9.10. Operating System Persistence

9.10.1. Windows

9.10.1.1. Credential Acquisition

  • mimikatz

  • RdpThief Extracting Clear Text Passwords from mstsc.exe using API Hooking

  • quarkspwdump Dump various types of Windows credentials without injecting in any process

  • SharpDump C# port of PowerSploit’s Out-Minidump.ps1 functionality

9.10.1.2. Privilege Escalation

  • WindowsExploits

  • GTFOBins Curated list of Unix binaries that can be exploited to bypass system security restrictions

  • JAWS Just Another Windows (Enum) Script

9.10.1.3. UAC Bypass

9.10.1.4. AV Evasion

  • SigThief Stealing Signatures and Making One Invalid Signature at a Time

9.10.1.5. C2

  • SharpSploit .NET post-exploitation library written in C#

  • Koadic is a Windows post-exploitation rootkit

9.10.1.6. Hiding

  • ProcessHider Post-exploitation tool for hiding processes from monitoring applications

  • Invoke Phant0m Windows Event Log Killer

  • EventCleaner A tool mainly to erase specified records from Windows event logs, with additional functionalities

9.10.1.7. DLL Injection

  • sRDI Shellcode Reflective DLL Injection

9.10.1.8. rootkit

  • r77-rootkit Ring 3 rootkit with single file installer and fileless persistence that hides processes, files, network connections, etc

9.10.1.9. Spoofing

  • parent PID spoofing Scripts for performing and detecting parent PID spoofing

  • GetSystem This is a C# implementation of making a process/executable run as NT AUTHORITY/SYSTEM. This is achieved through parent ID spoofing of almost any SYSTEM process.

9.10.1.10. MiTM

  • Seth Perform a MitM attack and extract clear text credentials from RDP connections

  • pyrdp RDP man-in-the-middle (mitm) and library for Python with the ability to watch connections live or after the fact

9.10.1.11. Comprehensive Tools

  • Nishang Offensive PowerShell for red team, penetration testing and offensive security

9.10.2. Linux

9.10.2.1. Privilege Escalation

9.10.2.2. rootkit

  • rootkit

  • Diamorphine LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x (x86/x86_64 and ARM64)

9.10.2.3. Backdoors

  • prism is a user-space stealth reverse shell backdoor

  • icmpsh Simple reverse ICMP shell

9.10.3. Cross-Platform

9.10.3.1. Credential Acquisition

  • sshLooterC program to steal passwords from ssh

  • keychaindump A proof-of-concept tool for reading OS X keychain passwords

  • LaZagne Credentials recovery project

  • SecretScanner Find secrets and passwords in container images and file systems

9.10.3.2. Privilege Escalation

  • BeRoot Privilege Escalation Project - Windows / Linux / Mac

9.10.3.3. RAT

9.10.3.4. C2

  • Empire

  • pupy

  • Covenant is a collaborative .NET C2 framework for red teamers

  • Cooolis-ms A code execution tool that bundles the Metasploit Payload Loader, the Cobalt Strike External C2 Loader and Reflective DLL injection

9.10.3.5. DNS Shell

  • DNS Shell DNS-Shell is an interactive Shell over DNS channel

  • Reverse DNS Shell A python reverse shell that uses DNS as the c2 channel

9.10.3.6. Cobalt Strike

9.10.3.7. Log Clearing

  • Log killer Clear all logs in [linux/windows] servers

9.10.3.8. Botnet

  • byob Build Your Own Botnet

9.10.3.9. AV Evasion Tools

  • AV Evasion Tool 掩日 - generator for AV-evading executors

  • DKMC Dont kill my cat - Malicious payload evasion tool