zavetsec/README.md
ZavetSec

Anonymous purple-team toolsmith. Single-file tooling and references for air-gapped, incident-response, and hardened environments — defense built on understanding offense.

No install. No dependencies. No agents. No telemetry.

Offensive techniques and the detections that catch them — two halves of one workflow.


Why ZavetSec

  • Purple by design — attack techniques paired with the telemetry and detections that expose them
  • Single-file execution — one script (or one HTML), run and done
  • No installation, no prerequisites, no admin infrastructure
  • Air-gap friendly — works fully offline
  • MITRE ATT&CK aligned — both findings and techniques mapped to tactics
  • Dark HTML output — structured, self-contained, ready to share

◣ Blue — Defensive Tooling

Detection, triage, hardening and forensics. Built for SOC/DFIR work in real environments.

Endpoint Monitoring & DLP

  Tool           Platform           Capability
  ZavetSec-DLP   Windows / .NET 8   Endpoint activity monitoring • keylogger • screenshots • clipboard • USB • DNS • network • web dashboard • EN/RU

SOC / DFIR / Hardening

  Tool                          Platform           Capability
  Invoke-ZavetSecTriage         Windows / PS 5.1   DFIR triage • 17 modules • MITRE ATT&CK
  ZavetSec-EVTXHunter           Windows / PS 5.1   EVTX threat hunting • file & live • 61 rules / 10 chains • entity risk scoring • MITRE ATT&CK
  ZavetSec-Harden               Windows / PS 5.1   Hardening baseline • CIS / DISA STIG • Audit / Apply / Rollback
  ZLT                           Linux / Bash       Linux triage • 12 modules • single command
  Invoke-ADSecurityAudit        Windows / PS 5.1   Active Directory audit • findings • remediation
  ZavetSec-NetworkInventory     Windows / PS 5.1   Network scanner • asset inventory • offline
  ZavetSec-NetworkConnections   Windows / PS 5.1   Live connections • GeoIP • process context • risk
  ZavetSec-BrowserHistory       Windows / PS 5.1   Browser forensics • all users • all browsers
  Invoke-MBHashCheck            Windows / PS 5.1   Hash lookup • MalwareBazaar • ThreatFox
  ZavetSec-Vault                Any browser        Offline password manager • AES-256-GCM • no cloud

Personal Security & Privacy

  Tool             Platform      Capability
  opsec-checklist  Any browser   OPSEC assessment framework • 70+ items • RU/CIS + US/EU editions

◥ Red — Offensive Reference

The other half: a self-contained library of pentest references — built to understand the attacks worth defending against. Same design standard as the tooling: one HTML file per document, fully offline, zero dependencies, no trackers.

Pentest Codex — Reference Library

🌐 Live: zavetsec.github.io/pentestcodex  ·  📦 Repo: zavetsec/pentestcodex

  Document               Type             Contents
  Pentest Codex          Reference        Full kill-chain • every tool explained • every command with flags • 16 sections
  AD Attack Reference    Reference / AD   ADCS ESC1–ESC16 • delegation • RBCD • Shadow Credentials • ACL abuse • GPO/SCCM • MSSQL lateral
  Pentest Path           Roadmap          Blue→Red progression • PNPT → OSCP → CRTO • labs • habit checklist
  Arsenal                Cheat-sheet      Command-first reference across the attack phases
  Kali Linux 2026 Guide  Distro           Install • metapackages • tooling by menu category
  Parrot OS 7 Guide      Distro           Editions • AnonSurf / privacy • tooling • vs Kali

Design Standard

Everything ZavetSec ships — tools and references alike — shares one output format:

  • #0a0d10 dark background — readable in SOC environments at 3 AM
  • #00ff88 green accent — high contrast, low eye strain
  • JetBrains Mono for code and data, Rajdhani for headers
  • Severity tag badges, MITRE ATT&CK references inline
  • 100% self-contained HTML — one file, no CDN, no external requests

Coverage

BLUE — Defensive Tooling
  Endpoint Monitoring   ZavetSec-DLP
  Windows Triage        Invoke-ZavetSecTriage
  Event Log Hunting     ZavetSec-EVTXHunter
  Linux Triage          ZLT
  Active Directory      Invoke-ADSecurityAudit
  Network Discovery     ZavetSec-NetworkInventory
  Live Connections      ZavetSec-NetworkConnections
  Browser Forensics     ZavetSec-BrowserHistory
  Hash Intel            Invoke-MBHashCheck
  Hardening             ZavetSec-Harden
  Secure Storage        ZavetSec-Vault
  Personal OPSEC        opsec-checklist

RED — Offensive Reference
  Pentest Codex         zavetsec.github.io/pentestcodex

Attack-informed defense. Detection-aware offense.
MIT Licensed — open, practical, unrestricted.

Pinned repositories

  1. Invoke-ZavetSecTriage (PowerShell)
     Zero-dependency DFIR triage script for Windows systems. PowerShell 5.1, no external tools required.

  2. ZavetSec-BrowserHistory (PowerShell)
     Forensic browser history extractor for Windows — all users, all browsers, one report.

  3. ZavetSec-Harden (PowerShell)
     Windows security hardening baseline — CIS / DISA STIG / MS Security Baseline. Audit, Apply, Rollback. PowerShell 5.1+.

  4. ZavetSec-NetworkConnections (PowerShell)
     Live network connection snapshot with process context, GeoIP enrichment, DNS analysis and risk classification.

  5. Invoke-ADSecurityAudit (PowerShell)
     Single-file PowerShell script. Run it on a domain-joined machine and get a structured HTML report with findings, MITRE ATT&CK mappings, and remediation guidance. No agents, no databases, no persist…

  6. ZLT (Shell)
     ZavetSec Linux Triage is a bash script for first-response DFIR triage of Linux hosts. Run it with a single command, collect telemetry across 12 modules, automatically analyze it against a curated r…