SpecterOps Projects
===================

  
At SpecterOps, we believe that we can influence our industry's maturation by contributing to the collective knowledge base. We do this by opening our ideas and hypotheses to inspection and criticism. That includes publishing our development works and contributing to the open-source community.
SpecterOps employees control their projects and maintain intellectual property rights and licenses, so most of the projects sponsored by SpecterOps are spread out over many individual GitHub profiles and organizations. We have organized these projects here for your perusal.
You can read more about our commitment to transparency here: A Push Toward Transparency
Featured Projects
The following projects are some of the larger open-source projects SpecterOps has sponsored and supported, and continues to sponsor and support. We hope you find them useful!

BloodHound
> BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment.

|Resource|Link|
| :--- | :--- |
|GitHub||
|Documentation|https://bloodhound.readthedocs.io/en/latest/index.html|
Ghostwriter
> Ghostwriter is a part of your team. It helps you manage clients, projects, reports, and infrastructure in one application. It does not replace some of the more common or traditional project management tools, such as CRMs. Still, it does consolidate all relevant project information in a way for users to easily curate every aspect of their projects.

|Resource|Link|
| :--- | :--- |
|GitHub||
|Homepage||
|Documentation|https://www.ghostwriter.wiki/|
Mythic
> A cross-platform, post-exploit, red teaming framework built with python3, docker, docker-compose, and a web browser UI. It's designed to provide a collaborative and user friendly interface for operators, managers, and reporting throughout red teaming.

|Resource|Link|
| :--- | :--- |
|GitHub||
|Documentation|https://docs.mythic-c2.net/|
Merlin
> Merlin is a cross-platform post-exploitation Command & Control server and agent written in Go.

|Resource|Link|
| :--- | :--- |
|GitHub||
Covenant
> Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.

|Resource|Link|
| :--- | :--- |
|GitHub||
|Homepage||
|Documentation|https://github.com/cobbr/Covenant/wiki|
HardHatC2
> A C# Command & Control framework

|Resource|Link|
| :--- | :--- |
|GitHub||
SharpSploit
> SharpSploit is a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers.

|Resource|Link|
| :--- | :--- |
|GitHub||
|Homepage||
SharpSCCM
> SharpSCCM is a post-exploitation tool designed to leverage Microsoft Endpoint Configuration Manager (a.k.a. ConfigMgr, formerly SCCM) for lateral movement and credential gathering without requiring access to the SCCM administration console GUI.

|Resource|Link|
| :--- | :--- |
|GitHub||
CS2ModRewrite
> This project converts a Cobalt Strike profile to a functional mod_rewrite .htaccess or Nginx config file to support HTTP reverse proxy redirection to a Cobalt Strike teamserver. The use of reverse proxies provides protection to backend C2 servers from profiling, investigation, and general internet background radiation.

|Resource|Link|
| :--- | :--- |
|GitHub||
DomainHunter
> Checks expired domains for categorization/reputation and Archive.org history to determine good candidates for phishing and C2 domain names

|Resource|Link|
| :--- | :--- |
|GitHub||
|Homepage||
KeeThief
> Methods for attacking KeePass 2.X databases, including extraction of encryption key material from memory.

|Resource|Link|
| :--- | :--- |
|GitHub||
Malleable C2
> Cobalt Strike Malleable C2 Design and Reference Guide

|Resource|Link|
| :--- | :--- |
|GitHub||
SharpRDP
> Remote Desktop Protocol .NET Console Application for Authenticated Command Execution

|Resource|Link|
| :--- | :--- |
|GitHub||
StayKit
> Cobalt Strike kit for Persistence

|Resource|Link|
| :--- | :--- |
|GitHub||
PowerSploit (Retired)
> PowerSploit - A PowerShell Post-Exploitation Framework

|Resource|Link|
| :--- | :--- |
|GitHub||
Empire (Retired)
> Empire is a post-exploitation framework with a pure-PowerShell 2.0 Windows agent and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. PowerShell Empire premiered at BSidesLV in 2015, and Python EmPyre premiered at HackMiami in 2016.
>
> The project was retired in 2019, but the code is still available for reference. You can learn more about the end of the project here:

|Resource|Link|
| :--- | :--- |
|GitHub||
|Homepage||
Other Projects
SpecterOps employees have also created and contributed to many other projects, too numerous to list in detail here. These projects are listed below, sorted by the owner's profile.

- Apfell implant written in C#.
- A collection of useful scripts for Cobalt Strike
- Playing around with token manipulation in C#.
- C# application for compressing files and directories
- A collection of C# utilities intended to be used with Cobalt Strike's execute-assembly
- C# application for interacting with Windows Firewall
- A simple script that edits the XML of a macro-enabled Word document (.docm or Word 97 document) to add a reference to a remote stylesheet.
- Simple C# for checking for the existence of credential files related to AWS, Microsoft Azure, and Google Compute.
- Automated network asset, email,…
Members
- BloodHound-Legacy
  Six Degrees of Domain Admin
  PowerShell ★ 11k 3mo ago
- BloodHound
  Six Degrees of Domain Admin
  Go ★ 3.1k 2d ago
- at-ps
  Adversary Tactics - PowerShell Training
  PowerShell ★ 1.6k 6y ago
- SharpHound
  C# Data Collector for BloodHound
  C# ★ 1.3k 25d ago
- Nemesis
  An offensive data enrichment pipeline
  Python ★ 976 3d ago
- AzureHound
  Azure Data Exporter for BloodHound
  Go ★ 921 5d ago
- MSSQLHound
  Go (formerly PowerShell) collector for adding MSSQL attack paths to BloodHound with OpenGraph
  Go ★ 335 3d ago
- TierZeroTable
  Table of AD and Azure assets and whether they belong to Tier Zero
  HTML ★ 266 3mo ago
- presentations
  SpecterOps Presentations
  ★ 226 17d ago
- BloodHoundQueryLibrary
  A community-driven collection of BloodHound queries
  Python ★ 194 12d ago
- cred1py
  A Python POC for CRED1 over SOCKS5
  Python ★ 171 1y ago
- GitHound
  No description.
  PowerShell ★ 139 2d ago
- JamfHound
  JamfHound is a python3 project designed to collect and identify attack paths in Jamf Pro tenants based on existing object permissions by outputting data as JSON for ingestion into BloodHound.
  Python ★ 134 1mo ago
- bloodhound-cli
  No description.
  Go ★ 114 8d ago
- SharpHoundCommon
  Common library used by SharpHound.
  C# ★ 102 4d ago
- ConfigManBearPig
  PowerShell collector for adding SCCM attack paths to BloodHound with OpenGraph
  PowerShell ★ 93 2mo ago
- Janus
  Janus analyzes C2 telemetry to surface failure patterns, operator friction, and automation opportunities across engagements.
  Python ★ 52 4d ago
- SCOMHound
  No description.
  Python ★ 43 6mo ago
- DeepPass2
  Multilayered secret detection tool
  Python ★ 43 4mo ago
- ipc-research
  Inter-Process Communication Mechanisms
  Jupyter Notebook ★ 28 5y ago
- bloodhound-docs
  Official documentation for BloodHound
  Python ★ 27 2d ago
- SnowHound
  No description.
  PowerShell ★ 23 1mo ago
- 1PassHound
  No description.
  PowerShell ★ 19 3mo ago
- DAWGS
  No description.
  Go ★ 17 3d ago
- EntraSSSOHound
  A small collector to model out abusable Seamless Single Sign On edges
  Python ★ 15 4mo ago
- OktaHound
  Okta Data Collector for BloodHound Community
  C# ★ 15 2mo ago
- chronology
  SpecterOps Historical Records
  ★ 15 2y ago
- ghost_scout
  AI Assisted Phishing Agent
  HTML ★ 13 1mo ago
- OpenHound
  No description.
  Python ★ 12 2d ago
- CredentialShuffle
  Credential Shuffle was created by SpecterOps to teach players about BloodHound’s nodes and edges, attack paths, detection possibilities, and remediation strategies in a fun, engaging way. It’s like learning cybersecurity concepts by playing a fast-paced card game!
  ★ 9 1y ago
- specterops
  No description.
  Python ★ 9 3y ago
- chow
  BloodHound Payload Validator
  Go ★ 8 19d ago
- terminal_sync ⑂
  A standalone tool for logging shell commands to GhostWriter automatically
  ★ 7 1y ago
- bloodhound-python-sdk
  No description.
  Python ★ 7 1mo ago
- og-docs-automation
  Documentation automation for OpenGraph extensions
  PowerShell ★ 5 1mo ago
- SpecterOpsDocs
  No description.
  MDX ★ 2 2mo ago
- OpenHound-template
  Extensions template for OpenFech
  Python ★ 2 1mo ago
- CLA
  The Contributor License Agreement and record of signatures
  ★ 2 1mo ago
- bloodhound-scim-extension
  System for Cross-domain Identity Management (SCIM) schema extension for BloodHound
  ★ 2 2mo ago
- bloodhound-go-sdk
  No description.
  Go ★ 2 1y ago
- openhound-jamf
  No description.
  Python ★ 1 3d ago
- specterops.github.io
  No description.
  HTML ★ 1 2mo ago
- ghostwriter-oplog-populate
  No description.
  Python ★ 1 1y ago
- openhound-github
  No description.
  Python ★ 0 22h ago
- openhound-okta
  No description.
  Python ★ 0 2d ago
- go-repl
  No description.
  Go ★ 0 1mo ago
- .github
  No description.
  CSS ★ 0 1mo ago
- bhe-code-exercise
  No description.
  C# ★ 0 7mo ago
- abstractionmaps
  No description.
  ★ 0 6y ago