Tiny and obfuscated ASP.NET webshell for C# web applications. | github.com/antonioCoco/SharPyShell |
| Kraken | Modular multi-language webshell framework. | github.com/kraken-ng/Kraken |
| HiddenDesktop | HVNC (Hidden Virtual Network Computing) for Cobalt Strike. | github.com/WKL-Sec/HiddenDesktop |
| reGeorg | Successor to reDuh — creates SOCKS proxies through the DMZ via compromised web servers. | github.com/sensepost/reGeorg |
10. Lateral Movement
| Tool | Description | GitHub / URL |
|---|---|---|
| CrackMapExec | A swiss army knife for pentesting networks — SMB, WinRM, LDAP, MSSQL enumeration and exploitation. | github.com/byt3bl33d3r/CrackMapExec |
| impacket | Python classes for working with network protocols — SMB, MSRPC, Kerberos, LDAP attack library. | github.com/SecureAuthCorp/impacket |
| Responder / MultiRelay | LLMNR/NBT-NS/mDNS Poisoner and NTLMv1/2 Relay — capture and relay Net-NTLMv2 hashes. | github.com/lgandx/Responder |
| kerbrute | Quickly bruteforce and enumerate valid Active Directory accounts via Kerberos Pre-Authentication. | github.com/ropnop/kerbrute |
| SharpRDP | RDP Console Application for Authenticated Command Execution without spawning visible sessions. | github.com/0xthirteen/SharpRDP |
| SCShell | Fileless lateral movement tool that relies on ChangeServiceConfigA to run commands remotely. | github.com/Mr-Un1k0d3r/SCShell |
| PowerUpSQL | PowerShell Toolkit for Attacking Microsoft SQL Server in AD environments. | github.com/NetSPI/PowerUpSQL |
| SQLRecon | C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation. | github.com/skahwah/SQLRecon |
| Coercer | Python script to automatically coerce a Windows server to authenticate via 9 different methods. | github.com/p0dalirius/Coercer |
| SharpGPOAbuse | Exploits user edit rights on Group Policy Objects (GPO) to compromise managed AD objects. | github.com/FSecureLABS/SharpGPOAbuse |
| MoveKit | Extension of Cobalt Strike lateral movement using SharpMove and SharpRDP .NET assemblies. | github.com/0xthirteen/MoveKit |
| Invoke-TheHash | PowerShell Pass-The-Hash utilities for lateral movement without cracking NTLM hashes. | github.com/Kevin-Robertson/Invoke-TheHash |
| LiquidSnake | Fileless lateral movement using WMI Event Subscriptions and GadgetToJScript. | github.com/RiccardoAncarani/LiquidSnake |
| orpheus | Bypasses Kerberoast detections using modified KDC options and encryption types. | github.com/trustedsec/orpheus |
| goexec | New take on classic remote execution methods for Windows — implements largely unrealized execution methods with significant OPSEC improvements over the original techniques. | github.com/FalconOpsLLC/goexec |
| BitlockMove | Lateral Movement via Bitlocker DCOM interfaces and COM Hijacking. | github.com/rtecCyberSec/BitlockMove |
| MalSCCM | Abuse local or remote SCCM servers to deploy malicious applications to managed hosts. | github.com/nettitude/MalSCCM |
| SharpNoPSExec | File-less command execution for lateral movement without dropping PsExec. | github.com/juliourena/SharpNoPSExec |
🔗 Tunneling
| Tool | Description | GitHub / URL |
|---|---|---|
| Chisel | Fast TCP/UDP tunnel over HTTP secured via SSH — single executable for client and server. | github.com/jpillora/chisel |
| ligolo-ng | Advanced tunneling tool using a TUN interface — simple and reliable for complex pivot networks. | github.com/nicocha30/ligolo-ng |
| frp | Fast reverse proxy to expose local servers behind NAT or firewall to the internet. | github.com/fatedier/frp |
| SockTail | Joins a device to a Tailscale network and exposes a local SOCKS5 proxy — stealthy red team pivoting. | github.com/Yeeb1/SockTail |
11. Exfiltration
| Tool | Description | GitHub / URL |
|---|---|---|
| SharpExfiltrate | Modular C# framework to exfiltrate data over secure and trusted channels. | github.com/Flangvik/SharpExfiltrate |
| DNSExfiltrator | Data exfiltration over DNS request covert channel — bypasses most network controls. | github.com/Arno0x/DNSExfiltrator |
| Egress-Assess | Tool used to test egress data detection capabilities of security controls. | github.com/FortyNorthSecurity/Egress-Assess |
| VeilTransfer | Data exfiltration utility simulating real-world techniques used by advanced threat actors. | github.com/infosecn1nja/VeilTransfer |
12. Cloud Security (AWS & Azure)
Amazon Web Services (AWS)
Microsoft Azure
- ROADtools — The Azure AD exploration framework. GitHub
- AADInternals — PowerShell module for administering Azure AD and Office 365. GitHub
- TeamFiltration — Cross-platform framework for enumerating, spraying, and exfiltrating O365 AAD accounts. GitHub
- MicroBurst — PowerShell toolkit for assessing Microsoft Azure security. GitHub
- MAAD Attack Framework — Simple, fast & effective security testing of M365 & Azure AD. GitHub
- GraphRunner — Post-exploitation toolset for interacting with the Microsoft Graph API. GitHub
- Maestro — Post-exploitation tool for Intune/EntraID interaction from a C2 agent. GitHub
- TokenTactics — Azure JWT Token Manipulation Toolset. GitHub
- ADOKit — Attacks Azure DevOps Services via the available REST API. GitHub
13. Adversary Emulation
| Tool | Description | GitHub / URL |
|---|---|---|
| Atomic Red Team | Small and highly portable detection tests mapped to the MITRE ATT&CK Framework. | github.com/redcanaryco/atomic-red-team |
| Caldera | Automated adversary emulation system performing post-compromise adversarial behavior in Windows environments. | github.com/mitre/caldera |
| Stratus Red Team | "Atomic Red Team for the cloud" — granular and self-contained cloud attack emulation. | github.com/DataDog/stratus-red-team |
| APTSimulator | Windows Batch script using tools and output files to make a system appear compromised by an APT. | github.com/NextronSystems/APTSimulator |
| Network Flight Simulator | Generates malicious network traffic to help security teams evaluate controls and network visibility. | github.com/alphasoc/flightsim |
| Metta | Security preparedness tool for adversarial simulation exercises. | github.com/uber-common/metta |
| Red Team Automation (RTA) | Framework of scripts allowing blue teams to test detection capabilities against MITRE ATT&CK tradecraft. | github.com/endgameinc/RTA |
| TTPForge | Framework for development, automation, and execution of Tactics, Techniques, and Procedures (TTPs). | github.com/facebookincubator/TTPForge |
| Prelude Operator | Developer-first advanced security platform for mimicking real adversarial attacks. | preludesecurity.com |
14. AI Red Teaming & Offensive AI Agents
AI Red Teaming Tools
The emergence of LLMs in production environments has created an entirely new attack surface. These tools help security teams evaluate, test, and red-team AI systems for jailbreaks, prompt injection, and unsafe behaviors.
| Tool | Description | URL |
|---|---|---|
| promptfoo | CLI and framework for evaluating, testing, and red-teaming LLM applications and prompts. | GitHub |
| Garak | LLM vulnerability scanner — probes for weaknesses, jailbreaks, and unsafe model behaviors. | GitHub |
| PyRIT | Microsoft's Python Risk Identification Tool for identifying risks in generative AI systems. | GitHub |
| FuzzyAI | Powerful automated LLM fuzzer for identifying jailbreaks and security vulnerabilities in LLM APIs. | GitHub |
| deepeval | Simple open-source LLM evaluation framework for large-language model system assessments. | GitHub |
Offensive AI Agents
Next-generation autonomous AI agent frameworks for automated penetration testing, from reconnaissance all the way through post-exploitation — with zero or minimal human intervention.
| Tool | Description | URL |
|---|---|---|
| PentAGI | Fully autonomous AI Agents system capable of performing complex penetration testing tasks. | GitHub |
| HexStrike AI | Advanced MCP server letting AI agents autonomously run 150+ cybersecurity tools. | GitHub |
| CAI | Lightweight open-source framework for building AI-powered offensive and defensive automation. | GitHub |
| RedAmon | AI-powered agentic red team framework automating full offensive operations with zero human intervention. | GitHub |
| raptor | Turns Claude Code into a general-purpose AI offensive/defensive security agent. | GitHub |
15. Living Off The Land (LOL)
LOL Resources
Living Off the Land techniques use legitimate, trusted system binaries and tools to evade detection. These curated reference databases help both red teamers identify abuse opportunities and defenders understand the risks.
- LOLBAS — Every binary, script, and library for LOL techniques on Windows. lolbas-project.github.io
- GTFOBins — Unix binaries for bypassing local security restrictions. gtfobins.github.io
- LOOBins — macOS binaries abusable by threat actors. loobins.io
- Living Off The Land Drivers — Windows drivers used by adversaries to bypass security controls. loldrivers.io
- Living Off Trusted Sites (LOTS) — Legitimate domains abused for phishing, C2, and exfiltration. lots-project.com
- Filesec — Latest file extensions being used by attackers. filesec.io
- Hijack Libs — Curated list of DLL Hijacking candidates. hijacklibs.net
- WTFBins — Benign applications that exhibit suspicious/malware-like behavior. wtfbins.wtf
16. Miscellaneous — Reporting, Intelligence & Infrastructure
Reporting & Tracking
- Ghostwriter — Django-based web app for red team operators — reporting and operation tracking. GitHub
- VECTR — Tracks red and blue team testing activities to measure detection across attack scenarios. GitHub
- PurpleOps — Open-source self-hosted purple team management web application. GitHub
- Nemesis — Offensive data enrichment pipeline and operator support system. GitHub
Threat Intelligence
- APT REPORT — Interesting APT report collection and IOC repository. GitHub
- Awesome Threat Intelligence — Curated list of threat intelligence resources. GitHub
- deepdarkCTI — CTI sources from the deep and dark web. GitHub
- CTI Dashboard — Real-time cybersecurity threat intelligence from multiple vendors in one place. start.me
- Hudson Rock — Free cybercrime intelligence toolset — check if emails/domains were compromised in Infostealer attacks. hudsonrock.com
- Tidal Cyber — Helps organizations define, measure, and improve defenses against prioritized adversary behaviors. tidalcyber.com
Red Team Tool Category Overview
| Category | Tool Count | Key Tools | Primary Use | Skill Level |
|---|---|---|---|---|
| Reconnaissance | 17+ | Amass, BBOT, SpiderFoot | Target profiling & OSINT | Beginner–Medium |
| Command & Control | 20+ | Sliver, Havoc, Cobalt Strike | Post-exploitation & tasking | Advanced |
| Credential Dumping | 18+ | Mimikatz, nanodump, LaZagne | Credential harvesting | Medium–Advanced |
| Defense Evasion | 20+ | EDRSandBlast, Mangle, SigFlip | AV/EDR bypass | Advanced |
| Lateral Movement | 22+ | CrackMapExec, impacket, Coercer | Network traversal | Medium–Advanced |
| Privilege Escalation | 10+ | GodPotato, PEASS, Watson | Gaining higher privileges | Medium |
| Cloud (AWS/Azure) | 14+ | pacu, ROADtools, MAAD-AF | Cloud environment testing | Advanced |
| AI Red Teaming | 10+ | promptfoo, Garak, PyRIT | LLM security evaluation | Medium |