Arsenal

Tools, modules, and field-ready utilities for threat hunting, detection engineering, and security operations.

Active 2025-01-15

CRXMiner

Chrome Extension Security API - AI-powered threat detection for 10,000+ Chrome extensions. Analyze extensions for security risks, malicious behavior, and privacy concerns.

curl -H "Authorization: Bearer crx_your_api_key" "https://crx.michaelhaag.org/api/v1/extensions/{extension_id}"
chrome-extensions security-api ai threat-detection
Active 2025-01-12

MITRE ATT&CK MCP

MCP server providing AI assistants with instant access to the complete MITRE ATT&CK framework - techniques, tactics, groups, software, and mitigations.

npx -y mitre-attack-mcp
mcp mitre-attack threat-intelligence ai
Active 2025-01-10

Security Detections MCP

MCP server that lets AI assistants query 6,500+ security detection rules from Sigma, Splunk ESCU, and Elastic. Detection engineer harder and smarter with AI.

npx -y security-detections-mcp
mcp detection-engineering sigma splunk
Active 2024-12-31

ClickGrab

Finding ClickFix and FakeCAPTCHA like it's 1999. Detection and hunting tools for clipboard hijacking attacks.

Visit https://mhaggis.github.io/ClickGrab/ or git clone https://github.com/MHaggis/ClickGrab.git
clickfix fakecaptcha detection hunting
Active 2024-12-28

NEBULA

Interactive PowerShell framework for testing WMI, COM, LOLBAS, and persistence techniques. Built for red team testing and defense validation.

git clone https://github.com/MHaggis/NEBULA.git && cd NEBULA && Import-Module .\NEBULA.psm1 && Invoke-NEBULA
powershell red-team wmi lolbas
Active 2024-12-01

Atomics on a Friday

Weekly YouTube show exploring atomic tests, detection engineering, and security research. Live demonstrations and deep dives into attack techniques.

Subscribe at youtube.com/@atomicsonafriday
youtube atomic-red-team detection education
Active 2024-12-01

LOLDrivers

Living Off The Land Drivers - A curated list of Windows drivers used by adversaries to bypass security controls. The definitive resource for vulnerable driver detection.

curl -s https://www.loldrivers.io/api/drivers.json | jq
drivers byovd detection windows
Active 2024-12-01

PowerShell-Hunter

PowerShell tools to help defenders hunt smarter, hunt harder. A collection of scripts, queries, and techniques for threat hunting using PowerShell.

git clone https://github.com/MHaggis/PowerShell-Hunter.git && cd PowerShell-Hunter && Import-Module .\PSHunter.psm1
powershell hunting defense triage
Active 2024-11-15

Sysmon-DFIR

Sources, configuration and how to detect evil things utilizing Microsoft Sysmon. A comprehensive collection of Sysmon configurations, documentation, and detection resources.

git clone https://github.com/MHaggis/sysmon-dfir.git && sysmon64.exe -accepteula -i sysmon-dfir\sysmonconfig.xml
sysmon detection dfir windows
Active 2024-11-01

LOLRMM

Living Off The Land Remote Monitoring & Management - A curated list of RMM tools abused by adversaries for persistence and lateral movement.

Visit https://lolrmm.io/ to explore RMM tools and detection strategies
rmm detection persistence lateral-movement
Active 2024-10-20

CBR-Queries

Collection of useful, up-to-date Carbon Black Response queries for threat hunting and detection.

git clone https://github.com/MHaggis/CBR-Queries.git
carbon-black edr hunting queries
Active 2024-10-01

Bootloaders.io

A curated list of known malicious bootloaders for various operating systems. Track and catalog bootloader threats with detection rules and hash prevention.

curl -s https://www.bootloaders.io/api/bootloaders.json | jq
bootloader bootkit detection defense
Active 2024-08-05

ScriptHostTest

Windows Script Host testing framework for validating script execution defenses and detection capabilities.

git clone https://github.com/MHaggis/notes.git && cd notes/utilities/ScriptHostTest && .\Run-Tests.ps1
wsh wscript cscript windows
Active 2024-06-18

ShellSweep

ShellSweeping the evil. PowerShell/Python/Lua tool to detect potential web shells using entropy analysis, machine learning, and YARA rules.

git clone https://github.com/splunk/ShellSweep.git && .\ShellSweep\ShellSweep.ps1
webshell detection hunting entropy
Active 2024-04-14

ASRGEN

ASR Configurator, Essentials and Atomic Testing. Configure and test Attack Surface Reduction rules.

Visit https://asrgen.streamlit.app/ or git clone https://github.com/MHaggis/ASRGEN.git
asr defender windows hardening
Active 2024-02-24

SequelEyes

SQL, IIS, Oh My... Detection and hunting tools for SQL Server and IIS security.

git clone https://github.com/MHaggis/SequelEyes.git && cd SequelEyes && Import-Module .\SequelEyes.psm1
sql iis windows detection
Active 2024-01-13

SDDLMaker

The home of the SDDLMaker. Parse, create, and understand SDDL strings.

git clone https://github.com/MHaggis/SDDLMaker.git && cd SDDLMaker && pip install -r requirements.txt
sddl windows permissions security
Active 2024-11-24

Package-Inferno

A Public Package Scanner for The Community. Scan npm packages for supply chain threats.

git clone https://github.com/MHaggis/Package-Inferno.git && cd Package-Inferno && pip install -r requirements.txt
npm supply-chain scanner security
Experimental 2024-11-04

HeapLeakDetection

Heap leak detection utilities for security research and analysis.

git clone https://github.com/MHaggis/HeapLeakDetection.git
memory heap detection research
Active 2024-10-30

NPM-Threat-Emulation

Helping defenders learn and validate npm supply-chain detections with safe atomic tests.

git clone https://github.com/MHaggis/NPM-Threat-Emulation.git
npm supply-chain detection atomic-testing
Active 2024-10-15

Mandatory Profile Persistence

Windows Mandatory Profile persistence testing toolkit - validating detection coverage for this stealthy persistence technique.

git clone https://github.com/MHaggis/notes.git && cd notes/utilities/MandatoryProfilePersistence
persistence windows profiles red-team
Active 2024-09-15

Hunt-Detect-Prevent

Lists of sources and utilities utilized to hunt, detect and prevent evildoers. A curated collection of security resources.

git clone https://github.com/MHaggis/hunt-detect-prevent.git
resources hunting detection prevention
Active 2024-09-01

Warp Pipe Tester

Network tunnel and port forwarding testing utility for validating connectivity and data exfiltration paths.

curl -O https://raw.githubusercontent.com/MHaggis/notes/master/utilities/warp_pipe_tester.py && python3 warp_pipe_tester.py
networking tunneling port-forwarding python
Active 2024-08-25

AppLockerGen

AppLocker Policy Generator. Create and manage AppLocker policies programmatically.

Visit https://applockergen.streamlit.app/ or git clone https://github.com/MHaggis/AppLockerGen.git
applocker windows policy hardening
Active 2024-08-25

MSIXBuilder

MSIX Building Made Easy for Defenders. Create MSIX packages for testing and analysis.

git clone https://github.com/MHaggis/MSIXBuilder.git && cd MSIXBuilder && Import-Module .\MSIXBuilder.psm1
msix windows packaging defense
Active 2024-08-10

Notes

Full of public notes and utilities. A collection of technical notes, scripts, and security research documentation.

git clone https://github.com/MHaggis/notes.git
notes documentation utilities research
Active 2024-07-20

Sysmon Splunk App

A Splunk app for visualizing and analyzing Sysmon data. Dashboards and saved searches for effective Sysmon analysis.

Download the app package and install via Splunk > Apps > Install from File
splunk sysmon visualization siem
Active 2024-07-10

SQLSSTT

SQL Server Security Testing Toolkit - comprehensive SQL Server security assessment and exploitation framework.

git clone https://github.com/MHaggis/notes.git && cd notes/utilities/SQLSSTT
sql-server database-security pentesting mssql
Active 2024-06-15

S3 Open Access Check

Comprehensive AWS S3 bucket security assessment tool that checks for common misconfigurations and data exposure risks.

curl -O https://raw.githubusercontent.com/MHaggis/notes/master/utilities/AWS/S3OpenAccessCheck.sh && chmod +x S3OpenAccessCheck.sh && ./S3OpenAccessCheck.sh
aws s3 cloud-security bash
Experimental 2024-05-10

AtomicLua

A combination of OffensiveLua and Learning Lua - By Defenders, for Defenders.

git clone https://github.com/MHaggis/AtomicLua.git
lua scripting defense learning
Active 2024-05-10

Apache PHP Build

Automated Apache and PHP compilation and installation toolkit for building custom web server environments from source.

git clone https://github.com/MHaggis/notes.git && cd notes/utilities/ApachePHPBuild && ./build.sh
apache php build-automation web-server
Active 2024-04-20

Fancy NTLM Relay

Advanced NTLM relay attack toolkit for testing authentication security in Windows environments.

git clone https://github.com/MHaggis/notes.git && cd notes/utilities/FancyNTLMRelay
ntlm relay windows authentication
Active 2024-03-15

IIS Builder

Automated IIS web server deployment and configuration toolkit for Windows environments.

git clone https://github.com/MHaggis/notes.git && cd notes/utilities/IISBuilder && .\Install-IIS.ps1
iis windows web-server automation
Active 2023-12-05

sigZap

SigZap is a Streamlit application designed to facilitate the search across multiple network signature sets at once.

git clone https://github.com/MHaggis/sigZap.git && cd sigZap && pip install -r requirements.txt && streamlit run app.py
snort signatures network search
Experimental 2023-11-07

LLM Tools

LLM tools and toys for security research and experimentation.

git clone https://github.com/MHaggis/LLM.git
llm ai tools research