Skip to main content
SpecterOps Banner
Slack

Welcome

Welcome to the SpecterOps open source toolkit documentation. This collection represents years of offensive security research and tool development, covering command and control frameworks, Active Directory security, reconnaissance platforms, and specialized attack tools.
All tools are provided for legitimate security research, penetration testing, and red team operations. Always obtain proper authorization before use.

🎯 Command & Control Frameworks

Enterprise-grade C2 platforms for red team operations and adversary emulation.
mythic

Mythic

Author: Cody Thomas (@its_a_feature_)Platform: Cross-platformMultiplayer command and control platform with plug-n-play architecture. Supports multiple agents, communication profiles, and real-time collaboration.
Merlin-transparent

Merlin

Author: Russel Van Tuyl (@Ne0nd0g)Platform: Cross-platformPost-exploitation C2 framework supporting HTTP/1.1, HTTP/2, and HTTP/3 protocols with modular architecture.

🤖 Mythic Agents

Comprehensive collection of Mythic agents for post-exploitation, system integration, and command augmentation. View all Mythic agents →

Payload Agents

apollo

Apollo

Platform: WindowsC# agent designed for training with advanced OPSEC capabilities, process injection, and extensive post-exploitation commands.
poseidon

Poseidon

Platform: macOS, LinuxPython-based agent with robust command execution, file operations, and credential harvesting capabilities.
apfell

Apfell

Platform: macOS, LinuxPython agent focused on cross-platform post-exploitation with emphasis on stealth and flexibility.
Merlin-transparent

Merlin

Platform: Windows, Linux, macOSGolang agent with advanced execution and credential manipulation features across all major platforms.
arachne

Arachne

Type: Webshell.NET spider agent for BloodHound SharpHound-based Active Directory enumeration and reconnaissance.

Service & Integration Agents

bloodhound

Bloodhound

Type: BloodHound IntegrationService agent providing seamless integration with BloodHound Community Edition for AD analysis.
nemesis

Nemesis

Type: File EnrichmentService agent for automatic file processing, triage, and credential extraction via Nemesis platform.
ghostwriter

Ghostwriter

Type: Project ManagementService agent integrating with Ghostwriter for collaborative operations and automated report generation.
sage

Sage

Type: AI/LLM IntegrationVirtual agent providing AI capabilities supporting Anthropic, OpenAI, AWS Bedrock, and ollama.
forge

Forge

Type: BOF & .NET ExecutorCommand augmentation providing BOF and .NET assembly execution across multiple Mythic agents. Pre-configured with SharpCollection and Sliver Armory.

👻 GhostPack Suite

Collection of C# offensive security tools for Windows and Active Directory environments by @harmj0y and team.

Rubeus

Focus: Kerberos AttacksRaw Kerberos interaction and abuses: ticket requests, extraction, manipulation, roasting, and forgery operations.

Certify

Focus: AD CS AttacksComprehensive toolkit for Active Directory Certificate Services enumeration and exploitation (ESC1-ESC16).

SharpDPAPI

Focus: Credential TheftDPAPI credential extraction from vaults, Chrome, RDG files, KeePass, certificates, and SCCM secrets.

Seatbelt

Focus: Host EnumerationComprehensive Windows security enumeration with 120+ commands for system reconnaissance and situational awareness.

SharpUp

Focus: Privilege EscalationWindows privilege escalation enumeration with 15 checks for services, registry, credentials, and misconfigurations.

SharpWMI

Focus: WMI OperationsWMI-based enumeration and lateral movement with AMSI evasion and multiple authentication methods.

🖥️ SCCM Security

Specialized tools for attacking and defending Microsoft Configuration Manager (SCCM) environments.
sharpsccm

SharpSCCM

Author: Chris Thompson (@_Mayyhem)Language: C#/.NETPost-exploitation tool for SCCM lateral movement and credential gathering without requiring admin console access.
sccmhunter

SCCMHunter

Author: Garrett Foster (@garrfoster)Language: PythonPost-exploitation tool for identifying, profiling, and attacking SCCM infrastructure in Active Directory domains.
misconfiguration_manager

Misconfiguration Manager

Author: Duane Michael (@subat0mik)Type: Knowledge BaseCentral repository for SCCM attack techniques, tradecraft, defensive guidance, and hardening recommendations.

🔍 Reconnaissance & OSINT

Tools for intelligence gathering, social engineering preparation, and offensive reconnaissance operations.

AtlasReaper

Author: (@werdhaihai)Language: C#Target: Confluence & JiraOffensive reconnaissance tool for Atlassian platforms. Enumerate spaces, search for secrets, harvest credentials, and perform social engineering via embedded content.

Ghost Scout

Language: Node.jsFeatures: LLM-AssistedTarget: Companies & EmployeesOSINT and phishing preparation platform. Automated employee discovery, profile enrichment, and AI-generated personalized pretexts for phishing campaigns.

🎣 Phishing Infrastructure

Comprehensive phishing platforms for social engineering assessments and credential harvesting operations.
CuddlePhish

CuddlePhish

Author: Forrest Kasler (@fkasler)Type: Browser-in-the-Middle (BitM)Multi-user reverse proxy for bypassing MFA on high-value web applications through real-time session hijacking.

Phishmonger

Author: Forrest Kasler (@fkasler)Type: Campaign ManagementFull-featured phishing platform for crafting, templating, scheduling, and tracking phishing campaigns at scale.

Ghost Scout

Type: OSINT & Pretext GenerationAutomated reconnaissance and AI-powered phishing content creation. Discovers targets and generates personalized pretexts.

🛠️ Operations Support

Supporting tools for data enrichment, analysis, and operational efficiency during engagements.
nemesis-black

Nemesis

Authors: Will Schroeder (@harmj0y) & Lee Chagolla-Christensen (@tifkin)Purpose: File Enrichment PipelineAutomated file triage and enrichment platform for processing captured data during red team operations. Extracts credentials, metadata, and intelligence from common file formats.
misconfiguration_manager

Misconfiguration Manager

Author: Duane Michael (@subat0mik)Purpose: Knowledge RepositoryComprehensive database of SCCM attack techniques (CRED, TAKEOVER, ELEVATE, EXEC, etc.) with both offensive and defensive documentation.
logo

GhostWriter

Author: Christopher Maddalena (@chrismaddalena)Purpose: Red Team Project ManagementGhostwriter is an open-source platform designed to enhance offensive security operations by simplifying report writing, asset tracking, and assessment management.

📚 Tool Categories

  • By Target
  • By Language
  • By Phase
Windows SystemsmacOS SystemsLinux SystemsActive DirectorySCCM EnvironmentsCloud & SaaSSocial Engineering

🎓 Resources & Community

SpecterOps Blog

Latest research, attack techniques, and defensive guidance from SpecterOps researchers

BloodHound Slack

Join the community for tool discussions, support, and collaboration

GitHub Organization

Source code, issues, and contributions for all SpecterOps open source projects

Training

Professional training courses from SpecterOps

Research Papers

In-depth research papers and whitepapers on offensive security topics

Twitter/X

Follow @SpecterOps for tool updates, research releases, and security insights

⚖️ Responsible Use

All tools in this collection are provided for legitimate security testing purposes only.
These tools should only be used:
  • During authorized penetration testing engagements
  • In controlled lab environments for research
  • For defensive detection development
  • With explicit written permission from system owners
Unauthorized use of these tools may be illegal and unethical. Always:
  • Obtain proper authorization before testing
  • Follow scope and rules of engagement
  • Document all activities for client reporting
  • Respect privacy laws and regulations
  • Use tools responsibly and ethically

Maintained by SpecterOps