Alternatives and similar repositories for S4UTomato

Users that are interested in S4UTomato are comparing it to the libraries listed below

• wh0amitz / KRBUACBypass

  View on GitHub
  UAC Bypass By Abusing Kerberos Tickets
  ☆508Aug 10, 2023Updated 2 years ago
• slemire / WSPCoerce

  View on GitHub
  PoC to coerce authentication from Windows hosts using MS-WSP
  ☆300Sep 7, 2023Updated 2 years ago
• Dec0ne / DavRelayUp

  View on GitHub
  DavRelayUp - a universal no-fix local privilege escalation in domain-joined windows workstations where LDAP signing is not enforced (the …
  ☆565Jun 5, 2023Updated 2 years ago
• YOLOP0wn / POSTDump

  View on GitHub
  ☆341Nov 10, 2025Updated 3 months ago
• tastypepperoni / PPLBlade

  View on GitHub
  Protected Process Dumper Tool
  ☆577Aug 30, 2023Updated 2 years ago
• zblurx / certsync

  View on GitHub
  Dump NTDS with golden certificates and UnPAC the hash
  ☆646Mar 20, 2024Updated last year
• foxlox / GIUDA

  View on GitHub
  Ask a TGS on behalf of another user without password
  ☆481Mar 30, 2025Updated 10 months ago
• sokaRepo / CoercedPotatoRDLL

  View on GitHub
  Reflective DLL to privesc from NT Service to SYSTEM using SeImpersonateToken privilege
  ☆224Nov 23, 2023Updated 2 years ago
• Dec0ne / ShadowSpray

  View on GitHub
  A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other ob…
  ☆482Oct 14, 2022Updated 3 years ago
• AlmondOffSec / PassTheCert

  View on GitHub
  Proof-of-Concept tool to authenticate to an LDAP/S server with a certificate through Schannel
  ☆724Sep 3, 2025Updated 5 months ago
• ricardojoserf / NativeDump

  View on GitHub
  Dump lsass using only NTAPI functions by hand-crafting Minidump files (without MiniDumpWriteDump!!!)
  ☆698May 7, 2025Updated 9 months ago
• XiaoliChan / wmiexec-Pro

  View on GitHub
  New generation of wmiexec.py
  ☆1,255Jan 5, 2026Updated last month
• JPG0mez / ADCSync

  View on GitHub
  Use ESC1 to perform a makeshift DCSync and dump hashes
  ☆210Nov 2, 2023Updated 2 years ago
• wh0amitz / SharpADWS

  View on GitHub
  Active Directory reconnaissance and exploitation for Red Teams via the Active Directory Web Services (ADWS).
  ☆585Mar 19, 2024Updated last year
• antonioCoco / SspiUacBypass

  View on GitHub
  Bypassing UAC with SSPI Datagram Contexts
  ☆460Sep 24, 2023Updated 2 years ago
• frkngksl / NimExec

  View on GitHub
  Fileless Command Execution for Lateral Movement in Nim
  ☆388Dec 12, 2023Updated 2 years ago
• synacktiv / GPOddity

  View on GitHub
  The GPOddity project, aiming at automating GPO attack vectors through NTLM relaying (and more).
  ☆358Dec 13, 2025Updated 2 months ago
• decoder-it / LocalPotato

  View on GitHub
  ☆705Nov 7, 2023Updated 2 years ago
• grimlockx / ADCSKiller

  View on GitHub
  An ADCS Exploitation Automation Tool Weaponizing Certipy and Coercer
  ☆738May 19, 2023Updated 2 years ago
• Ridter / atexec-pro

  View on GitHub
  Fileless atexec, no more need for port 445
  ☆404Mar 28, 2024Updated last year
• wh0amitz / BypassCredGuard

  View on GitHub
  Credential Guard Bypass Via Patching Wdigest Memory
  ☆335Feb 3, 2023Updated 3 years ago
• wh0amitz / SharpRODC

  View on GitHub
  To audit the security of read-only domain controllers
  ☆118Nov 27, 2023Updated 2 years ago
• zblurx / dploot

  View on GitHub
  DPAPI looting remotely and locally in Python
  ☆540Oct 7, 2025Updated 4 months ago
• garrettfoster13 / sccmhunter

  View on GitHub
  SCCMHunter is a post-ex tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain.…
  ☆882Feb 5, 2026Updated last week
• Wh04m1001 / DFSCoerce

  View on GitHub
  ☆827Sep 9, 2022Updated 3 years ago
• jfjallid / go-secdump

  View on GitHub
  Tool to remotely dump secrets from the Windows registry
  ☆522Nov 18, 2025Updated 2 months ago
• p0dalirius / pyLDAPWordlistHarvester

  View on GitHub
  A tool to generate a wordlist from the information present in LDAP, in order to crack passwords of domain accounts.
  ☆372Sep 29, 2025Updated 4 months ago
• Xre0uS / MultiDump

  View on GitHub
  MultiDump is a post-exploitation tool for dumping and extracting LSASS memory discreetly.
  ☆537Nov 14, 2025Updated 2 months ago
• S3cur3Th1sSh1t / MultiPotato

  View on GitHub
  ☆539Nov 20, 2021Updated 4 years ago
• decoder-it / ADCSCoercePotato

  View on GitHub
  ☆241May 5, 2024Updated last year
• mertdas / PrivKit

  View on GitHub
  PrivKit is a simple beacon object file that detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS.
  ☆563Jan 20, 2026Updated 3 weeks ago
• WKL-Sec / dcomhijack

  View on GitHub
  Lateral Movement Using DCOM and DLL Hijacking
  ☆326Jun 18, 2023Updated 2 years ago
• wh0amitz / PetitPotato

  View on GitHub
  Local privilege escalation via PetitPotam (Abusing impersonate privileges).
  ☆453Mar 30, 2023Updated 2 years ago
• FalconForceTeam / SOAPHound

  View on GitHub
  SOAPHound is a custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Dire…
  ☆855Feb 3, 2024Updated 2 years ago
• nettitude / SharpWSUS

  View on GitHub
  ☆477Nov 20, 2022Updated 3 years ago
• BeichenDream / PrintNotifyPotato

  View on GitHub
  PrintNotifyPotato
  ☆539Dec 2, 2022Updated 3 years ago
• zcgonvh / DCOMPotato

  View on GitHub
  Some Service DCOM Object and SeImpersonatePrivilege abuse.
  ☆372Dec 9, 2022Updated 3 years ago
• g3tsyst3m / elevationstation

  View on GitHub
  elevate to SYSTEM any way we can! Metasploit and PSEXEC getsystem alternative
  ☆381Nov 2, 2023Updated 2 years ago
• zyn3rgy / LdapRelayScan

  View on GitHub
  Check for LDAP protections regarding the relay of NTLM authentication
  ☆532Nov 19, 2024Updated last year