Windows

Windows anti-forensics USB monitoring tool with the ability to shutdown the computer upon detecting the unplugging of a specified USB device.

A tool that exposes the functionality of the Volume Shadow Copy Service (VSS) for creation, enumeration, and manipulation of volume shadow copies, with features for persistence and evasion.

A digital forensics tool that extracts and analyzes Windows AppCompat and AmCache registry data for enterprise-scale forensic investigations.

A combination of honeypot, monitoring tool, and alerting system for detecting insecure configurations.

A 32-bit assembler level analyzing debugger for Microsoft Windows.

Tool to identify and understand code-injection vulnerabilities in Windows 7 UAC whitelist system.

A cross-platform security application that functions as a laptop kill cord, automatically locking or shutting down your computer when physically separated from you via a USB connection.

A utility package that monitors hard drive health through SMART technology to detect and prevent disk failures before data loss occurs.

A repository documenting AppLocker bypass techniques with verified methods, legacy DLL execution approaches, and a PowerShell module for identifying AppLocker weaknesses.

A library to access and parse Windows Shortcut File (LNK) format.

Darkarmour is an open-source Windows antivirus evasion framework that enables security professionals to bypass antivirus detection through customizable obfuscation and anti-analysis techniques.

A library for accessing and parsing Microsoft Internet Explorer cache files (index.dat) to extract URLs, timestamps, and cached content for digital forensic analysis.

A suite of console tools for working with timestamps in Windows with 100-nanosecond precision.

minikube is a local Kubernetes cluster management tool that enables developers to run and test Kubernetes applications on their local machines across multiple operating systems.

FLARE-VM is a Windows virtual machine setup tool that automates the installation and configuration of reverse engineering and malware analysis software using Chocolatey and Boxstarter technologies.

A comprehensive repository of payloads and bypass techniques for web application security testing and penetration testing across multiple platforms and attack vectors.

BlueTeam.Lab provides Terraform and Ansible scripts to deploy an orchestrated detection laboratory for testing attacks and forensic artifacts in a SOC-like Windows environment.

A collection of PowerShell modules for artifact gathering and reconnaissance of Windows-based endpoints.

A Windows-based workflow automation and case management application that integrates with CrowdStrike Falcon APIs to streamline security operations and incident response processes.

KFSensor is an advanced Windows honeypot system for detecting hackers and worms by simulating vulnerable system services.

A powerful tool for extracting passwords and performing various Windows security operations.

A comprehensive utility that shows what programs are configured to run during system bootup or login, and when you start various built-in Windows applications.

PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.

CimSweep is a suite of CIM/WMI-based tools for incident response and hunting operations on Windows systems without the need to deploy an agent.