Powershell

Ultimate AppLocker Bypass List

A repository documenting AppLocker bypass techniques with verified methods, legacy DLL execution approaches, and a PowerShell module for identifying AppLocker weaknesses.

FLARE-VM

FLARE-VM is a Windows virtual machine setup tool that automates the installation and configuration of reverse engineering and malware analysis software using Chocolatey and Boxstarter technologies.

PSRecon

A PowerShell-based incident response and live forensic data acquisition tool for Windows hosts.

Meerkat

A collection of PowerShell modules for artifact gathering and reconnaissance of Windows-based endpoints.

CimSweep

CimSweep is a suite of CIM/WMI-based tools for incident response and hunting operations on Windows systems without the need to deploy an agent.

PowerShell Cheat Sheet v. 4.0

A comprehensive PowerShell cheat sheet covering various tasks and techniques for file management, process management, network operations, and system administration.

Active Directory Security

A comprehensive resource for securing Active Directory, including attack methods and effective defenses.

Ebowla

Ebowla is a tool for generating payloads in Python, GO, and PowerShell with support for Reflective DLLs.

Sherlock PowerShell Script

Powerful PowerShell script for identifying missing software patches for local privilege escalation vulnerabilities.

MicroBurst

A PowerShell toolkit for penetration testing Microsoft Azure environments, providing discovery, configuration auditing, and post-exploitation capabilities.

PSHunt

Powershell Threat Hunting Module for scanning remote endpoints and collecting comprehensive information.

Active Directory Exploitation Cheat Sheet

Cheat sheet with common enumeration and attack methods for Windows Active Directory.

Posh-VirusTotal PowerShell Module

A PowerShell module for interacting with VirusTotal to analyze suspicious files and URLs.

Executing Commands and Bypassing AppLocker with PowerShell Diagnostic Scripts

A blog post about bypassing AppLocker using PowerShell diagnostic scripts

Invoke-ATTACKAPI [DEPRECATED]

A PowerShell script to interact with the MITRE ATT&CK Framework via its own API using the deprecated MediaWiki API.

Kansa

A modular incident response framework in Powershell that uses Powershell Remoting to collect data for incident response and breach hunts.

Windows EVTX Samples [200 EVTX examples]

Container of 200 Windows EVTX samples for testing detection scripts and training on DFIR.

WMI Monitor

Monitor WMI consumers and processes for potential malicious activity