forked from mandiant/VM-Packages
Packages
vm-packages edited this page Jul 21, 2025
This page documents the available VM packages sorted by category. The packages in the FLARE-VM default configuration are marked in bold.
Note: This page is generated automatically. Do not edit it manually.
Package | Description |
---|---|
c3.vm | C3 (Custom Command and Control) enables rapid prototyping of custom C2 channels, integrating with existing offensive toolkits. Link |
covenant.vm | Covenant is a collaborative .NET C2 framework for red teamers. Link |
merlin.vm | Merlin is a cross-platform post-exploitation Command and Control server and agent written in Go. |
metasploit.vm | Metasploit is a penetration testing framework for finding vulnerabilities, penetration testing, and developing IDS signatures. Link |
sliver.vm | Sliver is an open source cross-platform adversary emulation/red team framework. |
wmimplant.vm | WMImplant is a PowerShell tool using WMI for remote actions and as a C2 channel. Link |
Package | Description |
---|---|
adconnectdump.vm | This toolkit offers several ways to extract and decrypt stored Azure AD and Active Directory credentials from Azure AD Connect servers. |
asreproast.vm | Project that retrieves crackable hashes from KRB5 AS-REP responses for users without Kerberos pre-authentication enabled. |
credninja.vm | This tool will tell you if the credentials you dumped are valid on the domain, and if you have local administrator access to a host. |
dumpert.vm | Dumpert is a LSASS memory dumper using direct system calls and API unhooking. Link |
getlapspasswords.vm | PowerShell function to pull the local admin passwords from LDAP, stored there by LAPS. |
hashcat.vm | Hashcat is a fast password recovery utility. |
internal-monologue.vm | Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS |
inveigh.vm | Inveigh is a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers. |
keethief.vm | Allows for the extraction of KeePass 2.X key material from memory, as well as the backdooring and enumeration of the KeePass trigger system. |
kerbrute.vm | A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication |
mailsniper.vm | MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms and performing password spraying. |
mimikatz.vm | Mimikatz is an open-source application that allows users to view and save authentication credentials such as Kerberos tickets |
nanodump.vm | A Beacon Object File that creates a minidump of the LSASS process. |
rubeus.vm | Rubeus is a C# toolset for raw Kerberos interaction and abuses. |
safetykatz.vm | SafetyKatz is a combination of a slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader. |
sharpcliphistory.vm | SharpClipHistory is a .NET 4.5 application written in C# that can be used to read the contents of a user's clipboard history in Windows 10 starting from the 1809 Build. |
sharpdump.vm | SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality. |
sharplaps.vm | This executable is made to be executed within a Cobalt Strike session using execute-assembly. It will retrieve the LAPS password from the Active Directory. |
sharpsecdump.vm | .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py |
Package | Description |
---|---|
capesolo.vm | Capesolo is a standalone sandbox tool with unpacker and debugger. Link |
ollydbg.plugin.ollydumpex.vm | Ollydumpex plugin is a process memory dumper for OllyDbg and Immunity Debugger. Link |
ollydbg.plugin.scyllahide.vm | ScyllaHide is an advanced open-source x64/x86 user mode Anti-Anti-Debug library. Link |
ollydbg.vm | OllyDbg is a 32-bit assembler level analysing debugger for Windows. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. Link |
ollydbg2.plugin.ollydumpex.vm | Ollydumpex plugin is a process memory dumper for OllyDbg2 and Immunity Debugger. Link |
ollydbg2.plugin.scyllahide.vm | ScyllaHide is an advanced open-source x64/x86 user mode Anti-Anti-Debug library. Link |
ollydbg2.vm | OllyDbg2 is a 32-bit assembler level analysing debugger for Windows. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. Link |
ttd.vm | TTD is a time travel debugging command line utility. Link |
windbg.vm | WinDbg is a debugger that can be used to analyze crash dumps, debug live user-mode and kernel-mode code, and examine CPU registers and memory. Link |
x64dbg.plugin.dbgchild.vm | DbgChild is an x64dbg plugin to automatically attach to spawned child processes. Link |
x64dbg.plugin.ollydumpex.vm | Ollydumpex is a process memory dumper for OllyDbg and Immunity Debugger. Link |
x64dbg.plugin.scyllahide.vm | ScyllaHide is an advanced open-source x64/x86 user mode Anti-Anti-Debug library. Link |
x64dbg.plugin.x64dbgpy.vm | X64dbgpy is a plugin to access the API of x64dbg using Python. Link |
x64dbg.vm | X64dbg is an open-source x64/x32 debugger for Windows. Link |
Package | Description |
---|---|
idr.vm | IDR (Interactive Delphi Reconstructor) is a decompiler for Delphi-written Windows32 EXEs and DLLs. Link |
Package | Description |
---|---|
binaryninja.vm | Binary Ninja is an interactive decompiler, disassembler, debugger, and binary analysis platform. Link |
cutter.vm | Cutter is a FOSS disassembler/decompiler. Link |
ghidra.vm | Ghidra is a software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission. Link |
idafree.vm | IDA Free is the free version of IDA Pro, a powerful Interactive DisAssembler and debugger. Link |
idapro.vm | IDA Pro 9 is an interactive DisAssembler and debugger. Requires ida-pro_9*.exe (optional .hexlic) from https://hex-rays.com/ida-pro on the Desktop. Link |
Package | Description |
---|---|
didier-stevens-beta.vm | DidierStevensSuiteBeta is a collection of beta malware analysis tools by Didier Stevens. Link |
didier-stevens-suite.vm | DidierStevensSuite is a collection of malware analysis tools by Didier Stevens. Link |
ezviewer.vm | Ezviewer is a standalone, zero dependency document viewer and hex editor. Link |
microsoft-office.vm | Microsoft Office ProPlus2024Retail. |
offvis.vm | OffVis is an office visualization tool for understanding and deconstructing targeted attacks in .doc, .xls, and .ppt files. Link |
onenoteanalyzer.vm | OneNoteAnalyzer is a C# based tool for analyzing malicious OneNote documents. Link |
pdfstreamdumper.vm | PDFStreamDumper is a free, open source tool to analyze malicious PDF documents. Link |
Package | Description |
---|---|
certify.vm | Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS). |
microburst.vm | MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping. |
petitpotam.vm | PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions |
powermad.vm | Powermad includes a set of functions for exploiting ms-DS-MachineAccountQuota without attaching an actual system to AD |
powersploit.vm | PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. |
powerupsql.vm | PowerUpSQL helps with SQL Server discovery, weak config audits, privilege escalation, and post-exploitation OS command execution. Link |
powerzure.vm | PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. |
sharpdpapi.vm | SharpDPAPI is a C# port of some DPAPI functionality from @gentilkiwi's Mimikatz project. |
sharpup.vm | SharpUp is a C# port of various PowerUp functionality for auditing potential privilege escalation paths. |
spoolsample.vm | PoC tool to coerce Windows hosts to authenticate to other machines via the MS-RPRN RPC interface. |
sqlrecon.vm | MSSQL toolkit for reconnaissance and post-exploitation |
teamfiltration.vm | TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts. |
whisker.vm | Whisker is a C# tool for Active Directory account takeover via shadow credential injection through msDS-KeyCredentialLink manipulation. Link |
Package | Description |
---|---|
bindiff.vm | BinDiff is a comparison tool for binary files that finds differences and similarities in disassembled code. Link |
die.vm | DIE (Detect It Easy) is a tool for file type identification with signature-based and heuristic analysis. Link |
exeinfope.vm | Exeinfo PE displays metadata for a variety of file types and identifies many executable packers. Link |
exiftool.vm | ExifTool is a tool for reading, writing and manipulating metadata. Link |
file.vm | file is a Windows port of the Linux file utility for checking header magics. Link |
floss.vm | FLOSS automatically deobfuscates strings in malware using advanced static analysis, enhancing basic static analysis like strings.exe. Link |
hasher.vm | Hasher is a tool to calculate hashes. Link |
hashmyfiles.vm | HashMyFiles calculates and exports various file hashes (MD5, SHA256, etc.) to clipboard and multiple file formats. Link |
magika.vm | Magika is an AI powered file type detection tool that uses deep learning to provide accurate detection. Link |
Package | Description |
---|---|
aleapp.vm | Android Logs Events And Protobuf Parser. |
amcacheparser.vm | Amcache.hve parser with lots of extra features. Handles locked files |
appcompatcacheparser.vm | AppCompatCache aka ShimCache parser. Handles locked files |
arsenalimagemounter.vm | Mounts the contents of disk images as complete disks in Windows. |
autopsy.vm | Autopsy is a graphical interface to The Sleuth Kit and other open source digital forensics tools. |
chainsaw.vm | Chainsaw provides a powerful 'first-response' capability to quickly identify threats within Windows forensic artefacts such as Event Logs and the MFT file. |
dcode.vm | Utility for converting data found on desktop and mobile devices into human-readable timestamps. |
event-log-explorer.vm | Software solution for viewing, analyzing and monitoring events recorded in Microsoft Windows event logs. |
evtxecmd.vm | Event log (evtx) parser with standardized CSV, XML, and json output! Custom maps, locked file support, and more! |
ftk-imager.vm | FTK Imager is a data preview and imaging tool used to acquire electronic evidence in a forensically sound manner. Link |
hayabusa.vm | Windows event log fast forensics timeline generator and threat hunting tool |
jlecmd.vm | Jump List parser |
jumplist_explorer.vm | GUI based Jump List viewer |
kernel-ost-viewer.vm | Facilitates efficient OST file recovery with features such as advanced message search, snapshot management and diverse file format saving. |
kernel-outlook-pst-viewer.vm | Standalone platform for opening PST files without installing MS Outlook. |
lecmd.vm | Parse lnk files |
logfileparser.vm | Decode and dump lots of transaction information from the $LogFile on NTFS. |
memprocfs.vm | MemProcFS is an easy and convenient way of viewing physical memory as files in a virtual file system. |
mft_explorer.vm | Graphical $MFT viewer |
mftecmd.vm | $MFT, $Boot, $J, $SDS, $I30, and $LogFile (coming soon) parser. Handles locked files |
pecmd.vm | Prefetch parser |
rbcmd.vm | Recycle Bin artifact (INFO2/$I) parser |
recentfilecacheparser.vm | RecentFileCache parser |
recmd.vm | Powerful command line Registry tool with searching, multi-hive support, plugins, and more |
rla.vm | Replay transaction logs and update Registry hives so they are no longer dirty. Useful when tools do not know how to handle transaction logs |
sbecmd.vm | ShellBags Explorer, command line edition, for exporting shellbag data |
sdb_explorer.vm | Shim database GUI |
shellbags_explorer.vm | GUI for browsing shellbags data. Handles locked files |
sqlecmd.vm | Find and process SQLite files according to your needs with maps! |
srumecmd.vm | Process SRUDB.dat and (optionally) SOFTWARE hive for network, process, and energy info! |
sumecmd.vm | Process Microsoft User Access Logs found under "C:\Windows\System32\LogFiles\SUM" |
testdisk.vm | A robust data recovery tool, TestDisk, specializes in restoring lost partitions across diverse filesystems and facilitates file undeletion within supported filesystems. |
timeline_explorer.vm | View CSV and Excel files, filter, group, sort, etc. with ease |
vscmount.vm | Mount all VSCs on a drive letter to a given mount point |
wxtcmd.vm | Windows 10 Timeline database parser |
Package | Description |
---|---|
goresym.vm | GoReSym is a Go symbol recovery tool. Link |
gostringungarbler.vm | GoStringUngarbler deobfuscates strings in Go binaries obfuscated by garble. Link |
Package | Description |
---|---|
010editor.vm | 010 Editor is a text and hex editor with Binary Templates technology. Takes long to install. Link |
hxd.vm | HxD is a fast hex editor for inspecting and editing large files, raw disks, and RAM. Link |
imhex.vm | ImHex is a hex editor with a custom pattern language, data inspector, disassembler, and file diffing capabilities. Link |
Package | Description |
---|---|
ida.plugin.capa.vm | capa explorer is an IDAPython plugin that integrates capa with IDA Pro. Link |
ida.plugin.comida.vm | ComIDA is an IDAPython plugin that helps analyze modules using COM. Link |
ida.plugin.dereferencing.vm | deREferencing is an IDAPython plugin that enhances registers and stack views by adding dereferenced pointers, colors, and other useful information. Link |
ida.plugin.diaphora.vm | Diaphora is an IDAPython plugin that performs advanced program diffing by comparing assembler, pseudo-code, functions, and data structures. Link |
ida.plugin.flare.vm | FLARE IDAPython plugins include Shellcode Hashes to find API calls from hashes and ApplyCalleeType to apply function prototypes to indirect calls. Link |
ida.plugin.hashdb.vm | HashDB is an IDAPython plugin that connects to an online community library to look up hashes, identifying API names and strings in malware. Link |
ida.plugin.hrtng.vm | hrtng is an IDA Pro plugin with features such as decryption, automation, deobfuscation, patching, lib code recognition and pseudocode transformations. Link |
ida.plugin.ifl.vm | IFL (Interactive Functions List) is an IDAPython plugin for navigating function references and importing reports from tools like PE-sieve. Link |
ida.plugin.lighthouse.vm | Lighthouse is an IDAPython plugin that explores code coverage, providing interactive controls to study execution maps. Link |
ida.plugin.xray.vm | xray is an IDAPython plugin that filters and colorizes Hexrays decompiler output based on regular expressions to highlight interesting code patterns. Link |
ida.plugin.xrefer.vm | XRefer is an IDAPython plugin that provides a custom navigation interface with path graphs and Gemini-powered descriptions to speed up analysis. Link |
Package | Description |
---|---|
ifpstools.vm | IFPSTools.NET creates, modifies, assembles, and disassembles RemObjects compiled bytecode files. Link |
innoextract.vm | innoextract unpacks Inno Setup installers and variants. Link |
innounp.vm | innounp unpacks Inno Setup installers. Link |
isd.vm | Inno Setup Decompiler provides a useful UI to analyze Inno Setup compiled code scripts. |
Package | Description |
---|---|
apktool.vm | A tool for reverse engineering 3rd party, closed, binary Android apps. |
bytecodeviewer.vm | A lightweight user-friendly Java/Android Bytecode Viewer, Decompiler and more. |
dex2jar.vm | Tools to work with android .dex and java .class files. |
openjdk.vm | Metapackage for OpenJDK to ensure all packages use the same OpenJDK version. |
recaf.vm | Java bytecode editor |
Package | Description |
---|---|
js-beautify.vm | JavaScript beautifier and deobfuscator. |
js-deobfuscator.vm | Deobfuscator to remove common JS obfuscation techniques. |
malware-jail.vm | Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction. |
nodejs.vm | Metapackage for Node.js to ensure all packages use the same Node.js version. |
obfuscator-io-deobfuscator.vm | A deobfuscator for scripts obfuscated by Obfuscator.io |
Package | Description |
---|---|
invoke-thehash.vm | Invoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB tasks. |
sharpexec.vm | SharpExec is an offensive security C# tool designed to aid with lateral movement. |
Package | Description |
---|---|
hollowshunter.vm | Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches). |
pesieve.vm | pe-sieve recognizes and dumps a variety of implants within the scanned process. |
processdump.vm | Process Dump is a Windows reverse-engineering command-line tool to dump malware memory components back to disk for analysis. |
Package | Description |
---|---|
fakenet-ng.vm | FakeNet-NG is a dynamic network analysis tool. |
fiddler.vm | Intercepts, decrypts, and analyzes HTTPS traffic |
internet_detector.vm | Tool that changes the background and a taskbar icon if it detects internet connectivity |
networkminer.vm | NetworkMiner is a network forensics tool for extracting artifacts (files, images, emails, passwords) from PCAP files and live traffic. Link |
nmap.vm | Port scanning utility and nc replacement with extended features |
npcap.vm | Npcap is an architecture for packet capture and network analysis for Windows operating systems, consisting of a software library and a network driver. |
openvpn.vm | OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations. |
powercat.vm | PowerShell implementation of netcat functionality |
putty.vm | PuTTY is a free implementation of SSH and Telnet for Windows and Unix platforms, along with an xterm terminal emulator. |
streamdivert.vm | StreamDivert is a tool to man-in-the-middle or relay in and outgoing network connections on a system. Link |
telnet.vm | A network protocol used to virtually access a computer and to provide a two-way, collaborative and text-based communication channel between two machines |
windump.vm | Windows version of tcpdump, the command line network analyzer for UNIX |
wireshark.vm | Wireshark lets you capture and interactively browse the traffic running on a computer network. |
Package | Description |
---|---|
dependencywalker.vm | Scans PE files and builds a hierarchical tree diagram of all dependent modules |
dll-to-exe.vm | Converts a DLL into a ready-to-use EXE |
explorersuite.vm | A suite of tools including CFF Explorer and a process viewer. |
pdbs.pdbresym.vm | PDBs downloaded using PDBReSym. Requires substantial disk space. |
pe_unmapper.vm | Small tool to convert between the PE alignments (raw and virtual) |
peanatomist.vm | PE Analysis tool providing detailed information |
pebear.vm | Delivers fast and flexible "first view" for malware analysts |
peid.vm | PEiD detects most common packers, cryptors and compilers for PE files. |
pestudio.vm | The goal of pestudio is to spot artifacts of executable files in order to ease and accelerate Malware Initial Assessment. |
setdllcharacteristics.vm | A CLI tool for manipulating ASLR, DEP, and check signature flags of PE files |
Package | Description |
---|---|
asar.vm | asar decompresses .asar archives |
autoit-ripper.vm | Extracts compiled AutoIt scripts from PE executables. |
pkg-unpacker.vm | Unpacker for pkg applications. |
uniextract2.vm | Universal Extractor 2 is an unofficial updated and extended version of the original UniExtract by Jared Breland. |
upx.vm | UPX is a free, secure, portable, extendable, high-performance executable packer for several executable formats. |
Package | Description |
---|---|
badassmacros.vm | Proof of Concept tool to generate malicious macros leveraging techniques like VBA Purging and Shellcode Obfuscation to evade AV engines. |
confuserex.vm | ConfuserEx is an open-source protector for .NET applications. It is the successor of the Confuser project. |
dotnettojscript.vm | A tool to generate a JScript which bootstraps an arbitrary .NET Assembly and class. |
evilclippy.vm | A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. |
gadgettojscript.vm | A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA scripts. |
invokedosfuscation.vm | Invoke-DOSfuscation is a PowerShell v2.0+ compatible cmd.exe command obfuscation framework. |
invokeobfuscation.vm | Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator. |
stracciatella.vm | Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled. |
syswhispers2.vm | SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls. |
syswhispers3.vm | SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls. |
unhook-bof.vm | This is a Beacon Object File to refresh DLLs and remove their hooks. The code is from Cylance's Universal Unhooking research. |
Package | Description |
---|---|
juicypotato.vm | Juicy Potato is a local privilege escalation tool for Windows, allowing elevation from a service account to NT AUTHORITY\SYSTEM by abusing COM servers. Link |
Package | Description |
---|---|
7zip.vm | 7-zip build with nsis script decompiling |
chrome.extensions.vm | A package for multiple useful chrome extensions from the Chrome webstore. |
cmder.vm | Metapackage for cmder |
cygwin.vm | Wrapper for cygwin and useful cygwin packages |
dokan.vm | Dokan simplifies Windows custom file system creation, similar to Linux's FUSE, without requiring device drivers. Link |
googlechrome.vm | Chrome is a popular web browser. |
ipython.vm | A powerful interactive Python shell |
nasm.vm | Netwide Assembler |
notepadplusplus.vm | Wrapper for Notepad++ |
notepadpp.plugin.compare.vm | ComparePlus plugin for Notepad++ |
notepadpp.plugin.jstool.vm | A JavaScript (JSON) tool for Notepad++ (formerly JSMinNpp) |
notepadpp.plugin.xmltools.vm | XML Tools plugin for Notepad++ |
tor-browser.vm | The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world. |
vcbuildtools.vm | Metapackage that requires the dependencies visualstudio2017buildtools and visualstudio2017-workload-vctools |
vcredist140.vm | Metapackage for Python 3 to ensure all packages use the same Python version. |
visualstudio.vm | Visual Studio is an IDE, installed with useful components and workloads. Takes long to install and requires substantial disk space. |
vscode.extension.jupyter.vm | Jupyter notebook support, interactive programming and computing that supports Intellisense, debugging and more. |
vscode.extension.python.vm | Python language support with extension access points for IntelliSense (Pylance), Debugging (Python Debugger), linting, formatting, refactoring, unit tests, and more. |
vscode.vm | VSCode is a modern, open-source code editor. |
windows-terminal.vm | Windows Terminal is a new, modern, feature-rich, productive terminal application for command-line users. |
Package | Description |
---|---|
libraries.python3.vm | Python 3 libraries useful for common reverse engineering tasks. |
pycdas.vm | pycdas is a Python byte-code disassembler. Link |
pycdc.vm | pycdc is a Python decompiler. Link |
python3.vm | Python 3. |
uncompyle6.vm | uncompyle6 is a decompiler for Python 1.0-3.8. Link |
unpyc3.vm | unpyc3 is a decompiler for Python 3.7+. Link |
Package | Description |
---|---|
azurehound.vm | AzureHound is the BloodHound data collector for Microsoft Azure. |
bloodhound-custom-queries.vm | Custom Query list for the Bloodhound GUI based off my cheatsheet |
bloodhound.vm | BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. |
egress-assess.vm | Egress-Assess is a tool used to test egress data detection capabilities. |
gobuster.vm | Directory/file and DNS busting tool written in Go |
gowitness.vm | gowitness uses Chrome Headless for website screenshots and provides a built-in report viewer. Link |
group3r.vm | Group3r is a tool for pentesters and red teamers to rapidly enumerate relevant settings in AD Group Policy, and to identify exploitable misconfigurations. |
ldapnomnom.vm | Anonymously bruteforce Active Directory usernames from Domain Controllers by abusing LDAP Ping requests (cLDAP) |
mfasweep.vm | MFASweep is a PowerShell script that attempts to log in to various Microsoft services using a provided set of credentials and will attempt to identify if MFA is enabled. |
netgpppassword.vm | .NET/C# implementation of Get-GPPPassword. Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. |
outflank-c2-tool-collection.vm | Contains a collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques. |
routesixtysink.vm | Route Sixty-Sink identifies .NET assembly vulnerabilities using automated source-to-sink analysis. Link |
seatbelt.vm | Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. |
sharphound.vm | SharpHound is an Active Directory ingester tool for BloodHound. |
sharpview.vm | .NET port of PowerView used for information gathering within Active Directory |
sharpwmi.vm | SharpWMI is a C# implementation of various WMI functionality. |
situational-awareness-bof.vm | Situational Awareness BOF offers basic host checks in a Beacon Object File, enabling pre-execution reconnaissance before more invasive commands. Link |
snaffler.vm | Snaffler is a tool for enumerating accessible SMB shares in an Active Directory environment. |
trustedsec-remote-ops-bof.vm | Addition to Situational Awareness BOFs intended for single task Windows primitives such as creating a task, stopping a service, etc. |
Package | Description |
---|---|
reg_export.vm | A CLI that exports the raw content of a registry value to a file |
regcool.vm | RegCool is a flexible editor for the Windows registry database. Link |
registry_explorer.vm | Registry viewer with searching, multi-hive support, plugins, and more. Handles locked files |
regshot.vm | Regshot is a registry comparison tool for tracking system changes by comparing registry snapshots. Link |
total-registry.vm | Replacement for the Windows built-in Regedit.exe tool with improved features. |
Package | Description |
---|---|
blobrunner.vm | BlobRunner is a simple tool to quickly debug shellcode extracted during malware analysis. |
blobrunner64.vm | BlobRunner is a simple tool to quickly debug shellcode extracted during malware analysis. |
scdbg.vm | scdbg is an emulation based shellcode API logger and debugger |
sclauncher.vm | A small program to load 32-bit shellcode and allow for execution or debugging. Can also output PE files from shellcode. |
sclauncher64.vm | A small program to load 64-bit shellcode and allow for execution or debugging. Can also output PE files from shellcode. |
shellcode_launcher.vm | Shellcode launcher utility |
Package | Description |
---|---|
angr.vm | angr is a multi-architecture binary analysis toolkit providing features like disassembly, IR lifting, program instrumentation, symbolic execution, and decompilation. |
apimonitor.vm | API Monitor lets you monitor and control API calls made by applications and services. |
bstrings.vm | Find them strings yo. Built in regex patterns. Handles locked files |
capa-explorer-web.vm | Web interface for exploring and understanding capa results |
capa.vm | capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. |
cryptotester.vm | Utility tool for performing cryptanalysis with a focus on ransomware cryptography |
cyberchef.vm | The Cyber Swiss Army Knife - a web app for encryption, encoding, compression, data analysis, and more. |
keystone.vm | Keystone is a Python library providing a multi-platform, multi-architecture assembler. |
map.vm | Handful of small utility type applications useful for analyzing malicious code. |
pdbresym.vm | PDBReSym simplifies and optimizes interacting with the Microsoft Symbol Server to download PDBs. Link |
pma-labs.vm | Binaries for the book Practical Malware Analysis |
procdot.vm | Creates visual graphs from procmon output |
rat-king-parser.vm | multi-family RAT config parser/extractor |
resourcehacker.vm | Resource Hacker is a resource editor for 32bit and 64bit Windows applications. |
rpcview.vm | RpcView is an open-source tool to explore and decompile all RPC functionalities present on a Microsoft system |
sqlitebrowser.vm | Open source tool to create, design, and edit database files compatible with SQLite. |
sysinternals.vm | Sysinternals suite. |
systeminformer.vm | A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. |
vnc-viewer.vm | Tool for connecting to and interacting with VNC servers. |
winscp.vm | WinSCP is an open source free SFTP client, SCP client, FTPS client and FTP client for Windows. Its main function is file transfer between a local and a remote computer. |
yara.vm | YARA helps identify and classify malware by creating rules based on textual or binary patterns. |
Package | Description |
---|---|
vb-decompiler-lite.vm | VB Decompiler is a decompiler for Visual Basic, VB.NET and C# applications. Link |
vbdec.vm | VBDec is a VB File format viewer, P-Code Disassembler and debugger. Link |
Package | Description |
---|---|
burp-free.vm | Burp Suite Community Edition is the free version of the platform for web application security testing, used to find and exploit vulnerabilities. Link |
Package | Description |
---|---|
fuzzdb.vm | FuzzDB is the most comprehensive open dictionary of fault injection patterns, predictable resource locations, and regex for matching server responses. |
payloadsallthethings.vm | A list of useful payloads and bypasses for Web Application Security. |
seclists.vm | SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. |
statistically-likely-usernames.vm | This resource contains wordlists for creating statistically likely usernames for use in username-enumeration, simulated password-attacks and other security testing tasks. |
Package | Description |
---|---|
codetrack.vm | CodeTrack is a free .NET Performance Profile and Execution Analyzer. Link |
de4dot-cex.vm | de4dot CEx is a de4dot fork with full support for vanilla ConfuserEx. Link |
dnlib.vm | dnlib is a .NET module/assembly reader/writer library. Link |
dnspyex.vm | dnSpyEx is an unofficial continuation of the dnSpy project, which is a debugger and .NET assembly editor. Link |
dotdumper.vm | DotDumper is an automatic unpacker and logger for DotNet Framework targeting files. Link |
dotnet-6.vm | .NET 6. |
dotnet-8.vm | .NET 8. |
dotnet-9.vm | .NET 9. |
extreme_dumper.vm | ExtremeDumper is a .NET Assembly Dumper from memory of processes. Link |
garbageman.vm | GarbageMan is a set of tools designed for .NET heap analysis. Link |
ilspy.vm | ILSpy is a .NET assembly browser and decompiler. Link |
net-reactor-slayer.vm | NETReactorSlayer is a deobfuscator and unpacker for Eziriz .NET Reactor. Link |
psnotify.vm | psnotify is a POC tool to fight .NET anti-dumping tricks. Link |
rundotnetdll.vm | RunDotNetDll is a utility to list all methods of a given .NET Assembly and to invoke them. Link |
sfextract.vm | sfextract extracts contents (assemblies, configuration, etc.) from .NET single file bundles. Link |