226 |
227 | | Link |
228 | Description |
229 |
230 |
231 | | 0xsp-SRD/OffensivePascal |
232 | Pascal Offsec repo for malware dev and red teaming 🚩 |
233 |
234 |
235 | | Accenture/CLRvoyance |
236 | Managed assembly shellcode generation |
237 |
238 |
239 | | aeverj/NimShellCodeLoader |
240 | Nim编写Windows平台shellcode免杀加载器 |
241 |
242 |
243 | | airbus-cert/Invoke-BOF |
244 | Load any Beacon Object File using Powershell! |
245 |
246 |
247 | | ajpc500/NimlineWhispers |
248 | A very proof-of-concept port of InlineWhispers for using syscalls in Nim projects. |
249 |
250 |
251 | | Akaion/Bleak |
252 | A Windows native DLL injection library that supports several methods of injection. |
253 |
254 |
255 | | Allevon412/TeamsImplant |
256 | This project is a stealthy teams implant that proxies the urlmon.dll that teams uses compile and throw this bad boy in the teams directory as urlmon.dll and you got yourself a persistence backdoor whenever teams runs by a user or at startup. |
257 |
258 |
259 | | antonioCoco/SharPyShell |
260 | SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications |
261 |
262 |
263 | | api0cradle/LOLBAS |
264 | Living Off The Land Binaries and Scripts (and now also Libraries) |
265 |
266 |
267 | | ariary/fileless-xec |
268 | Stealth dropper executing remote binaries without dropping them on disk .(HTTP3 support, ICMP support, invisible tracks, cross-platform,...) |
269 |
270 |
271 | | b1tg/rust-windows-shellcode |
272 | Windows shellcode development in Rust |
273 |
274 |
275 | | bats3c/DarkLoadLibrary |
276 | LoadLibrary for offensive operations |
277 |
278 |
279 | | BC-SECURITY/Empire |
280 | Empire is a PowerShell and Python post-exploitation agent. |
281 |
282 |
283 | | BC-SECURITY/Offensive-VBA-and-XLS-Entanglement |
284 | Offensive VBA and XLS Entanglement |
285 |
286 |
287 | | Binject/backdoorfactory |
288 | A from-scratch rewrite of The Backdoor Factory - a MitM tool for inserting shellcode into all types of
289 | binaries on the wire. |
290 |
291 |
292 | | boku7/bof-spawnSuspendedProcess |
293 | Cobalt Strike Beacon Object File (BOF) that takes the name of of a PE file as an argument and spawns the process in a suspended state |
294 |
295 |
296 | | bohops/GhostBuild |
297 | GhostBuild is a collection of simple MSBuild launchers for various GhostPack/.NET projects |
298 |
299 |
300 | | byt3bl33d3r/BOF-Nim |
301 | Cobalt Strike BOF Files with Nim! |
302 |
303 |
304 | | bytecode77/living-off-the-land |
305 | Fileless attack with persistence |
306 |
307 |
308 | | ByteJunkies-co-uk/Metsubushi |
309 | Generate droppers with encrypted payloads automatically. |
310 |
311 |
312 | | capt-meelo/Beaconator |
313 | A beacon generator using Cobalt Strike and PEzor. |
314 |
315 |
316 | | cdong1012/Crab-Runner |
317 | Shellcode runner in Rust |
318 |
319 |
320 | | cedowens/Mythic-Macro-Generator |
321 | Python3 script to generate a macro to launch a Mythic payload. Author: Cedric Owens |
322 |
323 |
324 | | ChaitanyaHaritash/Callback_Shellcode_Injection |
325 | POCs for Shellcode Injection via Callbacks |
326 |
327 |
328 | | Ch0pin/AVIator |
329 | AV|Ator is a backdoor generator utility, which uses cryptographic and injection techniques in order to bypass AV detection. |
330 |
331 |
332 | | checkymander/Sharp-SMBExec |
333 | SMBExec C# module |
334 |
335 |
336 | | cobbr/SharpSploit |
337 | SharpSploit is a .NET post-exploitation library written in C# |
338 |
339 |
340 | | connormcgarr/LittleCorporal |
341 | LittleCorporal: A C# Automated Maldoc Generator |
342 |
343 |
344 | | Cn33liz/StarFighters |
345 | A JavaScript and VBScript Based Empire Launcher, which runs within their own embedded PowerShell Host. |
346 |
347 |
348 | | Cr4sh/KernelForge |
349 | A library to develop kernel level Windows payloads for post HVCI era |
350 |
351 |
352 | | cribdragg3r/Alaris |
353 | A protective and Low Level Shellcode Loader the defeats modern EDR systems. |
354 |
355 |
356 | | cube0x0/SharpeningCobaltStrike |
357 | I realtime v35/40 dotnet compiler for your linux Cobalt Strike C2. New fresh compiled and obfuscated binary for each use |
358 |
359 |
360 | | Cybellum/DoubleAgent |
361 | DoubleAgent is a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run). |
362 |
363 |
364 | | cytopia/kusanagi |
365 | Kusanagi is a bind and reverse shell payload generator with obfuscation and badchar support. |
366 |
367 |
368 | | D00MFist/Go4aRun |
369 | Shellcode runner in GO that incorporates shellcode encryption, remote process injection, block dlls, and spoofed parent process |
370 |
371 |
372 | | damienvanrobaeys/PS1-To-EXE-Generator |
373 | PS1 to EXE Generator: Create an EXE for your PS1 scripts |
374 |
375 |
376 | | darkr4y/geacon |
377 | Practice Go programming and implement CobaltStrike's Beacon in Go |
378 |
379 |
380 | | D00MFist/Mystikal |
381 | macOS Initial Access Payload Generator |
382 |
383 |
384 | | dtrizna/easy-hollow |
385 | Automated build for process hollowing shellcode loader. Build on top of TikiTorch and donut projects. |
386 |
387 |
388 | | EddieIvan01/memexec |
389 | A library for loading and executing PE (Portable Executable) from memory without ever touching the disk |
390 |
391 |
392 | | EntySec/HatVenom |
393 | HatVenom is a HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures. |
394 |
395 |
396 | | erikgeiser/govenom |
397 | govenom is a msfvenom-inspired cross-platform payload generator toolkit written in Go |
398 |
399 |
400 | | EspressoCake/DLL-Hijack-Search-Order-BOF |
401 | DLL Hijack Search Order Enumeration BOF |
402 |
403 |
404 | | FalconForceTeam/BOF2shellcode |
405 | POC tool to convert CobaltStrike BOF files to raw shellcode |
406 |
407 |
408 | | FatCyclone/D-Pwn |
409 | D/Invoke standalone shellcode runners |
410 |
411 |
412 | | Flangvik/SharpCollection |
413 | Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines. |
414 |
415 |
416 | | forrest-orr/artifacts-kit |
417 | Pseudo-malicious usermode memory artifact generator kit designed to easily mimic the footprints left by real malware on an infected Windows OS. |
418 |
419 |
420 | | FortyNorthSecurity/CIMplant |
421 | C# port of WMImplant which uses either CIM or WMI to query remote systems |
422 |
423 |
424 | | FortyNorthSecurity/EDD |
425 | Enumerate Domain Data is designed to be similar to PowerView but in .NET. PowerView is essentially the ultimate domain enumeration tool, and we wanted a .NET implementation that we worked on ourselves. This tool was largely put together by viewing implementations of different functionality across a wide range of existing projects and combining them into EDD. |
426 |
427 |
428 | | FortyNorthSecurity/EXCELntDonut |
429 | Excel 4.0 (XLM) Macro Generator for injecting DLLs and EXEs into memory. |
430 |
431 |
432 | | FortyNorthSecurity/hot-manchego |
433 | Macro-Enabled Excel File Generator (.xlsm) using the EPPlus Library. |
434 |
435 |
436 | | frkngksl/Huan |
437 | Encrypted PE Loader Generator |
438 |
439 |
440 | | FuzzySecurity/PowerShell-Suite |
441 | There are great tools and resources online to accomplish most any task in PowerShell, sometimes however, there is a need to script together a util for a specific purpose or to bridge an ontological gap. This is a collection of PowerShell utilities I put together either for fun or because I had a narrow application in mind. |
442 |
443 |
444 | | gen0cide/gscript |
445 | framework to rapidly implement custom droppers for all three major operating systems |
446 |
447 |
448 | | GetRektBoy724/MeterPwrShell |
449 | Automated Tool That Generate The Perfect Powershell Payload |
450 |
451 |
452 | | GetRektBoy724/SharpHalos |
453 | My implementation of Halo's Gate technique in C# |
454 |
455 |
456 | | GhostPack/SharpWMI |
457 | SharpWMI is a C# implementation of various WMI functionality. |
458 |
459 |
460 | | gigajew/WinXRunPE |
461 | Two C# RunPE's capable of x86 and x64 injections |
462 |
463 |
464 | | glinares/InlineShapesPayload |
465 | VBA InlineShapes Payload Generator |
466 |
467 |
468 | | gloxec/CrossC2 |
469 | Generate CobaltStrike's cross-platform payload |
470 |
471 |
472 | | hausec/MaliciousClickOnceMSBuild |
473 | Basic C# Project that will take an MSBuild payload and run it with MSBuild via ClickOnce. |
474 |
475 |
476 | | hasherezade/masm_shc |
477 | A helper utility for creating shellcodes. Cleans MASM file generated by MSVC, gives refactoring hints. |
478 |
479 |
480 | | JamesCooteUK/SharpSphere |
481 | .NET Project for Attacking vCenter |
482 |
483 |
484 | | jhalon/SharpCall |
485 | Simple PoC demonstrating syscall execution in C# |
486 |
487 |
488 | | jfmaes/Invoke-DLLClone |
489 | Koppeling x Metatwin x LazySign |
490 |
491 |
492 | | jfmaes/SharpLNKGen-UI |
493 | UI for creating LNKs |
494 |
495 |
496 | | jfmaes/SharpZipRunner |
497 | Executes position independent shellcode from an encrypted zip |
498 |
499 |
500 | | JohnWoodman/VBA-Macro-Projects |
501 | This repository is a collection of my malicious VBA projects. |
502 |
503 |
504 | | jonaslejon/malicious-pdf |
505 | Generate a bunch of malicious pdf files with phone-home functionality. Can be used with Burp Collaborator |
506 |
507 |
508 | | kkent030315/anycall |
509 | x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration |
510 |
511 |
512 | | knownsec/shellcodeloader |
513 | ShellcodeLoader of windows can bypass AV. |
514 |
515 |
516 | | Kudaes/DInvoke_rs |
517 | Dynamically invoke arbitrary unmanaged code. |
518 |
519 |
520 | | kyleavery/ThirdEye |
521 | Weaponizing CLRvoyance for Post-Ex .NET Execution |
522 |
523 |
524 | | lockedbyte/CVE-2021-40444 |
525 | Malicious docx generator to exploit CVE-2021-40444 (Microsoft Office Word Remote Code Execution) |
526 |
527 |
528 | | mai1zhi2/SharpBeacon |
529 | CobaltStrike Beacon written in .Net 4 用.net重写了stager及Beacon,其中包括正常上线、文件管理、进程管理、令牌管理、结合SysCall进行注入、原生端口转发、关ETW等一系列功能 |
530 |
531 |
532 | | MarkoH17/Spray365 |
533 | Spray365 makes spraying Microsoft accounts (Office 365 / Azure AD) easy through its customizable two-step password spraying approach. The built-in execution plan features options that attempt to bypass Azure Smart Lockout and insecure conditional access policies. |
534 |
535 |
536 | | maxlandon/wiregost |
537 | Golang Implant & Post-Exploitation Framework |
538 |
539 |
540 | | mdsecactivebreach/SharpShooter |
541 | SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code. |
542 |
543 |
544 | | med0x2e/GadgetToJScript |
545 | A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts. |
546 |
547 |
548 | | memN0ps/RustSCRunner |
549 | Shellcode Runner/Injector in Rust using NTDLL functions directly with the ntapi Library. |
550 |
551 |
552 | | mgeeky/Stracciatella |
553 | OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, Constrained Language Mode and
554 | Script Block Logging disabled at startup |
555 |
556 |
557 | | michaelweber/Macrome |
558 | Excel Macro Document Reader/Writer for Red Teamers & Analysts |
559 |
560 |
561 | | mkellerman/Invoke-CommandAs |
562 | Invoke Command As System/Interactive/GMSA/User on Local/Remote machine & returns PSObjects. |
563 |
564 |
565 | | mlcsec/SharpSQL |
566 | Simple C# implementation of PowerUpSQL |
567 |
568 |
569 | | mobdk/Sigma |
570 | Execute shellcode with ZwCreateSection, ZwMapViewOfSection, ZwOpenProcess, ZwMapViewOfSection and ZwCreateThreadEx |
571 |
572 |
573 | | Mr-Un1k0d3r/RedTeamCSharpScripts |
574 | C# Script used for Red Team. These binaries can be used by Cobalt Strike execute-assembly or as standalone
575 | executable. |
576 |
577 |
578 | | mrexodia/AppInitHook |
579 | Global user-mode hooking framework, based on AppInit_DLLs. The goal is to allow you to rapidly develop hooks to inject in an arbitrary process. |
580 |
581 |
582 | | nccgroup/GTFOBLookup |
583 | Offline command line lookup utility for GTFOBins |
584 |
585 |
586 | | netititude/RunOF |
587 | A tool to run object files, mainly beacon object files (BOF), in .Net. |
588 |
589 |
590 | | nnsee/fileless-elf-exec |
591 | Execute ELF files without dropping them on disk |
592 |
593 |
594 | | NVISOsecurity Marauders Map |
595 | The Marauders Map is meant to be used on assessments where you have gained GUI access to an enviornment. The Marauders Map is a DLL written in C#, enriched by the DllExport project to export functions that can serve as an entrypoint of invocation for unmanaged code such as rundll32. |
596 |
597 |
598 | | NYAN-x-CAT/Csharp-Loader |
599 | Download a .NET payload and run it on memory |
600 |
601 |
602 | | optiv/Ivy |
603 | Ivy is a payload creation framework for the execution of arbitrary VBA (macro) source code directly in memory. Ivy’s loader does this by utilizing programmatical access in the VBA object environment to load, decrypt and execute shellcode. |
604 |
605 |
606 | | p3nt4/RunDLL.Net |
607 | Execute .Net assemblies using Rundll32.exe |
608 |
609 |
610 | | plackyhacker/Sys-Calls |
611 | An example of using Syscalls in C# to get a meterpreter shell. |
612 |
613 |
614 | | postrequest/xeca |
615 | PowerShell payload generator |
616 |
617 |
618 | | praetorian-inc/Matryoshka |
619 | Matryoshka loader is a tool that red team operators can leverage to generate shellcode for Microsoft Office document phishing payloads. |
620 |
621 |
622 | | Professor-plum/Reflective-Driver-Loader |
623 | Reflective Kernel Driver injection is a injection technique base off Reflective DLL injection by Stephen Fewer. |
624 |
625 |
626 | | pwn1sher/frostbyte |
627 | FrostByte is a POC project that combines different defense evasion techniques to build better redteam payloads |
628 |
629 |
630 | | pwn1sher/uuid-loader |
631 | UUID based shellcode loader for your favorite C2 |
632 |
633 |
634 | | shogunlab/Mochi |
635 | Mochi is a proof-of-concept C++ loader that leverages the ChaiScript embedded scripting language to execute code. |
636 |
637 |
638 | | rasta-mouse/MiscTools |
639 | Miscellaneous Tools |
640 |
641 |
642 | | redcanaryco/chain-reactor |
643 | Chain Reactor is an open source framework for composing executables that simulate adversary behaviors and
644 | techniques on Linux endpoints. |
645 |
646 |
647 | | redcode-labs/Coldfire |
648 | Golang malware development library |
649 |
650 |
651 | | redcode-labs/GoSH |
652 | Golang reverse/bind shell generator |
653 |
654 |
655 | | redcode-labs/Neurax |
656 | A framework for constructing self-spreading binaries |
657 |
658 |
659 | | redcode-labs/REVENANT |
660 | Volatile ELF payloads generator with Metasploit integrations for testing GNU/Linux ecosystems against low-level threats |
661 |
662 |
663 | | redcode-labs/SNOWCRASH |
664 | A polyglot payload generator |
665 |
666 |
667 | | rek7/fireELF |
668 | fireELF - Fileless Linux Malware Framework |
669 |
670 |
671 | | Reverse Shell Generator |
672 | Reverse Shell Generator |
673 |
674 |
675 | | richkmeli/Richkware |
676 | Framework for building Windows malware, written in C++ |
677 |
678 |
679 | | ropnop/go-sharp-loader.go |
680 | Example Go program with multiple .NET Binaries embedded |
681 |
682 |
683 | | rvrsh3ll/NoMSBuild |
684 | MSBuild without MSbuild.exe |
685 |
686 |
687 | | s0lst1c3/dropengine |
688 | DropEngine provides a malleable framework for creating shellcode runners, allowing operators to choose from a selection of components and combine them to create highly sophisticated payloads within seconds.DropEngine provides a malleable framework for creating shellcode runners, allowing operators to choose from a selection of components and combine them to create highly sophisticated payloads within seconds.DropEngine provides a malleable framework for creating shellcode runners, allowing operators to choose from a selection of components and combine them to create highly sophisticated payloads within seconds. |
689 |
690 |
691 | | sevagas/macro_pack |
692 | macro_pack is a tool used to automatize obfuscation and generation of MS Office documents for pentest, demo,
693 | and social engineering assessments. The goal of macro_pack is to simplify antimalware bypass and automatize
694 | the process from vba generation to final Office document generation. |
695 |
696 |
697 | | S3cur3Th1sSh1t/Invoke-SharpLoader |
698 | Load encrypted and compressed C# Code from a remote Webserver or from a local file straight to memory and execute it there. |
699 |
700 |
701 | | S3cur3Th1sSh1t/Nim_CBT_Shellcode |
702 | CallBack-Techniques for Shellcode execution ported to Nim |
703 |
704 |
705 | | S3cur3Th1sSh1t/Nim-RunPE |
706 | A Nim implementation of reflective PE-Loading from memory |
707 |
708 |
709 | | S3cur3Th1sSh1t/OffensiveVBA |
710 | This repo covers some code execution and AV Evasion methods for Macros in Office documents |
711 |
712 |
713 | | S4R1N/AlternativeShellcodeExec |
714 | Alternative Shellcode Execution Via Callbacks |
715 |
716 |
717 | | scythe-io/memory-module-loader |
718 | An implementation of a Windows loader that can load dynamic-linked libraries (DLLs) directly from memory |
719 |
720 |
721 | | secdev-01/AllTheThingsExec |
722 | Executes Blended Managed/Unmanged Exports |
723 |
724 |
725 | | sh4hin/GoPurple |
726 | Yet another shellcode runner consists of different techniques for evaluating detection capabilities of
727 | endpoint security solutions |
728 |
729 |
730 | | SheLLVM/SheLLVM |
731 | A collection of LLVM transform and analysis passes to write shellcode in regular C |
732 |
733 |
734 | | snovvcrash/NimHollow |
735 | Nim implementation of Process Hollowing using syscalls (for educational purposes) |
736 |
737 |
738 | | snovvcrash/peas |
739 | Modified version of PEAS client for offensive operations |
740 |
741 |
742 | | STMSolutions/boobsnail |
743 | BoobSnail allows generating Excel 4.0 XLM macro. Its purpose is to support the RedTeam and BlueTeam in XLM macro generation. |
744 |
745 |
746 | | timwhitez/Doge-Loader |
747 | 🐶Cobalt Strike Shellcode Loader by Golang |
748 |
749 |
750 | | TheCruZ/kdmapper |
751 | KDMapper is a simple tool that exploits iqvw64e.sys Intel driver to manually map non-signed drivers in memory |
752 |
753 |
754 | | TheWover/donut |
755 | Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and
756 | other Windows payloads from memory and runs them with parameters |
757 |
758 |
759 | | threatexpress/cobaltstrike_payload_generator |
760 | Quickly generate every payload type for each listener and optionally host via HTTP. |
761 |
762 |
763 | | trickster0/OffensiveRust |
764 | Rust Weaponization for Red Team Engagements. |
765 |
766 |
767 | | trustedsec/ELFLoader |
768 | This is a ELF object in memory loader/runner. The goal is to create a single elf loader that can be used to run follow on capabilities across all x86_64 and x86 nix operating systems. |
769 |
770 |
771 | | trustedsec/unicorn |
772 | Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory.
773 | Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy
774 | (TrustedSec) and Josh Kelly at Defcon 18. |
775 |
776 |
777 | | wumb0/rust_bof |
778 | Cobalt Strike Beacon Object Files (BOFs) written in rust with rust core and alloc. |
779 |
780 |
781 | | X-C3LL/xlsxPoisoN |
782 | Just a PoC to turn xlsx (regular Excel files) into xlsm (Excel file with macro) and slipping inside a macro (vbaProject.bin) |
783 |
784 |
785 | | xforcered/InlineExecute-Assembly |
786 | InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strikes traditional fork and run execute-assembly module |
787 |
788 |
789 | | xinbailu/DripLoader |
790 | Evasive shellcode loader for bypassing event-based injection detection (PoC) |
791 |
792 |
793 | | xinbailu/DripLoader-Ops |
794 | a usable, cleaned-up version for script kiddies |
795 |
796 |
797 | | xpn/NautilusProject |
798 | A collection of weird ways to execute unmanaged code in .NET |
799 |
800 |
801 | | V1V1/OffensiveAutoIt |
802 | Offensive tooling notes and experiments in AutoIt v3 |
803 |
804 |
805 | | Yaxser/COFFLoader2 |
806 | Load and execute COFF files and Cobalt Strike BOFs in-memory |
807 |
808 |
809 | | yqcs/ZheTian |
810 | ZheTian Powerful remote load and execute ShellCode tool |
811 |
812 |
813 | | zerosum0x0/rcmd |
814 | Runs a command in another process |
815 |
816 |
817 |
818 | ## Persistence
819 |
820 |
1052 |
1053 | | Link |
1054 | Description |
1055 |
1056 |
1057 | | 0xDivyanshu/Injector |
1058 | Complete Arsenal of Memory injection and other techniques for red-teaming in Windows |
1059 |
1060 |
1061 | | 0xpat/COFFInjector |
1062 | PoC MSVC COFF Object file loader/injector. |
1063 |
1064 |
1065 | | 0xN3utr0n/Noteme |
1066 | ELF packer/crypter that aims to create hardened and stealthy troyans |
1067 |
1068 |
1069 | | 0xZDH/redirect.rules |
1070 | Quick and dirty dynamic redirect.rules generator |
1071 |
1072 |
1073 | | 3gstudent/Eventlogedit-evtx--Evolution |
1074 | Remove individual lines from Windows XML Event Log (EVTX) files |
1075 |
1076 |
1077 | | 89luca89/pakkero |
1078 | Pakkero is a binary packer written in Go made for fun and educational purpose. Its main goal is to take in
1079 | input a program file (elf binary, script, even appimage) and compress it, protect it from tampering and
1080 | intrusion. |
1081 |
1082 |
1083 | | aaaddress1/wowGrail |
1084 | PoC: Rebuild A New Path Back to the Heaven's Gate (HITB 2021) |
1085 |
1086 |
1087 | | Aetsu/OffensivePipeline |
1088 | OffensivePipeline allows to download, compile (without Visual Studio) and obfuscate C# tools for Red Team exercises. |
1089 |
1090 |
1091 | | airzero24/WMIReg |
1092 | PoC to interact with local/remote registry hives through WMI |
1093 |
1094 |
1095 | | ajpc500/NimlineWhispers2 |
1096 | A tool for converting SysWhispers2 syscalls for use with Nim projects |
1097 |
1098 |
1099 | | AnErrupTion/LoGiC.NET |
1100 | A more advanced free and open .NET obfuscator using dnlib. |
1101 |
1102 |
1103 | | anthemtotheego/Detect-Hooks |
1104 | Proof of concept Beacon Object File (BOF) that attempts to detect userland hooks in place by AV/EDR |
1105 |
1106 |
1107 | | api0cradle/UltimateAppLockerByPassList
1108 | |
1109 | The goal of this repository is to document the most common techniques to bypass AppLocker. |
1110 |
1111 |
1112 | | arget13/DDexec |
1113 | A technique to run binaries filelessly and stealthily on Linux using dd to replace the shell with another process. |
1114 |
1115 |
1116 | | Arvanaghi/CheckPlease |
1117 | Sandbox evasion modules written in PowerShell, Python, Go, Ruby, C, C#, Perl, and Rust. |
1118 |
1119 |
1120 | | asaurusrex/DoppelGate |
1121 | This project is designed to provide a method of extracting syscalls dynamically directly from on-disk ntdll. Userland hooks have become prevalent in many security products these days, and bypassing these hooks is a great way for red teamers/pentesters to bypass these defenses. |
1122 |
1123 |
1124 | | asaurusrex/EDR_Userland_Hook_Checker |
1125 | Project to check which Nt/Zw functions your local EDR is hooking |
1126 |
1127 |
1128 | | audibleblink/dummyDLL |
1129 | Utility for hunting UAC bypasses or COM/DLL hijacks that alerts on the exported function that was consumed. |
1130 |
1131 |
1132 | | aus/gopherheaven |
1133 | Go implementation of the Heaven's Gate technique |
1134 |
1135 |
1136 | | AzAgarampur/byeintegrity4-uac |
1137 | Bypass UAC by abusing the Windows Defender Firewall Control Panel, environment variables, and shell protocol handlers |
1138 |
1139 |
1140 | | AzAgarampur/byeintegrity8-uac |
1141 | Bypass UAC at any level by abusing the Program Compatibility Assistant with RPC, WDI, and more Windows components |
1142 |
1143 |
1144 | | Bashfuscator/Bashfuscator |
1145 | A fully configurable and extendable Bash obfuscation framework. This tool is intended to help both red team and blue team. |
1146 |
1147 |
1148 | | bats3c/Ghost-In-The-Logs |
1149 | Evade sysmon and windows event logginEvade sysmon and windows event loggingg |
1150 |
1151 |
1152 | | BaumFX/cpp-anti-debug |
1153 | anti debugging library in c++. |
1154 |
1155 |
1156 | | BinaryScary/NET-Obfuscate |
1157 | Obfuscate ECMA CIL (.NET IL) assemblies to evade Windows Defender AMSI |
1158 |
1159 |
1160 | | blacklanternsecurity/TREVORproxy |
1161 | A SOCKS proxy written in Python that randomizes your source IP address. Round-robin your evil packets through SSH tunnels or give them billions of unique source addresses! |
1162 |
1163 |
1164 | | bhumic/PErmutator |
1165 | The goal of this project is to create a permutation engine for PE files. The engine should randomize the executable parts of the file. |
1166 |
1167 |
1168 | | boku7/AsmHalosGate |
1169 | x64 Assembly HalosGate direct System Caller to evade EDR UserLand hooks |
1170 |
1171 |
1172 | | boku7/BokuLoader |
1173 | Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities. |
1174 |
1175 |
1176 | | boku7/CobaltStrikeReflectiveLoader |
1177 | Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities. |
1178 |
1179 |
1180 | | boku7/halosgate-ps |
1181 | Cobalt Strike BOF that uses a custom ASM HalosGate & HellsGate syscaller to return a list of processes |
1182 |
1183 |
1184 | | boku7/HellsGatePPID |
1185 | Assembly HellGate implementation that directly calls Windows System Calls and displays the PPID of the explorer.exe process |
1186 |
1187 |
1188 | | boku7/HOLLOW |
1189 | EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, inject shellcode, hijack main thread with APC, and execute shellcode |
1190 |
1191 |
1192 | | boku7/injectAmsiBypass |
1193 | Cobalt Strike BOF - Bypass AMSI in a remote process with code injection. |
1194 |
1195 |
1196 | | boku7/injectEtwBypass |
1197 | CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate) |
1198 |
1199 |
1200 | | boku7/Ninja_UUID_Dropper |
1201 | Module Stomping, No New Thread, HellsGate syscaller, UUID Dropper for x64 Windows 10! |
1202 |
1203 |
1204 | | boku7/spawn |
1205 | Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing. |
1206 |
1207 |
1208 | | bohops/UltimateWDACBypassList |
1209 | A centralized resource for previously documented WDAC bypass techniques |
1210 |
1211 |
1212 | | boku7/winx64-InjectAllProcessesMeterpreter-Shellcode |
1213 | 64bit Windows 10 shellcode that injects all processes with Meterpreter reverse shells. |
1214 |
1215 |
1216 | | br-sn/CheekyBlinder |
1217 | Enumerating and removing kernel callbacks using signed vulnerable drivers |
1218 |
1219 |
1220 | | burrowers/garble |
1221 | Obfuscate Go builds |
1222 |
1223 |
1224 | | bytecode77/self-morphing-csharp-binary |
1225 | Executable that mutates its own code |
1226 |
1227 |
1228 | | c0de90e7/GhostWriting |
1229 | GhostWriting Injection Technique. |
1230 |
1231 |
1232 | | calebstewart/bypass-clm |
1233 | PowerShell Constrained Language Mode Bypass |
1234 |
1235 |
1236 | | CCob/SharpBlock |
1237 | A method of bypassing EDR's active projection DLL's by preventing entry point execution. |
1238 |
1239 |
1240 | | Cerbersec/KillDefenderBOF |
1241 | Beacon Object File PoC implementation of KillDefender |
1242 |
1243 |
1244 | | ChadSki/SharpNeedle |
1245 | Inject C# code into a running process |
1246 |
1247 |
1248 | | Charterino/AsStrongAsFuck |
1249 | A console obfuscator for .NET assemblies. |
1250 |
1251 |
1252 | | checkymander/Zolom |
1253 | C# Executable with embedded Python that can be used reflectively to run python code on systems without Python installed |
1254 |
1255 |
1256 | | chvancooten/NimPackt-v1 |
1257 | Nim-based assembly packer and shellcode loader for opsec & profit |
1258 |
1259 |
1260 | | Cn33liz/p0wnedShell |
1261 | p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET) |
1262 |
1263 |
1264 | | cobbr/PSAmsi |
1265 | PSAmsi is a tool for auditing and defeating AMSI signatures. |
1266 |
1267 |
1268 | | cipheras/obfus |
1269 | Curated list of examples, tools, frameworks, etc in various languages with various techniques for obfuscation of RATs, malwares, etc. Only for learning purposes & red teaming. |
1270 |
1271 |
1272 | | cnsimo/BypassUAC |
1273 | Use ICMLuaUtil to Bypass UAC! |
1274 |
1275 |
1276 | | Cracked5pider/KaynLdr |
1277 | KaynLdr is a Reflective Loader written in C/ASM |
1278 |
1279 |
1280 | | cube0x0/SyscallPack |
1281 | BOF and Shellcode for full DLL unhooking using dynamic syscalls |
1282 |
1283 |
1284 | | cwolff411/powerob |
1285 | An on-the-fly Powershell script obfuscator meant for red team engagements. Built out of necessity. |
1286 |
1287 |
1288 | | cyberark/Evasor |
1289 | A tool to be used in post exploitation phase for blue and red teams to bypass APPLICATIONCONTROL policies |
1290 |
1291 |
1292 | | czs108/PE-Packer |
1293 | 📦 A Windows x86 PE file packer written in C & Microsoft Assembly. The file after packing can obstruct the process of reverse engineering. |
1294 |
1295 |
1296 | | d00rt/ebfuscator |
1297 | Ebfuscator: Abusing system errors for binary obfuscation |
1298 |
1299 |
1300 | | d35ha/CallObfuscator |
1301 | Obfuscate specific windows apis with different apis |
1302 |
1303 |
1304 | | DamonMohammadbagher/NativePayload_Tinjection |
1305 | Remote Thread Injection by C# |
1306 |
1307 |
1308 | | danielbohannon/Invoke-CradleCrafter
1309 | |
1310 | PowerShell Remote Download Cradle Generator & Obfuscator |
1311 |
1312 |
1313 | | danielbohannon/Invoke-DOSfuscation |
1314 | Cmd.exe Command Obfuscation Generator & Detection Test Harness |
1315 |
1316 |
1317 | | DarthTon/Polychaos |
1318 | PE permutation library |
1319 |
1320 |
1321 | | DarthTon/Xenos |
1322 | Windows dll injector |
1323 |
1324 |
1325 | | dndx/phantun |
1326 | Transforms UDP stream into (fake) TCP streams that can go through Layer 3 & Layer 4 (NAPT) firewalls/NATs. |
1327 |
1328 |
1329 | | dsnezhkov/zombieant |
1330 | Zombie Ant Farm: Primitives and Offensive Tooling for Linux EDR evasion. |
1331 |
1332 |
1333 | | EgeBalci/Amber |
1334 | amber is a reflective PE packer for bypassing security products and mitigations. It can pack regularly
1335 | compiled PE files into reflective payloads that can load and execute itself like a shellcode. |
1336 |
1337 |
1338 | | EgeBalci/sgn |
1339 | Shikata ga nai (仕方がない) encoder ported into go with several improvements |
1340 |
1341 |
1342 | | EspressoCake/Firewall_Walker_BOF |
1343 | A BOF to interact with COM objects associated with the Windows software firewall. |
1344 |
1345 |
1346 | | EspressoCake/Self_Deletion_BOF |
1347 | BOF implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs |
1348 |
1349 |
1350 | | FalconForceTeam/SysWhispers2BOF |
1351 | Script to use SysWhispers2 direct system calls from Cobalt Strike BOFs |
1352 |
1353 |
1354 | | FatRodzianko/SharpBypassUAC |
1355 | C# tool for UAC bypasses |
1356 |
1357 |
1358 | | ffuf/pencode |
1359 | Complex payload encoder |
1360 |
1361 |
1362 | | fireeye/OfficePurge |
1363 | VBA purge your Office documents with OfficePurge. VBA purging removes P-code from module streams within Office documents. |
1364 |
1365 |
1366 | | Flangvik/AMSI.fail |
1367 | C# Azure Function with an HTTP trigger that generates obfuscated PowerShell snippets that break or disable AMSI for the current process. |
1368 |
1369 |
1370 | | Flangvik/NetLoader |
1371 | Loads any C# binary in mem, patching AMSI + ETW. |
1372 |
1373 |
1374 | | Flangvik/RosFuscator |
1375 | YouTube/Livestream project for obfuscating C# source code using Roslyn |
1376 |
1377 |
1378 | | Flangvik/SharpDllProxy |
1379 | Retrieves exported functions from a legitimate DLL and generates a proxy DLL source code/template for DLL proxy loading or sideloading |
1380 |
1381 |
1382 | | forrest-orr/phantom-dll-hollower-poc |
1383 | Phantom DLL hollowing PoC |
1384 |
1385 |
1386 | | GetRektBoy724/HalosUnhooker |
1387 | Halos Gate-based NTAPI Unhooker |
1388 |
1389 |
1390 | | GetRektBoy724/JALSI |
1391 | JALSI - Just Another Lame Shellcode Injector |
1392 |
1393 |
1394 | | GetRektBoy724/SharpUnhooker |
1395 | C# Based Universal API Unhooker |
1396 |
1397 |
1398 | | GetRektBoy724/TripleS |
1399 | Syscall Stub Stealer - Freshly steal Syscall stub straight from the disk |
1400 |
1401 |
1402 | | GetRektBoy724/TripleS |
1403 | Syscall Stub Stealer - Freshly steal Syscall stub straight from the disk |
1404 |
1405 |
1406 | | GhostPack/Invoke-Evasion |
1407 | PowerShell Obfuscation and Data Science |
1408 |
1409 |
1410 | | GoodstudyChina/APC-injection-x86-x64 |
1411 | injdrv is a proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC. |
1412 |
1413 |
1414 | | HackOvert/AntiDBG |
1415 | A bunch of Windows anti-debugging tricks for x86 and x64. |
1416 |
1417 |
1418 | | hasherezade/module_overloading |
1419 | A more stealthy variant of "DLL hollowing" |
1420 |
1421 |
1422 | | hasherezade/process_chameleon |
1423 | A process overwriting its own PEB to make an illusion that it has been loaded from a different path. |
1424 |
1425 |
1426 | | hasherezade/process_overwriting |
1427 | Yet another variant of Process Hollowing |
1428 |
1429 |
1430 | | hasherezade/transacted_hollowing |
1431 | Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging |
1432 |
1433 |
1434 | | hlldz/Invoke-Phant0m |
1435 | Windows Event Log Killer |
1436 |
1437 |
1438 | | hlldz/RefleXXion |
1439 | RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks, it first collects the syscall numbers of the NtOpenFile, NtCreateSection, NtOpenSection and NtMapViewOfSection found in the LdrpThunkSignature array. |
1440 |
1441 |
1442 | | huntresslabs/evading-autoruns |
1443 | Slides and reference material from Evading Autoruns presentation at DerbyCon 7 (September 2017) |
1444 |
1445 |
1446 | | HuskyHacks/RustyProcessInjectors |
1447 | Just some Rust process injector POCs, nothing weird. |
1448 |
1449 |
1450 | | icyguider/Nimcrypt2 |
1451 | .NET, PE, & Raw Shellcode Packer/Loader Written in Nim |
1452 |
1453 |
1454 | | Idov32/FunctionStomping |
1455 | A new shellcode injection technique. Given as C++ header or standalone Rust program. |
1456 |
1457 |
1458 | | infosecn1nja/MaliciousMacroMSBuild |
1459 | Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass. |
1460 |
1461 |
1462 | | iomoath/PowerShx |
1463 | Run Powershell without software restrictions. |
1464 |
1465 |
1466 | | jason-klein/signed-nsis-exe-append-payload |
1467 | Append a custom data payload to a digitally signed NSIS .exe installer |
1468 |
1469 |
1470 | | jfmaes/LazySign |
1471 | Create fake certs for binaries using windows binaries and the power of bat files |
1472 |
1473 |
1474 | | jfmaes/sharpbysentinel |
1475 | Kill telemetry to sentinel |
1476 |
1477 |
1478 | | jfmaes/SharpNukeEventLog |
1479 | nuke that event log using some epic dinvoke fu |
1480 |
1481 |
1482 | | JKornev/hidden |
1483 | Windows driver with usermode interface which can hide processes, file-system and registry objects, protect processes and etc |
1484 |
1485 |
1486 | | JoelGMSec/Invoke-Stealth |
1487 | Simple & Powerful PowerShell Script Obfuscator |
1488 |
1489 |
1490 | | jonatan1024/clrinject |
1491 | Injects C# EXE or DLL Assembly into every CLR runtime and AppDomain of another process. |
1492 |
1493 |
1494 | | jnastarot/furikuri |
1495 | (In dev)furikuri is framework for code protection |
1496 |
1497 |
1498 | | jthuraisamy/SysWhispers |
1499 | SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls. |
1500 |
1501 |
1502 | | jthuraisamy/SysWhispers2 |
1503 | AV/EDR evasion via direct system calls. |
1504 |
1505 |
1506 | | jthuraisamy/TelemetrySourcerer |
1507 | Enumerate and disable common sources of telemetry used by AV/EDR. |
1508 |
1509 |
1510 | | JustasMasiulis/lazy_importer |
1511 | library for importing functions from dlls in a hidden, reverse engineer unfriendly way |
1512 |
1513 |
1514 | | Kara-4search/FullDLLUnhooking_CSharp |
1515 | Unhook DLL via cleaning the DLL 's .text section |
1516 |
1517 |
1518 | | Kara-4search/HellgateLoader_CSharp |
1519 | Load shelcode via HELLGATE, rewrite hellgate for learning purpose. |
1520 |
1521 |
1522 | | Kara-4search/MappingInjection_CSharp |
1523 | MappingInjection via csharp |
1524 |
1525 |
1526 | | karttoon/trigen |
1527 | Trigen is a Python script which uses different combinations of Win32 function calls in generated VBA to execute shellcode. |
1528 |
1529 |
1530 | | kernelm0de/ProcessHider |
1531 | Hide Process From Task Manager using Usermode API Hooking |
1532 |
1533 |
1534 | | klezVirus/chameleon |
1535 | Chameleon is yet another PowerShell obfuscation tool designed to bypass AMSI and commercial antivirus solutions. |
1536 |
1537 |
1538 | | klezVirus/inceptor |
1539 | Template-Driven AV/EDR Evasion Framework |
1540 |
1541 |
1542 | | klezVirus/SharpSelfDelete |
1543 | C# implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs |
1544 |
1545 |
1546 | | klezVirus/SysWhispers3 |
1547 | SysWhispers on Steroids - AV/EDR evasion via direct system calls. |
1548 |
1549 |
1550 | | knight0x07/ImpulsiveDLLHijack |
1551 | C# based tool which automates the process of discovering and exploiting DLL Hijacks in target binaries. The Hijacked paths discovered can later be weaponized during Red Team Operations to evade EDR's. |
1552 |
1553 |
1554 | | kyleavery/inject-assembly |
1555 | Inject .NET assemblies into an existing process |
1556 |
1557 |
1558 | | l373/GIVINGSTORM |
1559 | Infection vector that bypasses AV, IDS, and IPS. (For now...) |
1560 |
1561 |
1562 | | last-byte/unDefender |
1563 | Killing your preferred antimalware by abusing native symbolic links and NT paths. |
1564 |
1565 |
1566 | | lawiet47/STFUEDR |
1567 | Silence EDRs by removing kernel callbacks |
1568 |
1569 |
1570 | | m0rv4i/Ridgway |
1571 | A quick tool for hiding a new process running shellcode. |
1572 |
1573 |
1574 | | magnusstubman/dll-exports |
1575 | Collection of DLL function export forwards for DLL export function proxying |
1576 |
1577 |
1578 | | maltek-labs/Malcode-Obfuscator |
1579 | Polymorphic code obfuscator for use in Red Team operations |
1580 |
1581 |
1582 | | matterpreter/DefenderCheck |
1583 | Identifies the bytes that Microsoft Defender flags on. |
1584 |
1585 |
1586 | | matterpreter/SHAPESHIFTERmatterpreter/SHAPESHIFTER |
1587 | Companion PoC for the "Adventures in Dynamic Evasion" blog post |
1588 |
1589 |
1590 | | mdsecactivebreach/Chameleon |
1591 | Chameleon: A tool for evading Proxy categorisation |
1592 |
1593 |
1594 | | mdsecactivebreach/firewalker |
1595 | This repo contains a simple library which can be used to add FireWalker hook bypass capabilities to existing code |
1596 |
1597 |
1598 | | med0x2e/NoAmci |
1599 | Using DInvoke to patch AMSI.dll in order to bypass AMSI detections triggered when loading .NET tradecraft via Assembly.Load(). |
1600 |
1601 |
1602 | | med0x2e/SigFlip |
1603 | SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys ..etc) without invalidating or breaking the existing signature. |
1604 |
1605 |
1606 | | mgeeky/ElusiveMice |
1607 | Cobalt Strike User-Defined Reflective Loader with AV/EDR Evasion in mind |
1608 |
1609 |
1610 | | mgeeky/ShellcodeFluctuation |
1611 | An in-memory evasion technique fluctuating shellcode memory protection between RW & RX and encrypting/decrypting contents |
1612 |
1613 |
1614 | | mgeeky/Stracciatella |
1615 | OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, Constrained Language Mode and Script Block Logging disabled at startup |
1616 |
1617 |
1618 | | mgeeky/ThreadStackSpoofer |
1619 | Thread Stack Spoofing - PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts. |
1620 |
1621 |
1622 | | MinervaLabsResearch/CoffeeShot |
1623 | CoffeeShot: Avoid Detection with Memory Injection |
1624 |
1625 |
1626 | | mobdk/Upsilon |
1627 | Upsilon execute shellcode with syscalls - no API like NtProtectVirtualMemory is used |
1628 |
1629 |
1630 | | monoxgas/sRDI |
1631 | Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode |
1632 |
1633 |
1634 | | Moriarty2016/NimRDI |
1635 | RDI implementation in Nim |
1636 |
1637 |
1638 | | MRGEffitas/Ironsquirrel |
1639 | Encrypted exploit delivery for the masses |
1640 |
1641 |
1642 | | nccgroup/demiguise |
1643 | HTA encryption tool for RedTeams |
1644 |
1645 |
1646 | | netbiosX/AMSI-Provider |
1647 | A fake AMSI Provider which can be used for persistence. |
1648 |
1649 |
1650 | | netero1010/TrustedPath-UACBypass-BOF |
1651 | Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object. |
1652 |
1653 |
1654 | | nephosec/bof-adios |
1655 | Implementation of Self Deleting Executables |
1656 |
1657 |
1658 | | nettitude/RunPE |
1659 | C# Reflective loader for unmanaged binaries. |
1660 |
1661 |
1662 | | NotPrab/.NET-Obfuscator |
1663 | Lists of .NET Obfuscator (Free, Trial, Paid and Open Source ) |
1664 |
1665 |
1666 | | NtRaiseHardError/Anti-Delete |
1667 | Protects deletion of files with a specified extension using a kernel-mode driver. |
1668 |
1669 |
1670 | | NtRaiseHardError/NINA |
1671 | NINA: No Injection, No Allocation x64 Process Injection Technique |
1672 |
1673 |
1674 | | OmerYa/Invisi-Shell |
1675 | Hide your Powershell script in plain sight. Bypass all Powershell security features |
1676 |
1677 |
1678 | | optiv/ScareCrow |
1679 | ScareCrow - Payload creation framework designed around EDR bypass. |
1680 |
1681 |
1682 | | ORCA666/EVA3 |
1683 | using hellsgate in EVA to get the syscalls |
1684 |
1685 |
1686 | | ORCA666/snaploader |
1687 | Injecting shellcode into 'ntdll.dll' address space in target process, and hijacking its thread without calling GetThreadContext, evading memory scanners, and more ... |
1688 |
1689 |
1690 | | ORCA666/T.D.P |
1691 | Using Thread Description To Hide Shellcode |
1692 |
1693 |
1694 | | OsandaMalith/PE2HTML |
1695 | Injects HTML/PHP/ASP to the PE |
1696 |
1697 |
1698 | | outflanknl/TamperETW |
1699 | PoC to demonstrate how CLR ETW events can be tampered. |
1700 |
1701 |
1702 | | oXis/GPUSleep |
1703 | Move CS beacon to GPU memory when sleeping |
1704 |
1705 |
1706 | | passthehashbrowns/DInvokeProcessHollowing |
1707 | This repository is an implementation of process hollowing shellcode injection using DInvoke from SharpSploit. DInvoke allows operators to use unmanaged code while avoiding suspicious imports or API hooking. |
1708 |
1709 |
1710 | | pathtofile/SealighterTI |
1711 | Combining Sealighter with unpatched exploits to run the Threat-Intelligence ETW Provider |
1712 |
1713 |
1714 | | peewpw/Invoke-PSImage |
1715 | Embeds a PowerShell script in the pixels of a PNG file and generates a oneliner to execute |
1716 |
1717 |
1718 | | PELock/JObfuscator-Python |
1719 | JObfuscator is a source code obfuscator for the Java language. Protect Java source code & algorithms from hacking, cracking, reverse engineering, decompilation & technology theft. |
1720 |
1721 |
1722 | | Pepitoh/VBad |
1723 | VBA Obfuscation Tools combined with an MS office document generator |
1724 |
1725 |
1726 | | phra/PEzor |
1727 | Open-Source PE Packer |
1728 |
1729 |
1730 | | plackyhacker/Peruns-Fart |
1731 | Perun's Fart (Slavic God's Luck). Another method for unhooking AV and EDR, this is my C# version. |
1732 |
1733 |
1734 | | playhacker/SandboxDefender |
1735 | C# code to Sandbox Defender (and most probably other AV/EDRs). |
1736 |
1737 |
1738 | | plackyhacker/SuspendedThreadInjection |
1739 | Another meterpreter injection technique using C# that attempts to bypass Defender |
1740 |
1741 |
1742 | | PwnDexter/SharpEDRChecker |
1743 | Checks running processes, process metadata, Dlls loaded into your current process and the each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV's, EDR's and logging tools. |
1744 |
1745 |
1746 | | r3nhat/XORedReflectiveDLL |
1747 | Reflective DLL Injection with obfuscated (XOR) shellcode |
1748 |
1749 |
1750 | | rasta-mouse/AmsiScanBufferBypass |
1751 | Bypass AMSI by patching AmsiScanBuffer |
1752 |
1753 |
1754 | | RedCursorSecurityConsulting/PPLKiller |
1755 | Tool to bypass LSA Protection (aka Protected Process Light) |
1756 |
1757 |
1758 | | reevesrs24/EvasiveProcessHollowing |
1759 | Evasive Process Hollowing Techniques |
1760 |
1761 |
1762 | | rmdavy/HeapsOfFun |
1763 | AMSI Bypass Via the Heap |
1764 |
1765 |
1766 | | RythmStick/AMSITrigger |
1767 | Hunting for Malicious Strings |
1768 |
1769 |
1770 | | S1ckB0y1337/TokenPlayer |
1771 | Manipulating and Abusing Windows Access Tokens. |
1772 |
1773 |
1774 | | S4R1N/MMFCodeInjection |
1775 | Code Injection via Memory Mapped Files |
1776 |
1777 |
1778 | | sad0p/d0zer |
1779 | Elf binary infector written in Golang |
1780 |
1781 |
1782 | | scrt/avdebugger |
1783 | Most antivirus engines rely on strings or other bytes sequences, function exports and big integers to recognize malware. This project helps to automatically recover these signatures. |
1784 |
1785 |
1786 | | scrt/avcleaner |
1787 | C/C++ source obfuscator for antivirus bypass |
1788 |
1789 |
1790 | | secretsquirrel/SigThief |
1791 | Stealing Signatures and Making One Invalid Signature at a Time |
1792 |
1793 |
1794 | | SecIdiot/TitanLdr |
1795 | Titan: A crappy Reflective Loader written in C and assembly for Cobalt Strike. Redirects DNS Beacon over DoH |
1796 |
1797 |
1798 | | Sh0ckFR/InlineWhispers2 |
1799 | Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2 |
1800 |
1801 |
1802 | | sinfulz/JustEvadeBro |
1803 | JustEvadeBro, a cheat sheet which will aid you through AMSI/AV evasion & bypasses. |
1804 |
1805 |
1806 | | slyd0g/SharpCrashEventLog |
1807 | C# port of LogServiceCrash |
1808 |
1809 |
1810 | | slyd0g/UrbanBishopLocal |
1811 | A port of FuzzySecurity's UrbanBishop project for inline shellcode execution. The execution vector uses a delegate vs an APC on a suspended threat at ntdll!RtlExitUserThread in UrbanBishop |
1812 |
1813 |
1814 | | SolomonSklash/SleepyCrypt |
1815 | A shellcode function to encrypt a running process image when sleeping. |
1816 |
1817 |
1818 | | snovvcrash/DInjector |
1819 | Collection of shellcode injection techniques packed in a D/Invoke weaponized DLL |
1820 |
1821 |
1822 | | stephenfewer/ReflectiveDLLInjection |
1823 | Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process |
1824 |
1825 |
1826 | | t3hbb/NSGenCS |
1827 | Extendable payload obfuscation and delivery framework |
1828 |
1829 |
1830 | | timwhitez/Doge-PX |
1831 | |
1832 |
1833 |
1834 | | timwhitez/Doge-sRDI |
1835 | Shellcode implementation of Reflective DLL Injection by Golang. Convert DLLs to position independent shellcode |
1836 |
1837 |
1838 | | the-xentropy/xencrypt |
1839 | A PowerShell script anti-virus evasion tool |
1840 |
1841 |
1842 | | TheWover/CertStealer |
1843 | A .NET tool for exporting and importing certificates without touching disk. |
1844 |
1845 |
1846 | | TheWover/GhostLoader |
1847 | GhostLoader - AppDomainManager - Injection - 攻壳机动队 |
1848 |
1849 |
1850 | | ThomasThelen/Anti-Debugging |
1851 | A collection of c++ programs that demonstrate common ways to detect the presence of an attached debugger. |
1852 |
1853 |
1854 | | tomcarver16/AmsiHook |
1855 | AmsiHook is a project I created to figure out a bypass to AMSI via function hooking. |
1856 |
1857 |
1858 | | tokyoneon/chimera |
1859 | Chimera is a (shiny and very hack-ish) PowerShell obfuscation script designed to bypass AMSI and commercial
1860 | antivirus solutions. |
1861 |
1862 |
1863 | | Tylous/Limelighter |
1864 | A tool for generating fake code signing certificates or signing real ones |
1865 |
1866 |
1867 | | Tylous/ZipExec |
1868 | A unique technique to execute binaries from a password protected zip |
1869 |
1870 |
1871 | | Unknow101/FuckThatPacker |
1872 | A simple python packer to easily bypass Windows Defender |
1873 |
1874 |
1875 | | VirtualAlllocEx/Payload-Download-Cradles |
1876 | This are different types of download cradles which should be an inspiration to play and create new download cradles to bypass AV/EPP/EDR in context of download cradle detections. |
1877 |
1878 |
1879 | | VirtualAlllocEx/Shellcode-Downloader-CreateThread-Execution |
1880 | This POC gives you the possibility to compile a .exe to completely avoid statically detection by AV/EPP/EDR of your C2-shellcode and download and execute your C2-shellcode which is hosted on your (C2)-webserver. |
1881 |
1882 |
1883 | | waldo-irc/YouMayPasser |
1884 | YouMayPasser is an x64 implementation of Gargoyle |
1885 |
1886 |
1887 | | Wra7h/Single-Dose |
1888 | Generate process injection binaries |
1889 |
1890 |
1891 | | wavestone-cdt/EdrSandblast |
1892 | EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections |
1893 |
1894 |
1895 | | xct/morbol |
1896 | Simple AV Evasion for PE Files |
1897 |
1898 |
1899 | | Yaxser/Backstab |
1900 | A tool to kill antimalware protected processes |
1901 |
1902 |
1903 | | Yet-Zio/WusaBypassUAC |
1904 | UAC bypass abusing WinSxS in "wusa.exe". |
1905 |
1906 |
1907 | | xforcered/InvisibilityCloak |
1908 | Proof-of-concept obfuscation toolkit for C# post-exploitation tools |
1909 |
1910 |
1911 | | zeroperil/HookDump |
1912 | Security product hook detection |
1913 |
1914 |
1915 | | zeroSteiner/crimson-forge |
1916 | Crimson Forge intends to provide sustainable evasion capabilities for native code on the x86 and AMD64 architectures. |
1917 |
1918 |
1919 |
1920 | ## Credential Access
1921 |
1922 |
1923 |
1924 | | Link |
1925 | Description |
1926 |
1927 |
1928 | | 0xZDH/o365spray |
1929 | Username enumeration and password spraying tool aimed at Microsoft O365. |
1930 |
1931 |
1932 | | aas-n/spraykatz |
1933 | Credentials gathering tool automating remote procdump and parse of lsass process. |
1934 |
1935 |
1936 | | alfarom256/BOF-ForeignLsass |
1937 | LSASS Dumping With Foreign Handles |
1938 |
1939 |
1940 | | anthemtotheego/CredBandit |
1941 | Proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel |
1942 |
1943 |
1944 | | antonioCoco/MalSeclogon |
1945 | A little tool to play with the Seclogon service |
1946 |
1947 |
1948 | | Arvanaghi/SessionGopher |
1949 | SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally. |
1950 |
1951 |
1952 | | b4rtik/SharpKatz |
1953 | Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands |
1954 |
1955 |
1956 | | b4rtik/SharpMiniDump |
1957 | Create a minidump of the LSASS process from memory |
1958 |
1959 |
1960 | | Barbarisch/forkatz |
1961 | credential dump using foreshaw technique using SeTrustedCredmanAccessPrivilege |
1962 |
1963 |
1964 | | blacklanternsecurity/TREVORspray |
1965 | A featureful round-robin SOCKS proxy and Python O365 sprayer based on MSOLSpray which uses the Microsoft Graph API |
1966 |
1967 |
1968 | | byt3bl33d3r/SprayingToolkit |
1969 | Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient |
1970 |
1971 |
1972 | | CCob/lsarelayx |
1973 | NTLM relaying for Windows made easy |
1974 |
1975 |
1976 | | CCob/MirrorDump |
1977 | Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory |
1978 |
1979 |
1980 | | codewhitesec/HandleKatz |
1981 | PIC lsass dumper using cloned handles |
1982 |
1983 |
1984 | | connormcgarr/tgtdelegation |
1985 | tgtdelegation is a Beacon Object File (BOF) to obtain a usable TGT via the "TGT delegation trick" |
1986 |
1987 |
1988 | | cube0x0/BofRoast |
1989 | Beacon Object Files for roasting Active Directory |
1990 |
1991 |
1992 | | cube0x0/KrbRelay |
1993 | Framework for Kerberos relaying |
1994 |
1995 |
1996 | | cube0x0/MiniDump |
1997 | C# Lsass parser |
1998 |
1999 |
2000 | | cube0x0/SharpSystemTriggers |
2001 | Collection of remote authentication triggers in C# |
2002 |
2003 |
2004 | | dafthack/MSOLSpray |
2005 | A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled. |
2006 |
2007 |
2008 | | danf42/GetLsaSecrets |
2009 | C# implementation of Get-LSASecrets originally written in PowerShell |
2010 |
2011 |
2012 | | DanMcInerney/icebreaker |
2013 | Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment
2014 | |
2015 |
2016 |
2017 | | deepinstinct/LsassSilentProcessExit |
2018 | Command line interface to dump LSASS memory to disk via SilentProcessExit |
2019 |
2020 |
2021 | | djhohnstein/1PasswordSuite |
2022 | Utilities to extract secrets from 1Password |
2023 |
2024 |
2025 | | Dramelac/GoldenCopy |
2026 | Copy the properties and groups of a user from neo4j (bloodhound) to create an identical golden ticket. |
2027 |
2028 |
2029 | | eladshamir/Internal-Monologue |
2030 | Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS |
2031 |
2032 |
2033 | | EspressoCake/HandleKatz_BOF |
2034 | A BOF port of the research of @thefLinkk and @codewhitesec |
2035 |
2036 |
2037 | | EspressoCake/PPLDump_BOF |
2038 | A faithful transposition of the key features/functionality of @itm4n's PPLDump project as a BOF. |
2039 |
2040 |
2041 | | fireeye/ADFSpoof |
2042 | A python tool to forge AD FS security tokens. |
2043 |
2044 |
2045 | | Flangvik/BetterSafetyKatz |
2046 | Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from
2047 | gentilkiwi GitHub repo, runtime patches signatures and uses SharpSploit DInvoke to PE-Load into memory. |
2048 |
2049 |
2050 | | FSecureLABS/physmem2profit |
2051 | Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical
2052 | memory remotely |
2053 |
2054 |
2055 | | FSecureLABS/SharpClipHistory |
2056 | SharpClipHistory is a .NET application written in C# that can be used to read the contents of a user's clipboard history in Windows 10 starting from the 1809 Build. |
2057 |
2058 |
2059 | | G0ldenGunSec/SharpSecDump |
2060 | .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py |
2061 |
2062 |
2063 | | GhostPack/SafetyKatz |
2064 | SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subTee's
2065 | .NET PE Loader |
2066 |
2067 |
2068 | | GhostPack/SharpDump |
2069 | SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality. |
2070 |
2071 |
2072 | | GhostPack/Rubeus |
2073 | Rubeus is a C# toolset for raw Kerberos interaction and abusesRubeus is a C# toolset for raw Kerberos
2074 | interaction and abuses |
2075 |
2076 |
2077 | | gitjdm/dumper2020 |
2078 | Yet another LSASS dumper |
2079 |
2080 |
2081 | | GossiTheDog/HiveNightmare |
2082 | Exploit allowing you to read registry hives as non-admin |
2083 |
2084 |
2085 | | Greenwolf/ntlm_theft |
2086 | A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf) |
2087 |
2088 |
2089 | | Hackndo/lsassy |
2090 | Extract credentials from lsass remotely |
2091 |
2092 |
2093 | | helpsystems/nanodump |
2094 | Dumping LSASS has never been so stealthy |
2095 |
2096 |
2097 | | horizon3ai/vcenter_saml_login |
2098 | A tool to extract the IdP cert from vCenter backups and log in as Administrator |
2099 |
2100 |
2101 | | HunnicCyber/SharpDomainSpray |
2102 | Basic password spraying tool for internal tests and red teaming |
2103 |
2104 |
2105 | | icyguider/DumpNParse |
2106 | A Combination LSASS Dumper and LSASS Parser. All Credit goes to @slyd0g and @cube0x0. |
2107 |
2108 |
2109 | | IlanKalendarov/PyHook |
2110 | PyHook is an offensive API hooking tool written in python designed to catch various credentials within the API call. |
2111 |
2112 |
2113 | | IlanKalendarov/SharpHook |
2114 | SharpHook is inspired by the SharpRDPThief project, It uses various API hooks in order to give us the desired credentials. |
2115 |
2116 |
2117 | | iomoath/SharpSpray |
2118 | Active Directory password spraying tool. Auto fetches user list and avoids potential lockouts. |
2119 |
2120 |
2121 | | itm4n/PPLdump |
2122 | Dump the memory of a PPL with a userland exploit |
2123 |
2124 |
2125 | | jfmaes/SharpHandler |
2126 | Duplicating handles to dump LSASS since 2021 |
2127 |
2128 |
2129 | | jfmaes/SharpRDPDump |
2130 | Create a minidump of TermService for clear text pw extraction |
2131 |
2132 |
2133 | | Kevin-Robertson/Inveigh |
2134 | Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool |
2135 |
2136 |
2137 | | kindtime/nosferatu |
2138 | Lsass NTLM Authentication Backdoor |
2139 |
2140 |
2141 | | knavesec/CredMaster |
2142 | Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling |
2143 |
2144 |
2145 | | KoreLogicSecurity/wmkick |
2146 | WMkick is a TCP protocol redirector/MITM tool that targets NTLM authentication message flows in WMI (135/tcp) and Powershell-Remoting/WSMan/WinRM (5985/tcp) to capture NetNTLMv2 hashes. |
2147 |
2148 |
2149 | | LuemmelSec/SAML2Spray |
2150 | Python Script for SAML2 Authentication Passwordspray |
2151 |
2152 |
2153 | | m0rv4i/SafetyDump |
2154 | Dump stuff without touching disk |
2155 |
2156 |
2157 | | MadHatt3R-0x90/SharpPuppet |
2158 | Tool Allowing Keystroke Injection Into Arbitrary Window. |
2159 |
2160 |
2161 | | mdsecactivebreach/Farmer |
2162 | Farmer is a project for collecting NetNTLM hashes in a Windows domain. Farmer achieves this by creating a local WebDAV server that causes the WebDAV Mini Redirector to authenticate from any connecting clients. |
2163 |
2164 |
2165 | | mobdk/CopyCat
2166 | | Simple rapper for Mimikatz, bypass Defender |
2167 |
2168 |
2169 | | mobdk/CoreClass |
2170 | Mimikatz embedded as classes |
2171 |
2172 |
2173 | | mobdk/WinBoost |
2174 | Execute Mimikatz with different technique |
2175 |
2176 |
2177 | | nidem/kerberoast |
2178 | Kerberoast is a series of tools for attacking MS Kerberos implementations. Below is a brief overview of what
2179 | each tool does. |
2180 |
2181 |
2182 | | optiv/Talon |
2183 | A password guessing tool that targets the Kerberos and LDAP services within the Windows Active Directory environment. |
2184 |
2185 |
2186 | | oxfemale/LogonCredentialsSteal |
2187 | LOCAL AND REMOTE HOOK msv1_0!SpAcceptCredentials from LSASS.exe and DUMP DOMAIN/LOGIN/PASSWORD IN CLEARTEXT to text file. |
2188 |
2189 |
2190 | | peewpw/Invoke-WCMDump |
2191 | PowerShell Script to Dump Windows Credentials from the Credential Manager |
2192 |
2193 |
2194 | | Pickfordmatt/SharpLocker |
2195 | SharpLocker helps get current user credentials by popping a fake Windows lock screen, all output is sent to Console which works perfect for Cobalt Strike. |
2196 |
2197 |
2198 | | PorLaCola25/TransactedSharpMiniDump |
2199 | Implementation of b4rtiks's SharpMiniDump using NTFS transactions to avoid writting the minidump to disk and exfiltrating it via HTTPS using sockets. |
2200 |
2201 |
2202 | | postrequest/safetydump |
2203 | MiniDump a process in memory with rust |
2204 |
2205 |
2206 | | putterpanda/mimikittenz |
2207 | A post-exploitation powershell tool for extracting juicy info from memory. |
2208 |
2209 |
2210 | | RedCursorSecurityConsulting/SharpHashSpray |
2211 | An execute-assembly compatible tool for spraying local admin hashes on an Active Directory domain. |
2212 |
2213 |
2214 | | ricardojoserf/adfsbrute |
2215 | A script to test credentials against Active Directory Federation Services (ADFS), allowing password spraying or bruteforce attacks. |
2216 |
2217 |
2218 | | ropnop/kerbrute |
2219 | A tool to perform Kerberos pre-auth bruteforcing |
2220 |
2221 |
2222 | | r3ggi/NoMADCredentialsStealer/ |
2223 | NoMAD Credentials Stealer |
2224 |
2225 |
2226 | | rvrsh3ll/SharpEdge |
2227 | C# Implementation of Get-VaultCredential |
2228 |
2229 |
2230 | | rvrsh3ll/TokenTactics |
2231 | Azure JWT Token Manipulation Toolset |
2232 |
2233 |
2234 | | rvrsh3ll/SharpSMBSpray |
2235 | Spray a hash via smb to check for local administrator access |
2236 |
2237 |
2238 | | S3cur3Th1sSh1t/RDPThiefInject |
2239 | RDPThief donut shellcode inject into mstsc |
2240 |
2241 |
2242 | | sec-consult/aggrokatz |
2243 | Aggrokatz is an aggressor plugin extension for Cobalt Strike which enables pypykatz to interface with the beacons remotely and allows it to parse LSASS dump files and registry hive files to extract credentials and other secrets stored without downloading the file and without uploading any suspicious code to the beacon. |
2244 |
2245 |
2246 | | secureworks/whiskeysamlandfriends |
2247 | GoldenSAML Attack Libraries and Framework |
2248 |
2249 |
2250 | | secdev-01/Mimikore |
2251 | .NET 5 Single file Application . Mimikatz or any Base64 PE Loader. |
2252 |
2253 |
2254 | | shantanu561993/SharpLoginPrompt |
2255 | This Program creates a login prompt to gather username and password of the current user. This project allows red team to phish username and password of the current user without touching lsass and having adminitrator credentials on the system. |
2256 |
2257 |
2258 | | ShutdownRepo/smartbrute |
2259 | Password spraying and bruteforcing tool for Active Directory Domain Services |
2260 |
2261 |
2262 | | skelsec/pypykatz |
2263 | Mimikatz implementation in pure Python |
2264 |
2265 |
2266 | | SnaffCon/Snaffler |
2267 | Snaffler is a tool for pentesters to help find delicious candy needles (creds mostly, but it's flexible) in a bunch of horrible boring haystacks (a massive Windows/AD environment). |
2268 |
2269 |
2270 | | swisskyrepo/SharpLAPS |
2271 | Retrieve LAPS password from LDAP |
2272 |
2273 |
2274 | | treebuilder/aad-sso-enum-brute-spray |
2275 | POC of SecureWorks' recent Azure Active Directory password brute-forcing vuln |
2276 |
2277 |
2278 | | uknowsec/SharpDecryptPwd |
2279 | 对密码已保存在 Windwos 系统上的部分程序进行解析,包括:Navicat,TeamViewer,FileZilla,WinSCP,Xmangager系列产品(Xshell,Xftp)。 |
2280 |
2281 |
2282 | | ustayready/SharpHose |
2283 | Asynchronous Password Spraying Tool in C# for Windows Environments |
2284 |
2285 |
2286 | | Viralmaniar/Remote-Desktop-Caching-
2287 | |
2288 | This tool allows one to recover old RDP (mstsc) session information in the form of broken PNG files. These
2289 | PNG files allows Red Team member to extract juicy information such as LAPS passwords or any sensitive
2290 | information on the screen. |
2291 |
2292 |
2293 | | VollRagm/KernelBypassSharp |
2294 | C# Kernel Mode Driver to read and write memory in protected processes |
2295 |
2296 |
2297 | | vyrus001/go-mimikatz |
2298 | A wrapper around a pre-compiled version of the Mimikatz executable for the purpose of anti-virus evasion. |
2299 |
2300 |
2301 | | w1u0u1/minidump |
2302 | Custom implementation of DbgHelp's MiniDumpWriteDump function. Uses static syscalls to replace low-level functions like NtReadVirtualMemory. |
2303 |
2304 |
2305 | | Wra7h/SharpGhosting |
2306 | Process Ghosting in C# |
2307 |
2308 |
2309 | | zcgonvh/SSMSPwd |
2310 | SQL Server Management Studio(SSMS) saved password dumper |
2311 |
2312 |
2313 |
2314 | ## Lateral Movement
2315 |
2316 |
2492 |
2493 | | Link |
2494 | Description |
2495 |
2496 |
2497 | | 3xpl01tc0d3r/Callidus |
2498 | It is developed using .net core framework in C# language. Allows operators to leverage O365 services for
2499 | establishing command & control communication channel. It usages Microsoft Graph APIs for communicating with
2500 | O365 services. |
2501 |
2502 |
2503 | | ahmedkhlief/Ninja |
2504 | Open source C2 server created for stealth red team operations |
2505 |
2506 |
2507 | | bashexplode/cs2webconfig |
2508 | Convert Cobalt Strike profiles to IIS web.config files |
2509 |
2510 |
2511 | | bats3c/shad0w |
2512 | SHAD0W is a modular C2 framework designed to successfully operate on mature environments. |
2513 |
2514 |
2515 | | BishopFox/sliver |
2516 | Sliver is a general purpose cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary. |
2517 |
2518 |
2519 | | blackbotinc/Atomic-Red-Team-Intelligence-C2 |
2520 | ARTi-C2 is a post-exploitation framework used to execute Atomic Red Team test cases with rapid payload deployment and execution capabilities via .NET's DLR. |
2521 |
2522 |
2523 | | boku7/azureOutlookC2 |
2524 | Azure Outlook Command & Control (C2) - Remotely control a compromised Windows Device from your Outlook mailbox. Threat Emulation Tool for North Korean APT InkySquid / ScarCruft / APT37. TTP: Use Microsoft Graph API for C2 Operations. |
2525 |
2526 |
2527 | | byt3bl33d3r/SILENTTRINITY |
2528 | An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR |
2529 |
2530 |
2531 | | cedowens/C2_Cradle |
2532 | Tool to download, install, and run macOS capable command & control servers (i.e., C2s with macOS payloads/clients) as docker containers from a list of options. This is helpful for automating C2 server setup. |
2533 |
2534 |
2535 | | cobbr/C2Bridge |
2536 | C2Bridges allow developers to create new custom communication protocols and quickly utilize them within Covenant. |
2537 |
2538 |
2539 | | cobbr/Covenant |
2540 | Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make
2541 | the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for
2542 | red teamers. |
2543 |
2544 |
2545 | | Cr4sh/MicroBackdoor |
2546 | Small and convenient C2 tool for Windows targets |
2547 |
2548 |
2549 | | cyberark/kubesploit |
2550 | Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments. |
2551 |
2552 |
2553 | | d4rckh/nimc2 |
2554 | nimc2 is a very lightweight C2 written fully in nim (implant & server). |
2555 |
2556 |
2557 | | DeimosC2/DeimosC2 |
2558 | DeimosC2 is a Golang command and control framework for post-exploitation. |
2559 |
2560 |
2561 | | Dliv3/DomainBorrowing |
2562 | Domain Borrowing is a new method to hide your C2 traffic with CDN |
2563 |
2564 |
2565 | | echtdefault/C2-GUI-Template |
2566 | Template for a C2 GUI coded in C++ using Win32 API |
2567 |
2568 |
2569 | | EspressoCake/Cobalt_Strike_Ansible |
2570 | A project to replicate the functionality of Noah Powers' ServerSetup script, but with error handling and fixed Namecheap API support. |
2571 |
2572 |
2573 | | fbkcs/ThunderDNS |
2574 | This tool can forward TCP traffic over DNS protocol. Non-compile clients + socks5 support. |
2575 |
2576 |
2577 | | Flangvik/AzureC2Relay |
2578 | AzureC2Relay is an Azure Function that validates and relays Cobalt Strike beacon traffic by verifying the incoming requests based on a Cobalt Strike Malleable C2 profile. |
2579 |
2580 |
2581 | | geemion/Khepri |
2582 | 🔥🔥🔥Free,Open-Source,Cross-platform agent and Post-exploiton tool written in Golang and C++, the architecture and usage like Cobalt Strike |
2583 |
2584 |
2585 | | gl4ssesbo1/Nebula |
2586 | Cloud C2 Framework, which at the moment offers reconnaissance, enumeration, exploitation, post exploitation on AWS, but still working to allow testing other Cloud Providers and DevOps Components. |
2587 |
2588 |
2589 | | Gr1mmie/AtlasC2 |
2590 | C# C2 Framework centered around Stage 1 operations |
2591 |
2592 |
2593 | | its-a-feature/Mythic |
2594 | A collaborative, multi-platform, red teaming framework |
2595 |
2596 |
2597 | | kgretzky/pwndrop |
2598 | Self-deployable file hosting service for red teamers, allowing to easily upload and share payloads over HTTP and WebDAV. |
2599 |
2600 |
2601 | | leonjza/tc2 |
2602 | Treafik fronted c2 examples |
2603 |
2604 |
2605 | | looCiprian/GC2-sheet |
2606 | GC2 is a Command and Control application that allows an attacker to execute commands on the target machine using Google Sheet and exfiltrate data using Google Drive. |
2607 |
2608 |
2609 | | loseys/BlackMamba |
2610 | BlackMamba is a multi client C2/post exploitation framework with some spyware features. Powered by Python 3.8.6 and QT Framework. |
2611 |
2612 |
2613 | | mttaggart/OffensiveNotion |
2614 | Notion as a platform for offensive operations |
2615 |
2616 |
2617 | | mgeeky/RedWarden |
2618 | Cobalt Strike C2 Reverse proxy that fends off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation |
2619 |
2620 |
2621 | | mhaskar/DNSStager |
2622 | DNSStager is an open-source project based on Python used to hide and transfer your payload using DNS. |
2623 |
2624 |
2625 | | mhaskar/Octopus |
2626 | Open source pre-operation C2 server based on python and powershell |
2627 |
2628 |
2629 | | MythicAgents/Athena |
2630 | Athena is a fully-featured cross-platform agent designed using the .NET 6. Athena is designed for Mythic 2.2 and newer. |
2631 |
2632 |
2633 | | MythicAgents/hermes |
2634 | Swift 5 macOS implant |
2635 |
2636 |
2637 | | NetSPI/SQLC2 |
2638 | SQLC2 is a PowerShell script for deploying and managing a command and control system that uses SQL Server as both the control server and the agent. |
2639 |
2640 |
2641 | | nettitude/SharpSocks |
2642 | Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell |
2643 |
2644 |
2645 | | Ne0nd0g/merlin |
2646 | Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
2647 | |
2648 |
2649 |
2650 | | p3nt4/Invoke-SocksProxy |
2651 | Socks proxy, and reverse socks server using powershell. |
2652 |
2653 |
2654 | | p3nt4/Nuages |
2655 | A modular C2 framework |
2656 |
2657 |
2658 | | Porchetta-Industries/pyMalleableC2 |
2659 | Python interpreter for Cobalt Strike Malleable C2 Profiles. Allows you to parse, build and modify them programmatically. |
2660 |
2661 |
2662 | | Project Prismatica |
2663 | Project Prismatica is a focused framework for Command and Control that is dedicated to extensibility. |
2664 |
2665 |
2666 | | pucarasec/zuthaka |
2667 | Zuthaka is an open source application designed to assist red-teaming efforts, by simplifying the task of managing different APTs and other post-exploitation tools. |
2668 |
2669 |
2670 | | r3nhat/GRAT2 |
2671 | GRAT2 is a Command and Control (C2) tool written in python3 and the client in .NET 4.5 |
2672 |
2673 |
2674 | | sensepost/goDoH |
2675 | godoh - A DNS-over-HTTPS C2 |
2676 |
2677 |
2678 | | shadown-workers/shadow-workers |
2679 | Shadow Workers is a free and open source C2 and proxy designed for penetration testers to help in the exploitation of XSS and malicious Service Workers (SW) |
2680 |
2681 |
2682 | | SpiderLabs/DoHC2 |
2683 | DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be
2684 | leveraged for command and control (C2) via DNS over HTTPS (DoH). |
2685 |
2686 |
2687 | | sysdream/ligolo |
2688 | Reverse Tunneling made easy for pentesters, by pentesters https://sysdream.com/ |
2689 |
2690 |
2691 | | thiagomayllart/Harvis |
2692 | Harvis is designed to automate your C2 Infrastructure. |
2693 |
2694 |
2695 | | threatexpress/mythic2modrewrite |
2696 | Generate Apache mod_rewrite rules for Mythic C2 profiles |
2697 |
2698 |
2699 | | threatexpress/random_c2_profile |
2700 | Cobalt Strike random C2 Profile generator |
2701 |
2702 |
2703 | | tnpitsecurity/ligolo-ngv |
2704 | An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface. |
2705 |
2706 |
2707 | | Tylous/SourcePoint |
2708 | SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion. |
2709 |
2710 |
2711 | | vestjoe/cobaltstrike_services |
2712 | Running Cobalstrike Teamserver as a Service |
2713 |
2714 |
2715 | | X-C3LL/wfp-reader |
2716 | Proof of concept - Covert Channel using Windows Filtering Platform (C#) |
2717 |
2718 |
2719 | | zerosum0x0/koadic |
2720 | Koadic C3 COM Command & Control - JScript RAT |
2721 |
2722 |
2723 |
2724 | ## Exfiltration
2725 |
2726 | 
7 | 
4 |
5 |
6 | 
11 |
12 |
13 |
14 | - [Reconnaissance/Discovery](#reconnaissancediscovery)
15 | - [Initial Access](#initial-access)
16 | - [Execution](#execution)
17 | - [Persistence](#persistence)
18 | - [Privilege Escalation](#privilege-escalation)
19 | - [Defense Evasion](#defense-evasion)
20 | - [Credential Access](#credential-access)
21 | - [Lateral Movement](#lateral-movement)
22 | - [Collection](#collection)
23 | - [Command & Control](#command--control)
24 | - [Exfiltration](#exfiltration)
25 |
26 | ## Reconnaissance/Discovery
27 |
28 |