Offensive Security Tools
Detects installation or execution of known offensive security, red team, and exploitation tools
49 rules in offensive_tools.yml
CRITICAL: 39 | HIGH: 10
| Rule ID | Severity | Title | Description | Refs |
|---|---|---|---|---|
| adcs_ | CRITICAL | Certify / ADCS ESC Exploitation Tool | Installs or runs Certify.exe (or the Certipy Python port) with ESC1-8 flags - tools that abuse Active Directory Certificate Services template misconfigurations to issue certificates impersonating high-value accounts and pivot to Domain Admin. | |
| adcs_ | CRITICAL | ADCS ESC1 - Certificate Template Enabled With enrollee-supplies-subject And Any-Purpose EKU | A task publishes or enables an Active Directory Certificate Services template where msPKI-Certificate-Name-Flag has CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) AND the template EKU is Any Purpose, Client Authentication, or Smartcard Logon, AND low-privilege principals (Domain Users / Authenticated Users) have Enroll rights. This is ESC1 from SpecterOps Certified Pre-Owned - any domain user can request a cert with subjectAltName=<Domain Admin> and authenticate as that user forever (until the template is fixed, not the user's password). | |
| bloodhound_ | CRITICAL | BloodHound/SharpHound AD Enumeration | Installs or runs BloodHound or SharpHound for Active Directory attack path mapping | |
| certipy_ | CRITICAL | Certipy AD Certificate Services Abuse | Installs or runs Certipy for exploiting Active Directory Certificate Services misconfigurations | |
| cobalt_ | CRITICAL | Cobalt Strike / C2 Framework | References to Cobalt Strike beacons, Meterpreter, or other Command and Control frameworks | |
| crackmapexec_ | CRITICAL | CrackMapExec / NetExec AD Attack Tool | Installs or runs CrackMapExec (or its successor NetExec/nxc) for Active Directory enumeration, credential spraying, and lateral movement | |
| credential_ | CRITICAL | Credential Dumping Binary | References LaZagne, procdump, comsvcs.dll, lsass, the SAM database, or the SYSTEM hive. All five are credential-dumping primitives associated with active intrusion. | |
| dcsync_ | CRITICAL | DCSync / DCShadow Invocation | Invokes Mimikatz lsadump::dcsync, Invoke-DCSync, or lsadump::dcshadow - techniques that abuse directory replication privileges to pull password hashes for every account in the domain, including krbtgt (golden ticket), or stealthily inject replicated objects. | |
| dpapi_ | CRITICAL | DPAPI Credential Extraction Tooling | Installs or runs SharpDPAPI, SharpChrome, Mimikatz dpapi::* commands, or impacket dpapi.py - tools that decrypt Windows DPAPI-protected secrets (browser cookies/passwords, vault credentials, RDP credentials, WiFi keys) using extracted masterkeys. | |
| enum4linux_ | CRITICAL | Enum4linux SMB/NetBIOS Enumeration | Runs enum4linux or enum4linux-ng for enumerating SMB shares, users, and policies from Windows/Samba hosts | |
| evil_ | CRITICAL | Evil-WinRM Penetration Testing Shell | Installs or runs Evil-WinRM, a WinRM shell used for remote Windows exploitation | |
| exploit_ | CRITICAL | Exploitation Framework | Installs or references exploitation frameworks or known exploit tools | |
| feroxbuster_ | CRITICAL | Feroxbuster Recursive Directory Brute Forcer | Runs feroxbuster for recursive web directory and content discovery | |
| ffuf_ | CRITICAL | FFUF Web Fuzzer | ffuf is invoked with -u/-w/FUZZ markers, the canonical web content-discovery and parameter-fuzzing shape used in offensive engagements. | |
| firefox_ | CRITICAL | Firefox Decrypt Browser Credential Theft | Runs firefox_decrypt to extract saved passwords from Firefox browser profiles | |
| gobuster_ | CRITICAL | Gobuster Directory and DNS Brute Forcer | gobuster is invoked with the dir/dns/vhost/fuzz subcommand. Each enumerates a different namespace and is a textbook reconnaissance tool. | |
| golden_ | CRITICAL | Golden SAML Forgery - ADFS Token-Signing Private Key Exported Or Referenced | A task references the ADFS token-signing certificate private key (AdfsSigningCertificate with -Exportable, Export-PfxCertificate of the ADFS signing cert, or a reference to ADFS\Token-Signing with exportable=true). Once the token-signing private key leaves the ADFS server, an attacker can mint SAML assertions for any user in any federated relying party (Azure AD, AWS, Salesforce, Okta) indefinitely - this is the Golden SAML attack (Solorigate / SUNBURST). Even rotating the user's password does not invalidate the forged tokens until the signing cert is rolled. | |
| hashcat_ | CRITICAL | Password Cracking Tool | Installs or runs password cracking tools like hashcat or John the Ripper | |
| impacket_ | CRITICAL | Impacket Attack Tools | Installs or invokes Impacket tools for network protocol attacks and lateral movement | |
| jsteg_ | CRITICAL | jsteg JPEG Steganography | Uses jsteg to hide or reveal data inside JPEG images using DCT coefficients | |
| kerbrute_ | CRITICAL | Kerbrute Kerberos Brute Force Tool | Installs or runs Kerbrute for Kerberos username enumeration and password brute forcing | |
| linpeas_ | CRITICAL | Privilege Escalation Enumeration Script | Downloads or executes privilege escalation enumeration scripts | |
| mimikatz_ | CRITICAL | Mimikatz Credential Dumping Tool | Installs or invokes Mimikatz, a tool for dumping Windows credentials from memory | |
| nikto_ | CRITICAL | Nikto Web Vulnerability Scanner | Runs Nikto to scan web servers for known vulnerabilities and misconfigurations | |
| ntdsutil_ | CRITICAL | NTDS.dit Database Extraction via ntdsutil | Uses ntdsutil to create IFM snapshots of the Active Directory database for offline credential extraction | |
| nuclei_ | CRITICAL | Nuclei Template-Based Vulnerability Scanner | Runs Nuclei for automated vulnerability scanning using community and custom templates | |
| powerview_ | CRITICAL | PowerView / PowerSploit AD Reconnaissance | Imports or invokes PowerView or PowerSploit for Active Directory enumeration and exploitation | |
| pypykatz_ | CRITICAL | Pypykatz Python Mimikatz Implementation | Installs or runs pypykatz, a Python implementation of Mimikatz for credential extraction | |
| reg_ | CRITICAL | Registry SAM/SYSTEM Hive Credential Dump | Uses 'reg save' to dump SAM, SYSTEM, or SECURITY registry hives for offline credential extraction | |
| responder_ | CRITICAL | Responder LLMNR/NBT-NS Poisoning | Installs or runs Responder for capturing network credentials via LLMNR/NBT-NS poisoning | |
| rubeus_ | CRITICAL | Rubeus Kerberos Attack Tool | Installs or runs Rubeus for Kerberos ticket manipulation and abuse | |
| safetykatz_ | CRITICAL | SafetyKatz Signed-Binary Mimikatz Variant | Installs or runs SafetyKatz - a Mimikatz derivative that combines a minidump of lsass with a modified (and often signed) Mimikatz binary to bypass antivirus and extract credentials from memory. | |
| seatbelt_ | CRITICAL | Seatbelt / SharpUp Situational Awareness | Executes Seatbelt or SharpUp for host enumeration and privilege escalation checks on Windows | |
| sharpdpapi_ | CRITICAL | SharpDPAPI / DonPAPI DPAPI Credential Extraction | Runs SharpDPAPI or DonPAPI to extract secrets protected by Windows DPAPI (credentials, certificates, browser data) | |
| steg_ | CRITICAL | Steganography Brute-Force Tool | Runs stegseek or stegcracker to brute-force steghide passwords on image files | |
| steganography_ | CRITICAL | Steganography Data Extraction | Extracts hidden data from image or audio files using steganography tools | |
| steganography_ | CRITICAL | Steganography Tool Usage | Runs steganography tools to hide or extract data inside images/audio/files | |
| wireless_ | CRITICAL | Wireless/Network Attack Tools | Installs or runs aircrack-ng/airmon-ng/aireplay-ng/airodump-ng/wifite/bettercap/ettercap/mitmproxy/sslstrip. These are wireless or on-path attack tools, not legitimate ops tooling. | |
| wmi_ | CRITICAL | WMI Permanent Event Subscription Persistence (ActiveScriptEventConsumer / CommandLineEventConsumer) | A task creates a WMI permanent event subscription by binding an __EventFilter to an ActiveScriptEventConsumer or CommandLineEventConsumer via __FilterToConsumerBinding. Permanent WMI subscriptions survive reboots, run as SYSTEM, and are not visible in Task Scheduler / Run keys - they are the canonical fileless-persistence primitive catalogued as MITRE T1546.003 and heavily used by APT29, Turla, and modern commodity loaders (Trickbot, Qakbot). There is no legitimate Ansible configuration-management reason to create one. | |
| binwalk_ | HIGH | Binwalk Firmware/Embedded File Extraction | Uses binwalk to scan or extract embedded files and data from firmware or images | |
| exiftool_ | HIGH | Exiftool Metadata Data Hiding | Uses exiftool to write arbitrary data into image metadata fields for covert storage or exfiltration | |
| ldapsearch_ | HIGH | LDAP Directory Enumeration | Uses ldapsearch to query Active Directory or LDAP directories for users, groups, and configuration | |
| nbtscan_ | HIGH | NBTScan NetBIOS Scanner | Runs nbtscan to enumerate NetBIOS names and MAC addresses across a network | |
| rpcclient_ | HIGH | RPC Client Enumeration | Uses rpcclient for RPC-based enumeration of users, groups, and shares on Windows/Samba hosts | |
| rustscan_ | HIGH | RustScan Fast Port Scanner | Runs RustScan for high-speed port scanning of network targets | |
| smbclient_ | HIGH | SMB Share Enumeration and Access Tools | Uses smbclient or smbmap to enumerate or access SMB shares on remote hosts | |
| snmp_ | HIGH | SNMP Enumeration Tools | Runs snmpwalk or onesixtyone for SNMP service enumeration and community string brute forcing | |
| ssl_ | HIGH | SSL/TLS Scanning Tools | Runs testssl.sh or sslscan to probe SSL/TLS configurations for weaknesses | |
| stegoveritas_ | HIGH | StegOveritas Steganography Analysis | Runs stegoveritas, an all-in-one image steganography analysis tool | |