30 open-source projects similar to lolbas-project/lolbas, ranked by how many features they have in common.
Nishang is a PowerShell-based offensive security framework designed for red teaming and penetration testing on Windows targets. It functions as a post-exploitation toolkit and payload generator to automate attacks and manage remote targets. The project provides specialized capabilities for bypassing security controls, such as disabling the Antimalware Scan Interface and employing in-memory execution to avoid disk-based detection. It includes a variety of stealthy command and control mechanisms, utilizing non-standard channels like DNS TXT records, ICMP traffic, and webmail for communication a
OffensiveNim is a red teaming framework and post-exploitation toolkit developed in Nim. It provides a collection of low-level primitives and a Windows API wrapper designed for offensive security operations, including malware development and shellcode loading. The project focuses on evasion and obfuscation through techniques such as API unhooking, direct system calls, and anti-debugging mechanisms. It features diverse payload delivery methods, including reflective binary loading, the execution of .NET assemblies via CLR hosting, and various shellcode injection techniques using fibers, COM obje
GTFOBins is a curated knowledge base documenting security-related techniques for Unix-based system binaries. It serves as a reference for offensive security research, detailing how standard, pre-installed system utilities can be repurposed to facilitate privilege escalation, restricted environment escapes, and post-exploitation workflows. The project distinguishes itself by cataloging insecure execution paths and misconfigured permissions inherent in common system tools. By identifying legitimate binary functions that can be leveraged to bypass security controls, the repository provides a str
Mimikatz is a Windows post-exploitation framework designed for extracting plaintext passwords, hashes, PIN codes, and security tokens from system memory and the registry. It functions as a credential extraction tool that targets the Local Security Authority Subsystem Service to retrieve cached credentials and sensitive account data. The project provides specialized capabilities for Active Directory penetration testing, including the simulation of domain controllers to replicate directory secrets. It features a Kerberos ticket manipulator capable of exporting, injecting, and forging authentica
K8tools is a multi-stage attack framework that combines memory-only payload execution, credential testing, port forwarding, privilege escalation, and physical USB-based keystroke injection for comprehensive system compromise. At its core, the Ladon PowerShell module loads a multi-function scanner directly into memory, enabling command execution without writing files to disk, while supporting memory-only payload delivery that downloads and runs obfuscated shellcode or PowerShell commands to evade antivirus detection. The framework distinguishes itself through its breadth of integrated capabili
ClamAV is an open-source antivirus engine and malware detection scanner. It identifies trojans, viruses, and other malicious software by scanning files and data streams against a database of known signatures. The system functions as a signature-based threat detector, allowing for the implementation of threat intelligence by turning malware samples into actionable signatures. It supports the creation of custom malware signatures to identify specific or specialized security threats. The engine provides capabilities for endpoint security monitoring and comprehensive malware detection scanning a
Mimikatz is a security research suite designed for auditing Windows authentication and managing system security configurations. It provides a comprehensive framework for extracting sensitive credentials, manipulating process privileges, and managing digital identity assets directly from system memory or offline memory dumps. The project distinguishes itself through advanced system-level exploitation techniques, including runtime process injection, API hooking, and the ability to bypass cryptographic export restrictions. It features a specialized toolkit for Kerberos protocol operations, allow
LaZagne is a cross-platform credential recovery tool designed to extract passwords and secrets from operating systems, browsers, and applications. It functions as a security utility for retrieving stored credentials from compromised systems during penetration testing. The tool provides capabilities for decrypting domain credentials and extracting sensitive data from system storage, including memory dumps, credential managers, keychains, and password hashes. It recovers stored passwords from common software by accessing plaintext files, APIs, and local databases. The project supports digital
BloodHound is an identity risk management platform and graph-based attack path analyzer used to map identity relationships and permissions in Active Directory. It functions as a security tool for auditing directory services, uncovering unintended privilege relationships, and visualizing sequences of permissions that can lead to domain compromise. The project differentiates itself as a comprehensive adversary emulation framework that coordinates remote agents and executes post-exploitation commands. It includes a reverse proxy for bypassing multi-factor authentication via real-time session hij
MSEdgeRedirect is a tool that intercepts specific Microsoft Edge processes — including News, Search, Widgets, and Weather — and redirects their content to open in the system's default browser instead. It operates by modifying Windows registry keys, using Image File Execution Options to intercept Edge executable launches and redirect them to the default browser protocol handler. The tool stores user preferences in the Windows registry for persistent configuration across sessions, and includes search engine customization that allows users to select from eight built-in search engines or specify
TIC-80 is a fantasy console platform and multi-language game engine that provides a virtual retro game development environment. It operates via a bytecode virtual machine that executes game logic within fixed memory and resolution constraints. The project distinguishes itself by offering integrated asset editors for pixel art, tile maps, and a pattern-based chiptune audio workstation all within a single environment. It supports multi-language scripting, allowing developers to write logic in Lua, JavaScript, or Ruby, and provides a standalone game exporter to package projects into native execu
Falco is an eBPF runtime security monitor and cloud native detection engine that identifies abnormal behavior and security threats across hosts and containers. It functions as a Linux kernel event auditor, capturing system calls and kernel events in real-time to detect malicious activity. The system distinguishes itself through a rule-based threat detection model that evaluates system activity against a library of community-maintained rules and custom security definitions. It enriches raw kernel events with container and Kubernetes metadata to provide observability into isolated environments
CrowdSec is a collaborative, distributed security engine designed for threat detection and infrastructure protection. It functions as an intrusion detection system that parses logs and network traffic to identify malicious patterns, utilizing a bucket-based threshold detection model to aggregate events and trigger alerts. The platform is built on a modular architecture that includes a centralized local API server for managing security signals and a relational database for persistent storage of remediation decisions. What distinguishes the project is its decoupled enforcement model, which offl
Godzilla is a post-exploitation toolkit and webshell management framework designed for remote administration, credential extraction, and memory shell injection. It provides a centralized platform to deploy, control, and monitor encrypted remote access scripts across multiple server environments. The project differentiates itself through a memory shell injector that loads binaries and shellcode directly into server memory to avoid disk-based detection. It also employs polyglot payload injection, deploying encrypted scripts across various language environments to maintain persistent connections
Caldera is an adversary emulation platform and command and control framework designed to simulate cyber attack patterns. It functions as an automated red team tool and threat framework orchestrator, executing attack sequences based on standardized cybersecurity threat frameworks to validate security defenses and detection capabilities. The platform distinguishes itself through the dynamic compilation of customized executable payloads and the use of framework-mapped adversary modeling to structure attack techniques. It manages asynchronous agents on targeted endpoints via a central server acce
Pupy is a command and control framework and post-exploitation suite used for remote administration and system management. It functions as a cross-platform tool for deploying payloads and controlling multiple remote agents through encrypted communication channels. The framework features a multi-platform payload generator that creates custom executable files using configurable network launchers. It employs a network traffic obfuscator that stacks encryption and obfuscation protocols to hide communication from observation. The system provides capabilities for in-memory code execution, remote pr
CUPP is a suite of tools for extracting default credentials from aggregated databases, generating password dictionaries from personal data, profiling targets interactively, and expanding wordlists from dictionary sources. It functions as a password dictionary generator and target profiling tool that collects personal details through interactive questions to build custom password lists for security testing. The project distinguishes itself through a modular command pipeline architecture that chains independent subcommands for downloading remote wordlists, parsing structured credential database
Maskphish is a comprehensive security toolkit that integrates capabilities for digital forensics, network vulnerability scanning, open-source intelligence, penetration testing, and social engineering. It functions as a multi-purpose framework for automating reconnaissance and executing security audits across diverse network environments. The project features a specialized phishing and social engineering toolkit used for cloning websites, masking URLs, and deploying deceptive pages to capture user credentials. It also includes a remote access Trojan builder for generating platform-specific exe
MicaForEveryone is a Windows 11 window customizer and styling tool designed to apply modern backdrop effects and transparency to the title bars of Win32 applications. It functions as a Desktop Window Manager extension that forces specific system materials onto application windows, regardless of whether the native application supports them. The tool specifically targets legacy Win32 application frames, modifying their visual properties to align with the contemporary Fluent Design system. This allows for a consistent visual style across the operating system by updating the appearance of older s
Sigma is a generic SIEM signature format and log event pattern standard used to describe malicious activity. It provides a vendor-neutral system for defining security event patterns in YAML, ensuring that detection logic remains portable across different monitoring platforms. The project maintains a curated library of peer-reviewed detection rules that identify threats and compliance violations. This standardized approach allows for the exchange of threat hunting logic and the translation of generic signatures into specific queries for various security information and event management systems
ReShade is a post-processing shader injector that hooks into DirectX, OpenGL, and Vulkan rendering pipelines to apply custom shaders in real time. It operates by injecting a DLL into the target process, intercepting graphics API calls, and inserting a configurable pipeline of user-selected shader effects that read color and depth buffers to alter the final output. The project distinguishes itself through depth buffer auto-detection, which automatically identifies the depth-stencil attachment in the rendering pipeline, enabling per-pixel depth effects such as ambient occlusion and depth-of-fie
Ladon is an internal network penetration scanner and vulnerability assessment tool designed to identify high-risk security flaws and assets across network segments. It operates as a fileless security scanner, executing its engine and modules directly in memory to avoid leaving a disk footprint on target systems. The project is distinguished by its integration as a plugin for command beacons, specifically within the Cobalt Strike framework. This allows for memory-resident network discovery and vulnerability detection. It further supports stealth operations through payload and script obfuscatio
SuperWeChatPC is a modifier for the WeChat desktop client that unlocks hidden features through memory patching and binary hooks. It functions as a multi-account messaging manager, a messaging data archiver, and a software interface that exposes internal messaging functions to external programs. The project enables the simultaneous operation of multiple independent client instances on a single computer through process isolation. It allows for the transmission of large attachments by bypassing standard file size restrictions and provides a wrapper for programmatic message automation. The tool
Seatbelt is a C# offensive security framework and host security auditor designed to perform endpoint surveys on Windows systems. It functions as a modular tool for identifying vulnerabilities, misconfigurations, and security-relevant artifacts on both local and remote hosts. The project distinguishes itself through a module-based check system that allows for the integration of custom security command units. It features a security event log parser to track logon and process activity, alongside a credential extraction utility for gathering browser history, saved passwords, and cloud credentials
MimiPenguin is a Linux memory credential extractor and password recovery tool designed to isolate and retrieve cleartext user login passwords from active process memory. It functions as a post-exploitation utility for extracting sensitive credentials from desktop user sessions during security assessments. The tool performs Linux memory forensics by analyzing system process memory to identify and isolate credentials. It is used for security penetration testing and evaluating risks associated with memory-based attacks, as well as testing for local privilege escalation. The system targets user-
Evil-WinRM is a penetration testing tool and interactive remote shell designed for managing and executing commands on remote Windows systems via the WinRM protocol. It functions as a security utility for auditing Windows environments through remote command execution and credential manipulation. The tool distinguishes itself through its authentication capabilities, acting as both a Kerberos authentication client using ticket-based files and an NTLM pass-the-hash client that accesses services using password hashes instead of plaintext credentials. To evade detection, it supports in-memory paylo
Empire is a post-exploitation command-and-control (C2) framework designed for red team operations. It deploys and manages agents written in PowerShell, Python, C#, Go, and C across Windows, Linux, and macOS, using encrypted communication channels over HTTP, HTTPS, and SMB. The framework executes over 400 built-in modules for reconnaissance, privilege escalation, credential theft, and lateral movement, and provides a modular engine for authoring custom attack modules. What sets Empire apart is its multi-language agent deployment system, which allows operators to choose implants that suit each
Tracee is a cloud-native runtime security and forensics tool that uses eBPF to capture system calls and kernel events in real time. It operates as a standalone binary or a Helm-deployable agent for Kubernetes, normalizing system calls, network events, and container activities into a unified event pipeline for consistent analysis. The tool distinguishes itself through policy-driven event filtering using YAML-based rules, allowing users to target specific workloads and reduce noise during monitoring. It includes built-in threat detection signatures that flag suspicious behavioral patterns witho
Empire is a command and control framework and post-exploitation toolkit used for network penetration testing. It serves as a centralized platform for coordinating remote agent communication and automating the delivery of security testing payloads to target systems. The project provides a suite of modules for host reconnaissance, lateral movement, and credential harvesting across corporate environments. It functions as a remote administration tool to maintain persistence and execute commands on compromised hosts. The framework incorporates capabilities for agent orchestration and the executio
This project is a post-exploitation framework and command and control platform designed for security research and penetration testing. It functions as a remote access tool consisting of a central command server and encrypted executable payloads that establish reverse shell connections. The system utilizes a web-based dashboard for multi-client administration, allowing for remote host monitoring and direct shell access through an in-browser terminal. It generates cross-platform, encrypted binaries that employ a multi-stage delivery chain and a key exchange mechanism to secure communications.