Open Source PowerShell Security Software
Sort By:
PowerShell Security Software
View 5621 business solutionsBrowse free open source PowerShell Security Software and projects below. Use the toggles on the left to filter open source PowerShell Security Software by OS, license, language, programming language, and project status.
-
MongoDB Atlas runs apps anywhereMongoDB Atlas gives you the freedom to build and run modern applications anywhere—across AWS, Azure, and Google Cloud. With global availability in over 115 regions, Atlas lets you deploy close to your users, meet compliance needs, and scale with confidence across any geography.
-
Our Free Plans just got better! | Auth0You asked, we delivered! Auth0 is excited to expand our Free and Paid plans to include more options so you can focus on building, deploying, and scaling applications without having to worry about your security. Auth0 now, thank yourself later.
-
1
FLARE VM
A collection of software installations scripts for Windows systems
FLARE VM is a security-focused Windows workstation distribution designed for malware analysis, reverse engineering, penetration testing, and threat hunting. It bundles a curated set of tools—disassemblers, debuggers, decompilers, virtualization, forensics utilities, packet capture tools, exploit frameworks, and hex editors—preconfigured to work together. The environment configures paths, dependencies, environment variables, and common tool integrations so analysts can focus on tasks rather than setup. Updates and modular installation let users include only the tools that match their workflow, keeping the VM lean and current. Because security toolchains often clash (DLL versions, signing, privileges), FLARE VM’s packaging handles compatibility issues ahead of time. For investigations involving malware unpacking, sandboxing, static analysis, or code reversing on Windows, the platform dramatically accelerates readiness and consistency across analysts. -
2
SpotX
SpotX patcher used for patching the desktop version of Spotify
SpotX is a community-built Spotify desktop client patcher that blocks audio, video, and banner ads and unlocks premium-like features—such as unlimited skips and custom themes—on Windows, macOS, and Linux. It injects tweaks client-side to redefine the Spotify experience. -
3
BloodHound
Six Degrees of Domain Admin
BloodHound is a single-page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a C# data collector. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment. BloodHound Enterprise is an Attack Path Management solution that continuously maps and quantifies Active Directory Attack Paths. You can remove millions, even billions of Attack Paths within your existing architecture and eliminate the attacker’s easiest, most reliable, and most attractive techniques. -
4
malware-samples
A collection of malware samples and relevant dissection information
This repo is a public collection of malware samples and related dissection/analysis information, maintained by InQuest. It gathers various kinds of malicious artifacts, executables, scripts, macros, obfuscated documents, etc., with metadata (e.g., VirusTotal reports), file carriers, and sample hashes. It’s intended for malware analysts/researchers to help study how malware works, how they are delivered, and how it evolves. -
No-Nonsense Code-to-Cloud Security for Devs | AikidoAikido provides a unified security platform for developers, combining 12 powerful scans like SAST, DAST, and CSPM. AI-driven AutoFix and AutoTriage streamline vulnerability management, while runtime protection blocks attacks.
-
5
ScubaGear
Automation to assess the state of your M365 tenant against CISA
ScubaGear is a PowerShell-based assessment tool developed by CISA to verify that Microsoft 365 tenant configuration aligns with Secure Cloud Business Application (SCuBA) baselines. It automates scanning of M365 environments like Exchange, Defender, Teams, and SharePoint, and outputs compliance reports to help administrators align with best practice security configurations. -
6
BloodHound Legacy
Six Degrees of Domain Admin
BloodHound Legacy is the deprecated open‑source version of the BloodHound Active Directory attack path analysis tool. It uses graph theory to model and visualize privileged relationships in AD, Entra ID, and Azure environments. Security professionals use it to enumerate domain privilege escalation paths, misconfigurations, and attack surfaces in corporate networks -
7
GOAD (Game of Active Directory)
game of active directory
GOAD (Gather Open Attack Data) is a security reconnaissance framework for collecting, enriching, and visualizing open-source intelligence (OSINT) around hosts, domains, and certificates. It automates queries to certificate transparency logs, passive DNS, subdomain enumeration, web endpoints, and other public threat feeds. The tool aggregates results into structured formats and can produce interactive graphs to highlight relationships between entities (e.g. domain → IP → cert → ASN). Analysts can filter, cluster, and explore these relationships to identify infrastructure patterns, potential subdomains, or attack surfaces. Integrations may include metadata like geolocation, WHOIS, and risk scoring to prioritize leads. GOAD helps teams transition from fragmented OSINT tools to a unified reconnaissance dashboard where exploration and filtering are first-class. -
8
PoshC2
C2 framework used to aid red teamers with post-exploitation
PoshC2 is a proxy-aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement. PoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extendible and flexible C2 framework. Out-of-the-box PoshC2 comes PowerShell/C# and Python2/Python3 implants with payloads written in PowerShell v2 and v4, C++ and C# source code, a variety of executables, DLLs and raw shellcode in addition to a Python2/Python3 payload. These enable C2 functionality on a wide range of devices and operating systems, including Windows, *nix and OSX. Shellcode containing in-build AMSI bypass and ETW patching for a high success rate and stealth. Auto-generated Apache Rewrite rules for use in a C2 proxy, protecting your C2 infrastructure and maintaining good operational security. Fully encrypted communications, protecting the confidentiality and integrity of the C2 traffic. -
9
Ultimate AppLocker Bypass List
The most common techniques to bypass AppLocker
UltimateAppLockerByPassList is a community-curated repository that collects known techniques, patterns, and candidate binaries that have been observed or proposed to bypass Microsoft AppLocker and similar executable control policies. The project functions as a living catalog: entries list binaries, script hosts, and patterns that researchers have tested or reported in the wild, along with notes about context, platform constraints, and mitigation ideas. It is aimed primarily at defenders, incident responders, and security researchers who need a consolidated reference to understand common bypass vectors and to validate detection logic. The repository emphasizes defensive use—helping blue teams craft allow-list policies, create detection rules, and test policy hardening in isolated lab environments—rather than offensive exploitation. q -
Photo and Video Editing APIs and SDKsUnlock Picsart's full editing suite by embedding our Editor SDK directly into your platform. Offer your users the power of a full design suite without leaving your site.
-
10
Windows Super God Mode
Creates shortcuts to virtually every special location or action built
This project packages a set of Windows tweaks, shortcuts, and convenience scripts that surface many of the OS’s hidden settings and advanced controls into a single, easy-to-use place. It automates creation of “God Mode” folders and other control-panel shortcuts, removes the need to manually hunt through layers of Settings or the Registry, and often bundles helper scripts for common maintenance tasks. The intent is to put power-user features—tweaks for privacy, appearance, power management, and system behavior—within quick reach so administrators and enthusiasts can configure machines consistently. Because many of the actions touch system settings, the collection emphasizes clear instructions and reversible steps so users can roll back changes if needed. It’s valuable for technicians who want a reproducible baseline for customizing Windows installs, or for home users curious about otherwise-obscure controls. -
11
EmLogs (NoCheating)
A maneira mais prática de verificar se alguém está usando cheats.
por: Desenvolvido para auxiliar na detecção de programas ilegais utilizados em jogos. eng: Developed to assist in the detection of illegal programs used in games. -
12
Active Directory Exploitation
A cheat sheet that contains common enumeration and attack methods
Active-Directory-Exploitation-Cheat-Sheet is a comprehensive, community-curated cheat sheet that collects practical enumeration commands, attack techniques, and quick references for attacking and auditing Windows Active Directory environments. The repository is organized as a stepwise kill-chain: recon, domain enumeration, local privilege escalation, user hunting, BloodHound guidance, lateral movement, persistence, domain-admin takeover, cross-trust attacks, data exfiltration, and a toolbox of payloads and helper scripts. It aggregates short, copy-ready PowerShell, C, .NET and Python snippets as well as command examples so operators can quickly run checks or reproduce techniques in lab environments. The content also includes .NET payload patterns, reverse PowerShell helpers, notes on privileged accounts and groups, and practical tips for hunting or protecting high-value targets. -
13
AzureAD Attack Defense
This publication is a collection of various common attack scenarios
AzureAD-Attack-Defense is a community-maintained playbook that collects common attack scenarios against Microsoft Entra ID (formerly Azure Active Directory) together with detection and mitigation guidance. The repository is organized into focused chapters — for example: Password Spray, Consent Grant, Service Principals in Azure DevOps, Entra Connect Sync Service Account, Replay of Primary Refresh Token (PRT), Entra ID Security Config Analyzer, and Adversary-in-the-Middle — each written to explain the attack, show detection approaches, and recommend mitigation steps. For each scenario the playbook describes the attack flow, maps the techniques to the MITRE ATT&CK framework, and explains how to leverage Microsoft’s security stack (Microsoft Defender XDR, Microsoft Sentinel, Azure Entra ID Connect, and Defender for Cloud) to detect and respond. -
14
BadUSB
Flipper Zero badusb payload library
This project explores USB device emulation attacks—commonly called BadUSB—by demonstrating how commodity USB hardware can impersonate keyboards, network adapters, or storage devices to perform scripted actions on a host. It typically contains firmware examples, payloads, and explanations showing how a device presenting as a Human Interface Device (HID) can inject keystrokes, open shells, or orchestrate data exfiltration when plugged into a machine. The codebase is frequently intended for security research and defensive testing: defenders and red teams use it to validate endpoint controls, USB whitelisting, and user training. Due to the dual-use nature of such techniques, responsible repositories emphasize lab-only experiments, consent-based testing, and mitigations like disabling autorun, enforcing device policies, and using endpoint detection. -
15
BashBunny Payloads
The Official Bash Bunny Payload Repository
This repository is a curated collection of payload scripts and examples for the Hak5 Bash Bunny device, a programmable USB attack platform. Payloads demonstrate how the device can emulate human interface devices (keyboard/mouse), Ethernet adapters, serial gadgets, or mass storage to automate complex workflows once plugged into a host. The collection ranges from benign administrative automation to offensive security demonstrations used in penetration testing, showcasing patterns like keystroke automation, reverse shells, credential capture (for lab use), and lateral transport techniques. Each payload typically includes a payload.txt control file with stages and configurable parameters so operators can adapt behavior to different targets. Because the device and its payloads are powerful, the repository emphasizes responsible use—training, red-team engagements with authorization, and awareness of legal/ethical boundaries. -
16
DeepBlueCLI
PowerShell Module for Threat Hunting via Windows Event Logs
DeepBlueCLI is a PowerShell-centric threat-hunting toolkit built to extract, normalize, and flag suspicious activity from Windows event logs and Sysmon telemetry. It parses common sources—including Windows Security, System, Application, PowerShell logs, and Sysmon event ID 1—then applies a rich set of detection heuristics for things like suspicious account changes, password guessing and spraying, service tampering, PowerShell obfuscation and download-string usage, long or unusual command lines, and credential dumping attempts. Output is emitted as native PowerShell objects so analysts can pipe results to CSV, JSON, HTML, GridView, or custom pipelines for further triage and reporting. The codebase includes helpers for command-line decoding and de-obfuscation (automatic base64/deflate handling), safelisting/hash workflows (DeepBlueHash), and sample EVTX files so teams can test the tool on realistic attack traces. -
17
Domain Password Spray
DomainPasswordSpray is a tool written in PowerShell to perform a passw
DomainPasswordSpray is a focused security tool designed to perform enterprise-scale password spraying assessments against Active Directory environments. It automates the process of attempting common or customized passwords against many accounts while respecting timing and throttling controls to reduce obvious lockout noise. The project includes features for credential list management, target selection (users, service accounts, or collections), and configurable rate limits so testers can tune the balance between coverage and stealth. Output formats include summary reports and structured logs to help analysts triage which accounts were hit and where to prioritize defensive follow-up. The codebase is written to be used by penetration testers, red teams, and security assessors in authorized engagements and emphasizes responsible use; the README explicitly warns against unauthorized use and stresses running tests only with permission. -
18
Invoke-PSImage
Encodes a PowerShell script in the pixels of a PNG file
Invoke-PSImage is a PowerShell utility that hides, extracts, and optionally executes PowerShell payloads inside image files using simple steganography techniques. It can embed a script or binary blob into an image (commonly PNG or JPEG) and later recover that payload without leaving a separate file on disk, enabling in-memory execution workflows. The tool offers options for compression and encryption so the embedded content is both smaller and protected by a passphrase when required. It includes helpers to encode a payload into an image, decode an embedded payload back to readable form, and run the extracted content directly from memory to avoid touching disk. Designed as a compact, single-file PowerShell script, it relies on .NET imaging APIs to manipulate pixel data or metadata and to store the payload in a way that survives ordinary file transfers. Because the project enables hiding and executing code, it’s a dual-use toolkit: useful for red-team exercises, defensive steganography d -
19
Invoke-TheHash
PowerShell Pass The Hash Utils
Invoke-TheHash is a PowerShell module providing utilities to perform “Pass-the-Hash” style remote operations over WMI and SMB by supplying NTLM hashes instead of plaintext passwords. The project includes multiple scripts/modules (Invoke-WMIExec, Invoke-SMBExec, Invoke-SMBEnum, Invoke-SMBClient, and a wrapper Invoke-TheHash) so operators can choose enumeration, file access, or command execution modes. It uses .NET’s TcpClient for direct SMB/WMI connections and performs authentication by inserting an NTLM hash into the NTLMv2 protocol flow. The module supports both local accounts and domain accounts (via domain parameter), and it accepts either LM:NTLM or pure NTLM format hashes. For command execution, it can create services on remote hosts (SMBExec style) or use WMI class methods. Since it works over network protocols rather than relying on built-in Windows clients, it can bypass some limitations or restrictions in constrained environments. -
20
MicroBurst
A collection of scripts for assessing Microsoft Azure security
MicroBurst is a PowerShell toolkit from NetSPI focused on assessing Microsoft Azure security by automating discovery, enumeration, and targeted auditing of cloud services and configurations. It bundles many functions to enumerate Azure resources (subscriptions, VMs, storage accounts, container registries, App Services and more), probe common misconfigurations, and harvest sensitive artifacts when available (for example storage blobs, keys, automation account credentials, and other subscription-level secrets). The project exposes both interactive helpers and scripted commands (e.g., Invoke-EnumerateAzureBlobs, Invoke-EnumerateAzureSubDomains, REST-based VM command execution and storage key retrieval routines) so operators can pivot from discovery to validated proof-of-concept actions during authorized penetration tests. -
21
Microsoft Defender for Cloud
Welcome to the Microsoft Defender for Cloud community repository
Microsoft Defender for Cloud (the community repository) is a centralized collection of programmatic automations, policy definitions, remediation scripts, and visualization workbooks designed to help organizations manage and operationalize Microsoft Defender for Cloud at scale. It packages ready-to-use Azure Policy definitions, Logic App templates, PowerShell automation, remediation actions, and custom workbooks so teams can deploy detections, enforce security posture, and automate responses across subscriptions and tenants. The repo includes playbooks and examples for translating recommendations into automated remediation, along with onboarding and deployment artifacts (including Terraform helpers) to simplify large-scale rollout. Content is explicitly presented as community-driven: contributors can submit Logic Apps, policies, and scripts, and the project documents contribution guidelines and CLA requirements for submissions. -
22
Nishang
Offensive PowerShell for red team and penetration testing
Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing. Import all the scripts in the current PowerShell session (PowerShell v3 onwards). Use the individual scripts with dot sourcing. Note that the help is available for the function loaded after running the script and not the script itself since version 0.3.8. In all cases, the function name is same as the script name. Nishang scripts are flagged by many Anti Viruses as malicious. The scrripts on a target are meant to be used in memory which is very easy to do with PowerShell. Two basic methods to execute PowerShell scripts in memory. Use the in-memory dowload and execute: Use below command to execute a PowerShell script from a remote shell, meterpreter native shell, a web shell etc. and the function exported by it. -
23
PowerSharpPack
Offensive CSharp Projects wraped into Powershell for easy usage
PowerSharpPack is a consolidated offensive-security toolkit that wraps many standalone C# projects into an easy-to-use PowerShell loader. The author compiles, gzip-compresses and base64-encodes each C# binary, then dynamically loads the assemblies into the PowerShell process so operators can invoke powerful .NET tools without dropping executables on disk. The bundle exposes a single entry script (PowerSharpPack.ps1) with switches to select which embedded tool to run and an optional -Command argument to pass tool-specific parameters. Included projects cover a broad range of post-exploitation and reconnaissance needs: Kerberos tooling, host survey utilities, credential and browser data extractors, AD enumeration, privilege escalation helpers, persistence frameworks, and file/handle utilities. For convenience the repo also ships per-binary PowerShell loaders when users prefer to avoid loading the entire pack, plus helper binaries used for compression/encoding. -
24
Security Datasets
Re-play Security Events
Security‑Datasets is a community-driven repository maintained by the Open Threat Research Forge (OTRF) that curates publicly available malicious and benign datasets for threat-hunting, machine learning, event analysis, and cybersecurity research. Datasets include Windows events, logs, alerts, and simulated attack data to support detection engineering and academic research. -
25
powercat
Netshell features all in version 2 powershell
PowerCat is a compact PowerShell implementation of netcat-style networking utilities that makes it easy to create TCP/UDP clients and listeners, forward ports, and move data between sockets and files. It provides both interactive shells and single-command execution modes so operators can create bind shells, reverse shells, or simple file upload/download endpoints using only PowerShell. The tool supports encrypted connections (SSL/TLS) and can act as a basic SOCKS proxy or relay, enabling flexible pivot and tunneling workflows. PowerCat is implemented as a single, portable PowerShell script that favors minimal dependencies and is convenient to drop into a target or use from an admin workstation. Because it reimplements low-level socket behavior in managed code it is especially useful in Windows environments where native tools like netcat are unavailable or restricted.
