Red Team and Blue Team Tools

A curated list of commonly used Red Team and Blue Team tools, grouped by attack lifecycle and defensive function.


🔴 Red Team Tools

Collection

  • BloodHound – Active Directory visualisation

  • linWinPwn – Active Directory enumeration and vulnerability checks

  • Snaffler – Sensitive file and credential discovery across domain-joined file shares


Command and Control

  • Brute Ratel – Commercial command and control framework ($$$)

  • Covenant – Command and control framework (.NET)

  • Havoc – Command and control framework

  • Merlin – Command and control framework (Golang)

  • Metasploit Framework – Exploitation framework with Meterpreter C2 (Ruby)

  • Pupy – Command and control framework (Python)


Credential Access

  • Mimikatz – Windows credential extractor

  • LaZagne – Local password extractor

  • hashcat – Password hash cracking

  • John the Ripper – Password hash cracking

  • SCOMDecrypt – SCOM credential decryption tool

  • nanodump – LSASS process minidump creation

  • eviltree – Python remake of tree with keyword/regex search for credentials in files

  • SeeYouCM-Thief – Parses Cisco CUCM phone configuration files for credentials

  • MailSniper – Microsoft Exchange mail searcher


Defense Evasion

  • Alcatraz – GUI x64 binary obfuscator

  • AMSI Fail – PowerShell snippets that disable AMSI

  • Invoke-Obfuscation – Script obfuscator

  • Mangle – Compiled executable manipulation

  • SharpBlock – EDR bypass by preventing EDR DLLs from executing their entry point

  • Veil – AV-evasion payload generator (Metasploit-compatible)


Discovery

  • adidnsdump – AD-integrated DNS dumping

  • ADRecon – Active Directory reconnaissance

  • PCredz – Credential discovery from PCAP/live traffic

  • PingCastle – Active Directory security assessor

  • Seatbelt – Host situational-awareness survey (C#)

  • scavenger – Post-exploitation scanner for recently used and sensitive files on compromised hosts


Execution

  • demiguise – HTA encryption tool

  • Donut – Position-independent shellcode for in-memory .NET/PE/script execution

  • evil-winrm – WinRM shell

  • Macro_pack – Macro obfuscation

  • PowerSploit – PowerShell exploitation framework

  • Responder – LLMNR, NBT-NS, MDNS poisoner

  • Rubeus – Kerberos interaction and abuse toolkit (C#)

  • secretsdump – Remote SAM/LSA/NTDS hash dumping (Impacket)

  • SharpUp – Windows privilege-escalation misconfiguration checks (C# port of PowerUp)

  • SQLRecon – Offensive MS-SQL toolkit

  • StarFighters – JavaScript/VBScript Empire launcher

  • UltimateAppLockerByPassList – AppLocker bypass techniques


Exfiltration

  • GD-Thief – Google Drive exfiltration

  • Cloakify – Data transformation for exfiltration

  • Dnscat2 – DNS tunneling C2

  • Powershell RAT – Python-based backdoor that exfiltrates screenshots as Gmail attachments

  • PyExfil – Data exfiltration proof-of-concept


Impact

  • Conti Pentester Guide Leak – Conti ransomware affiliate toolkit

  • SlowLoris – Denial-of-service tool

  • usbkill – Anti-forensic kill switch


Initial Access

  • Bash Bunny – USB attack platform

  • EvilGoPhish – Phishing campaign framework

  • Hydra – Brute-force tool

  • King Phisher – Phishing campaign framework

  • SquarePhish – OAuth/QR phishing framework

  • The Social-Engineer Toolkit – Phishing framework


Lateral Movement

  • ADFSpoof – Forge AD FS tokens

  • crackmapexec – Network service exploitation and Active Directory lateral movement toolkit

  • Coercer – Coerce Windows hosts into authenticating to an attacker-controlled machine

  • Enabling RDP – Commands to enable Remote Desktop on a compromised host

  • Forwarding Ports – Local port-forwarding recipes

  • Jenkins reverse shell – Reverse shell from the Jenkins script console

  • kerbrute – Kerberos brute forcing

  • LiquidSnake – Fileless lateral movement

  • PowerLessShell – Remote PowerShell without PowerShell

  • PsExec – Remote command execution

  • Upgrading shell to meterpreter – Upgrading a plain reverse shell to a Meterpreter session

  • WMIOps – WMI remote commands


Persistence

  • Empire – Post-exploitation framework

  • Impacket – Python library and scripts for Windows network protocols (SMB, MSRPC, Kerberos)

  • ligolo-ng – Tunneling tool using TUN interface

  • SharPersist – Windows persistence toolkit


Privilege Escalation

  • ADFSDump – AD FS dump tool

  • Certify – AD CS enumeration and certificate-based privilege escalation

  • Get-GPPPassword – Group Policy Preferences password extraction

  • ImpulsiveDLLHijack – DLL hijack tool

  • LinPEAS – Linux privilege escalation

  • linux-smart-enumeration – Linux privilege escalation

  • Sherlock – PowerShell check for missing patches usable for local privilege escalation

  • Watson – Windows missing-patch enumeration for privilege escalation

  • WinPEAS – Windows privilege escalation


Reconnaissance

  • AORT – Subdomain enumeration

  • AWSBucketDump – S3 bucket enumeration

  • certSniff – Certificate transparency sniffer

  • CloudBrute – Cloud infrastructure brute forcing

  • crt.sh → httprobe → EyeWitness – Automated domain screenshotting

  • Dismap – Asset discovery

  • dnsrecon – DNS enumeration

  • enum4linux – Windows/Samba enumeration

  • feroxbuster – Content discovery

  • GitHarvester – GitHub credential search

  • Gitrob – GitHub sensitive data scanner

  • gobuster – Path brute forcing

  • gowitness – Web screenshot utility

  • jsendpoints – DOM link extraction

  • Metabigor – OSINT tool

  • nuclei – Vulnerability scanner

  • Shodan.io – Internet-exposed asset search

  • skanuvaty – High-speed network scanner

  • spoofcheck – SPF/DMARC checker

  • truffleHog – Secret scanner for git repositories and their history
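
Added example (not spoofcheck's code) of the check a tool like spoofcheck performs: read a domain's SPF and DMARC TXT records and decide whether forged mail from that domain would be rejected. The records are constructed and served from an in-memory dictionary, RECORDS, standing in for DNS; the verdict rule (DMARC must enforce, and SPF must not pass arbitrary senders) is this example's own simplification, not a transcription of spoofcheck's logic.

```python
"""Offline SPF/DMARC spoofability check.

Added example for this list, not spoofcheck's own code. TXT records come from
a constructed in-memory dictionary (RECORDS) instead of DNS so it runs
offline; replace lookup_txt with a real resolver call for live use. The
verdict rule is this example's own simplification, not spoofcheck's.
"""
import re

# Constructed sample records (illustrative, not real lookups): a hardened
# domain, one with monitor-only policies, and one that publishes nothing.
RECORDS = {
    "hardened.example": ["v=spf1 include:_spf.example -all"],
    "_dmarc.hardened.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"],
    "weak.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "bare.example": [],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; an unknown name behaves like NXDOMAIN."""
    return RECORDS.get(name, [])


def get_spf(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    for txt in lookup_txt(domain):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def spf_all_qualifier(spf):
    """Qualifier on the 'all' mechanism: '-', '~', '?', '+', or None if absent."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf)
    if not m:
        return None
    return m.group(1) or "+"  # a bare 'all' is '+all': pass every sender


def get_dmarc(domain):
    """Return the DMARC record as a tag dict, or None if there is none."""
    for txt in lookup_txt("_dmarc." + domain):
        if txt.upper().startswith("V=DMARC1"):
            tags = {}
            for part in txt.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess(domain):
    """Return (spoofable, weaknesses).

    Rule used here: a forged message is only rejected when SPF fails AND a
    DMARC policy tells receivers to act. So the domain is spoofable if DMARC
    does not enforce (missing, p=none, or pct<100) or if SPF passes arbitrary
    senders (missing, '+all', or no 'all' mechanism). A soft fail (~all) is
    reported as a weakness but is not, by itself, a spoofable verdict.
    """
    weaknesses = []
    spf_permissive = False
    spf = get_spf(domain)
    if spf is None:
        weaknesses.append("no SPF record")
        spf_permissive = True
    else:
        q = spf_all_qualifier(spf)
        if q is None or q == "+":
            weaknesses.append("SPF passes any sender (no 'all' mechanism or '+all')")
            spf_permissive = True
        elif q in ("~", "?"):
            weaknesses.append(f"SPF '{q}all' is not a hard fail; receivers may still deliver")

    dmarc_enforced = False
    dmarc = get_dmarc(domain)
    if dmarc is None:
        weaknesses.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        pct = dmarc.get("pct", "100")
        if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) >= 100:
            dmarc_enforced = True
        else:
            weaknesses.append(f"DMARC policy p={policy} pct={pct} does not enforce on all mail")

    return (spf_permissive or not dmarc_enforced), weaknesses


if __name__ == "__main__":
    for d in ("hardened.example", "weak.example", "bare.example"):
        spoofable, why = assess(d)
        print(d, "SPOOFABLE" if spoofable else "protected", why)
```

Run it stand-alone to see each domain's verdict. Note that a strict SPF -all with no DMARC record still counts as spoofable here: without a DMARC policy, receivers are free to deliver mail that fails SPF, which is why the DMARC tools on the blue side of this list (parsedmarc) matter as much as SPF.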


Resource Development

  • Chimera – PowerShell obfuscation

  • Freeze – Payload creation (EDR evasion)

  • HTA – HTA payloads

  • msfvenom – Payload generation

  • Shellter – Dynamic shellcode injection

  • VBA – VBA payloads

  • WordSteal – NTLM hash stealing via Word

  • WSH – Windows Script Host payloads


🔵 Blue Team Tools

Communication and Collaboration

  • Facebook ThreatExchange – Malicious indicator sharing

  • Cyber Security Accounts (Twitter)


Data Recovery

  • Extundelete – ext3/ext4 recovery

  • Recuva – File recovery

  • TestDisk – Data recovery


Digital Forensics

  • Autopsy – Digital forensics platform

  • SANS SIFT – Forensics toolkit

  • The Sleuth Kit – Disk image analysis


Incident Response Planning

  • Incident Response Plan

  • NIST Cybersecurity Framework

  • Ransomware Response Plan


Malware Detection and Analysis

  • Ghidra – Reverse engineering

  • IDA – Disassembler/debugger

  • VirusTotal – File, URL and IOC analysis and sharing


Network Discovery and Mapping

  • Angry IP Scanner – Cross-platform IP and port scanner

  • Masscan – High-speed TCP port scanner

  • Nmap – Port scanning and service/OS fingerprinting

  • Nuclei – Template-based vulnerability scanner

  • Shodan – Internet-exposed asset search

  • ZMap – Internet-wide single-port scanner


Security Monitoring

  • AutorunsToWinEventLog – Autoruns output written to the Windows Event Log

  • Kibana – Data visualization

  • Logstash – Data collection

  • maltrail – Malicious traffic detection

  • parsedmarc – DMARC visualization

  • Phishing Catcher – Certstream phishing detection

  • procfilter – YARA-based process denial

  • Sysmon – System monitoring

  • SysmonSearch – Sysmon log analysis

  • velociraptor – Endpoint visibility
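
Added example of the detection logic Sysmon makes possible, not code from Sysmon or from any tool above: hunt Sysmon Event ID 10 (ProcessAccess) records for handles opened on lsass.exe with memory-read rights, which is what the credential-access tools in the red team list (Mimikatz, nanodump) need. The events are constructed XML in the shape of an exported Windows Event Log record using Sysmon's EventData field names, so it runs offline; ALLOWED_SOURCES is an assumed allow list to tune per estate.

```python
"""Hunt Sysmon Event ID 10 (ProcessAccess) for handles opened on LSASS.

Added example for this list; it is not part of Sysmon or of any tool above.
The events are constructed XML in the shape of an exported Windows Event Log
record (Sysmon EventData field names), so the script runs offline. The
allow list is an assumption to tune per estate.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# winnt.h process access right that lets a caller read another process's
# memory. Credential dumpers need it on LSASS; it is set in the 0x1010,
# 0x1410 and 0x1FFFFF GrantedAccess masks commonly seen in their logs.
PROCESS_VM_READ = 0x0010

# Hypothetical allow list of images that legitimately open LSASS. Keep it
# short and path-exact; tune it against your own baseline.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def sysmon_event(event_id, **fields):
    """Build a constructed Sysmon-style event record as XML text."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
        f"</System><EventData>{data}</EventData></Event>"
    )


# Constructed sample log: one dump attempt from a temp-dir binary, one benign
# OS handle, one limited-rights handle, and one unrelated process-create event.
SAMPLE_EVENTS = [
    sysmon_event(10,
        SourceImage=r"C:\Users\bob\AppData\Local\Temp\nd.exe",
        TargetImage=r"C:\Windows\system32\lsass.exe",
        GrantedAccess="0x1FFFFF",
        CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|UNKNOWN(000001F2A1B30000)"),
    sysmon_event(10,
        SourceImage=r"C:\Windows\system32\csrss.exe",
        TargetImage=r"C:\Windows\system32\lsass.exe",
        GrantedAccess="0x1410",
        CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\SYSTEM32\csrsrv.dll+2d3c"),
    sysmon_event(10,
        SourceImage=r"C:\Windows\system32\taskmgr.exe",
        TargetImage=r"C:\Windows\system32\lsass.exe",
        GrantedAccess="0x1000",
        CallTrace=r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4"),
    sysmon_event(1,
        Image=r"C:\Windows\system32\notepad.exe",
        CommandLine="notepad.exe"),
]


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) from one event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def lsass_access_reasons(event_id, data):
    """Return why an event is suspicious, or [] if it is not LSASS access of concern."""
    if event_id != 10:
        return []
    if not data.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return []
    if data.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return []
    granted = int(data.get("GrantedAccess", "0x0"), 16)
    reasons = []
    if granted & PROCESS_VM_READ:
        reasons.append(f"PROCESS_VM_READ on LSASS (GrantedAccess={data['GrantedAccess']})")
    if "UNKNOWN(" in data.get("CallTrace", ""):
        reasons.append("call trace passes through unbacked memory (injected or reflective code)")
    return reasons


def hunt(events):
    """Return [(SourceImage, reasons)] for every suspicious record in events."""
    hits = []
    for xml_text in events:
        event_id, data = parse_event(xml_text)
        reasons = lsass_access_reasons(event_id, data)
        if reasons:
            hits.append((data["SourceImage"], reasons))
    return hits


if __name__ == "__main__":
    for source, reasons in hunt(SAMPLE_EVENTS):
        print(source)
        for r in reasons:
            print("   ", r)
```

Only the temp-dir binary is reported: csrss.exe is allow-listed, and the 0x1000 handle (PROCESS_QUERY_LIMITED_INFORMATION) cannot read memory. In production, feed this the Event ID 10 records that velociraptor or your SIEM already collects, and expect to extend the allow list with your AV/EDR agent paths.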


Threat Intelligence

  • Maltego – Link analysis and OSINT platform

  • MISP – Malware information sharing

  • ThreatConnect – Threat data aggregation


Threat Tools and Techniques

  • chainsaw – Fast Windows event log search and Sigma-rule hunting

  • EmailAnalyzer – Suspicious email analysis

  • filesec.io – Attacker file extensions

  • freq – Character-pair frequency scoring to spot DGA-style random domains

  • gtfobins.github.io – Linux LOLBins

  • KQL Search – KQL query aggregator

  • lolbas-project.github.io – Windows LOLBins

  • Unprotect Project – Malware evasion techniques

  • VCG – VisualCodeGrepper, static code security scanner

  • yarGen – YARA rule generator
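
Added example of the idea behind freq, written for this list and not taken from freq.py: learn how often each letter follows each other letter in known-good text, then score a domain label by the average probability of its letter pairs, so that a label built from transitions never seen in legitimate names scores near zero. The training words (CORPUS) and the cut-off (THRESHOLD) are constructed assumptions; freq itself ships with a much larger table and its own thresholds.

```python
"""Score domain labels by character-pair frequency to spot DGA-style names.

Added example for this list, a simplified version of the idea behind freq
(Mark Baggett's freq.py), not its code. The training words and the threshold
are constructed assumptions.
"""
import string
from collections import Counter, defaultdict

# Constructed training corpus of benign hostname-like words. Real use would
# train on a large set of legitimate domain labels or English text.
CORPUS = """
secure network server mail login account update support service portal
document report status system admin manager office cloud storage backup
center event monitor alert notice payment invoice customer partner
marketing sales research development engineering platform data analytics
share file image video music shop store market news blog forum help
""".split()

# Assumed cut-off: labels whose average pair probability (in percent) falls
# below this are treated as random-looking.
THRESHOLD = 3.0


def normalise(text):
    """Keep only lowercase a-z; digits and hyphens carry little pair signal here."""
    return "".join(c for c in text.lower() if c in string.ascii_lowercase)


def train(words):
    """Count, for each letter, how often each other letter follows it."""
    table = defaultdict(Counter)
    for word in words:
        w = normalise(word)
        for a, b in zip(w, w[1:]):
            table[a][b] += 1
    return table


TABLE = train(CORPUS)


def score(label, table=TABLE):
    """Average, over the label's letter pairs, of P(next letter | letter) in percent.

    Pairs never seen in training contribute 0, so a label made of unlikely
    transitions averages close to 0 while dictionary-like labels score well
    above it. Labels shorter than two letters have no pairs and score 0.
    """
    s = normalise(label)
    if len(s) < 2:
        return 0.0
    total = 0.0
    for a, b in zip(s, s[1:]):
        row = table.get(a)
        if row:
            total += 100.0 * row[b] / sum(row.values())
    return total / (len(s) - 1)


def registrable_label(fqdn):
    """Return the label DGAs randomise: the one directly left of the TLD.

    Assumes a single-label public suffix; use a public-suffix list to handle
    names under co.uk-style suffixes correctly.
    """
    parts = fqdn.strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_random(fqdn, threshold=THRESHOLD):
    """True when the registrable label scores below the threshold."""
    return score(registrable_label(fqdn)) < threshold


if __name__ == "__main__":
    for name in ("www.securenetwork.org", "xqjzvxzqjv.com", "mailportal.example"):
        print(f"{name:28s} {score(registrable_label(name)):6.2f}  random={looks_random(name)}")
```

Because every pair in a name like xqjzvxzqjv is absent from the training table, it scores exactly 0, while securenetwork scores well above the cut-off. Run over DNS query logs, a scorer like this is cheap enough to apply to every new domain seen, and the false positives it produces (CDN hostnames, hashed labels) are the reason freq pairs the score with an allow list of known services.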


Vulnerability Management

  • HackerOne – Bug bounty management

  • Nessus Essentials – Vulnerability scanner

  • Nexpose – Vulnerability management

  • OpenVAS – Open-source vulnerability scanner
