Open Source PowerShell Security Software
Sort By:
PowerShell Security Software
View 5740 business solutionsBrowse free open source PowerShell Security Software and projects below. Use the toggles on the left to filter open source PowerShell Security Software by OS, license, language, programming language, and project status.
-
Find Hidden Risks in Windows Task SchedulerWindows Task Scheduler might be hiding critical failures. Download the free JAMS diagnostic tool to uncover problems before they impact production—get a color-coded risk report with clear remediation steps in minutes.
-
AI-generated apps that pass security reviewRetool lets you generate dashboards, admin panels, and workflows directly on your data. Type something like “Build me a revenue dashboard on my Stripe data” and get a working app with security, permissions, and compliance built in from day one. Whether on our cloud or self-hosted, create the internal software your team needs without compromising enterprise standards or control.
-
1
FLARE VM
A collection of software installations scripts for Windows systems
FLARE VM is a security-focused Windows workstation distribution designed for malware analysis, reverse engineering, penetration testing, and threat hunting. It bundles a curated set of tools—disassemblers, debuggers, decompilers, virtualization, forensics utilities, packet capture tools, exploit frameworks, and hex editors—preconfigured to work together. The environment configures paths, dependencies, environment variables, and common tool integrations so analysts can focus on tasks rather than setup. Updates and modular installation let users include only the tools that match their workflow, keeping the VM lean and current. Because security toolchains often clash (DLL versions, signing, privileges), FLARE VM’s packaging handles compatibility issues ahead of time. For investigations involving malware unpacking, sandboxing, static analysis, or code reversing on Windows, the platform dramatically accelerates readiness and consistency across analysts. -
2
SpotX
SpotX patcher used for patching the desktop version of Spotify
SpotX is a community-built Spotify desktop client patcher that blocks audio, video, and banner ads and unlocks premium-like features—such as unlimited skips and custom themes—on Windows, macOS, and Linux. It injects tweaks client-side to redefine the Spotify experience. -
3
malware-samples
A collection of malware samples and relevant dissection information
This repo is a public collection of malware samples and related dissection/analysis information, maintained by InQuest. It gathers various kinds of malicious artifacts, executables, scripts, macros, obfuscated documents, etc., with metadata (e.g., VirusTotal reports), file carriers, and sample hashes. It’s intended for malware analysts/researchers to help study how malware works, how they are delivered, and how it evolves. -
4
Windows Super God Mode
Creates shortcuts to virtually every special location or action built
This project packages a set of Windows tweaks, shortcuts, and convenience scripts that surface many of the OS’s hidden settings and advanced controls into a single, easy-to-use place. It automates creation of “God Mode” folders and other control-panel shortcuts, removes the need to manually hunt through layers of Settings or the Registry, and often bundles helper scripts for common maintenance tasks. The intent is to put power-user features—tweaks for privacy, appearance, power management, and system behavior—within quick reach so administrators and enthusiasts can configure machines consistently. Because many of the actions touch system settings, the collection emphasizes clear instructions and reversible steps so users can roll back changes if needed. It’s valuable for technicians who want a reproducible baseline for customizing Windows installs, or for home users curious about otherwise-obscure controls. -
Our Free Plans just got better! | Auth0You asked, we delivered! Auth0 is excited to expand our Free and Paid plans to include more options so you can focus on building, deploying, and scaling applications without having to worry about your security. Auth0 now, thank yourself later.
-
5
BashBunny Payloads
The Official Bash Bunny Payload Repository
This repository is a curated collection of payload scripts and examples for the Hak5 Bash Bunny device, a programmable USB attack platform. Payloads demonstrate how the device can emulate human interface devices (keyboard/mouse), Ethernet adapters, serial gadgets, or mass storage to automate complex workflows once plugged into a host. The collection ranges from benign administrative automation to offensive security demonstrations used in penetration testing, showcasing patterns like keystroke automation, reverse shells, credential capture (for lab use), and lateral transport techniques. Each payload typically includes a payload.txt control file with stages and configurable parameters so operators can adapt behavior to different targets. Because the device and its payloads are powerful, the repository emphasizes responsible use—training, red-team engagements with authorization, and awareness of legal/ethical boundaries. -
6
BadUSB
Flipper Zero badusb payload library
This project explores USB device emulation attacks—commonly called BadUSB—by demonstrating how commodity USB hardware can impersonate keyboards, network adapters, or storage devices to perform scripted actions on a host. It typically contains firmware examples, payloads, and explanations showing how a device presenting as a Human Interface Device (HID) can inject keystrokes, open shells, or orchestrate data exfiltration when plugged into a machine. The codebase is frequently intended for security research and defensive testing: defenders and red teams use it to validate endpoint controls, USB whitelisting, and user training. Due to the dual-use nature of such techniques, responsible repositories emphasize lab-only experiments, consent-based testing, and mitigations like disabling autorun, enforcing device policies, and using endpoint detection. -
7
DeepBlueCLI
PowerShell Module for Threat Hunting via Windows Event Logs
DeepBlueCLI is a PowerShell-centric threat-hunting toolkit built to extract, normalize, and flag suspicious activity from Windows event logs and Sysmon telemetry. It parses common sources—including Windows Security, System, Application, PowerShell logs, and Sysmon event ID 1—then applies a rich set of detection heuristics for things like suspicious account changes, password guessing and spraying, service tampering, PowerShell obfuscation and download-string usage, long or unusual command lines, and credential dumping attempts. Output is emitted as native PowerShell objects so analysts can pipe results to CSV, JSON, HTML, GridView, or custom pipelines for further triage and reporting. The codebase includes helpers for command-line decoding and de-obfuscation (automatic base64/deflate handling), safelisting/hash workflows (DeepBlueHash), and sample EVTX files so teams can test the tool on realistic attack traces. -
8
GOAD (Game of Active Directory)
game of active directory
GOAD (Gather Open Attack Data) is a security reconnaissance framework for collecting, enriching, and visualizing open-source intelligence (OSINT) around hosts, domains, and certificates. It automates queries to certificate transparency logs, passive DNS, subdomain enumeration, web endpoints, and other public threat feeds. The tool aggregates results into structured formats and can produce interactive graphs to highlight relationships between entities (e.g. domain → IP → cert → ASN). Analysts can filter, cluster, and explore these relationships to identify infrastructure patterns, potential subdomains, or attack surfaces. Integrations may include metadata like geolocation, WHOIS, and risk scoring to prioritize leads. GOAD helps teams transition from fragmented OSINT tools to a unified reconnaissance dashboard where exploration and filtering are first-class. -
9
Microsoft Defender for Cloud
Welcome to the Microsoft Defender for Cloud community repository
Microsoft Defender for Cloud (the community repository) is a centralized collection of programmatic automations, policy definitions, remediation scripts, and visualization workbooks designed to help organizations manage and operationalize Microsoft Defender for Cloud at scale. It packages ready-to-use Azure Policy definitions, Logic App templates, PowerShell automation, remediation actions, and custom workbooks so teams can deploy detections, enforce security posture, and automate responses across subscriptions and tenants. The repo includes playbooks and examples for translating recommendations into automated remediation, along with onboarding and deployment artifacts (including Terraform helpers) to simplify large-scale rollout. Content is explicitly presented as community-driven: contributors can submit Logic Apps, policies, and scripts, and the project documents contribution guidelines and CLA requirements for submissions. -
Atera all-in-one platform IT management software with AI agentsAtera’s AI agents don’t just assist, they act. From detection to resolution, they handle incidents and requests instantly, taking your IT management from automated to autonomous.
-
10
Security Datasets
Re-play Security Events
Security‑Datasets is a community-driven repository maintained by the Open Threat Research Forge (OTRF) that curates publicly available malicious and benign datasets for threat-hunting, machine learning, event analysis, and cybersecurity research. Datasets include Windows events, logs, alerts, and simulated attack data to support detection engineering and academic research. -
11
BloodHound Legacy
Six Degrees of Domain Admin
BloodHound Legacy is the deprecated open‑source version of the BloodHound Active Directory attack path analysis tool. It uses graph theory to model and visualize privileged relationships in AD, Entra ID, and Azure environments. Security professionals use it to enumerate domain privilege escalation paths, misconfigurations, and attack surfaces in corporate networks -
12
Offensive Reverse Shell
Collection of reverse shells for red team operations
The Offensive Reverse Shell Cheat Sheet is a compilation of reverse shell payloads useful for red team operations and penetration testing. It provides ready-to-use code snippets in various programming languages, facilitating the establishment of reverse shells during security assessments. -
13
Invoke-PSImage
Encodes a PowerShell script in the pixels of a PNG file
Invoke-PSImage is a PowerShell utility that hides, extracts, and optionally executes PowerShell payloads inside image files using simple steganography techniques. It can embed a script or binary blob into an image (commonly PNG or JPEG) and later recover that payload without leaving a separate file on disk, enabling in-memory execution workflows. The tool offers options for compression and encryption so the embedded content is both smaller and protected by a passphrase when required. It includes helpers to encode a payload into an image, decode an embedded payload back to readable form, and run the extracted content directly from memory to avoid touching disk. Designed as a compact, single-file PowerShell script, it relies on .NET imaging APIs to manipulate pixel data or metadata and to store the payload in a way that survives ordinary file transfers. -
14
ScubaGear
Automation to assess the state of your M365 tenant against CISA
ScubaGear is a PowerShell-based assessment tool developed by CISA to verify that Microsoft 365 tenant configuration aligns with Secure Cloud Business Application (SCuBA) baselines. It automates scanning of M365 environments like Exchange, Defender, Teams, and SharePoint, and outputs compliance reports to help administrators align with best practice security configurations. -
15
vulnerable-AD
Create a vulnerable active directory
Vulnerable-AD is a PowerShell toolkit that automates the creation of a deliberately insecure Active Directory domain for hands-on labs and testing. It builds a domain controller (or augments an existing AD installation) with a variety of common misconfigurations and intentional weaknesses so practitioners can exercise attack techniques such as Kerberoast, AS-REP roast, DCSync, Pass-the-Hash, Silver/Golden Ticket attacks, and more. The project can create user objects with default or weak passwords, inject passwords into object descriptions, disable SMB signing, and manipulate ACLs to reproduce real-world privilege escalation and persistence scenarios. A convenience wrapper and examples make it straightforward to deploy in a local lab: you can install AD services, run the script on a domain controller, and generate hundreds of vulnerable accounts and conditions for testing. The repository emphasizes full coverage of the listed attack types and includes options to randomize which weakness -
16
windows_hardening
HardeningKitty and Windows Hardening Settings
This repository, also known as HardeningKitty, is a comprehensive Windows hardening checklist for personal and enterprise environments. It translates security benchmarks (e.g., CIS, Microsoft Security Baselines) into actionable Group Policy and registry recommendations. Though designed primarily for Windows 10, it includes workaround modes such as “HailMary” for Windows Home users lacking the Group Policy Editor. -
17
EmLogs (NoCheating)
A maneira mais prática de verificar se alguém está usando cheats.
por: Desenvolvido para auxiliar na detecção de programas ilegais utilizados em jogos. eng: Developed to assist in the detection of illegal programs used in games. -
18
PoshC2
C2 framework used to aid red teamers with post-exploitation
PoshC2 is a proxy-aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement. PoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extendible and flexible C2 framework. Out-of-the-box PoshC2 comes PowerShell/C# and Python2/Python3 implants with payloads written in PowerShell v2 and v4, C++ and C# source code, a variety of executables, DLLs and raw shellcode in addition to a Python2/Python3 payload. These enable C2 functionality on a wide range of devices and operating systems, including Windows, *nix and OSX. Shellcode containing in-build AMSI bypass and ETW patching for a high success rate and stealth. Auto-generated Apache Rewrite rules for use in a C2 proxy, protecting your C2 infrastructure and maintaining good operational security. Fully encrypted communications, protecting the confidentiality and integrity of the C2 traffic. -
19
Active Directory Exploitation
A cheat sheet that contains common enumeration and attack methods
Active-Directory-Exploitation-Cheat-Sheet is a comprehensive, community-curated cheat sheet that collects practical enumeration commands, attack techniques, and quick references for attacking and auditing Windows Active Directory environments. The repository is organized as a stepwise kill-chain: recon, domain enumeration, local privilege escalation, user hunting, BloodHound guidance, lateral movement, persistence, domain-admin takeover, cross-trust attacks, data exfiltration, and a toolbox of payloads and helper scripts. It aggregates short, copy-ready PowerShell, C, .NET and Python snippets as well as command examples so operators can quickly run checks or reproduce techniques in lab environments. The content also includes .NET payload patterns, reverse PowerShell helpers, notes on privileged accounts and groups, and practical tips for hunting or protecting high-value targets. -
20
AzureAD Attack Defense
This publication is a collection of various common attack scenarios
AzureAD-Attack-Defense is a community-maintained playbook that collects common attack scenarios against Microsoft Entra ID (formerly Azure Active Directory) together with detection and mitigation guidance. The repository is organized into focused chapters — for example: Password Spray, Consent Grant, Service Principals in Azure DevOps, Entra Connect Sync Service Account, Replay of Primary Refresh Token (PRT), Entra ID Security Config Analyzer, and Adversary-in-the-Middle — each written to explain the attack, show detection approaches, and recommend mitigation steps. For each scenario the playbook describes the attack flow, maps the techniques to the MITRE ATT&CK framework, and explains how to leverage Microsoft’s security stack (Microsoft Defender XDR, Microsoft Sentinel, Azure Entra ID Connect, and Defender for Cloud) to detect and respond. -
21
BloodHound
Six Degrees of Domain Admin
BloodHound is a single-page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a C# data collector. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment. BloodHound Enterprise is an Attack Path Management solution that continuously maps and quantifies Active Directory Attack Paths. You can remove millions, even billions of Attack Paths within your existing architecture and eliminate the attacker’s easiest, most reliable, and most attractive techniques. -
22
Deffend.net Otus
Helps you to ensure your cyber security through cyber hygiene
Deffend.net Otus aims to help small companies and individuals to avoid cyber security threats through cyber hygiene. It runs on Windows desktop and looks for misconfigurations that may result in cyber security risks. Ensuring cyber hygiene is the first step of preventing cyber security threats. Otus will help to individuals who lack cyber security knowledge and to companies who can not afford getting cyber security consultancy. -
23
Domain Password Spray
A tool written in PowerShell to perform password assessments
DomainPasswordSpray is a focused security tool designed to perform enterprise-scale password spraying assessments against Active Directory environments. It automates the process of attempting common or customized passwords against many accounts while respecting timing and throttling controls to reduce obvious lockout noise. The project includes features for credential list management, target selection (users, service accounts, or collections), and configurable rate limits so testers can tune the balance between coverage and stealth. Output formats include summary reports and structured logs to help analysts triage which accounts were hit and where to prioritize defensive follow-up. The codebase is written to be used by penetration testers, red teams, and security assessors in authorized engagements and emphasizes responsible use; the README explicitly warns against unauthorized use and stresses running tests only with permission. -
24
-
25
Invoke-TheHash
PowerShell Pass The Hash Utils
Invoke-TheHash is a PowerShell module providing utilities to perform “Pass-the-Hash” style remote operations over WMI and SMB by supplying NTLM hashes instead of plaintext passwords. The project includes multiple scripts/modules (Invoke-WMIExec, Invoke-SMBExec, Invoke-SMBEnum, Invoke-SMBClient, and a wrapper Invoke-TheHash) so operators can choose enumeration, file access, or command execution modes. It uses .NET’s TcpClient for direct SMB/WMI connections and performs authentication by inserting an NTLM hash into the NTLMv2 protocol flow. The module supports both local accounts and domain accounts (via domain parameter), and it accepts either LM:NTLM or pure NTLM format hashes. For command execution, it can create services on remote hosts (SMBExec style) or use WMI class methods. Since it works over network protocols rather than relying on built-in Windows clients, it can bypass some limitations or restrictions in constrained environments.