10 Top Tools for Threat Hunters from Black Hat USA 2019

So you weren't able to make it to Las Vegas this year, or didn’t get to check out all the latest and greatest tools at the booths and workshops? We've got you covered.

Check out these ten short reviews of useful tools presented at Black Hat USA 2019 for threat intelligence analysts, OSINT researchers, forensic investigators, and threat hunters:

King Phisher: Phishing Toolkit for Red Teams

King Phisher

Source: Github

King Phisher, created by SecureState, is a tool designed to simulate real-life scenario phishing attacks that may occur on a corporate network. It’s intended for red teaming, enabling the user to create complex attack scenarios to test internally if anyone in the organization fails to identify the bait.

This highly flexible tool allows you to run numerous phishing campaigns simultaneously, control the phishing email's content (embedded images, HTML, and more), map the location of all the phishing victims, and run SPF checks (Sender Policy Framework) for forging sender address during email delivery.

King Phisher enables red teams to clone web pages on the fly. No more forking through the front end to make the clone look more legit compared to the original site. The toolkit has the capability of harvesting credentials directly from such pages round out this quite robust phishing framework.

CQForensic: Pentesting and Forensics Toolkit


Source: BHUSA2019

If you’re a pentester with network infiltration and privilege escalation needs, then CQTools could make your job easier.

Developed by the CQURE team, this versatile toolkit for penetration testing and forensics facilitates sniffing and spoofing activities, information and password extraction, custom shell and custom payload generation, hiding code from antivirus solutions, keylogging, and leveraging harvested information to deliver attacks.

CQWSLMon allows investigators and analysts to monitor Windows and WSL interaction. CQRegKeyLastWriteTime lets you see the create and modify times of registry keys. CQSecretsDumper allows you to dump credentials, CQNTDSDTDecrypter lets you decrypt ntds.dit (stores all the AD data). CQLsassSecretsDumper dumps DPAPI golden/backup key from LSASS.

CQTools even includes a tool named CQDPAPIKeePassDBDecryptor that decrypts KeePass data. It uses DPAPI data obtained from the domain controller (Active Directory).

In-browser Remote Code Execution with JSShell


Source: Github

If you’ve ever used BeeF framework, then you’ll love this tool because it also latches onto browsers. JSShell, developed by Daniel Abeles, allows the user to attach/hook numerous clients to achieve in-browser remote code execution. You can attach the script payload as XSS on vulnerable web servers when red-teaming or simulating attack scenarios.

JSShell supports cyclic DOM objects, pre-flight scripts, command queue and context, shell pagination, and more. It’s also extensible with the addition of user-driven plugins. If TLS/HTTPS is a must, JSShell supports its integration with Let's Encrypt!

How to Automate and Simplify OSINT Collection

Attack Surface Mapper

Source: Github

Are you looking for a tool to quickly dig through a domain, all its subdomains, email addresses, and company employees? Need something for on-the-fly information gathering?

AttackSurfaceMapper a.k.a. ASM got you covered. Created by Andreas Georgiou and Jacob Wilkin; It uses numerous modules like LinkedInner to map out employees, Shodan for passive port scanning, WeLeakInfo module for knowing which databases an employee email resides in, DNSdumpster for finding out all the subdomains associated with a site, VirusTotal module for finding how malicious certain artifacts are and much more.

ASM proves its value for OSINT investigations and information gathering if you’re trying to go from a domain to just about everything that’s attached to the service without alerting the NOC from poking around. It jumps from one module to the next based on the data it finds in the previous module.

Service Workers at the Backdoor

Shadow Workers

Source: shadow-workers.github.io

Shadow Workers is an open-source C2 created by Claudio Contin and Emmanuel Law designed for helping pentesters and red teams in exploiting XSS and “service workers” inside modern browsers for persistent access to whatever the client has access to through the browser itself. It comes with features like background sync, push notifications, DOM poisoning (via fetch handler), execution of arbitrary JS, and more.

Think of service workers as secondary scripts (typically JS) that run in the background separate from the webpage. Service workers were designed for syncing items, pushing out notifications, and so on.

They can also be used as a tool for browser post-exploitation, as long as the service worker remains active. A service worker may act as a network proxy to the client it’s running on, allowing network interactions directly from the browser - such as port scanning from localhost.

This proxy feature of service workers allows the user who controls the Shadow Workers C2 to browse on the client’s compromised browser as the victim. This powerful capability enables pentesters to access anything the victim’s logged into as the victim.

Also, the DOM poisoning mechanism allows Shadow Workers to modify requests as long as they are within scope; (for example the SW resides in /main/, then it can poison anything in /main/ and after).

Emmanuel Law and Claudio Contin have also released a Chrome extension to help mitigate these style of attacks by allowing/blocking the service workers that are installed by web applications. You can find that tool here.

IOC Explorer Helps Correlate Indicators of Compromise

IoC Explorer

Source: Github

IoC Explorer (Indicator of Compromise) is a tool created by Lion Gu (a security analyst of 360 Enterprise Security Group) for threat hunters, SOC/NSOC, and incident response teams designed to correlate artifacts in an automated fashion.

For instance, you might have nothing more to go on than an email that you need to correlate to some binaries. IoC Explorer will go out and attempt to fetch any domains registered under that email and generate a list of IP addresses. Then the tool correlates binaries that may have a connection to those IP addresses.

The tool relies on various threat intelligence sources to correlate different artifacts. It uses VirusTotal for IP to file, domain to file, domain to IP, file to IP, file to domain, and file to file relations.

In addition to VirusTotal, IoC Explorer uses QiAnXin for domain to IP, domain to email, email to domain, file to IP, and file to domain. IoC Explorer is very flexible - if its threat intelligence sources don't meet your intel needs, you can always add your sources for resolving artifacts to other artifacts.

AVET - the AntiVirus Evasion Tool


Source: BHUSA2019

AVET is a tool designed for taking in EXE, DLL, and shellcode for an executable that can’t be detected by current antivirus programs. AVET uses evasion techniques like process hollowing and shellcode/DLL injection.

Encryption/encoding schemes include RC4 for encryption/decryption. The tool features sandbox evasion techniques such as by file (if file exists, don’t execute), by hostname, by the number of CPU cores, by vendor-specific MAC address prefix, and by specific registry keys.

AVET works with Metasploit's psexec module. To that end, the executable needs first to be compiled as a Windows service, and only then can the payload be used in Metasploit.

Working alongside Metasploit makes AVET particularly useful for pentesters who are already familiar with the framework and are looking at evading AV detection during post-exploitation.

During a live demo in the Blackhat USA Arsenal, AVET was able to evade McAfee AntiVirus detection but later was detected by Windows Defender. For a free open source utility, this tool is a solid pick for testing to see how reliable your environment’s AV software is.

Threat Intelligence Meets DNS: IOC2RPZ


Source: YouTube

DNS is at the core of how the internet functions. It takes in a domain and spits out a corresponding IP address. Malware sometimes uses DNS to communicate with its command and control server. Advertising companies also use DNS for tracking purposes by using complex domain structures.

Public DNS servers address some of these issues. The problem is that you’ll not only have to trust them completely. You’ll also have no control whatsoever over the server and how it may respond to your queries. A policy-driven public DNS does not exist.

DNS RPZ (Response Policy Zone) was built to provide that policy mechanism to a DNS server. Taking in IoCs (indicators of compromise) and then feeding them to a policy-driven DNS server proves effective in blocking malware/phishing campaigns from a heuristic approach.

With IOC2RPZ, you can take thousands of IoC’s and create RPZ feeds that automatically manage/update themselves. It supports DoT (DNS over TLS) and creates zones by incoming requests. IoC’s come from a wide range of sources.

IoC expiration enables the removal of outdated information. IOC2RPC takes the best of two worlds (intel driven IoC + RPZ) and conveniently combines them to help aid in creating a “dynamic firewall” at the DNS level.

New Linux Distro for OSINT Research and DFIR


Source: BHUSA2019

TSURUGI is a dedicated Linux distribution with OSINT investigations, Digital Forensics and Incident Response (DFIR) in mind. It contains a variety of modules - for image recognition/cross-referencing, hashing, mounting, artifacts analysis, data recovery, memory forensics, password recovery, network analysis, and other related tasks. It even includes modules for iOS and Android device information gathering.

For OSINT in particular, TSURUGI comes equipped with EmailHarvester, Maltego, tweet_analyzer, SnapStory, linkedin2username, TorCrawl, WhatBreach, and also the Tor Browser.

TSURUGI's image recognition module proves particularly useful for OSINT investigations where the analyst wants to match a person against a vast bulk of sample images. TSURUGI draws the facial points and frames for accurate resemblance detection.

MITM Detection with MITMEngine



MITMEngine, an open-source library developed by Cloudflare’s Gabriele Fisher and Luke Valenta, has been specifically designed to detect MITM (“monsters in the middleboxes”) between the client and server when establishing a TLS connection.

MITMEngine also powers Cloudflare’s MALCOLM project, a dashboard that displays HTTPS interception statistics across Cloudflare’s network. According to Cloudflare, HTTPS interception occurs primarily in two situations:

  • When a third party root certificate is installed and trusted on a device
  • When accessing a web resource through another server that also has access to the TLS private key for the web resource (for example, a web proxy).

MITM attacks are typically passive attacks (data doesn't get modified in transit), making them hard to detect. The Fisher/Valenta method has taken a new approach by detecting middleboxes through the certificates.

Granted, there could be legitimate reasons why a certificate can differ from the one supplied by the server. Antivirus tools, for example, can at times incorporate their certificates on top of what's already present. Even internal corporate internal networks can inject their root certificates.

Malware also has the capability to snoop on encrypted traffic if the victim has a rogue certificate installed. Some proxies that terminate TLS connections can snoop on encrypted traffic as well if the browser trusts the proxy’s own certificate to handle all the data traversing through it. Certificate warnings generated by browsers cannot be relied upon. MITMEngine closes critical gaps.


The following tools didn’t make it on my review shortlist this year. Still, they are worth closer examination, so check them out:

  • Redhunt OS v2: Virtual machine for adversary emulation and threat hunting
  • BOtB: Break out of the Box / container analysis, exploitation and CICD tool
  • Medaudit: for auditing medical devices and healthcare infrastructure