Welcome
Welcome to the SpecterOps open source toolkit documentation. This collection represents years of offensive security research and tool development, covering command and control frameworks, Active Directory security, reconnaissance platforms, and specialized attack tools.All tools are provided for legitimate security research, penetration testing, and red team operations. Always obtain proper authorization before use.
🎯 Command & Control Frameworks
Enterprise-grade C2 platforms for red team operations and adversary emulation.
Mythic
Author: Cody Thomas (@its_a_feature_)Platform: Cross-platformMultiplayer command and control platform with plug-n-play architecture. Supports multiple agents, communication profiles, and real-time collaboration.
Merlin
Author: Russel Van Tuyl (@Ne0nd0g)Platform: Cross-platformPost-exploitation C2 framework supporting HTTP/1.1, HTTP/2, and HTTP/3 protocols with modular architecture.
🤖 Mythic Agents
Comprehensive collection of Mythic agents for post-exploitation, system integration, and command augmentation. View all Mythic agents →Payload Agents
Apollo
Platform: WindowsC# agent designed for training with advanced OPSEC capabilities, process injection, and extensive post-exploitation commands.
Poseidon
Platform: macOS, LinuxPython-based agent with robust command execution, file operations, and credential harvesting capabilities.
Apfell
Platform: macOS, LinuxPython agent focused on cross-platform post-exploitation with emphasis on stealth and flexibility.
Merlin
Platform: Windows, Linux, macOSGolang agent with advanced execution and credential manipulation features across all major platforms.
Arachne
Type: Webshell.NET spider agent for BloodHound SharpHound-based Active Directory enumeration and reconnaissance.
Service & Integration Agents
Bloodhound
Type: BloodHound IntegrationService agent providing seamless integration with BloodHound Community Edition for AD analysis.
Nemesis
Type: File EnrichmentService agent for automatic file processing, triage, and credential extraction via Nemesis platform.
Ghostwriter
Type: Project ManagementService agent integrating with Ghostwriter for collaborative operations and automated report generation.
Sage
Type: AI/LLM IntegrationVirtual agent providing AI capabilities supporting Anthropic, OpenAI, AWS Bedrock, and ollama.
Forge
Type: BOF & .NET ExecutorCommand augmentation providing BOF and .NET assembly execution across multiple Mythic agents. Pre-configured with SharpCollection and Sliver Armory.
👻 GhostPack Suite
Collection of C# offensive security tools for Windows and Active Directory environments by @harmj0y and team.Rubeus
Focus: Kerberos AttacksRaw Kerberos interaction and abuses: ticket requests, extraction, manipulation, roasting, and forgery operations.
Certify
Focus: AD CS AttacksComprehensive toolkit for Active Directory Certificate Services enumeration and exploitation (ESC1-ESC16).
SharpDPAPI
Focus: Credential TheftDPAPI credential extraction from vaults, Chrome, RDG files, KeePass, certificates, and SCCM secrets.
Seatbelt
Focus: Host EnumerationComprehensive Windows security enumeration with 120+ commands for system reconnaissance and situational awareness.
SharpUp
Focus: Privilege EscalationWindows privilege escalation enumeration with 15 checks for services, registry, credentials, and misconfigurations.
SharpWMI
Focus: WMI OperationsWMI-based enumeration and lateral movement with AMSI evasion and multiple authentication methods.
🖥️ SCCM Security
Specialized tools for attacking and defending Microsoft Configuration Manager (SCCM) environments.
SharpSCCM
Author: Chris Thompson (@_Mayyhem)Language: C#/.NETPost-exploitation tool for SCCM lateral movement and credential gathering without requiring admin console access.
SCCMHunter
Author: Garrett Foster (@garrfoster)Language: PythonPost-exploitation tool for identifying, profiling, and attacking SCCM infrastructure in Active Directory domains.
Misconfiguration Manager
Author: Duane Michael (@subat0mik)Type: Knowledge BaseCentral repository for SCCM attack techniques, tradecraft, defensive guidance, and hardening recommendations.
🔍 Reconnaissance & OSINT
Tools for intelligence gathering, social engineering preparation, and offensive reconnaissance operations.AtlasReaper
Author: (@werdhaihai)Language: C#Target: Confluence & JiraOffensive reconnaissance tool for Atlassian platforms. Enumerate spaces, search for secrets, harvest credentials, and perform social engineering via embedded content.
Ghost Scout
Language: Node.jsFeatures: LLM-AssistedTarget: Companies & EmployeesOSINT and phishing preparation platform. Automated employee discovery, profile enrichment, and AI-generated personalized pretexts for phishing campaigns.
🎣 Phishing Infrastructure
Comprehensive phishing platforms for social engineering assessments and credential harvesting operations.
CuddlePhish
Author: Forrest Kasler (@fkasler)Type: Browser-in-the-Middle (BitM)Multi-user reverse proxy for bypassing MFA on high-value web applications through real-time session hijacking.
Phishmonger
Author: Forrest Kasler (@fkasler)Type: Campaign ManagementFull-featured phishing platform for crafting, templating, scheduling, and tracking phishing campaigns at scale.
Ghost Scout
Type: OSINT & Pretext GenerationAutomated reconnaissance and AI-powered phishing content creation. Discovers targets and generates personalized pretexts.
🛠️ Operations Support
Supporting tools for data enrichment, analysis, and operational efficiency during engagements.
Nemesis
Authors: Will Schroeder (@harmj0y) & Lee Chagolla-Christensen (@tifkin)Purpose: File Enrichment PipelineAutomated file triage and enrichment platform for processing captured data during red team operations. Extracts credentials, metadata, and intelligence from common file formats.
Misconfiguration Manager
Author: Duane Michael (@subat0mik)Purpose: Knowledge RepositoryComprehensive database of SCCM attack techniques (CRED, TAKEOVER, ELEVATE, EXEC, etc.) with both offensive and defensive documentation.
GhostWriter
Author: Christopher Maddalena (@chrismaddalena)Purpose: Red Team Project ManagementGhostwriter is an open-source platform designed to enhance offensive security operations by simplifying report writing, asset tracking, and assessment management.
📚 Tool Categories
- By Target
- By Language
- By Phase
Windows Systems
- Apollo (Mythic C# Agent)
- Merlin (Mythic Golang Agent)
- GhostPack Suite (Offensive Tools)
- Forge (BOF & .NET Execution)
- Bloodhound (BloodHound Integration)
- Rubeus (Kerberos)
- Certify (AD CS)
- SharpSCCM (Exploitation)
- SCCMHunter (Reconnaissance)
- Misconfiguration Manager (Knowledge Base)
- AtlasReaper (Confluence/Jira)
- CuddlePhish (Web Applications)
- Ghost Scout (OSINT & Pretexts)
- Phishmonger (Campaign Management)
- CuddlePhish (MFA Bypass)
🎓 Resources & Community
SpecterOps Blog
Latest research, attack techniques, and defensive guidance from SpecterOps researchers
BloodHound Slack
Join the community for tool discussions, support, and collaboration
GitHub Organization
Source code, issues, and contributions for all SpecterOps open source projects
Training
Professional training courses from SpecterOps
Research Papers
In-depth research papers and whitepapers on offensive security topics
Twitter/X
Follow @SpecterOps for tool updates, research releases, and security insights
⚖️ Responsible Use
These tools should only be used:- During authorized penetration testing engagements
- In controlled lab environments for research
- For defensive detection development
- With explicit written permission from system owners
- Obtain proper authorization before testing
- Follow scope and rules of engagement
- Document all activities for client reporting
- Respect privacy laws and regulations
- Use tools responsibly and ethically
Maintained by SpecterOps