red-team-adversary-emulation.md

Red Teaming, Adversary Simulation and Offensive Security

Collection of resources related to offensive security (red teaming and adversary simulation) with a focus on Linux environments.

Content

• Backdoors
• C2 Frameworks
• Libraries
• Malwares
• Misc
• Networking
• Resources
• Rootkits
• Tools

Backdoors

• BDF: The Backdoor Factory.
• ReCmd: Remote Command executor
• Tiny Shell: An open-source UNIX backdoor

C2 Frameworks

• C2 matrix: C2 frameworks comparison.
  • Spreadsheet
• Emp3r0r: Linux/Windows post-exploitation framework made by linux user.
• empire: PowerShell and Python 3.x post-exploitation framework.
• Havoc: modern and malleable post-exploitation command and control framework.
• Heroinn: Rust cross platform C2/post-exploitation framework.
• Link: command and control framework written in rust.
• pupy: cross-platform remote administration and post-exploitation tool.
• sliver: Adversary Emulation Framework.
• pwncat: reverse and bind shell handler.
• Stitch: python Remote Administration Tool.
• TheFatRat: generate backdoor and easy tool to post exploitation attack.
• veil: generate metasploit payloads that bypass common anti-virus solutions.

Libraries

• ColdFire: malware development library.
• Houdini: rust library that allows you to delete your executable while it's running.
• Impacket: collection of Python classes for working with network protocols.
• Intruducer: Rust crate to load a shared library into a Linux process without using ptrace.

Malwares

• Linux Malware: tracking interesting Linux (and UNIX) malware.
  • ATT&CK mapping: linux malware to ATTACK.
  • elfloader: architecture-agnostic ELF file flattener for shellcode.
• Dumpers:
  • pamspy: Credentials Dumper for Linux using eBPF.
• Log Cleaners:
  • Moonwalk: Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps.
• Malware Source Code: collection of malware source code for a variety of platforms.
• Obfuscation:
  • Bashfuscator: configurable and extendable Bash obfuscation framework.
• Packers:
  • oxide: PoC packer written in Rust.
  • UPX: free, portable, extendable, high-performance executable packer.
• Pafish: testing tool that uses different techniques to detect virtual machines and malware analysis environments.

Misc

• antiscan: scan service similar to virustotal

Networking

• File Transfer:
  • croc: easily and securely send things from one computer to another.
  • pcp: peer-to-peer data transfer tool based on libp2p.
• Proxies:
  • frp: fast reverse proxy.
  • leaf: versatile and efficient proxy framework.
  • mitmproxy: interactive HTTPS proxy.
  • ngrok: introspected tunnels to localhost.
  • Proxiechain: a tool that forces any TCP connection made by any given application to follow through proxies.
  • rathole: lightweight and high-performance reverse proxy for NAT traversal, written in Rust.
  • Shadowsocks: fast tunnel proxy that helps you bypass firewalls.
  • socat: relay for bidirectional data transfer.
• Remote/Reverse Shells:
  • GTRS: Google Translator Reverse Shell.
  • hershell: multiplatform reverse shell generator.
  • icmpsh: reverse ICMP shell.
  • Platypus: modern multiple reverse shell sessions manager written in go.
  • rpty: tricking shells into interactive mode when local PTY's are not available.
  • rsg: tool to generate various ways to do a reverse shell.
  • rtty: access your terminal from anywhere via the web.
  • rustcat: modern Port listener and Reverse shell.
  • tunshell: remote shell into ephemeral environments.
  • wash: a cloud-native shell for bringing remote infrastructure to your terminal.
• Tunnelling:
  • bore: simple CLI tool for making tunnels to localhost.
  • chisel: fast TCP/UDP tunnel over HTTP.
  • clash: rule-based tunnel in Go.
  • dog-tunnel: p2p tunnel.
    • kcp: a Fast and Reliable ARQ Protocol.
  • gost: a simple tunnel written in golang.
  • gsocket: connect like there is no firewall. Securely.
  • icmptunnel: tunnel your IP traffic through ICMP echo and reply packets.
  • iodine: tunnel IPv4 data through a DNS server.
  • pingtunnel: tool that send TCP/UDP traffic over ICMP.
  • ssf: Secure Socket Funneling.
  • Stowaway: Multi-hop Proxy Tool for pentesters.
  • udp2raw: tunnel which Turns UDP Traffic into Encrypted UDP/FakeTCP/ICMP Traffic.

Resources

• ATT&CK: knowledge base of adversary tactics and techniques.
• GTFOBins: curated list of Unix binaries that can be used to bypass local security restrictions.
• HackTricks: hacking trick/technique/whatever
• Linode Red Teaming Series
• LOLBAS: Living Off The Land Binaries, Scripts and Libraries.
• Offensive Security: Tools & Interesting Things for RedTeam Ops.
• PayloadAllTheThings: list of useful payloads and bypass for Web Application Security and Pentest/CTF.
• PayloadBox: list of attack payloads.
• Red Teaming: List of Awesome Red Teaming Resources.
• Red team cheatsheet: Red Team Cheatsheet in constant expansion.
• Red Team Infrastructure: Red Team infrastructure hardening resources.
• RedTeam-Tools: Tools and Techniques for Red Team
• Red Teaming Toolkit: cutting-edge open-source security tools (OST) for a red teamer and threat hunter.
• RedTeaming-TT: Red Teaming Tactics and Techniques
• SecList: collection of multiple types of lists used during security assessments.
• Standards:
  • NIST: Framework for Improving Critical Infrastructure Cybersecurity.
  • OSSTMM: Open Source Security Testing Methodology Manual.
  • PTES: Penetration Testing Methodologies and Standards.
  • TIBER: Threat Intelligence-Based Ethical Red Teaming Framework.
  • STG: OWASP testing methodologies.

Rootkits

• Kernel
  • Awesome Linux Rootkits.
  • Diamorphine: LKM rootkit for Linux Kernels 2.6.x/3.x/4.x/5.x and ARM64.
  • Pinkit: LKM rootkit that executes a reverse TCP netcat shell with root privileges.
  • Reptile: LKM Linux rootkit.
  • Research rootkit: LibZeroEvil & the Research Rootkit project.
  • Rootkit: rootkit for Ubuntu 16.04 and 10.04 (Linux Kernels 4.4.0 and 2.6.32), both i386 and amd64.
  • Rootkit list download: list of rootkits (includes also userspace rootkits).
  • Sutekh: rootkit that gives a userland process root permissions.
  • TripleCross: Linux eBPF rootkit.
• Resources
  • xcellerator: Linux kernel rootkit series

Tools

• airgeddon: multi-use bash script for Linux systems to audit wireless networks.
• Beshark: Bash post exploitation toolkit.
• Bettercap: networks reconnaissance and MITM attacks.
• BloodHound: Six Degrees of Domain Admin.
• CrackMapExec: evaluates and exploits vulnerabilities in an active directory environment.
• HashCat: password recovery utility.
• LaZagne: retrieve passowrds.
• Linux Exploit Suggester: Linux privilege escalation auditing tool.
• Metasploit Framework: penetration testing framework.
  • Venom: metasploit Shellcode generator/compiller.
• NoseyParker: command-line program that finds secrets and sensitive information in textual data and Git history.
• PEASS-ng: Privilege Escalation Awesome Scripts SUITE.
• pixload: set of tools for creating/injecting payload into images.
• Sherlock: hunt down social media accounts by username across social networks.
• SSH weaponization:
  • reverse-ssh: Statically-linked ssh server with reverse shell
  • reverse_ssh: SSH based reverse shell.
  • sshimpanzee: static reverse ssh server functionality.
• traitor: automatic Linux privesc via exploitation of low-hanging fruit.