BloodHound Community Edition uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment.

Nemesis is a centralized data processing platform that ingests, enriches, and performs analytics on offensive security assessment data. It ingests data from a variety of sources (C2 frameworks, manual file uploads, Chrome downloads, etc.) and performs a number of automations and analytics on the collected data. It is a SpecterOps R&D project aiming to automate a number of repetitive tasks operators encounter on engagements, empower operators' analytic capabilities and collective knowledge, and create data stores of as much operational data as possible to help guide future research and facilitate offensive data analysis.

Ghostwriter is a part of your team. It helps you manage clients, projects, reports, and infrastructure in one application. It does not replace some of the more common or traditional project management tools, such as CRMs. Still, it does consolidate all relevant project information in a way for users to easily curate every aspect of their projects.

A cross-platform, post-exploit, red teaming framework built with python3, docker, docker-compose, and a web browser UI. It's designed to provide a collaborative and user friendly interface for operators, managers, and reporting throughout red teaming.

Merlin is a cross-platform post-exploitation Command & Control server and agent written in Go.

A C# Command & Control framework

SharpSCCM is a post-exploitation tool designed to leverage Microsoft Endpoint Configuration Manager (a.k.a. ConfigMgr, formerly SCCM) for lateral movement and credential gathering without requiring access to the SCCM administration console GUI.

Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance.

This project converts a Cobalt Strike profile to a functional mod_rewrite .htaccess or Nginx config file to support HTTP reverse proxy redirection to a Cobalt Strike teamserver. The use of reverse proxies provides protection to backend C2 servers from profiling, investigation, and general internet background radiation.

Cobalt Strike Malleable C2 Design and Reference Guide

Remote Desktop Protocol .NET Console Application for Authenticated Command Execution

Cobalt Strike kit for Persistence

Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.

SharpSploit is a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers.

PowerSploit - A PowerShell Post-Exploitation Framework

Empire is a post-exploitation framework with a pure-PowerShell 2.0 Windows agent and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptological-secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. PowerShell Empire premiered at BSidesLV in 2015, and Python EmPyre premiered at HackMiami in 2016.

The project was retired in 2019, but the code is still available for reference. You can learn more about the end of the project here: https://mobile.twitter.com/specterops/status/1156650932421050368