# SpecterOps Open-Source Tools

> The official collection of SpecterOps offensive security tools and frameworks documentation

<div style={{ textAlign: 'center', marginBottom: '30px' }}>
  <img src="https://mintcdn.com/specteropsdocs/k1yx6gbUDEwWUifq/logo/specterops-banner.png?fit=max&auto=format&n=k1yx6gbUDEwWUifq&q=85&s=8f8e3cc29277c0c42618246edbbaf88a" alt="SpecterOps Banner" width="1500" height="500" data-path="logo/specterops-banner.png" />
</div>

## Welcome

Welcome to the SpecterOps open-source toolkit documentation. This collection represents years of offensive security research and tool development, covering command and control frameworks, Active Directory security, reconnaissance platforms, and specialized attack tools.

<Note>
  All tools are provided for legitimate security research, penetration testing, and red team operations. Always obtain proper authorization before use.
</Note>

***

## 🎯 Command & Control Frameworks

Enterprise-grade C2 platforms for red team operations and adversary emulation.

<CardGroup cols={3}>
  <Card title="Mythic" img="https://mintcdn.com/specteropsdocs/p-HS7mR7kxSK3hXw/mythic-docs/logo/mythic.png?fit=max&auto=format&n=p-HS7mR7kxSK3hXw&q=85&s=c2ebf8fd4d747f53735cd529ea9c8911" color="#d73502" href="/mythic-docs/home" width="700" height="568" data-path="mythic-docs/logo/mythic.png">
    **Author:** Cody Thomas (@its\_a\_feature\_)

    **Platform:** Cross-platform

    Multiplayer command and control platform with plug-n-play architecture. Supports multiple agents, communication profiles, and real-time collaboration.
  </Card>

  <Card title="Merlin" img="https://mintcdn.com/specteropsdocs/k1yx6gbUDEwWUifq/merlin-docs/logo/Merlin-transparent.png?fit=max&auto=format&n=k1yx6gbUDEwWUifq&q=85&s=b39c276edcb0eb568d99da9b0d0c949e" color="#9370db" href="/merlin-docs/introduction" width="912" height="1500" data-path="merlin-docs/logo/Merlin-transparent.png">
    **Author:** Russel Van Tuyl (@Ne0nd0g)

    **Platform:** Cross-platform

    Post-exploitation C2 framework supporting HTTP/1.1, HTTP/2, and HTTP/3 protocols with modular architecture.
  </Card>
</CardGroup>

***

## 🤖 Mythic Agents

Comprehensive collection of Mythic agents for post-exploitation, system integration, and command augmentation. [View all Mythic agents →](/mythic-agents/index)

### Payload Agents

<CardGroup cols={3}>
  <Card title="Apollo" color="#d73502" img="https://mintcdn.com/specteropsdocs/k1yx6gbUDEwWUifq/mythic-agents/apollo-docs/agent_icons/apollo.svg?fit=max&auto=format&n=k1yx6gbUDEwWUifq&q=85&s=adc8699e25a664b887ce973870350a83" href="/mythic-agents/apollo-docs/documentation-payload/apollo/_index" width="411" height="401" data-path="mythic-agents/apollo-docs/agent_icons/apollo.svg">
    **Platform:** Windows

    C# agent designed for training with advanced OPSEC capabilities, process injection, and extensive post-exploitation commands.
  </Card>

  <Card title="Poseidon" img="https://mintcdn.com/specteropsdocs/oF5dBdHmbzPBm1yB/mythic-agents/poseidon-docs/images/poseidon.svg?fit=max&auto=format&n=oF5dBdHmbzPBm1yB&q=85&s=f94dfeb710783971c26d7c80668b62c9" color="#1e90ff" href="/mythic-agents/poseidon-docs/home" width="512" height="512" data-path="mythic-agents/poseidon-docs/images/poseidon.svg">
    **Platform:** macOS, Linux

    Python-based agent with robust command execution, file operations, and credential harvesting capabilities.
  </Card>

  <Card title="Apfell" img="https://mintcdn.com/specteropsdocs/k1yx6gbUDEwWUifq/mythic-agents/apfell-docs/images/apfell.svg?fit=max&auto=format&n=k1yx6gbUDEwWUifq&q=85&s=68c1d97689aed85746fb830c0b3e789e" color="#32cd32" href="/mythic-agents/apfell-docs/home" width="601" height="651" data-path="mythic-agents/apfell-docs/images/apfell.svg">
    **Platform:** macOS, Linux

    Python agent focused on cross-platform post-exploitation with emphasis on stealth and flexibility.
  </Card>

  <Card title="Merlin" img="https://mintcdn.com/specteropsdocs/k1yx6gbUDEwWUifq/merlin-docs/logo/Merlin-transparent.png?fit=max&auto=format&n=k1yx6gbUDEwWUifq&q=85&s=b39c276edcb0eb568d99da9b0d0c949e" color="#9370db" href="/mythic-agents/merlin-agent-docs/home" width="912" height="1500" data-path="merlin-docs/logo/Merlin-transparent.png">
    **Platform:** Windows, Linux, macOS

    Golang agent with advanced execution and credential manipulation features across all major platforms.
  </Card>

  <Card title="Arachne" img="https://mintcdn.com/specteropsdocs/oF5dBdHmbzPBm1yB/mythic-agents/arachne-docs/images/arachne.svg?fit=max&auto=format&n=oF5dBdHmbzPBm1yB&q=85&s=ca97451d8e2350809648703928f5e0bb" color="#ff6347" href="/mythic-agents/arachne-docs/home" width="512" height="512" data-path="mythic-agents/arachne-docs/images/arachne.svg">
    **Type:** Webshell

    .NET spider agent for BloodHound SharpHound-based Active Directory enumeration and reconnaissance.
  </Card>
</CardGroup>

### Service & Integration Agents

<CardGroup cols={3}>
  <Card title="Bloodhound" img="https://mintcdn.com/specteropsdocs/oF5dBdHmbzPBm1yB/mythic-agents/bloodhound-agent-docs/images/bloodhound.svg?fit=max&auto=format&n=oF5dBdHmbzPBm1yB&q=85&s=aa663e0c5894d08987b71cfacdc79303" color="#dc143c" href="/mythic-agents/bloodhound-agent-docs/home" width="335" height="256" data-path="mythic-agents/bloodhound-agent-docs/images/bloodhound.svg">
    **Type:** BloodHound Integration

    Service agent providing seamless integration with BloodHound Community Edition for AD analysis.
  </Card>

  <Card title="Nemesis" img="https://mintcdn.com/specteropsdocs/oF5dBdHmbzPBm1yB/mythic-agents/nemesis-agent-docs/images/nemesis.svg?fit=max&auto=format&n=oF5dBdHmbzPBm1yB&q=85&s=a6a5c6310b6968db015e93040927cd93" color="#ff8c00" href="/mythic-agents/nemesis-agent-docs/home" width="199" height="199" data-path="mythic-agents/nemesis-agent-docs/images/nemesis.svg">
    **Type:** File Enrichment

    Service agent for automatic file processing, triage, and credential extraction via the Nemesis platform.
  </Card>

  <Card title="Ghostwriter" img="https://mintcdn.com/specteropsdocs/oF5dBdHmbzPBm1yB/mythic-agents/ghostwriter-agent-docs/images/ghostwriter.png?fit=max&auto=format&n=oF5dBdHmbzPBm1yB&q=85&s=ab2c29bd9a6907a897d69501bb358bea" color="#4b0082" href="/mythic-agents/ghostwriter-agent-docs/home" width="300" height="322" data-path="mythic-agents/ghostwriter-agent-docs/images/ghostwriter.png">
    **Type:** Project Management

    Service agent integrating with Ghostwriter for collaborative operations and automated report generation.
  </Card>

  <Card title="Sage" img="https://mintcdn.com/specteropsdocs/oF5dBdHmbzPBm1yB/mythic-agents/sage-docs/images/sage.png?fit=max&auto=format&n=oF5dBdHmbzPBm1yB&q=85&s=8ef0030a0d04804210330c1c37036ec2" color="#20b2aa" href="/mythic-agents/sage-docs/home" width="500" height="500" data-path="mythic-agents/sage-docs/images/sage.png">
    **Type:** AI/LLM Integration

    Virtual agent providing AI capabilities, with support for Anthropic, OpenAI, AWS Bedrock, and Ollama.
  </Card>

  <Card title="Forge" img="https://mintcdn.com/specteropsdocs/oF5dBdHmbzPBm1yB/mythic-agents/forge-docs/images/forge.svg?fit=max&auto=format&n=oF5dBdHmbzPBm1yB&q=85&s=3bf740c80394e5779634bb842f62ecd2" color="#b8860b" href="/mythic-agents/forge-docs/home" width="128" height="128" data-path="mythic-agents/forge-docs/images/forge.svg">
    **Type:** BOF & .NET Executor

    Command augmentation providing BOF and .NET assembly execution across multiple Mythic agents. Pre-configured with SharpCollection and Sliver Armory.
  </Card>
</CardGroup>

***

## 👻 GhostPack Suite

Collection of C# offensive security tools for Windows and Active Directory environments by @harmj0y and team.

<CardGroup cols={3}>
  <Card title="Rubeus" color="#28a745" href="/ghostpack-docs/Rubeus-mdx/overview" icon="ticket">
    **Focus:** Kerberos Attacks

    Raw Kerberos interaction and abuses: ticket requests, extraction, manipulation, roasting, and forgery operations.
  </Card>

  <Card title="Certify" color="#28a745" href="/ghostpack-docs/Certify.wik-mdx/overview" icon="certificate">
    **Focus:** AD CS Attacks

    Comprehensive toolkit for Active Directory Certificate Services enumeration and exploitation (ESC1-ESC16).
  </Card>

  <Card title="SharpDPAPI" color="#28a745" href="/ghostpack-docs/SharpDPAPI-mdx/overview" icon="key">
    **Focus:** Credential Theft

    DPAPI credential extraction from vaults, Chrome, RDG files, KeePass, certificates, and SCCM secrets.
  </Card>

  <Card title="Seatbelt" color="#28a745" href="/ghostpack-docs/Seatbelt-mdx/overview" icon="list-check">
    **Focus:** Host Enumeration

    Comprehensive Windows security enumeration with 120+ commands for system reconnaissance and situational awareness.
  </Card>

  <Card title="SharpUp" color="#28a745" href="/ghostpack-docs/SharpUp-mdx/overview" icon="arrow-up">
    **Focus:** Privilege Escalation

    Windows privilege escalation enumeration with 15 checks for services, registry, credentials, and misconfigurations.
  </Card>

  <Card title="SharpWMI" color="#28a745" href="/ghostpack-docs/SharpWMI-mdx/overview" icon="network-wired">
    **Focus:** WMI Operations

    WMI-based enumeration and lateral movement with AMSI evasion and multiple authentication methods.
  </Card>
</CardGroup>

***

## 🖥️ SCCM Security

Specialized tools for attacking and defending Microsoft Configuration Manager (SCCM) environments.

<CardGroup cols={3}>
  <Card title="SharpSCCM" img="https://mintcdn.com/specteropsdocs/OgofQVXE8JwYYgvt/sharpsccm-docs/logo/sharpsccm.png?fit=max&auto=format&n=OgofQVXE8JwYYgvt&q=85&s=ed22a935a8b61f7f3a0b8eb972b56773" color="#d73502" href="/sharpsccm-docs/overview" width="2100" height="1176" data-path="sharpsccm-docs/logo/sharpsccm.png">
    **Author:** Chris Thompson (@\_Mayyhem)

    **Language:** C#/.NET

    Post-exploitation tool for SCCM lateral movement and credential gathering without requiring admin console access.
  </Card>

  <Card title="SCCMHunter" img="https://mintcdn.com/specteropsdocs/OgofQVXE8JwYYgvt/sccmhunter-docs/logo/sccmhunter.png?fit=max&auto=format&n=OgofQVXE8JwYYgvt&q=85&s=cbe117bad4dfc8e7c7224addad96612b" color="#28a745" href="/sccmhunter-docs/overview" width="3508" height="1818" data-path="sccmhunter-docs/logo/sccmhunter.png">
    **Author:** Garrett Foster (@garrfoster)

    **Language:** Python

    Post-exploitation tool for identifying, profiling, and attacking SCCM infrastructure in Active Directory domains.
  </Card>

  <Card title="Misconfiguration Manager" img="https://mintcdn.com/specteropsdocs/k1yx6gbUDEwWUifq/misconfiguration-manager-docs/misconfiguration_manager.png?fit=max&auto=format&n=k1yx6gbUDEwWUifq&q=85&s=41d68d63b7362108f82364ec21d98d9d" color="#6366f1" href="/misconfiguration-manager-docs/README" width="3119" height="2378" data-path="misconfiguration-manager-docs/misconfiguration_manager.png">
    **Author:** Duane Michael (@subat0mik)

    **Type:** Knowledge Base

    Central repository for SCCM attack techniques, tradecraft, defensive guidance, and hardening recommendations.
  </Card>
</CardGroup>

***

## 🔍 Reconnaissance & OSINT

Tools for intelligence gathering, social engineering preparation, and offensive reconnaissance operations.

<CardGroup cols={2}>
  <Card title="AtlasReaper" color="#ef4444" href="/atlasreaper-docs/overview" icon="scythe">
    **Author:** (@werdhaihai)

    **Language:** C#

    **Target:** Confluence & Jira

    Offensive reconnaissance tool for Atlassian platforms. Enumerate spaces, search for secrets, harvest credentials, and perform social engineering via embedded content.
  </Card>

  <Card title="Ghost Scout" color="#8b5cf6" href="/ghostscout-docs/overview" icon="ghost">
    **Language:** Node.js

    **Features:** LLM-Assisted

    **Target:** Companies & Employees

    OSINT and phishing preparation platform. Automated employee discovery, profile enrichment, and AI-generated personalized pretexts for phishing campaigns.
  </Card>
</CardGroup>

***

## 🎣 Phishing Infrastructure

Comprehensive phishing platforms for social engineering assessments and credential harvesting operations.

<CardGroup cols={3}>
  <Card title="CuddlePhish" img="https://mintcdn.com/specteropsdocs/BBK0AWoMY3kd6fe3/cuddlephish-docs/CuddlePhish.png?fit=max&auto=format&n=BBK0AWoMY3kd6fe3&q=85&s=421762ce6e35966e72fdcd249638b7de" color="#f59e0b" href="/cuddlephish-docs/overview" width="512" height="512" data-path="cuddlephish-docs/CuddlePhish.png">
    **Author:** Forrest Kasler (@fkasler)

    **Type:** Browser-in-the-Middle (BitM)

    Multi-user reverse proxy for bypassing MFA on high-value web applications through real-time session hijacking.
  </Card>

  <Card title="Phishmonger" color="#f59e0b" href="/phishmonger-docs/overview" icon="fish">
    **Author:** Forrest Kasler (@fkasler)

    **Type:** Campaign Management

    Full-featured phishing platform for crafting, templating, scheduling, and tracking phishing campaigns at scale.
  </Card>

  <Card title="Ghost Scout" color="#8b5cf6" href="/ghostscout-docs/overview" icon="ghost">
    **Type:** OSINT & Pretext Generation

    Automated reconnaissance and AI-powered phishing content creation. Discovers targets and generates personalized pretexts.
  </Card>
</CardGroup>

***

## 🛠️ Operations Support

Supporting tools for data enrichment, analysis, and operational efficiency during engagements.

<CardGroup cols={3}>
  <Card title="Nemesis" color="#10b981" img="https://mintcdn.com/specteropsdocs/p-HS7mR7kxSK3hXw/nemesis-docs/docs/images/nemesis-black.png?fit=max&auto=format&n=p-HS7mR7kxSK3hXw&q=85&s=39b08618f9c8860a369af1f506307612" href="/nemesis-docs/docs/" width="1182" height="1182" data-path="nemesis-docs/docs/images/nemesis-black.png">
    **Authors:** Will Schroeder (@harmj0y) & Lee Chagolla-Christensen (@tifkin)

    **Purpose:** File Enrichment Pipeline

    Automated file triage and enrichment platform for processing captured data during red team operations. Extracts credentials, metadata, and intelligence from common file formats.
  </Card>

  <Card title="Misconfiguration Manager" img="https://mintcdn.com/specteropsdocs/k1yx6gbUDEwWUifq/misconfiguration-manager-docs/misconfiguration_manager.png?fit=max&auto=format&n=k1yx6gbUDEwWUifq&q=85&s=41d68d63b7362108f82364ec21d98d9d" color="#6366f1" href="/misconfiguration-manager-docs/README" width="3119" height="2378" data-path="misconfiguration-manager-docs/misconfiguration_manager.png">
    **Author:** Duane Michael (@subat0mik)

    **Purpose:** Knowledge Repository

    Comprehensive database of SCCM attack techniques (CRED, TAKEOVER, ELEVATE, EXEC, etc.) with both offensive and defensive documentation.
  </Card>

  <Card title="Ghostwriter" img="https://mintcdn.com/specteropsdocs/k1yx6gbUDEwWUifq/ghostwriter-docs/images/logo.png?fit=max&auto=format&n=k1yx6gbUDEwWUifq&q=85&s=591933707969ec52e6d6b527a79d16a0" color="#6366f1" href="/ghostwriter-docs/home" width="300" height="322" data-path="ghostwriter-docs/images/logo.png">
    **Author:** Christopher Maddalena (@chrismaddalena)

    **Purpose:** Red Team Project Management

    Ghostwriter is an open-source platform designed to enhance offensive security operations by simplifying report writing, asset tracking, and assessment management.
  </Card>
</CardGroup>

***

## 📚 Tool Categories

<Tabs>
  <Tab title="By Target">
    **Windows Systems**

    * [Apollo](/mythic-agents/apollo-docs/documentation-payload/apollo/_index) (Mythic C# Agent)
    * [Merlin](/mythic-agents/merlin-agent-docs/home) (Mythic Golang Agent)
    * [GhostPack Suite](/ghostpack-docs/index) (Offensive Tools)
    * [Forge](/mythic-agents/forge-docs/home) (BOF & .NET Execution)

    **macOS Systems**

    * [Poseidon](/mythic-agents/poseidon-docs/home) (Mythic Python Agent)
    * [Apfell](/mythic-agents/apfell-docs/home) (Mythic Python Agent)
    * [Merlin](/mythic-agents/merlin-agent-docs/home) (Mythic Golang Agent)

    **Linux Systems**

    * [Poseidon](/mythic-agents/poseidon-docs/home) (Mythic Python Agent)
    * [Apfell](/mythic-agents/apfell-docs/home) (Mythic Python Agent)
    * [Merlin](/mythic-agents/merlin-agent-docs/home) (Mythic Golang Agent)

    **Active Directory**

    * [Bloodhound](/mythic-agents/bloodhound-agent-docs/home) (BloodHound Integration)
    * [Rubeus](/ghostpack-docs/Rubeus-mdx/overview) (Kerberos)
    * [Certify](/ghostpack-docs/Certify.wik-mdx/overview) (AD CS)

    **SCCM Environments**

    * [SharpSCCM](/sharpsccm-docs/overview) (Exploitation)
    * [SCCMHunter](/sccmhunter-docs/overview) (Reconnaissance)
    * [Misconfiguration Manager](/misconfiguration-manager-docs/README) (Knowledge Base)

    **Cloud & SaaS**

    * [AtlasReaper](/atlasreaper-docs/overview) (Confluence/Jira)
    * [CuddlePhish](/cuddlephish-docs/overview) (Web Applications)

    **Social Engineering**

    * [Ghost Scout](/ghostscout-docs/overview) (OSINT & Pretexts)
    * [Phishmonger](/phishmonger-docs/overview) (Campaign Management)
    * [CuddlePhish](/cuddlephish-docs/overview) (MFA Bypass)
  </Tab>

  <Tab title="By Language">
    **C# / .NET**

    * [GhostPack Suite](/ghostpack-docs/index) ([Rubeus](/ghostpack-docs/Rubeus-mdx/overview), [Certify](/ghostpack-docs/Certify.wik-mdx/overview), [SharpDPAPI](/ghostpack-docs/SharpDPAPI-mdx/overview), [SharpUp](/ghostpack-docs/SharpUp-mdx/overview), [SharpWMI](/ghostpack-docs/SharpWMI-mdx/overview), [Seatbelt](/ghostpack-docs/Seatbelt-mdx/overview))
    * [Apollo](/mythic-agents/apollo-docs/documentation-payload/apollo/_index) (Mythic Agent)
    * [Arachne](/mythic-agents/arachne-docs/home) (Mythic Agent)
    * [SharpSCCM](/sharpsccm-docs/overview)
    * [AtlasReaper](/atlasreaper-docs/overview)

    **Python**

    * [Poseidon](/mythic-agents/poseidon-docs/home) (Mythic Agent)
    * [Apfell](/mythic-agents/apfell-docs/home) (Mythic Agent)
    * [SCCMHunter](/sccmhunter-docs/overview)
    * [Mythic](/mythic-docs/home) (Backend)

    **Go**

    * [Merlin](/mythic-agents/merlin-agent-docs/home) (Mythic Agent)
    * [Merlin](/merlin-docs/introduction) (Standalone C2)
    * [Forge](/mythic-agents/forge-docs/home) (Mythic Command Augmentation)
    * [Sage](/mythic-agents/sage-docs/home) (Mythic Virtual Agent)

    **Node.js / JavaScript**

    * [Ghost Scout](/ghostscout-docs/overview)
    * [Phishmonger](/phishmonger-docs/overview) (Components)
    * [CuddlePhish](/cuddlephish-docs/overview)
  </Tab>

  <Tab title="By Phase">
    **Initial Access**

    * [CuddlePhish](/cuddlephish-docs/overview) (MFA Bypass)
    * [Phishmonger](/phishmonger-docs/overview) (Phishing Campaigns)
    * [Ghost Scout](/ghostscout-docs/overview) (Social Engineering)

    **Execution**

    * [Mythic](/mythic-docs/home) (C2 Framework)
    * [Merlin](/merlin-docs/introduction) (C2 Framework)
    * [Apollo](/mythic-agents/apollo-docs/documentation-payload/apollo/_index) (Mythic Agent - Windows)
    * [Poseidon](/mythic-agents/poseidon-docs/home) (Mythic Agent - macOS/Linux)
    * [Apfell](/mythic-agents/apfell-docs/home) (Mythic Agent - macOS/Linux)
    * [Merlin](/mythic-agents/merlin-agent-docs/home) (Mythic Agent - Cross-platform)
    * [Forge](/mythic-agents/forge-docs/home) (BOF & .NET Execution)

    **Persistence**

    * [Rubeus](/ghostpack-docs/Rubeus-mdx/overview) (Golden/Silver Tickets)
    * [Certify](/ghostpack-docs/Certify.wik-mdx/overview) (Certificate Persistence)

    **Privilege Escalation**

    * [SharpUp](/ghostpack-docs/SharpUp-mdx/overview) (Enumeration)
    * [Certify](/ghostpack-docs/Certify.wik-mdx/overview) (AD CS ESCs)
    * [SharpSCCM](/sharpsccm-docs/overview) (SCCM Abuse)

    **Credential Access**

    * [SharpDPAPI](/ghostpack-docs/SharpDPAPI-mdx/overview) (DPAPI Secrets)
    * [Rubeus](/ghostpack-docs/Rubeus-mdx/overview) (Kerberoasting)
    * [SCCMHunter](/sccmhunter-docs/overview) (SCCM Secrets)
    * [Poseidon](/mythic-agents/poseidon-docs/home) (Credential Harvesting)

    **Discovery**

    * [Seatbelt](/ghostpack-docs/Seatbelt-mdx/overview) (Host Enumeration)
    * [SharpWMI](/ghostpack-docs/SharpWMI-mdx/overview) (WMI Queries)
    * [AtlasReaper](/atlasreaper-docs/overview) (Confluence/Jira)
    * [Ghost Scout](/ghostscout-docs/overview) (OSINT)
    * [Arachne](/mythic-agents/arachne-docs/home) (Active Directory Enumeration)
    * [Bloodhound](/mythic-agents/bloodhound-agent-docs/home) (AD Attack Paths)

    **Lateral Movement**

    * [SharpSCCM](/sharpsccm-docs/overview) (SCCM Abuse)
    * [SharpWMI](/ghostpack-docs/SharpWMI-mdx/overview) (WMI Execution)
    * [SCCMHunter](/sccmhunter-docs/overview) (SCCM Pivot)

    **Collection**

    * [Nemesis](/mythic-agents/nemesis-agent-docs/home) (File Enrichment & Triage)
    * [SharpDPAPI](/ghostpack-docs/SharpDPAPI-mdx/overview) (Credential Extraction)
    * [AtlasReaper](/atlasreaper-docs/overview) (Data Exfiltration)

    **Command and Control**

    * [Mythic](/mythic-docs/home) (C2 Platform)
    * [Merlin](/merlin-docs/introduction) (C2 Platform)
    * [Apollo](/mythic-agents/apollo-docs/documentation-payload/apollo/_index) (Windows Agent)
    * [Poseidon](/mythic-agents/poseidon-docs/home) (macOS/Linux Agent)
    * [Apfell](/mythic-agents/apfell-docs/home) (macOS/Linux Agent)
    * [Merlin](/mythic-agents/merlin-agent-docs/home) (Cross-platform Agent)
    * [Sage](/mythic-agents/sage-docs/home) (AI/LLM Integration)
  </Tab>
</Tabs>

***

## 🎓 Resources & Community

<CardGroup cols={3}>
  <Card title="SpecterOps Blog" icon="newspaper" href="https://posts.specterops.io">
    Latest research, attack techniques, and defensive guidance from SpecterOps researchers
  </Card>

  <Card title="BloodHound Slack" icon="slack" href="http://ghst.ly/BHSlack">
    Join the community for tool discussions, support, and collaboration
  </Card>

  <Card title="GitHub Organization" icon="github" href="https://github.com/SpecterOps">
    Source code, issues, and contributions for all SpecterOps open-source projects
  </Card>

  <Card title="Training" icon="graduation-cap" href="https://specterops.io/how-we-help/training-offerings">
    Professional training courses from SpecterOps
  </Card>

  <Card title="Research Papers" icon="file-lines" href="https://specterops.io/blog/category/research">
    In-depth research papers and whitepapers on offensive security topics
  </Card>

  <Card title="Twitter/X" icon="x-twitter" href="https://twitter.com/specterops">
    Follow @SpecterOps for tool updates, research releases, and security insights
  </Card>
</CardGroup>

***

## ⚖️ Responsible Use

<Warning>
  **All tools in this collection are provided for legitimate security testing purposes only.**
</Warning>

These tools should only be used:

* During authorized penetration testing engagements
* In controlled lab environments for research
* For defensive detection development
* With explicit written permission from system owners

**Unauthorized use of these tools may be illegal and unethical.**

Always:

* Obtain proper authorization before testing
* Follow scope and rules of engagement
* Document all activities for client reporting
* Respect privacy laws and regulations
* Use tools responsibly and ethically

<div style={{ textAlign: 'center', marginTop: '40px', paddingTop: '20px', borderTop: '1px solid #e5e7eb' }}>
  <p style={{ color: '#6b7280' }}>
    Maintained by <a href="https://specterops.io">SpecterOps</a>
  </p>
</div>
