- New AMSI Bypass Technique Modifying CLR.DLL in Memory – Practical Security Analytics LLC
- desc: New AMSI Bypass Technique Modifying CLR.DLL in Memory – Practical Security Analytics LLC
- tags: maldev,windows
- Restoring Reflective Code Loading on macOS - Objective-See's Blog
- desc: Restoring Reflective Code Loading on macOS
- tags: maldev,macos
- The (Anti-)EDR Compendium
- desc: The (Anti-)EDR Compendium
- tags: maldev
- Home — PhantomSec
- desc: Home — PhantomSec
- tags: maldev
- Backdooring Your Backdoors - watchtower
- desc: Backdooring Your Backdoors
- tags: apt
- #HITB2024BKK #COMMSEC D1: My First and Last Shellcode Loader - YouTube
- desc: #HITB2024BKK #COMMSEC D1: My First and Last Shellcode Loader - YouTube
- tags: maldev
- DevOps access is closer than you assume | Zolder - Applied Security Research
- desc: DevOps access is closer than you assume | Zolder - Applied Security Research
- tags: redteam,phish
- How to detect honeypots in AWS | tejaszarekar
- desc: How to detect honeypots in AWS | tejaszarekar
- tags: redteam,cloud
- ScatterBrain: Unmasking the Shadow of PoisonPlug's Obfuscator | Google Cloud Blog
- desc: ScatterBrain: Unmasking the Shadow of PoisonPlug's Obfuscator | Google Cloud Blog
- tags: blue,hunt,redteam,maldev
- joaoviictorti/coffeeldr
- desc: A COFF Loader written in Rust
- tags: c2,maldev
- joaoviictorti/rustclr
- desc: Host CLR and run .NET binaries using Rust
- tags: maldev,c2
- owasp-noir/noir
- desc: Attack surface detector that identifies endpoints by static analysis
- tags: web
- blackorbird/APT_REPORT
- desc: Interesting APT Report Collection And Some Special IOC
- tags: hunt,blue
- DreamSoule/ollvm17
- desc: Obfuscation LLVM 17
- tags: maldev
- janoglezcampos/llvm-yx-callobfuscator
- desc: LLVM plugin to transparently apply stack spoofing and indirect syscalls to Windows x64 native calls at compile time.
- tags: maldev
- dockur/macos
- desc: OSX (macOS) inside a Docker container.
- tags: macos,infra
- Mayyhem/Maestro
- desc: Abusing Intune for Lateral Movement over C2
- tags: redteam,azure
- eGenix/egenix-pyrun
- desc: eGenix PyRun - Your friendly, lean, open source Python runtime
- tags: dev
- luchina-gabriel/OSX-PROXMOX
- desc: Voilà, install macOS on ANY Computer! This is really and magic easiest way!
- tags: macos,infra
- Macmod/ldapx
- desc: Flexible LDAP proxy that can be used to inspect & transform all LDAP packets generated by other tools on the fly.
- tags: windows,redteam
- chryzsh/linux_bof
- desc: ELF Beacon Object File (BOF) Template
- tags: c2,linux
- logangoins/Cable
- desc: .NET post-exploitation toolkit for Active Directory reconnaissance and exploitation
- tags: windows,redteam
- olafhartong/PockETWatcher
- desc: a tiny program to consume from ETW providers for research
- tags: windows,redteam
- cisagov/ScubaGear
- desc: Automation to assess the state of your M365 tenant against CISA's baselines
- tags: azure,cloud
- syumai/workers
- desc: Go package to run an HTTP server on Cloudflare Workers.
- tags: redteam
- dobin/RedEdr
- desc: Collect Windows telemetry for Maldev
- tags: maldev,detection
- dobin/SuperMega
- desc: Stealthily inject shellcode into an executable
- tags: maldev
- WafflesExploits/Bloodhound-query-legacy2ce
- desc: A Python based tool to convert custom queries from Legacy BloodHound to BloodHound CE format, with the option to directly upload them to the API or save them to a file for later use.
- tags: redteam,utils
- obfuscar/obfuscar
- desc: Open source obfuscation tool for .NET assemblies
- tags: maldev
- LloydLabs/ntqueueapcthreadex-ntdll-gadget-injection
- desc: This novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters by passing a random pop r32; ret gadget can be used for stealthy code injection.
- tags: maldev
- NoahKirchner/speedloader
- desc: Rust template/library for implementing your own COFF loader
- tags: c2
- Swayampadhy/CurveLock
- desc: A modern ransomware designed from scratch to infect faster and encrypt target contents using Elliptical Curve Cryptography
- tags: apt,redteam,purpleteam
- Monitor Cobalt Strike beacon for Windows tokens and gain Kerberos persistence | sokarepo
- desc: Monitor Cobalt Strike beacon for Windows tokens and gain Kerberos persistence | sokarepo
- tags: maldev,windows,kerberos,postex
- Detonating Beacons to Illuminate Detection Gaps — Elastic Security Labs
- desc: Detonating Beacons to Illuminate Detection Gaps — Elastic Security Labs
- tags: maldev,windows,detection
- Breaking Control Flow Flattening: A Deep Technical Analysis | Zerotistic's blog
- desc: Breaking Control Flow Flattening: A Deep Technical Analysis | Zerotistic's blog
- tags: maldev,detection,obfuscation
- Analyzing AitM phish kits and the ways they evade detection
- desc: Analyzing AitM phish kits and the ways they evade detection
- tags: redteam,phish
- How attackers defeat detections based on page signatures
- desc: How attackers defeat detections based on page signatures
- tags: redteam,phish
- Stealthy Attributes of Lazarus APT Group: Evading Detection with Extended Attributes - group-ib
- desc: techniques regarding concealing codes in Extended Attributes in order to evade detection in macOS systems
- tags: apt,redteam,phish,macos
- From HTTP to RCE. How to leave backdoor in IIS | by CICADA8 | Medium
- desc: From HTTP to RCE. How to leave backdoor in IIS | by CICADA8 | Medium
- tags: web,redteam
- zero2504/FrostLock-Injection
- desc: FrostLock Injection is a freeze/thaw-based code injection technique that uses Windows Job Objects to temporarily freeze (suspend) a target process, inject shellcode, and then seamlessly resume (thaw) it.
- tags: maldev
- JayGLXR/MacOS-Stealer-in-Rust
- desc: MacOS Stealer written in Rust. For Legal and Ethical Research Purposes Only.
- tags: maldev,postex,macos
- roadwy/DefenderYara
- desc: Extracted Yara rules from Windows Defender mpavbase and mpasbase
- tags: maldev
- arnetheduck/nlvm
- desc: LLVM-based compiler for the Nim language
- tags: utils,maldev
- RePRGM/Nimpacket
- desc: A library for interacting with Windows through SMB written in Nim.
- tags: utils,windows
- RalfHacker/Kerbeus-BOF
- desc: BOF for Kerberos abuse (an implementation of some important features of the Rubeus).
- tags: windows,postex,redteam
- xforcered/Being-A-Good-CLR-Host
- desc: ICLRRuntimeHost based proof-of-concept for using Common Language Runtime (CLR) customizations in offensive .NET tradecraft
- tags: maldev
- jthack/cewlai
- desc: ai-based domain name generation
- tags: web,utils
- kapellos/LNKSmuggler
- desc: A Python script for creating .lnk (shortcut) files with embedded encoded data and packaging them into ZIP archives.
- tags: phish
- joaoviictorti/rustclr
- desc: Host CLR and run .NET binaries using Rust
- tags: maldev
- jakehildreth/Locksmith
- desc: A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.
- tags: windows,redteam
- BlackSnufkin/LitterBox
- desc: sandbox approach for malware developers and red teamers to test payloads against detection mechanisms before deployment
- tags: maldev
- Building a RuntimeInstaller Payload Pipeline to Evade AV Detection – Practical Security Analytics LLC
- desc: Building a RuntimeInstaller Payload Pipeline to Evade AV Detection – Practical Security Analytics LLC
- tags: maldev,infra
- x86matthew - NTSockets - Downloading a file via HTTP using the NtCreateFile and NtDeviceIoControlFile syscalls
- desc: x86matthew - NTSockets - Downloading a file via HTTP using the NtCreateFile and NtDeviceIoControlFile syscalls
- tags: maldev
- TCC bypasses via launch services
- desc: TCC bypasses via launch services
- tags: maldev,mac
- Introducing lightyear: a new way to dump PHP files
- desc: Introducing lightyear: a new way to dump PHP files
- tags: web,exploit
- An unexpected journey into Microsoft Defender's signature World — retooling_
- desc: An unexpected journey into Microsoft Defender's signature World — retooling_
- tags: maldev,windows
- alufers/mitmproxy2swagger
- desc: Automagically reverse-engineer REST APIs via capturing traffic
- tags: web,utils
- CICADA8-Research/Spyndicapped
- desc: COM ViewLogger — new malware keylogging technique
- tags: redteam
- xforcered/MLOKit
- desc: MLOps Attack Toolkit
- tags: windows,redteam
- safedv/RustPotato
- desc: A Rust implementation of GodPotato — abusing SeImpersonate to gain SYSTEM privileges. Includes a TCP-based reverse shell and indirect NTAPI for various operations.
- tags: windows,postex
- safedv/RustVEHSyscalls
- desc: A Rust port of LayeredSyscall — performs indirect syscalls while generating legitimate API call stack frames by abusing VEH.
- tags: maldev
- Defender for Endpoint: Bypassing Lsass Dump with PowerShell
- desc: Defender for Endpoint: Bypassing Lsass Dump with PowerShell
- tags: redteam
- Beyond the Basics: Exploring Uncommon NTLM Relay Attack Techniques
- desc: lesser-known NTLM relay attacks that are potentially being overlooked
- tags: redteam
- EDR Bypass Testing Reveals Extortion Actor's Toolkit
- desc: EDR Bypass Testing Reveals Extortion Actor's Toolkit
- tags: blue
- Monitor Cobalt Strike beacon for Windows tokens and gain Kerberos persistence | sokarepo
- desc: Monitor Cobalt Strike beacon for Windows tokens and gain Kerberos persistence | sokarepo
- tags: c2,redteam
- LoadLibrary madness: dynamically load WinHTTP.dll - RiskInsight
- desc: LoadLibrary madness: dynamically load WinHTTP.dll - RiskInsight
- tags: maldev,redteam,c2
- Local Admin + Disconnected RDP Sessions – secureyourit.co.uk
- desc: Local Admin + Disconnected RDP Sessions – secureyourit.co.uk
- tags: redteam,windows
- A New Era of macOS Sandbox Escapes: Diving into an Overlooked Attack Surface and Uncovering 10+ New Vulnerabilities – Mickey's Blogs – Exploring the world with my sword of debugger :)
- desc: A New Era of macOS Sandbox Escapes: Diving into an Overlooked Attack Surface and Uncovering 10+ New Vulnerabilities – Mickey's Blogs – Exploring the world with my sword of debugger :)
- tags: mac
- BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake Crypto News and Novel Persistence - SentinelOne
- desc: BlueNoroff Hidden Risk | Threat Actor Targets Macs with Fake Crypto News and Novel Persistence - SentinelOne
- tags: blue,phish
- safedv/RustVEHSyscalls
- desc: Rust port of LayeredSyscall, designed to perform indirect syscalls while generating legitimate API call stack frames by abusing Vectored Exception Handling (VEH) to bypass user-land EDR hooks in Windows.
- tags: maldev
- safedv/RustiveDump
- desc: LSASS memory dumper using only NTAPIs, creating a minimal minidump, built in Rust with no_std and independent of the C runtime (CRT). It can be compiled as shellcode (PIC), supports XOR encryption, and remote file transmission.
- tags: maldev,redteam
- Maldev-Academy/ExecutePeFromPngViaLNK
- desc: Extract and execute a PE embedded within a PNG file using an LNK file.
- tags: phish,redteam,maldev
- NtDallas/KrakenMask
- desc: Sleep obfuscation
- tags: maldev
- Cracked5pider/earlycascade-injection
- desc: early cascade injection PoC based on Outflanks blog post
- tags: maldev
- Zero Day Initiative — Exploiting Exchange PowerShell After ProxyNotShell: Part 2 - ApprovedApplicationCollection
- desc: Zero Day Initiative — Exploiting Exchange PowerShell After ProxyNotShell: Part 2 - ApprovedApplicationCollection
- tags: microsoft
- Protection of privileged users and groups by Azure AD Restricted Management Administrative Units - Thomas Naunheim
- desc: Protection of privileged users and groups by Azure AD Restricted Management Administrative Units - Thomas Naunheim
- tags: cloud,azure
- Using Open Groups to Escalate Privileges in Google Cloud
- desc: Using Open Groups to Escalate Privileges in Google Cloud
- tags: cloud,gcp,privesc
- Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats – Sophos News
- desc: Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats – Sophos News
- tags: gold
- Staying Hidden on the Endpoint: Evading Detection with Shellcode | Mandiant | Google Cloud Blog
- desc: Staying Hidden on the Endpoint: Evading Detection with Shellcode | Mandiant | Google Cloud Blog
- tags: maldev
- Early Cascade Injection: From Windows Process Creation to Stealthy Injection - OutFLank
- desc: technique targets the user-mode part of process creation and combines elements of the well-known Early Bird APC Injection technique with the recently published EDR-Preloading technique by Marcus Hutchins
- tags: maldev
- Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses — Elastic Security Labs
- desc: Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses — Elastic Security Labs
- tags: redteam,stealer
- CloudScout: Evasive Panda scouting cloud services
- desc: CloudScout: Evasive Panda scouting cloud services
- tags: apt,maldev,stealer,redteam
- ZombAIs: From Prompt Injection to C2 with Claude Computer Use - Embrace The Red
- desc: Research on Prompt Injection to C2 implant deployment with Claude Computer Use
- tags: c2, ai
- Exploring Google Cloud Default Service Accounts: Deep Dive and Real-World Adoption Trends | Datadog Security Labs
- desc: Exploring Google Cloud Default Service Accounts: Deep Dive and Real-World Adoption Trends
- tags: cloud,gcp,redteam
- Abusing Azure Arc: From Service Principal Exposed to Reverse Shell - XYBYTES
- desc: Abusing Azure Arc: From Service Principal Exposed to Reverse Shell - XYBYTES
- tags: cloud,redteam
- Mayyhem/Maestro
- desc: Abusing Intune for Lateral Movement over C2
- tags: redteam, c2
- xjasonlyu/tun2socks
- desc: tun2socks - powered by gVisor TCP/IP stack
- tags: redteam,util
- 0xHossam/KernelCallbackTable-Injection-PoC
- desc: Proof of Concept for manipulating the Kernel Callback Table in the Process Environment Block (PEB) to perform process injection and hijack execution flow
- tags: maldev
- OtterHacker/Hooker
- desc: Simple code to detect userland hook setup by the EDR on your process
- tags: maldev
- emiliensocchi/azurehound-queries
- desc: 🌩️ Collection of BloodHound queries for Azure
- tags: cloud, azure
- 0xthirteen/reg_snake
- desc: Python tool to interact with WMI StdRegProv
- tags: redteam,windows
- Relay Your Heart Away: An OPSEC-Conscious Approach to 445 Takeover | by Nick Powers | Aug, 2024 | Posts By SpecterOps Team Members
- desc: Relay Your Heart Away: An OPSEC-Conscious Approach to 445 Takeover | by Nick Powers | Aug, 2024 | Posts By SpecterOps Team Members
- tags: windows, pentest
- Data-Bouncing - The art of indirect exfiltration. Using & Abusing Trusted Domains as a 2nd Order Transport.
- desc: Advanced data exfiltration research
- tags: redteam
- The Lucrative Economics of API Hacking
- desc: The Lucrative Economics of API Hacking
- tags: web
- Operation Crimson Palace: A Technical Deep Dive – Sophos News
- desc: Operation Crimson Palace: A Technical Deep Dive – DLL Stitching
- tags: ir, redteam
- mlcsec/Graphpython
- desc: Modular cross-platform Microsoft Graph API (Entra, o365, and Intune) enumeration and exploitation toolkit
- tags: redteam
- Ludus
- desc: Lab environment solution
- tags: util
- SecuraBV/Timeroast
- desc: Timeroasting scripts by Tom Tervoort
- tags: windows, exploit, redteam
- gravitl/netmaker
- desc: Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.
- tags: infra
- Cobaltlad/LSA_reg2pdf
- desc: Dumping LSA secrets: a story about task decorrelation
- tags: redteam
- GrimResource - Microsoft Management Console for initial access and evasion — Elastic Security Labs
- desc: GrimResource - Microsoft Management Console for initial access and evasion — Elastic Security Labs
- tags: blue,re,apt
- Cracking Zero Trust: On-Prem to Azure Pivots with Responder and Evilginx2 – nullg0re InfoSec
- desc: Cracking Zero Trust: On-Prem to Azure Pivots with Responder and Evilginx2 – nullg0re InfoSec
- tags: windows, azure, relay
- Doubling Down: Detecting In-Memory Threats with Kernel ETW Call Stacks — Elastic Security Labs
- desc: Doubling Down: Detecting In-Memory Threats with Kernel ETW Call Stacks — Elastic Security Labs
- tags: blue
- When the hunter becomes the hunted: Using custom callbacks to disable EDRs - alteredsecurity
- desc: Using custom callbacks to disable EDRs
- tags: maldev
- Offensive VBA - X-C3LL
- desc: Advanced VBA code execution techniques
- tags: phish, redteam
- ScriptBlock Smuggling: Spoofing PowerShell Security Logs and Bypassing AMSI Without Reflection or Patching – BC Security
- desc: ScriptBlock Smuggling: Spoofing PowerShell Security Logs and Bypassing AMSI Without Reflection or Patching – BC Security
- tags: maldev,redteam
- Old new email attacks - Slonser Notes
- desc: Old new email attacks - Slonser Notes
- tags: phish,research
- Rhadamanthys & the 40 thieves
- desc: The nuts, bolts and lineage of the multimodular stealer
- tags: re,blue
- Module Stomping
- desc: Module Stomping
- tags: maldev
- Scheduled Task Tampering – Purple Team
- desc: Scheduled Task Tampering – Purple Team
- tags: windows,redteam,postex
- From Process Injection to Function Hijacking | CyberSecurity Blog
- desc: From Process Injection to Function Hijacking | CyberSecurity Blog
- tags: maldev
- Writing a Sliver C2 Powershell Stager with Shellcode Compression and AES Encryption | by Ycf-Kel | Medium
- desc: Writing a Sliver C2 Powershell Stager with Shellcode Compression and AES Encryption | by Ycf-Kel | Medium
- tags: maldev
- Lateral Movement with the .NET Profiler | by Daniel Mayer | Jun, 2024 | Posts By SpecterOps Team Members
- desc: Lateral Movement with the .NET Profiler | by Daniel Mayer | Jun, 2024 | Posts By SpecterOps Team Members
- tags: maldev
- Abusing auto mail responders to access internal workplaces | by Rikesh Baniya | Jun, 2024 | Medium
- desc: Abusing auto mail responders to access internal workplaces | by Rikesh Baniya | Jun, 2024 | Medium
- tags: phish
- Monitor Cobalt Strike beacon for Windows tokens and gain Kerberos persistence | sokarepo
- desc: Monitor Cobalt Strike beacon for Windows tokens and gain Kerberos persistence | sokarepo
- tags: c2,redteam,postex
- Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 1)
- desc: Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 1)
- tags: research,web
- Let Me Manage Your AppDomain
- desc: Let Me Manage Your AppDomain
- tags: maldev
- A case of missing bytes: bruteforcing your way through Jenkins’ CVE-2024-23897 | Guillaume Quéré
- desc: A case of missing bytes: bruteforcing your way through Jenkins’ CVE-2024-23897 | Guillaume Quéré
- tags: research
- Tyranid's Lair: Working your way Around an ACL
- desc: Tyranid's Lair: Working your way Around an ACL
- tags: windows
- LNK or Swim: Analysis & Simulation of Recent LNK Phishing | Splunk
- desc: LNK or Swim: Analysis & Simulation of Recent LNK Phishing | Splunk
- tags: maldev,phish
- system32 important files
- desc: system32 important files
- tags: windows, utils
- spellshift/realm
- desc: Realm is a cross platform Red Team engagement platform with a focus on automation and reliability.
- tags: redteam, util
- nbaertsch/AutoAppDomainHijack
- desc: Automated .NET AppDomain hijack payload generation
- tags: maldev
- dmacvicar/terraform-provider-libvirt
- desc: Terraform provider to provision infrastructure with Linux's KVM using libvirt
- tags: lab, util
- jfmaes/LazySign
- desc: Create fake certs for binaries using windows binaries and the power of bat files
- tags: maldev
- jakobfriedl/BenevolentLoader
- desc: Shellcode loader using direct syscalls via Hell's Gate and payload encryption.
- tags: maldev
- coremedic/IndirectProxyCall
- desc: Proof of concept demonstrating a method of proxying syscalls indirectly
- tags: maldev
- sud0Ru/impacket-dcom
- desc: Adjusted version of the impacket-dcomexec script to work against Windows 10
- tags: windows, ad
- 0xEr3bus/RdpStrike
- desc: Positional Independent Code to extract clear text password from mstsc.exe using API Hooking via HWBP.
- tags: redteam, ad
- 0xsp-SRD/MDE_Enum
- desc: comprehensive .NET tool designed to extract and display detailed information about Windows Defender exclusions and Attack Surface Reduction (ASR) rules without Admin privileges
- tags: redteam, windows
- An0nUD4Y/Evilginx-Phishing-Infra-Setup
- desc: Evilginx Phishing Engagement Infrastructure Setup Guide
- tags: phish, redteam
- CCob/okta-terrify
- desc: Okta Verify and Okta FastPass Abuse Tool
- tags: postex, cloud
- CICADA8-Research/RemoteKrbRelay
- desc: Remote Kerberos Relay made easy! Advanced Kerberos Relay Framework
- tags: ad, relay, windows
- dchrastil/ScrapedIn
- desc: A tool to scrape LinkedIn without API restrictions for data reconnaissance
- tags: utils, osint
- dreadnode/rigging
- desc: Lightweight LLM Interaction Framework
- tags: llm
- evilsocket/nerve
- desc: stateless rag agent
- tags: llm
- Continue
- desc: Amplified developers, automated development
- tags: util,rag
- erebe/wstunnel
- desc: Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available
- tags: utils, postex
- fiddyschmitt/File-Tunnel
- desc: Tunnel TCP connections through a file
- tags: postex, utils
- fkkarakurt/reconic
- desc: A Powerful Network Reconnaissance Tool for Security Professionals
- tags: osint
- iamunixtz/FireHawk
- desc: FireHawk: The Elite Firebase Security Testing Utility
- tags: osint, recon
- ipSlav/DirtyCLR
- desc: An App Domain Manager Injection DLL PoC on steroids
- tags: maldev
- Kudaes/Dumpy
- desc: Reuse open handles to dynamically dump LSASS.
- tags: postex
- Maldev-Academy/RemoteTLSCallbackInjection
- desc: Utilizing TLS callbacks to execute a payload without spawning any threads in a remote process
- tags: maldev
- MayerDaniel/profiler-lateral-movement
- desc: Lateral Movement via the .NET Profiler
- tags: maldev, postex, phish
- mlcsec/SharpGraphView
- desc: Microsoft Graph API post-exploitation toolkit
- tags: postex, osint
- MrTuxx/OffensiveGolang
- desc: A collection of offensive Go packages inspired by different Go repositories.
- tags: maldev
- netero1010/GhostTask
- desc: A tool employs direct registry manipulation to create scheduled tasks without triggering the usual event logs.
- tags: postex, persistence
- p0dalirius/smbclient-ng
- desc: smbclient-ng, a fast and user friendly way to interact with SMB shares.
- tags: utils
- redteamsocietegenerale/DLLirant
- desc: DLLirant is a tool to automatize the DLL Hijacking researches on a specified binary.
- tags: maldev
- SafeBreach-Labs/DoubleDrive
- desc: A fully-undetectable ransomware that utilizes OneDrive & Google Drive to encrypt target local files
- tags: maldev, util
- sokaRepo/CoercedPotatoRDLL
- desc: Reflective DLL to privesc from NT Service to SYSTEM using SeImpersonateToken privilege
- tags: privesc
- srlabs/Certiception
- desc: An ADCS honeypot to catch attackers in your internal network.
- tags: lab, blue
- theokwebb/C-from-Scratch
- desc: A roadmap to learn C from Scratch
- tags: training
- umutcamliyurt/PingRAT
- desc: PingRAT secretly passes C2 traffic through firewalls using ICMP payloads.
- tags: maldev
- vxCrypt0r/Voidgate
- desc: A technique that can be used to bypass AV/EDR memory scanners. This can be used to hide well-known and detected shellcodes (such as msfvenom) by performing on-the-fly decryption of individual encrypted assembly instructions, thus rendering memory scanners useless for that specific memory page.
- tags: maldev
- Wh1t3Rh1n0/SlackEnum
- desc: A user enumeration tool for Slack.
- tags: osint
- whokilleddb/SOAPHound
- desc: SOAPHound is a custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol.
- tags: postex, windows
- Welcome to Comprehensive Rust 🦀 - Comprehensive Rust 🦀
- desc: Welcome to Comprehensive Rust 🦀 - Comprehensive Rust 🦀
- tags: training
- LOOBins - Living Off the Orchard: macOS Binaries
- desc: LOOBins - Living Off the Orchard: macOS Binaries
- tags: macos
- DosX-dev/obfus.h
- desc: Macro-header for compile-time C obfuscation (tcc, win x86/x64)
- tags: maldev
- ac3ss0r/obfusheader.h
- desc: Obfusheader.h is a portable header file for C++14 compile-time obfuscation.
- tags: maldev
- lissy93/web-check
- desc: 🕵️♂️ All-in-one OSINT tool for analysing any website
- tags: web,recon
- Agent Tesla Targeting United States & Australia: Revealing the Attackers' Identities - Check Point Research
- desc: Agent Tesla Targeting United States & Australia: Revealing the Attackers' Identities - Check Point Research
- tags: ir
- Bringing Python to Workers using Pyodide and WebAssembly
- desc: Bringing Python to Workers using Pyodide and WebAssembly
- tags: phish, c2, redteam
- Bypass Intune Device Platform Enrollment Restrictions on Windows
- desc: Bypass Intune Device Platform Enrollment Restrictions on Windows
- tags: windows, azure
- SVG Files Abused in Emerging Campaigns | Cofense
- desc: SVG Files Abused in Emerging Campaigns | Cofense
- tags: phish
- Writing Sliver C2 Extensions in Rust | by Luke Paris | Paradoxis
- desc: Writing Sliver C2 Extensions in Rust | by Luke Paris | Paradoxis
- tags: c2
- AiTM Phishing with Azure Functions | by Nicola | Apr, 2024 | Medium
- desc: Misusing Azure functions for social engineering
- tags: phish, creds
- Hijacking & Spoofing Context Menu Options | mr.d0x
- desc: Hijacking & Spoofing Context Menu Options
- tags: phish
- Leaking NTLM Credentials Through Windows Themes
- desc: NTLM phish leak
- tags: phish, reds
- MultiDump - Xre0uS
- desc: MultiDump - Xre0uS
- tags: postex
- Disable Windows Defender UAC Bypass, + Upgrade to SYSTEM – DSAS INJECT
- desc: Disable Windows Defender (+ UAC Bypass, + Upgrade to SYSTEM) – DSAS INJECT
- tags: windows, privesc
- TrustedSec | Behind the Code: Assessing Public Compile-Time…
- desc: TrustedSec | Behind the Code: Assessing Public Compile-Time…
- tags: maldev
- TrustedSec | Weaponization of Token Theft – A Red Team Perspective
- desc: TrustedSec | Weaponization of Token Theft – A Red Team Perspective
- tags: redteam, postex
- ThievingFox - Remotely retrieving credentials from password managers and Windows utilities - Slowerzs' blog
- desc: ThievingFox - Remotely retrieving credentials from password managers and Windows utilities
- tags: postex, redteam
- From Hidden Bee to Rhadamanthys - The Evolution of Custom Executable Formats - Check Point Research
- desc: From Hidden Bee to Rhadamanthys - The Evolution of Custom Executable Formats - Check Point Research
- tags: apt, phish, ir
- GTPDOOR - A novel backdoor tailored for covert access over the roaming exchange
- desc: GTPDOOR - A novel backdoor tailored for covert access over the roaming exchange
- tags: ir
- Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks | Trend Micro (US)
- desc: Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks | Trend Micro (US)
- tags: phish, ir
- Finding pastures new: An alternate approach for implant design | by Sapientflow | Mar, 2024 | Medium
- desc: Finding pastures new: An alternate approach for implant design | by Sapientflow | Mar, 2024 | Medium
- tags: maldev
- Achieving DLL Side-Loading in the Original Process - Okiok
- desc: Achieving DLL Side-Loading in the Original Process - Okiok
- tags: maldev
- Bypass AMSI on Windows 11. Motivation | by Gustav Shen | Medium
- desc: Bypass AMSI on Windows 11. Motivation | by Gustav Shen | Medium
- tags: windows, postex
- Hidden GitHub Commits and How to Reveal Them — Neodyme
- desc: Hidden GitHub Commits and How to Reveal Them — Neodyme
- tags: redteam, creds
- aforensics/HiddenVM
- desc: HiddenVM — Use any desktop OS without leaving a trace.
- tags: redteam
- SaadAhla/dropper
- desc: Project that generates Malicious Office Macro Enabled Dropper for DLL SideLoading and Embed it in Lnk file to bypass MOTW
- tags: phish
- RedByte1337/GraphSpy
- desc: Initial Access and Post-Exploitation Tool for AAD and O365 with a browser-based GUI
- tags: phish, azure
- xjasonlyu/tun2socks
- desc: tun2socks - powered by gVisor TCP/IP stack
- tags: utils
- hmgle/graftcp
- desc: A flexible tool for redirecting a given program's TCP traffic to SOCKS5 or HTTP proxy.
- tags: utils
- dunderhay/git-rotate
- desc: Leveraging GitHub Actions to rotate IP addresses during password spraying attacks to bypass IP-Based blocking
- tags: utils, spray
- SySS-Research/azurenum
- desc: Enumerate Microsoft Entra ID (Azure AD) fast
- tags: azure
- MultSec/MultCheck
- desc: Identifies bad bytes from static analysis with any Anti-Virus scanner.
- tags: maldev
- wikiZ/RedGuard
- desc: RedGuard is a C2 front flow control tool that can avoid Blue Team, AV, and EDR checks.
- tags: utils, phish
- xpn/CloudInject
- desc: Okta misuse
- tags: postex, redteam
- dsnezhkov/shutter
- desc: Windows Filtering Platform network controls
- tags: util, postex, redteam
- xforcered/ADOKit
- desc: Azure DevOps Services Attack Toolkit
- tags: azure
- Source Code Disclosure in ASP.NET apps – PT SWARM
- desc: Source Code Disclosure in ASP.NET apps – PT SWARM
- tags: web
- Evasive Panda leverages Monlam Festival to target Tibetans
- desc: evasive c# loader, watering hole
- tags: apt
- CryptoChameleon: New Phishing Tactics Exhibited in FCC-Targeted Attack | Lookout Threat Intelligence
- desc: Manual MiTM phishing kit
- tags: apt, phish
- Rise in Deceptive PDF: The Gateway to Malicious Payloads | McAfee Blog
- desc: Rise in Deceptive PDF: The Gateway to Malicious Payloads | McAfee Blog
- tags: phish,init
- Unveiling malware behavior trends — Elastic Security Labs
- desc: Unveiling malware behavior trends — Elastic Security Labs
- tags: maldev,redteam,detection
- Unveiling the depths of Residential Proxies providers - Sekoia.io Blog
- desc: Unveiling the depths of Residential Proxies providers - Sekoia.io Blog
- tags: redteam
- Building an AITM attack tool in Cloudflare Workers (174 LOC) – Zolder B.V.
- desc: Building an AITM attack tool in Cloudflare Workers (174 LOC) – Zolder B.V.
- tags: phish
- Semi-Annual Chronicles of UAC-0006
- desc: Detailed analysis of UAC-0006 operations
- tags: redteam,phish,lnk,javascript,initaccess
- Hook, Line and Sinker: Phishing Windows Hello for Business | by Yehuda Smirnov | Mar, 2024 | Medium
- desc: Hook, Line and Sinker: Phishing Windows Hello for Business | by Yehuda Smirnov | Mar, 2024 | Medium
- tags: phish,redteam
- Identity Providers for RedTeamers - XPN InfoSec Blog
- desc: Identity Providers for RedTeamers - XPN InfoSec Blog
- tags: sso,redteam,postex
- Hidden GitHub Commits and How to Reveal Them — Neodyme
- desc: Hidden GitHub Commits and How to Reveal Them — Neodyme
- tags: postex, redteam, bugbounty
- CODE WHITE - Finest Hacking
- desc: CODE WHITE - Finest Hacking
- tags: web,exploit
- Unveiling custom packers: A comprehensive guide – Estrellas's Blog – Threat Research & Reverse Engineering.
- desc: Unveiling custom packers: A comprehensive guide – Estrellas's Blog – Threat Research & Reverse Engineering.
- tags: malware,re
- How to find the AWS Account ID of any S3 Bucket
- desc: How to find the AWS Account ID of any S3 Bucket
- tags: aws
- An In-depth Exploration into WebClient Abuse | Redfox Security
- desc: An In-depth Exploration into WebClient Abuse | Redfox Security
- tags: redteam,AD
- Automating C2 Infrastructure with Terraform, Nebula, Caddy and Cobalt Strike
- desc: Automating C2 Infrastructure with Terraform, Nebula, Caddy and Cobalt Strike
- tags: utils,infra
- SensePost | Mail in the middle – a tool to automate spear phishing campaigns
- desc: SensePost | Mail in the middle – a tool to automate spear phishing campaigns
- tags: phish
- TA577’s Unusual Attack Chain Leads to NTLM Data Theft | Proofpoint US
- desc: TA577’s Unusual Attack Chain Leads to NTLM Data Theft | Proofpoint US
- tags: phish,initaccess
- NilsIrl/dockerc
- desc: container image to single executable compiler
- tags: util
- Xre0uS/MultiDump
- desc: MultiDump is a post-exploitation tool for dumping and extracting LSASS memory discreetly.
- tags: postex,windows
- skelsec/evilrdp
- desc: RDP execution framework
- tags: windows,util
- wh0amitz/SharpADWS
- desc: Active Directory reconnaissance and exploitation for Red Teams via the Active Directory Web Services (ADWS).
- tags: ad
- zolderio/AITMWorker
- desc: Proof of concept: using a Cloudflare worker for AITM attacks
- tags: phish
- Weaponizing Windows Thread Pool APIs: Proxying DLL Loads Using I/O Completion Callbacks - fin3ss3g0d's Blog
- desc: Weaponizing Windows Thread Pool APIs: Proxying DLL Loads Using I/O Completion Callbacks - fin3ss3g0d's Blog
- tags: maldev
- mvelazc0/msInvader
- desc: M365/Azure adversary simulation tool designed to simulate adversary techniques and generate attack telemetry.
- tags: azure
- Kudaes/Shelter
- desc: ROP-based sleep obfuscation to evade memory scanners
- tags: maldev,rust
- LOTP - Living Off the Pipeline
- desc: LOTP - Living Off the Pipeline
- tags: cicd,redteam
- SafeBreach-Labs/PoolParty
- desc: A set of fully-undetectable process injection techniques abusing Windows Thread Pools
- tags: maldev
- MacOS CI/CD with Tart. How Snowflake’s Red Team uses Tart and… | by Justin Bui | Snowflake | Feb, 2024 | Medium
- desc: MacOS CI/CD with Tart. How Snowflake’s Red Team uses Tart and… | by Justin Bui | Snowflake | Feb, 2024 | Medium
- tags: infra, mac
- MSSQL linked servers: abusing ADSI for password retrieval
- desc: MSSQL linked servers: abusing ADSI for password retrieval
- tags: redteam,windows
- Azure AD Security Defaults/MFA Bypass with Graph API | by Root ♊ | Medium
- desc: Azure AD Security Defaults/MFA Bypass with Graph API | by Root ♊ | Medium
- tags: cloud,redteam
- Customizing Sliver - Part 1 - hn security
- desc: Customizing Sliver - Part 1 - hn security
- tags: c2,redteam
- “Can't Stop the Phish” - Tips for Warming Up Your Email Domain Right - White Knight Labs
- desc: “Can't Stop the Phish” - Tips for Warming Up Your Email Domain Right - White Knight Labs
- tags: redteam,phish
- Hello: I’m your ADCS server and I want to authenticate against you – Decoder's Blog
- desc: Hello: I’m your ADCS server and I want to authenticate against you – Decoder's Blog
- tags: ad
- Ransomware in the honeypot: how we capture keys with sticky canary files — Elastic Security Labs
- desc: Ransomware in the honeypot: how we capture keys with sticky canary files — Elastic Security Labs
- tags: detection
- .NET Threadless Process Injection | by Daniel Santos | Feb, 2024 | Medium
- desc: .NET Threadless Process Injection | by Daniel Santos | Feb, 2024 | Medium
- tags: maldev
- CharmingCypress: Innovating Persistence | Volexity
- desc: CharmingCypress: Innovating Persistence | Volexity
- tags: phish,init
- The Untold Story of the Boldest Supply-Chain Hack Ever
- desc: Sunburst Orion CI CD compromise & software fix
- tags: apt
- You can not simply publicly access private secure links, can you? | Vin01’s Blog
- desc: You can not simply publicly access private secure links, can you? | Vin01’s Blog
- tags: research
- Idov31/Nidhogg
- desc: Nidhogg is an all-in-one simple to use rootkit.
- tags: redteam, maldev
- Hiding In PlainSight - Indirect Syscall is Dead! Long Live Custom Call Stacks
- desc: Hiding In PlainSight - Indirect Syscall is Dead! Long Live Custom Call Stacks
- tags: maldev
- CDPSvc DLL Hijacking - From LOCAL SERVICE to SYSTEM | itm4n's blog
- desc: CDPSvc DLL Hijacking - From LOCAL SERVICE to SYSTEM | itm4n's blog
- tags: maldev
- Idov31/Jormungandr
- desc: Jormungandr is a kernel implementation of a COFF loader, allowing kernel developers to load and execute their COFFs in the kernel.
- tags: maldev,kernel
- hakaioffsec/coffee
- desc: A COFF loader made in Rust
- tags: maldev,redteam,c2
- mertdas/SharpTerminator
- desc: Terminate AV/EDR Processes using kernel driver
- tags: redteam,windows
- d3ext/hooka
- desc: Evasive shellcode loader, hooks detector and more
- tags: maldev
- r0oth3x49/ghauri
- desc: An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws
- tags: web
- Xacone/BestEdrOfThemarket
- desc: Little AV/EDR bypassing lab for training & learning purposes
- tags: c2,maldev,redteam,opsec
- fortra/No-Consolation
- desc: A BOF that runs unmanaged PEs inline
- tags: maldev,c2
- jborean93/dpapi-ng
- desc: Python DPAPI NG Decryptor for non-Windows Platforms
- tags: windows
- RedTeamPentesting/resocks
- desc: mTLS-Encrypted Back-Connect SOCKS5 Proxy
- tags: redteam,utility
- garrettfoster13/sccmhunter
- desc: tool for identifying, profiling, and attacking SCCM related assets
- tags: ad,redteam
- nettitude/ETWHash
- desc: C# POC to extract NetNTLMv1/v2 hashes from ETW provider
- tags: ad
- 0xNslabs/CanaryTokenScanner
- desc: Script designed to identify Canary Tokens within Microsoft Office documents and Acrobat Reader PDF (docx, xlsx, pptx, pdf).
- tags: redteam,util
- Mr-Un1k0d3r/MsGraphFunzy
- desc: Scripts to interact with Microsoft Graph APIs
- tags: cloud,azure
- dockur/windows
- desc: Windows in a Docker container.
- tags: util
- Docker
- desc: Docker
- tags: maldev,util
- How to protect Evilginx using Cloudflare and HTML Obfuscation
- desc: How to protect Evilginx using Cloudflare and HTML Obfuscation
- tags: phish, redteam
- Okta for Red Teamers — Perimeter Edition | by Nick VanGilder | nickvangilder | Medium
- desc: Okta for Red Teamers — Perimeter Edition | by Nick VanGilder | nickvangilder | Medium
- tags: phish, redteam
- Google OAuth is Broken (Sort Of) ◆ Truffle Security Co.
- desc: Google OAuth is Broken (Sort Of) ◆ Truffle Security Co.
- tags: web, exploit, phish
- Phishing the anti-phishers: Exploiting anti-phishing tools for internal access
- desc: abusing email scanners with automated confirmation email links
- tags: redteam
- Phishing through Slack for initial access
- desc: Phishing through Slack for initial access
- tags: phish, redteam
- Unmanaged .NET Patching - outflank
- desc: unmanaged patching of managed code (fighting exit during inline exec)
- tags: maldev
- Havoc C2 with AV/EDR Bypass Methods in 2024 (Part 1) | by Sam Rothlisberger | Jan, 2024 | Medium
- desc: Havoc C2 with AV/EDR Bypass Methods in 2024 (Part 1) | by Sam Rothlisberger | Jan, 2024 | Medium
- tags: maldev
- How to perform a Complete Process Hollowing - Red Team SNCF
- desc: How to perform a Complete Process Hollowing - Red Team SNCF
- tags: maldev
- Pentesting Azure: RECON Techniques – Security Café
- desc: Pentesting Azure: RECON Techniques – Security Café
- tags: cloud
- Installing WinDbg
- desc: Installing WinDbg
- tags: utils, re
- Shadow Credentials: Workstation Takeover Edition
- desc: Shadow Credentials: Workstation Takeover Edition
- tags: windows, privesc
- Active Directory Enumeration for Red Teams - MDSec
- desc: Active Directory Enumeration for Red Teams - MDSec
- tags: redteam, opsec
- Azure AD Pass The Certificate. Intro | by Mor | Medium
- desc: Azure AD Pass The Certificate. Intro | by Mor | Medium
- tags: cloud
- How to set up Evilginx to phish Office 365 credentials - JanBakker.tech
- desc: How to set up Evilginx to phish Office 365 credentials - JanBakker.tech
- tags: phish
- Bypassing EDRs With EDR-Preloading
- desc: Bypassing EDRs With EDR-Preloading
- tags: maldev
- CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day
- desc: CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day
- tags: nday, threatintel
- CharmingCypress: Innovating Persistence | Volexity
- desc: CharmingCypress: Innovating Persistence | Volexity
- tags: re, threatintel
- The Risks of the #MonikerLink Bug in Microsoft Outlook and the Big Picture - Check Point Research
- desc: The Risks of the #MonikerLink Bug in Microsoft Outlook and the Big Picture - Check Point Research
- tags: nday, research
- waelmas/frameless-bitb
- desc: A new approach to Browser In The Browser (BITB) without the use of iframes, allowing the bypass of traditional framebusters implemented by login pages like Microsoft and the use with Evilginx.
- tags: phish, redteam
- nodauf/GoMapEnum
- desc: User enumeration and password bruteforce on Azure, ADFS, OWA, O365, Teams and gather emails on Linkedin
- tags: windows, postex
- NYAN-x-CAT/AsyncRAT-C-Sharp
- desc: Open-Source Remote Administration Tool For Windows C# (RAT)
- tags: windows
- DebugPrivilege/InsightEngineering
- desc: Hardcore Debugging
- tags: re, maldev
- rasta-mouse/CsWhispers
- desc: Source generator to add D/Invoke and indirect syscall methods to a C# project.
- tags: maldev
- Slowerzs/ThievingFox
- desc: collection of post-exploitation tools to gather credentials from various password managers and windows utilities.
- tags: postex, windows
- plerionhq/conditional-love
- desc: An AWS metadata enumeration tool by Plerion
- tags: cloud
- spyr0-sec/AutomatedBadLab
- desc: Scripts to provision vulnerable and testing environments using AutomatedLab
- tags: utils, windows, lab
- The-Z-Labs/bof-launcher
- desc: Beacon Object File (BOF) launcher - library for executing BOF files in C/C++/Zig applications
- tags: maldev, redteam, windows
- hoodoer/JS-Tap
- desc: JavaScript payload and supporting software to be used as XSS payload or post exploitation implant to monitor users as they use the targeted application.
- tags: phish, redteam
- leandrofroes/gftrace
- desc: A command line Windows API tracing tool for Golang binaries.
- tags: utils
- Creating an OPSEC safe loader for Red Team Operations - LRQA Nettitude Labs
- desc: Creating an OPSEC safe loader for Red Team Operations - LRQA Nettitude Labs
- tags: mal
- Making Okta do keylogging for you
- desc: Making Okta do keylogging for you
- tags: redteam, phish
- Evilginx, meet BITB – Rasta Mouse
- desc: Evilginx, meet BITB – Rasta Mouse
- tags: redteam, phish
- Unveiling LummaC2 stealer’s novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection - Outpost24
- desc: Unveiling LummaC2 stealer’s novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection - Outpost24
- tags: maldev, redteam
- Beyond File Search: A Novel Method for Exploiting the "search-ms" URI Protocol Handler
- desc: "search-ms" URI Protocol Handler initial access research
- tags: phish
- Phishing through Slack for initial access
- desc: Phishing through Slack for initial access
- tags: phish
- ZipLink - Combine Zips and Lnk for fun and profit | BadOption.eu
- desc: ZipLink - Combine Zips and Lnk for fun and profit | BadOption.eu
- tags: phish
- Abusing LNK "Features" for Initial Access and Persistence
- desc: Abusing LNK "Features" for Initial Access and Persistence
- tags: phish
- Cloud Threat Landscape
- desc: Cloud Threat Landscape
- tags: cloud
- A christmas tale: pwning GTB Central Console (CVE-2024-22107 & CVE-2024-22108)
- desc: DLP software called “GTB” exploit research
- tags: writeup
- Talkback
- desc: Talkback
- tags: utils
- A short note on AWS KEY ID. As I was playing with AWS… | by Tal Be'ery | Medium
- desc: A short note on AWS KEY ID. As I was playing with AWS… | by Tal Be'ery | Medium
- tags: cloud
- Device Code Phishing – Add Your Own Sign-In Methods on Entra ID – Compass Security Blog
- desc: Device Code Phishing – Add Your Own Sign-In Methods on Entra ID – Compass Security Blog
- tags: cloud, azure
- A Practical Guide to PrintNightmare in 2024 | itm4n's blog
- desc: A Practical Guide to PrintNightmare in 2024 | itm4n's blog
- tags: windows, redteam, exploit, privesc
- Trusted Domain, Hidden Danger: Deceptive URL Redirections in Email Phishing Attacks
- desc: Trusted Domain, Hidden Danger: Deceptive URL Redirections in Email Phishing Attacks
- tags: phish, redteam
- ADCS Attack Paths in BloodHound — Part 1 - SpecterOps
- desc: ADCS Attack Paths in BloodHound — Part 1 - SpecterOps
- tags: windows, redteam
- Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
- desc: Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
- tags: windows, redteam
- zblurx/certsync
- desc: Dump NTDS with golden certificates and UnPAC the hash
- tags: windows
- AlmondOffSec/PassTheCert
- desc: Proof-of-Concept tool to authenticate to an LDAP/S server with a certificate through Schannel
- tags: windows
- netero1010/EDRSilencer
- desc: A tool that uses the Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.
- tags: windows
- TheCyb3rAlpha/BobTheSmuggler
- desc: "Bob the Smuggler": A tool that leverages HTML Smuggling Attack and allows you to create HTML files with embedded 7z/zip archive.
- tags: maldev
- unknownhad/CloudIntel
- desc: This repo contains IOC, malware and malware analysis associated with Public cloud
- tags: cloud, malware
- Mr-Un1k0d3r/.NetConfigLoader
- desc: .net config loader
- tags: malware
- The-Z-Labs/bof-launcher
- desc: Beacon Object File (BOF) launcher - library for executing BOF files in C/C++/Zig applications
- tags: c2
- jacob-baines/concealed_position
- desc: Bring your own print driver privilege escalation tool
- tags: windows, exploit, maldev
- Krook9d/PurpleLab
- desc: PurpleLab is an efficient and readily deployable lab solution
- tags: redteam, util
- h4wkst3r/ADOKit
- desc: Azure DevOps Services Attack Toolkit
- tags: cloud
- narfindustries/http-garden
- desc: Differential testing and fuzzing of HTTP servers and proxies
- tags: web, exploit
- FalconForceTeam/SOAPHound
- desc: SOAPHound is a custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol.
- tags: windows, redteam
- Less SmartScreen More Caffeine: (Ab)Using ClickOnce for Trusted Code Execution | by Nick Powers | Posts By SpecterOps Team Members
- desc: Less SmartScreen More Caffeine: (Ab)Using ClickOnce for Trusted Code Execution | by Nick Powers | Posts By SpecterOps Team Members
- tags: phish, redteam
- Backdooring ClickOnce .NET Apps for Initial Access: A Practical Example | by István Tóth | InfoSec Write-ups
- desc: Backdooring ClickOnce .NET Apps for Initial Access: A Practical Example | by István Tóth | InfoSec Write-ups
- tags: phish, redteam
- Fantastic BloodHound Queries and Where to Find Them – LuemmelSec – Just an admin on someone else´s computer
- desc: Fantastic BloodHound Queries and Where to Find Them – LuemmelSec – Just an admin on someone else´s computer
- tags: redteam, util
- Zero Effort Private Key Compromise: Abusing SSH-Agent For Lateral Movement
- desc: Zero Effort Private Key Compromise: Abusing SSH-Agent For Lateral Movement
- tags: redteam
- Azure AD Security Defaults/MFA Bypass with Graph API | by Root ♊ | Aug, 2023 | Medium
- desc: Azure AD Security Defaults/MFA Bypass with Graph API | by Root ♊ | Aug, 2023 | Medium
- tags: cloud
- SVG Smuggling: A picture worth a thousand words | by delivr.to | Medium
- desc: SVG Smuggling: A picture worth a thousand words | by delivr.to | Medium
- tags: phish, redteam
- Writing your own RDI /sRDI loader using C and ASM
- desc: Writing your own RDI /sRDI loader using C and ASM
- tags: maldev
- A Deep Dive into Penetration Testing of macOS Applications (Part 1)
- desc: A Deep Dive into Penetration Testing of macOS Applications (Part 1)
- tags: mac, redteam
- ZeroMemoryEx/Terminator
- desc: Reproducing Spyboy technique to terminate all EDR/XDR/AVs processes
- tags: maldev, redteam
- Octoberfest7/DropSpawn_BOF
- desc: CobaltStrike BOF to spawn Beacons using DLL Application Directory Hijacking
- tags: c2, redteam
- wavvs/nanorobeus
- desc: COFF file (BOF) for managing Kerberos tickets.
- tags: redteam, windows
- WKL-Sec/dcomhijack
- desc: Lateral Movement Using DCOM and DLL Hijacking
- tags: windows, redteam, maldev
- S3cur3Th1sSh1t/Ruy-Lopez
- desc: PIC-Code for hooked NtCreateSection function
- tags: maldev
- dobin/avred
- desc: Analyse your malware to surgically obfuscate it
- tags: maldev, util
- W01fh4cker/VcenterKit
- desc: Vcenter Comprehensive Penetration and Exploitation Toolkit
- tags: redteam, cloud
- nyxgeek/o365recon
- desc: retrieve information via O365 and AzureAD with a valid cred
- tags: cloud, redteam
- CognisysGroup/SweetDreams
- desc: Implementation of Advanced Module Stomping and Heap/Stack Encryption
- tags: maldev
- nicocha30/ligolo-ng
- desc: An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface.
- tags: redteam, util
- x42en/sysplant
- desc: Your syscall factory
- tags: maldev
- werdhaihai/AtlasReaper
- desc: A command-line tool for reconnaissance and targeted write operations on Confluence and Jira instances.
- tags: redteam, util
- D00Movenok/BounceBack
- desc: ↕️ 🤫 Stealth redirector for your red team operation security
- tags: util, redteam
- lem0nSec/ShellGhost
- desc: A memory-based evasion technique which makes shellcode invisible from process start to end.
- tags: maldev
- Attacking and Defending Azure & M365
- desc: Attacking and Defending Azure & M365
- tags: cloud, training
- Building a (slightly) better Melkor – Rasta Mouse
- desc: Building a (slightly) better Melkor – Rasta Mouse
- tags: maldev
- From C, with inline assembly, to shellcode - 0xTriboulet
- desc: From C, with inline assembly, to shellcode - 0xTriboulet
- tags: maldev
- Knocking on Hell’s Gate - EDR Evasion Through Direct Syscalls | Enigma Labs
- desc: Knocking on Hell’s Gate - EDR Evasion Through Direct Syscalls | Enigma Labs
- tags: maldev
- Offensive Tool Development - The Shellcode Compiler Was Right There All Along… (Part 1) | Sh3llSp4wn’s Malware Conservatory
- desc: Offensive Tool Development - The Shellcode Compiler Was Right There All Along… (Part 1) | Sh3llSp4wn’s Malware Conservatory
- tags: maldev
- Improving the stealthiness of memory injections techniques | Naksyn’s blog
- desc: Improving the stealthiness of memory injections techniques | Naksyn’s blog
- tags: maldev
- Revisiting a UAC Bypass By Abusing Kerberos Tickets | WHOAMI
- desc: Revisiting a UAC Bypass By Abusing Kerberos Tickets | WHOAMI
- tags: windows, privesc
- Malware EDR Evasion Techniques - G3tSyst3m’s Infosec Blog
- desc: Malware EDR Evasion Techniques - G3tSyst3m’s Infosec Blog
- tags: maldev
- How to Rob a Bank – DMCXBLUE
- desc: How to Rob a Bank – DMCXBLUE
- tags: redteam
- BlacMass Vol2
- desc: VXUNDERGROUND VOL 2
- tags: maldev
- Creating Fully Undetectable JavaScript Payloads to Evade Next-Generation Firewalls | Elliot on Security
- desc: Creating Fully Undetectable JavaScript Payloads to Evade Next-Generation Firewalls | Elliot on Security
- tags: maldev
- Living Off the Foreign Land - Part 1/3: Setup Linux VM for SOCKS routing « BITSADMIN Blog - Mystery guest in your IT infrastructure
- desc: Living Off the Foreign Land - Part 1/3: Setup Linux VM for SOCKS routing « BITSADMIN Blog - Mystery guest in your IT infrastructure
- tags: redteam, util
- #NoFilter - Abusing Windows Filtering Platform for Privilege Escalation | Deep Instinct
- desc: #NoFilter - Abusing Windows Filtering Platform for Privilege Escalation | Deep Instinct
- tags: windows, redteam, privesc
- Understanding Syscalls: Direct, Indirect, and Cobalt Strike Implementation - d01a
- desc: Understanding Syscalls: Direct, Indirect, and Cobalt Strike Implementation - d01a
- tags: maldev
- Methods to Backdoor an AWS Account | Mystic0x1
- desc: Methods to Backdoor an AWS Account | Mystic0x1
- tags: cloud
- A Deep Dive into Penetration Testing of macOS Applications (Part 2)
- desc: A Deep Dive into Penetration Testing of macOS Applications (Part 2)
- tags: mac, redteam
- 25 Methods for Pipeline Attacks(RTC0011) | RedTeamRecipe
- desc: 25 Methods for Pipeline Attacks(RTC0011) | RedTeamRecipe
- tags: cloud, redteam
- Attacking an EDR - Part 1
- desc: Attacking an EDR - Part 1
- tags: maldev
- PNG Steganography from First Principles - XPN InfoSec Blog
- desc: PNG Steganography from First Principles - XPN InfoSec Blog
- tags: maldev
- The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree
- desc: The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree
- tags: cloud, devops
- Redshift Security: Attack Surface Explained
- desc: Redshift Security: Attack Surface Explained
- tags: redteam, cloud
- Phishing the anti-phishers: Exploiting anti-phishing tools for internal access — Ophion Security
- desc: Phishing the anti-phishers: Exploiting anti-phishing tools for internal access — Ophion Security
- tags: phish, redteam
- Unraveling the Illusion of Trust: The Innovative Attack Methodology Leveraging the "search-ms" URI Protocol Handler
- desc: Unraveling the Illusion of Trust: The Innovative Attack Methodology Leveraging the "search-ms" URI Protocol Handler
- tags: redteam, phish, windows
- powerseb/NoPhish
- desc: VNC phish framework
- tags: phish, redteam
- LuemmelSec/Client-Checker
- desc: Windows audit framework
- tags: windows, redteam, pentest
- surajpkhetani/AutoSmuggle
- desc: Utility to craft HTML or SVG smuggled files for Red Team engagements
- tags: redteam, phish
- GPOddity: exploiting Active Directory GPOs through NTLM relaying, and
- desc: GPOddity: exploiting Active Directory GPOs through NTLM relaying, and
- tags: windows, redteam
- XiaoliChan/wmiexec-Pro
- desc: New generation of wmiexec.py
- tags: windows
- nickvourd/Supernova
- desc: Real fucking shellcode encryption tool.
- tags: maldev
- zimnyaa/grpc-ssh-socks
- desc: A minimal reverse proxy implementation over gRPC
- tags: redteam, infra
- fin3ss3g0d/cypherhound
- desc: Python3 terminal application that contains 400 Neo4j cyphers for BloodHound data sets and 383 GUI cyphers
- tags: redteam, utils
- wh0amitz/S4UTomato
- desc: Escalate Service Account To LocalSystem via Kerberos
- tags: privesc, windows, redteam
- 0xthirteen/AssemblyHunter
- desc: ClickOnce Abuse for Trusted Code
- tags: redteam, windows
- nyxgeek/teamstracker
- desc: using graph proxy to monitor teams user presence
- tags: redteam, windows
- dwisiswant0/ipfuscator
- desc: A blazing-fast, thread-safe, straightforward and zero memory allocations tool to swiftly generate alternative IP(v4) address representations in Go.
- tags: utils, web
- ShorSec/DllNotificationInjection
- desc: A POC of a new “threadless” process injection technique that works by utilizing the concept of DLL Notification Callbacks in local and remote processes.
- tags: maldev
- pushsecurity/saas-attacks
- desc: Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face. #nolockdown
- tags: cloud, redteam
- EvanMcBroom/fuse-loader
- desc: Load a dynamic library from memory using a fuse mount
- tags: maldev
- FoxIO-LLC/ja4
- desc: JA4+ is a suite of network fingerprinting standards
- tags: util, blueteam
- Analyzing Malware with Hooks, Stomps and Return-addresses
- desc: Analyzing Malware with Hooks, Stomps and Return-addresses
- tags: maldev
- DLL Notification Injection - ShoreSec
- desc: dll injection research
- tags: research, maldev
- Dumping NTHashes from Azure AD - SecureWorks
- desc: Attacking AADDS to dump NTHashes
- tags: redteam, cloud
- File Archiver In The Browser | mr.d0x
- desc: File Archiver In The Browser | mr.d0x
- tags: redteam, phish
- Threat Actors Leverage Internet Services to Enhance Data Theft and Weaken Security Defenses | Recorded Future
- desc: Threat Actors Leverage Internet Services to Enhance Data Theft and Weaken Security Defenses | Recorded Future
- tags: redteam, c2, phish
- Spear Phishing on Modern Platforms | Optiv
- desc: Spear Phishing on Modern Platforms | Optiv
- tags: redteam, phish
- TURLA OUTLOOK BACKDOOR - ESET
- desc: Analysis of an unusual Turla backdoor
- tags: research, redteam, novel, c2
- How I Hacked Microsoft Teams and got $150,000 in Pwn2Own - Speaker Deck
- desc: How I Hacked Microsoft Teams and got $150,000 in Pwn2Own - Speaker Deck
- tags: research, microsoft
- Understanding Passkeys - Michał Sapka
- desc: [Michał Sapka's website] Understanding Passkeys
- tags: research, web
- 7 lesser-known AWS SSM Document techniques for code execution – Security Café
- desc: 7 lesser-known AWS SSM Document techniques for code execution – Security Café
- tags: redteam, cloud
- can I speak to your manager? hacking root EPP servers to take control of zones — hackcompute
- desc: can I speak to your manager? hacking root EPP servers to take control of zones — hackcompute
- tags: web
- vulncheck-oss/go-exploit
- desc: A Go-based Exploit Framework
- tags: util
- TheD1rkMtr/UnhookingPatch
- desc: Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime
- tags: maldev
- redskal/SharpAzbelt
- desc: .NET port of Leron Gray's azbelt tool.
- tags: windows, postex
- JitPatro/sliver-snap
- desc: Adversary Emulation Framework
- tags: redteam, util
- musana/fuzzuli
- desc: fuzzuli is a url fuzzing tool that aims to find critical backup files by creating a dynamic wordlist based on the domain.
- tags: web, recon
- reveng007/DarkWidow
- desc: Indirect Dynamic Syscall, SSN + Syscall address sorting via Modified TartarusGate approach + Remote Process Injection via APC Early Bird + Spawns a sacrificial Process as target process + (ACG+BlockDll) mitigation policy on spawned process + PPID spoofing + Api resolving from TIB + API hashing
- tags: maldev
- m8sec/CrossLinked
- desc: LinkedIn enumeration tool to extract valid employee names from an organization through search engine scraping
- tags: redteam, utils
- hallazzang/syso
- desc: 🔧 tool for embedding various types of resources in Go Windows executables
- tags: maldev, util
- sufyandaredevil/MALWARE_DEV
- desc: Repo containing different types of malware writing concepts
- tags: maldev
- mansk1es/GhostFart
- desc: Leveraging NTAPI to grab NTDLL for unhooking without triggering "PspCreateProcessNotifyRoutine"
- tags: maldev
- plackyhacker/Peruns-Fart
- desc: Perun's Fart (Slavic God's Luck). Another method for unhooking AV and EDR, this is my C# version.
- tags: maldev
- ihebski/DefaultCreds-cheat-sheet
- desc: One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password 🛡️
- tags: utils
- frank2/packer-tutorial
- desc: A tutorial on how to write a packer for Windows!
- tags: maldev
- lsecqt/OffensiveCpp
- desc: This repo contains C/C++ snippets that can be handy in specific offensive scenarios.
- tags: maldev
- mvelazc0/defcon27_csharp_workshop
- desc: Writing custom backdoor payloads with C# - Defcon 27 Workshop
- tags: maldev
- moonD4rk/HackBrowserData
- desc: Decrypt passwords/cookies/history/bookmarks from the browser. A cross-platform tool for exporting and decrypting browser data.
- tags: redteam, util
- g3tsyst3m/elevationstation
- desc: elevate to SYSTEM any way we can! Metasploit and PSEXEC getsystem alternative
- tags: windows, redteam
- frkngksl/NimExec
- desc: Fileless Command Execution for Lateral Movement in Nim
- tags: maldev
- persistent-security/hermes-the-messenger
- desc: A PoC for achieving persistence via push notifications on Windows
- tags: windows, redteam
- WSP-LAB/FUGIO
- desc: FUGIO: Automatic Exploit Generation for PHP Object Injection Vulnerabilities
- tags: exploit, web
- arget13/DDexec
- desc: A technique to run binaries filelessly and stealthily on Linux by "overwriting" the shell's process with another.
- tags: redteam, linux, maldev
- tastypepperoni/PPLBlade
- desc: Protected Process Dumper Tool
- tags: redteam, windows
- Stage 0 to Hero
- desc: Stage 0 to Hero
- tags: redteam, infra
- fkasler/cuddlephish
- desc: Weaponized Browser-in-the-Middle (BitM) for Penetration Testers
- tags: redteam, phish
- ultrafunkamsterdam/undetected-chromedriver
- desc: Custom Selenium Chromedriver | Zero-Config | Passes ALL bot mitigation systems (like Distil / Imperva / DataDome / CloudFlare IUAM)
- tags: utils
- jojonas/db_nmap
- desc: Standalone Go implementation of Metasploit's "db_nmap" and "db_import" commands.
- tags: utils
- Finding Initial Access on a real life Penetration Test | by Warren Butterworth | Mar, 2023 | Medium
- desc: Finding Initial Access on a real life Penetration Test | by Warren Butterworth | Mar, 2023 | Medium
- tags: redteam
- Persistence – Context Menu – Penetration Testing Lab
- desc: Persistence – Context Menu – Penetration Testing Lab
- tags: redteam
- Persistence – Service Control Manager – Penetration Testing Lab
- desc: Persistence – Service Control Manager – Penetration Testing Lab
- tags: redteam
- The SQL Injection Knowledge Base
- desc: The SQL Injection Knowledge Base
- tags: web, exploit
- MSI Shenanigans. Part 1 – Offensive Capabilities Overview – mgeeky's lair
- desc: MSI Shenanigans. Part 1 – Offensive Capabilities Overview – mgeeky's lair
- tags: maldev, phish
- Malware - Windows API hashing 1 | TRIKKSS Blog
- desc: Malware - Windows API hashing 1 | TRIKKSS Blog
- tags: maldev
- Avoiding direct syscall instructions by using trampolines
- desc: Avoiding direct syscall instructions by using trampolines
- tags: maldev
- LocalPotato - When Swapping The Context Leads You To SYSTEM
- desc: potato privesc research
- tags: windows, privesc
- SocGholish and beyond - Proofpoint
- desc: SocGholish research - dynamic payload / environment keying
- tags: maldev
- A Novel Method for Bypassing ETW | shellz.club
- desc: A Novel Method for Bypassing ETW | shellz.club
- tags: maldev
- BingBang: AAD misconfiguration led to Bing.com results manipulation and account takeover | Wiz Blog
- desc: BingBang: AAD misconfiguration led to Bing.com results manipulation and account takeover | Wiz Blog
- tags: cloud
- Riding the Azure Service Bus (Relay) into Power Platform | Cloud Pentesting
- desc: Riding the Azure Service Bus (Relay) into Power Platform | Cloud Pentesting
- tags: cloud
- Attacking Visual Studio for Initial Access - OutFlank
- desc: Attacking Visual Studio for Initial Access
- tags: phish
- Get Your SOCKS on with gTunnel. tl;dr: Steps to setup a wicked fast… | by Elliott Grey | Posts By SpecterOps Team Members
- desc: Get Your SOCKS on with gTunnel. tl;dr: Steps to setup a wicked fast… | by Elliott Grey | Posts By SpecterOps Team Members
- tags: utility
- SensePost | Attacking smart cards in active directory
- desc: SensePost | Attacking smart cards in active directory
- tags: windows, redteam
- Turning Google smart speakers into wiretaps for $100k
- desc: Turning Google smart speakers into wiretaps for $100k
- tags: writeup
- DallasFR/WalkerGate
- desc: Find syscall
- tags: maldev
- Maldev-Academy/HellHall
- desc: Performing Indirect Clean Syscalls
- tags: maldev
- TTPs: JmpNoCall - 0xTriboulet
- desc: TTPs: JmpNoCall - 0xTriboulet
- tags: maldev
- 15 Ways to Bypass the PowerShell Execution Policy
- desc: 15 Ways to Bypass the PowerShell Execution Policy
- tags: windows, redteam
- From on-prem to Global Admin without password reset - Cloudbrothers
- desc: From on-prem to Global Admin without password reset - Cloudbrothers
- tags: redteam, cloud
- https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/
- icyguider/NewPowerDNS
- desc: Updated version of PowerDNS by @domchell. Adds support for transfers over DNS A records and a few other useful features.
- tags: windows
- malcomvetter/CSExec
- desc: An implementation of PSExec in C#
- tags: windows
- DamonMohammadbagher/NativePayloads
- desc: All my Source Codes (Repos) for Red-Teaming & Pentesting + Blue Teaming
- tags: misc, utility, maldev
- nmantani/archiver-MOTW-support-comparison
- desc: MOTW research
- tags: redteam, phish
- b4rth0v5k1/EarlyBirdNTDLL
- desc: early bird + ppid (c++)
- tags: maldev
- thiagopeixoto/massayo
- desc: Massayo is a small proof-of-concept Rust library which removes AV/EDR hooks in a given system DLL
- tags: maldev
- med0x2e/vba2clr
- desc: Running .NET from VBA
- tags: maldev
- NUL0x4C/AtomPePacker
- desc: A Highly capable Pe Packer (c lang)
- tags: maldev
- SikretaLabs/BlueMap
- desc: An Azure Exploitation Toolkit for Red Team & Pentesters
- tags: cloud
- TheD1rkMtr/Shellcode-Hide
- desc: This repo contains: simple shellcode Loader, Encoders (base64 - custom - UUID - IPv4 - MAC), Encryptors (AES), Fileless Loader (Winhttp, socket)
- tags: maldev
- TheD1rkMtr/UnhookingPatch
- desc: Bypass EDR Hooks by patching NT API stub, and resolving SSNs and syscall instructions at runtime
- tags: maldev
- improsec/BackupOperatorToolkit
- desc: The BackupOperatorToolkit contains different techniques allowing you to escalate from Backup Operator to Domain Admin
- tags: windows, exploit, redteam
- reveng007/CheckHooks-n-load
- desc: A Windows stager-cum-PELoader with a capability for dynamically evading EDR hooks, as well as FUD till now (03/03/23), when the Operator wants to know the underlying function hooks and then craft an implant based on the previous condition.
- tags: maldev
- zblurx/dploot
- desc: DPAPI looting remotely in Python
- tags: windows, redteam, postex
- 0xb11a1/yetAnotherObfuscator
- desc: C# obfuscator that bypasses Windows Defender
- tags: maldev
- trustedsec/orpheus
- desc: opsec oriented kerberoast
- tags: redteam, windows
- login-securite/DonPAPI
- desc: Dumping DPAPI creds remotely
- tags: windows, redteam
- Maldev-Academy/EntropyReducer
- desc: Reduce Entropy And Obfuscate Your Payload With Serialized Linked Lists
- tags: maldev
- edoardottt/cariddi
- desc: Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more
- tags: web
- r4wd3r/Suborner
- desc: Create an invisible machine account with administrative privileges
- tags: windows, exploit, redteam
- kyleavery/AceLdr
- desc: Cobalt Strike UDRL for memory scanner evasion.
- tags: maldev
- antman1p/freyja
- desc: Golang, Purple Team agent
- tags: purpleteam
- mxrch/gitfive
- desc: 🐙 Track down GitHub users.
- tags: osint
- MarkoH17/Spray365
- desc: Spray365 makes spraying Microsoft accounts (Office 365 / Azure AD) easy through its customizable two-step password spraying approach. The built-in execution plan features options that attempt to bypass Azure Smart Lockout and insecure conditional access policies.
- tags: initaccess, spray, cloud
- knight0x07/Lnk2Vbs
- desc: A Python script that embeds Target VBS into LNK and when executed runs the VBS script from within.
- tags: maldev, phish
- praetorian-inc/noseyparker
- desc: Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history.
- tags: utility
- knavesec/CredMaster
- desc: Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling
- tags: spray, cloud
- rkbennett/pybof
- desc: Python module for running BOFs
- tags: c2, redteam
- garrettfoster13/pre2k
- desc: query for the existence of pre-windows 2000 computer objects which can be leveraged to gain a foothold in a target domain
- tags: windows, exploit
- 0xdea/tactical-exploitation
- desc: Modern tactical exploitation toolkit.
- tags: framework, windows, exploit, redteam
- CCob/ThreadlessInject
- desc: Threadless Process Injection using remote function hooking.
- tags: maldev
- eversinc33/BouncyGate
- desc: HellsGate in Nim, but making sure that all syscalls go through NTDLL.DLL (as in RecycledGate).
- tags: maldev
- rust-lang/rustlings
- desc: 🦀 Small exercises to get you used to reading and writing Rust code!
- tags: utility
- NUL0x4C/AtomLdr
- desc: A DLL loader with advanced evasive features
- tags: maldev
- TamperingSyscalls
- desc: Hardware breakpoint EDR evasion
- tags: maldev
- Evicting the Adversary
- desc: Evicting the Adversary
- tags: redteam
- UNORTHODOX LATERAL MOVEMENT: STEPPING AWAY FROM STANDARD TRADECRAFT - F-Secure
- desc: lateral movement research
- tags: redteam, windows
- Obfuscating Rubeus using Codecepticon - pavel
- desc: Obfuscating Rubeus using Codecepticon
- tags: redteam, maldev
- Attacking .NET Web Services – Securifera
- desc: Attacking .NET Web Services – Securifera
- tags: web, exploit
- Having fun with KeePass2: DLL Hijacking and hooking APIs | Cyberdough
- desc: Having fun with KeePass2: DLL Hijacking and hooking APIs | Cyberdough
- tags: redteam
- Defining the Cobalt Strike Reflective Loader - boku
- desc: Defining the Cobalt Strike Reflective Loader
- tags: maldev
- Persistence Techniques That Persist
- desc: Persistence Techniques That Persist
- tags: redteam, c2
- Attacking With WebView2 Applications | mr.d0x
- desc: Attacking With WebView2 Applications | mr.d0x
- tags: redteam
- Sean Pesce's Blog: Leveraging ssh-keygen for Arbitrary Execution (and Privilege Escalation)
- desc: Sean Pesce's Blog: Leveraging ssh-keygen for Arbitrary Execution (and Privilege Escalation)
- tags: privesc, redteam
- Microsoft 365 enumeration, spraying and exfiltration - TeamFiltration in the spotlight - Guillaume B.’s Notebook
- desc: Microsoft 365 enumeration, spraying and exfiltration - TeamFiltration in the spotlight - Guillaume B.’s Notebook
- tags: windows, redteam, recon
- eXploit – External Trusts Are Evil
- desc: eXploit – External Trusts Are Evil
- tags: windows, redteam
- Navigating the Vast Ocean of Sandbox Evasions
- desc: Navigating the Vast Ocean of Sandbox Evasions
- tags: maldev
- pre.empt.dev: An Introduction
- desc: pre.empt.dev: An Introduction
- tags: windows, redteam, maldev
- Discovering Domains via a Time-Correlation Attack on Certificate Transparency – PT SWARM
- desc: Discovering Domains via a Time-Correlation Attack on Certificate Transparency – PT SWARM
- tags: recon, web, osint
- Relaying NTLM Authentication from SCCM Clients
- desc: Relaying NTLM Authentication from SCCM Clients
- tags: windows, redteam
- RiccardoAncarani/TaskShell
- desc: c# task scheduler for lateral movement
- tags: windows, redteam
- Shell-Company/QRExfil
- desc: This tool is a command line utility that allows you to convert any binary file into a QRcode movie. The data can then be reassembled visually allowing exfiltration of data in air gapped systems
- tags: utility
- codingo/simple
- desc: simple wordlist generator
- tags: recon, web
- xpn/sccmwtf
- desc: Microsoft Windows SCCM exploitation POC
- tags: windows, redteam, exploit
- werdhaihai/SharpAltShellCodeExec
- desc: Alternative Shellcode Execution Via Callbacks in C# with P/Invoke
- tags: maldev
- snovvcrash/BOFs
- desc: Beacon Object Files (not Buffer Overflows)
- tags: c2
- xnl-h4ck3r/waymore
- desc: Find way more from the Wayback Machine!
- tags: web, recon
- kleiton0x00/Shelltropy
- desc: A technique of hiding malicious shellcode via Shannon encoding.
- tags: maldev
- InitRoot/wodat
- desc: Windows Oracle Database Attack Toolkit
- tags: redteam
- DavidBuchanan314/dlinject
- desc: Inject a shared library (i.e. arbitrary code) into a live linux process, without ptrace
- tags: linux, exploit
- blacklanternsecurity/badsecrets
- desc: A library for detecting known secrets across many web frameworks
- tags: utility
- nettitude/Aladdin
- desc: deserialization of a .NET payload and execution in memory
- tags: redteam, maldev
- praetorian-inc/fingerprintx
- desc: Standalone utility for service discovery on open ports!
- tags: recon, redteam
- itm4n/PPLmedic
- desc: Dump the memory of any PPL with a Userland exploit chain
- tags: windows, redteam, postex
- infosecn1nja/Red-Teaming-Toolkit
- desc: This repository contains cutting-edge open-source security tools (OST) for a red teamer and threat hunter.
- tags: utility, framework
- Mr-Un1k0d3r/Elevate-System-Trusted-BOF
- desc: privilege escalation poc bof
- tags: c2, redteam
- mertdas/PrivKit
- desc: PrivKit is a simple beacon object file that detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS.
- tags: c2, redteam
- ZeroMemoryEx/Amsi-Killer
- desc: Lifetime AMSI bypass
- tags: redteam, c2
- GitGuardian/ggshield
- desc: Find and fix 360+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.
- tags: web, recon, redteam, utility
- insidegui/VirtualBuddy
- desc: Virtualize macOS 12 and later on Apple Silicon
- tags: utility
- nheiniger/SnaffPoint
- desc: A tool for pentesters to find candies in SharePoint
- tags: redteam, utility
- Wra7h/FlavorTown
- desc: Various ways to execute shellcode
- tags: maldev
- Using Power Automate for Covert Data Exfiltration in Microsoft 365
- desc: Using Power Automate for Covert Data Exfiltration in Microsoft 365
- tags: redteam
- Persistence with Azure Policy Guest Configuration - Cloudbrothers
- desc: Persistence with Azure Policy Guest Configuration - Cloudbrothers
- tags: redteam
- x86matthew - CreateSvcRpc - A custom RPC client to execute programs as the SYSTEM user
- desc: x86matthew - CreateSvcRpc - A custom RPC client to execute programs as the SYSTEM user
- tags: redteam
- Password spraying and MFA bypasses in the modern security landscape | Sprocket Security
- desc: Password spraying and MFA bypasses in the modern security landscape | Sprocket Security
- tags: redteam
- Zero Day Initiative — Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks
- desc: Zero Day Initiative — Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks
- tags: windows, exploit
- Uncommon office malware stagers. This article discusses the TTPs to… | by Max chee | CSG @ GovTech | Medium
- desc: Uncommon office malware stagers. This article discusses the TTPs to… | by Max chee | CSG @ GovTech | Medium
- tags: windows, redteam, phish
- Azure Attack Paths - Cloudbrothers
- desc: Azure Attack Paths - Cloudbrothers
- tags: cloud
- What to look for when reviewing a company's infrastructure | Marco Lancini's Blog
- desc: What to look for when reviewing a company's infrastructure | Marco Lancini's Blog
- tags: recon
- Make phishing great again. VSTO office files are the new macro nightmare? | by Daniel Schell | Medium
- desc: Make phishing great again. VSTO office files are the new macro nightmare? | by Daniel Schell | Medium
- tags: phish, redteam
- quora
- desc: quora
- tags: maldev
- Malware AV/VM evasion - part 12: encrypt/decrypt payload via TEA. Simple C++ example. - cocomelonc
- desc: Malware AV/VM evasion - part 12: encrypt/decrypt payload via TEA. Simple C++ example. xor
- tags: maldev
- Windows Credential Dumping
- desc: Windows Credential Dumping
- tags: windows, redteam
- Call function in unmanaged DLL from C#
- desc: Call function in unmanaged DLL from C#
- tags: maldev
- Azure AD: Pentesting Fundamentals - cobalt
- desc: Azure AD: Pentesting Fundamentals
- tags: cloud
- Mez0: Vulpes: Obfuscating Memory Regions with Timers
- desc: Mez0: Vulpes: Obfuscating Memory Regions with Timers
- tags: maldev
- Token Impersonation in C# – Rasta Mouse
- desc: Token Impersonation in C# – Rasta Mouse
- tags: redteam
- Home Grown Red Team: Let’s Make Some Malware In C: Part 2 | by assume-breach | Medium
- desc: Home Grown Red Team: Let’s Make Some Malware In C: Part 2 | by assume-breach | Medium
- tags: redteam
- Avoiding Detection with Shellcode Mutator - Nettitude Labs
- desc: Avoiding Detection with Shellcode Mutator - Nettitude Labs
- tags: maldev
- Pass-the-Challenge: Defeating Windows Defender Credential Guard | by Oliver Lyak | IFCR
- desc: Pass-the-Challenge: Defeating Windows Defender Credential Guard | by Oliver Lyak | IFCR
- tags: windows, redteam
- Screenshot Tool: Part 6 - Which Tool Is Best? | White Oak Security
- desc: Screenshot Tool: Part 6 - Which Tool Is Best? | White Oak Security
- tags: recon, utility
- .NET Startup Hooks – Rasta Mouse
- desc: .NET Startup Hooks – Rasta Mouse
- tags: maldev
- Windows Incident Response: Persistence and LOLBins
- desc: Windows Incident Response: Persistence and LOLBins, registry
- tags: windows, redteam
- DLL Sideloading not by DLLMain - Intruder
- desc: DLL Sideloading not by DLLMain - Intruder
- tags: maldev
- Bypassing host security checks on a modern VPN solution - RiskInsight
- desc: Bypassing host security checks on a modern VPN solution - RiskInsight
- tags: redteam
- SCCM Site Takeover via Automatic Client Push Installation | by Chris Thompson | Jan, 2023 | Posts By SpecterOps Team Members
- desc: SCCM Site Takeover via Automatic Client Push Installation | by Chris Thompson | Jan, 2023 | Posts By SpecterOps Team Members
- tags: redteam
- Active Directory: Using LDAP Queries for Stealthy Enumeration
- desc: Active Directory: Using LDAP Queries for Stealthy Enumeration
- tags: redteam, windows
- snovvcrash/PPN
- desc: Pentester's Promiscuous Notebook
- tags: learn
- Kerberoast with OpSec | Microsoft 365 Security
- desc: Kerberoast with OpSec | Microsoft 365 Security
- tags: redteam, windows
- Reconnaissance – Geek Freak
- desc: Reconnaissance – Geek Freak
- tags: recon
- An introduction to privileged file operation abuse on Windows - Almond Offensive Security Blog
- desc: An introduction to privileged file operation abuse on Windows - Almond Offensive Security Blog
- tags: windows, privesc, redteam
- API Unhooking with Perun's Fart - Blog by Dosxuz
- desc: API Unhooking with Perun's Fart - Blog by Dosxuz
- tags: maldev
- A few Tailscale tricks for Security Testers
- desc: A few Tailscale tricks for Security Testers
- tags: redteam
- Miracle - One Vulnerability To Rule Them All | by Peterjson | Medium
- desc: Miracle - One Vulnerability To Rule Them All | by Peterjson | Medium
- tags: web, exploit
- warhorse/warhorse
- desc: Infrastructure Automation
- tags: utility
- ax/apk.sh
- desc: apk.sh makes reverse engineering Android apps easier, automating some repetitive tasks like pulling, decoding, rebuilding and patching an APK.
- tags: mobile
- google/osv-scanner
- desc: Vulnerability scanner written in Go which uses the data provided by https://osv.dev
- tags: utility
- dr4k0nia/MurkyStrings
- desc: A string obfuscator for .NET apps, built to evade static string analysis.
- tags: maldev
- CymulateResearch/Blindside
- desc: Utilizing hardware breakpoints to evade monitoring by Endpoint Detection and Response platforms
- tags: maldev
- mgeeky/msi-shenanigans
- desc: Proof of Concept code and samples presenting emerging threat of MSI installer files.
- tags: redteam, windows, phish
- gh0x0st/wanderer
- desc: An open-source process injection enumeration tool written in C#
- tags: maldev
- namazso/linux_injector
- desc: A simple ptrace-less shared library injector for x64 Linux
- tags: maldev, linux
- asluppiter/Somnium
- desc: Script to test network prevention and detection capabilities.
- tags: purpleteam, redteam, utility
- D1rkMtr/ExplorerPersist
- desc: Explorer Persistence technique: hijacking the cscapi.dll load order path and writing our malicious DLL to C:\Windows\cscapi.dll; when it gets loaded into the explorer process, our malicious code gets executed
- tags: maldev
- h4wkst3r/InvisibilityCloak
- desc: Proof-of-concept obfuscation toolkit for C# post-exploitation tools
- tags: maldev
- Accenture/Codecepticon
- desc: .NET/PowerShell/VBA Offensive Security Obfuscator
- tags: maldev
- mkaring/ConfuserEx
- desc: An open-source, free protector for .NET applications
- tags: maldev
- C-Sto/BananaPhone
- desc: It's a go variant of Hells gate! (directly calling windows kernel functions, but from Go!)
- tags: maldev
- S3cur3Th1sSh1t/Nim-RunPE
- desc: A Nim implementation of reflective PE-Loading from memory
- tags: maldev
- Tw1sm/AesKrbKeyGen
- desc: Generate AES128/256 Kerberos keys for an AD account using a plaintext password and Python3
- tags: utility, windows
- LordNoteworthy/al-khaser
- desc: Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
- tags: maldev
- sc0tfree/updog
- desc: Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use http basic auth.
- tags: utility, web
- TROUBLE-1/Vajra
- desc: Vajra is a UI-based tool with multiple techniques for attacking and enumerating in the target's Azure and AWS environment. It features an intuitive web-based user interface built with the Python Flask module for a better user experience. The primary focus of this tool is to have different attacking techniques all at one place with web UI interfa…
- tags: cloud
- chvancooten/CloudLabsAD
- desc: Terraform + Ansible deployment scripts for an Active Directory lab environment.
- tags: utility
- NetSPI/NetblockTool
- desc: Find netblocks owned by a company
- tags: web, recon
- hakluke/hakip2host
- desc: hakip2host takes a list of IP addresses via stdin, then does a series of checks to return associated domain names.
- tags: recon
- Qazeer/OffensivePythonPipeline
- desc: Static standalone binaries for Linux and Windows (x64) of Python offensive tools. Compiled using PyInstaller, Docker for Windows, WSL2, and Make.
- tags: redteam, utility
- xnl-h4ck3r/xnLinkFinder
- desc: A python tool used to discover endpoints (and potential parameters) for a given target
- tags: recon, web, bounty
- Stealerium/Stealerium
- desc: Stealer + Clipper + Keylogger
- tags: maldev
- deepinstinct/Dirty-Vanity
- desc: A POC for the new injection technique, abusing windows fork API to evade EDRs. https://www.blackhat.com/eu-22/briefings/schedule/index.html#dirty-vanity-a-new-approach-to-code-injection--edr-bypass-28417
- tags: maldev
- bw3ll/sharem
- desc: SHAREM is a shellcode analysis framework, capable of emulating more than 12,000 WinAPIs and virtually all Windows syscalls. It also contains its own custom disassembler, with many innovative features, such as being able to show the deobfuscated disassembly of an encoded shellcode, or integrating emulation data to enhance the disassembly.
- tags: utility, maldev
- KINGSABRI/ServerlessRedirector
- desc: Serverless Redirector in various cloud vendor for red team
- tags: redteam, phish
- jackmichalak/phishim
- desc: Easy red team phishing with Puppeteer
- tags: phish
- Octoberfest7/Inline-Execute-PE
- desc: Execute unmanaged Windows executables in CobaltStrike Beacons
- tags: c2, redteam
- Aetsu/OffensivePipeline
- desc: OffensivePipeline allows you to download and build C# tools, applying certain modifications in order to improve their evasion for Red Team exercises.
- tags: maldev, utility
- mgeeky/ProtectMyTooling
- desc: Multi-Packer wrapper letting us daisy-chain various packers, obfuscators and other Red Team oriented weaponry. Featured with artifacts watermarking, IOCs collection & PE Backdooring. You feed it with your implant, it does a lot of sneaky things and spits out obfuscated executable.
- tags: maldev, utility
- SygniaLabs/ScallOps
- desc: infra / payload automation
- tags: maldev, utility
- Anof-cyber/PyCript
- desc: Burp Suite extension that allows for bypassing client-side encryption using custom logic for manual and automation testing with Python and NodeJS. It enables efficient testing of encryption methods and identification of vulnerabilities in the encryption process.
- tags: web, utility
- xforcered/SQLRecon
- desc: A C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation.
- tags: windows, redteam
- google/gcp_scanner
- desc: gcp recon tool
- tags: recon, cloud
- AutomoxSecurity/iShelly
- desc: A tool to generate macOS initial access vectors using Prelude Operator payloads
- tags: macos, redteam, phish
- yrutschle/sslh
- desc: Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)
- tags: utility
- ariary/Dogwalk-rce-poc
- desc: 🐾Dogwalk PoC (using diagcab file to obtain RCE on windows)
- tags: phish, windows, redteam
- fr0gger/Unprotect_Submission
- desc: Repository to publish your evasion techniques and contribute to the project
- tags: maldev
- optiv/Mangle
- desc: Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs
- tags: maldev
- Azure/aztfy
- desc: A tool to bring existing Azure resources under Terraform's management
- tags: utility, cloud
- Writing Tiny, Stealthy & Reliable Malware - ruptura
- desc: Writing Tiny, Stealthy & Reliable Malware
- tags: maldev
- Home Grown Red Team: From Workstation To Domain Controller With Havoc C2 and Microsoft EDR - assume-breach
- desc: malware evasion research
- tags: maldev, redteam
- Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass - h1pmnh
- desc: rce via ssti vs akamai waf writeup
- tags: bounty, web, exploit
- Leveraging Microsoft Teams for Initial Access
- desc: Microsoft Teams initial access research
- tags: redteam, phish
- Detecting and Evading Sandboxing through Time based evasion - shubakki
- desc: malware evasion via sleep research
- tags: maldev
- Hooking System Calls in Windows 11 22H2 like Avast Antivirus. Research, analysis and bypass - the-deniss
- desc: Hooking System Calls in Windows 11 22H2 like Avast Antivirus. Research, analysis and bypass
- tags: maldev
- Unmanaged Code Execution with .NET Dynamic PInvoke - bohops
- desc: Unmanaged Code Execution with .NET Dynamic PInvoke
- tags: maldev
- String Obfuscation The Malware Way | dr4k0nia
- desc: String Obfuscation The Malware Way | dr4k0nia
- tags: maldev
- C-Sto/goWMIExec
- desc: Really stupid re-implementation of invoke-wmiexec
- tags: windows
- jsecu/BOF-pack-1
- desc: A care package of useful BOFs for red team engagements
- tags: redteam
- Amzza0x00/go-impacket
- desc: golang impacket
- tags: windows, pivot
- NUL0x4C/TerraLdr
- desc: A Payload Loader Designed With Advanced Evasion Features
- tags: maldev
- 0xAbdullah/Offensive-Snippets
- desc: A repository with my code snippets for research/education purposes.
- tags: maldev
- ustayready/wnfexec
- desc: WNF Code Execution Library Using C#
- tags: maldev
- wsummerhill/CSharp-Alt-Shellcode-Callbacks
- desc: A collection of (even more) alternative shellcode callback methods in CSharp
- tags: maldev
- daddycocoaman/azbelt
- desc: AAD related enumeration in Nim
- tags: windows, redteam
- reveng007/SharpGmailC2
- desc: Our Friendly Gmail will act as Server and implant will exfiltrate data via smtp and will read commands from C2 (Gmail) via imap protocol
- tags: redteam
- icyguider/MoreImpacketExamples
- desc: More examples using the Impacket library designed for learning purposes.
- tags: windows, pivot
- elceef/subzuf
- desc: a smart DNS response-guided subdomain fuzzer
- tags: utility, recon
- rad9800/WTSRM
- desc: WTSRM
- tags: maldev
- ironmansoftware/psmsi
- desc: Create MSIs using PowerShell.
- tags: phish, utility
- Flangvik/TeamFiltration
- desc: TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts
- tags: utility, cloud, redteam, recon
- Hooking System Calls in Windows 11 22H2 like Avast Antivirus. Research, analysis and bypass (the-deniss)
- desc: reversing Avast for bypass/evasion
- tags: re, malware
- Gaining the upper hand(le) - aptw.tf
- desc: Hunting for privilege escalations and UAC bypasses by looking for leaked handles in unprivileged processes
- tags: windows, redteam, exploit
- Electron Shellcode Loader
- desc: Edge.js Library and .NET Shellcode Loader
- tags: phish, redteam
- Modern Initial Access and Evasion Tactics
- desc: Modern (2022) initial access research
- tags: phish, redteam
- Microsoft OneNote (.One File Extension) Attachment Delivers AsyncRAT
- desc: OneNote initial access payload research
- tags: redteam, phish
- Unicode for Security Professionals - gosecure
- desc: misuse unicode for offense
- tags: utility
- assume-breach/Home-Grown-Red-Team
- desc: redteam/malware related collection including harriet and highborn
- tags: redteam, malware
- arch4ngel/bl-bfg
- desc: modular framework to perform brute-force attacks
- tags: util
- nodauf/GoMapEnum
- desc: User enumeration and password bruteforce on Azure, ADFS, OWA, O365, Teams and gather emails on Linkedin
- tags: cloud
- capt-meelo/laZzzy
- desc: laZzzy is a shellcode loader, developed using different open-source libraries, that demonstrates different execution techniques.
- tags: maldev, framework
- daem0nc0re/PrivFu
- desc: Kernel mode WinDbg extension and PoCs for testing how token privileges work
- tags: windows, privesc
- X-C3LL/FreshyCalls-VBA.vba
- desc: Retrieving SSN for syscalling in VBA following FreshyCalls technique
- tags: windows, redteam, phish, maldev
- On Prem Active Directory - Windows Server 2022 Domain Controller setup - haxor.no
- desc: home lab setup
- tags: windows, lab
- GCP Penetration Testing Notes 2 - 0xd4y
- desc: GCP exploitation research
- tags: cloud
- Confusing .NET Decompilers: The Call OpCode - washi.dev
- desc: .net obfuscation research
- tags: maldev
- alfarom256/MCP-PoC
- desc: Minifilter Callback Patching Proof-of-Concept
- tags: maldev
- Z4kSec/Masky
- desc: Python library with CLI for remotely dumping domain user credentials via ADCS without dumping the LSASS process memory
- tags: windows, postex
- sherlock-project/sherlock
- desc: 🔎 Hunt down social media accounts by username across social networks
- tags: osint
- D1rkMtr/IORI_Loader
- desc: UUID shellcode loader with dynamic indirect syscall implementation; the syscall number/instruction is resolved dynamically at runtime and unhooked using the HalosGate technique. Function addresses are resolved from the PEB by offsets and comparison by hashes
- tags: maldev
- Accenture/Spartacus
- desc: Spartacus DLL Hijacking Discovery Tool
- tags: postex, maldev
- FuzzySecurity/AdvSim.Compression
- desc: Simple and sane compression wrapper library.
- tags: maldev
- mdsecactivebreach/DragonCastle
- desc: A PoC that combines AutodialDLL lateral movement technique and SSP to scrape NTLM hashes from LSASS process.
- tags: postex, windows
- resyncgg/dacquiri
- desc: A strong, compile-time enforced authorization framework for rust applications.
- tags: util
- anvilsecure/ulexecve
- desc: ulexecve is a userland execve() implementation which helps you execute arbitrary ELF binaries on Linux from userland without the binaries ever having to touch storage. This is useful for red-teaming and anti-forensics purposes.
- tags: postex, linux
- projectdiscovery/katana
- desc: A next-generation crawling and spidering framework.
- tags: recon, osint, web
- fr0gger/Awesome_Malware_Techniques
- desc: This is a repository of resource about Malware techniques
- tags: maldev
- ccob/volumiser
- desc: Utility for working with virtual machine images
- tags: postex, windows, linux
- mbrg/power-pwn
- desc: A demo showing how to repurpose Microsoft-trusted executables, service accounts and cloud services to power a malware operation
- tags: windows, cloud
- Lessons Learned from Cloning Windows Binaries and Code Signing Implants
- desc: assembly/cert cloning research
- tags: maldev
- Divin'n'phishin with executable filetypes on Windows
- desc: windows executable file type research
- tags: windows, phish, redteam
- Skidaddle Skideldi - I just pwnd your PKI - lummelsec
- desc: ADCS research
- tags: windows, redteam
- Engineering antivirus evasion (Part III) - scrt
- desc: syscall-based evasion techniques
- tags: maldev
- WireSocks for Easy Proxied Routing - sensepost
- desc: network options with a wireguard-based socks proxy
- tags: postex, redteam, util
- Synzack/ldapper
- desc: go ldap client
- tags: util, windows
- ayoubfathi/leaky-paths
- desc: A collection of special paths linked to major web CVEs, known misconfigurations, juicy APIs ..etc. It could be used as a part of web content discovery, to scan passively for high-quality endpoints and quick-wins.
- tags: web, recon
- Ge0rg3/requests-ip-rotator
- desc: A Python library to utilize AWS API Gateway's large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.
- tags: web, recon, util
- ST1LLY/dc-sonar
- desc: Analyzing AD domains for security risks related to user accounts
- tags: windows, redteam
- p0dalirius/Coercer
- desc: A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 9 methods.
- tags: windows, redteam
- daem0nc0re/AtomicSyscall
- desc: Tools and PoCs for Windows syscall investigation.
- tags: maldev
- d3lb3/KeeFarceReborn
- desc: A standalone DLL that exports databases in cleartext once injected in the KeePass process.
- tags: windows, postex, redteam
- Mr-Un1k0d3r/AMSI-ETW-Patch
- desc: Patch AMSI and ETW
- tags: maldev
- Idov31/Sandman
- desc: Sandman is an NTP-based backdoor for red team engagements in hardened networks.
- tags: redteam
- sensepost/impersonate
- desc: A windows token impersonation tool
- tags: windows, redteam, postex
- hosch3n/msmap
- desc: Msmap is a Memory WebShell Generator.
- tags: util
- DISREL/Ring0VBA
- desc: CVE-2018-6066 using VBA
- tags: maldev, Nday
- knavesec/max
- desc: Maximizing BloodHound. Max is a good boy.
- tags: windows, redteam, postex
- Defeating Javascript Obfuscation - perimeterx
- desc: deobfuscate javascript research
- tags: utility
- Automating C2 Infrastructure with Terraform, Nebula, Caddy and Cobalt Strike - malicious.group
- desc: infrastructure as code research
- tags: utility, infrastructure
- Myths About External C2 - xret2pwn
- desc: External C2 development research
- tags: redteam
- Scraping Login Credentials With XSS - trustedsec
- desc: xss post exploitation research
- tags: web, exploit, phish
- Bypassing Firefox's HTML Sanitizer API - portswigger
- desc: Firefox xss bypass research
- tags: web, exploit
- Did You Know Your Browser’s Autofill Credentials Could Be Stolen via Cross-Site Scripting (XSS) - GoSecure
- desc: Browser credential theft research
- tags: web, exploit
- Researching Open Source apps for XSS to RCE flaws - ptswarm
- desc: Xss in desktop app for RCE research
- tags: exploit
- Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling - portswigger
- desc: NTLM theft via request smuggling research
- tags: web, windows, exploit
- Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite - nccgroup
- desc: Scout Suite updated with Kubernetes support
- tags: cloud
- Giving JuicyPotato a second chance: JuicyPotatoNG - decoder
- desc: Windows privilege escalation research
- tags: windows, exploit
- Find threats: Cloud credential theft on Windows endpoints - sumo logic
- desc: credential harvesting post exploitation research
- tags: cloud
- Spoofing Calendar Invites Using .ics Files - mrd0x
- desc: novel phishing research
- tags: phish
- Skidaddle Skideldi - I just pwnd your PKI - luemmelsec
- desc: ADCS research and guide
- tags: windows, redteam
- New Attack Paths? AS Requested Service Tickets - semperis
- desc: Kerberoast research
- tags: windows, redteam
- I Wanna Go Fast, Really Fast, like (Kerberos) FAST - trustedsec
- desc: Kerberos FAST research
- tags: windows, redteam
- WireSocks for Easy Proxied Routing - sensepost
- desc: Proxy support via wireguard research
- tags: utility
- Phishing With Chromium's Application Mode - mrd0x
- desc: novel phishing research
- tags: phish, redteam
- How we Abused Repository Webhooks to Access Internal CI Systems at Scale - cidersecurity
- desc: CI/CD post exploitation
- tags: redteam
- Relaying YubiKeys - cube0x0
- desc: Yubikey relay research
- tags: windows, redteam
- HackmichNet/AzTokenFinder
- desc: extract JWT (or JWT like looking data) from different processes, like PowerShell, Excel, Word or others
- tags: windows, postex
- D1rkMtr/ChTimeStamp
- desc: Changes the creation time and last-written time of a dropped file to match the timestamp of another file, e.g. kernel32.dll
- tags: maldev
- m417z/winapiexec
- desc: A small tool that allows running WinAPI functions through command-line parameters
- tags: maldev
- CCob/PinSwipe
- desc: Smart Card PIN swiping DLL
- tags: windows, redteam
- Ge0rg3/requests-ip-rotator
- desc: A Python library to utilize AWS API Gateway's large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.
- tags: utility
- CrackerCat/evildll
- desc: Malicious DLL (Reverse Shell) generator for DLL Hijacking
- tags: maldev
- cepxeo/dll4shell
- desc: Shellcode launcher for AV bypass
- tags: maldev
- jazzpizazz/BloodHound.py-Kerberos
- desc: A Python based ingestor for BloodHound
- tags: windows, redteam
- punk-security/dnsReaper
- desc: dnsReaper - subdomain takeover tool for attackers, bug bounty hunters and the blue team!
- tags: web, exploit
- ORCx41/Syscallslib
- desc: A library that automates clean (direct) syscalls to make them easier to implement
- tags: maldev
- ORCx41/KnownDllUnhook
- desc: Replaces the .text section of currently loaded modules with clean copies from \KnownDlls\ to bypass EDR hooks
- tags: maldev
- D1rkMtr/DumpThatLSASS
- desc: Dumps LSASS by unhooking MiniDumpWriteDump (loading a fresh copy of DbgHelp.dll from disk), with function and string obfuscation and an anti-sandbox check; if you run it in a low-performance virtual machine you need to uncomment the related code and recompile
- tags: windows, redteam, postex
- smokeme/airstrike
- desc: lightweight C2 PoC
- tags: redteam
- D1rkMtr/UUIDRegistryShellcode
- desc: Writes each UUID of a UUID-encoded shellcode array to a registry value as REG_SZ (each value can live in a different location), then retrieves them, reassembles the UUID array and runs the shellcode
- tags: maldev
- epi052/feroxfuzz
- desc: A structure-aware HTTP fuzzing library
- tags: web, recon
- daem0nc0re/TangledWinExec
- desc: C# PoCs for investigation of Windows process execution techniques
- tags: maldev
- redeye-framework/Redeye
- desc: Collaborative pen testing framework
- tags: utility
- n0kovo/awesome-password-cracking
- desc: A curated list of awesome tools, research, papers and other projects related to password cracking and password security.
- tags: cracking
- lkarlslund/ldapnomnom
- desc: Anonymously bruteforce Active Directory usernames from Domain Controllers by abusing LDAP Ping requests (cLDAP)
- tags: windows, redteam
- D1rkMtr/MasqueradingPEB
- desc: Masquerade as any legitimate Windows binary by changing some fields in the PEB structure
- tags: maldev
- soxoj/maigret
- desc: 🕵️♂️ Collect a dossier on a person by username from thousands of sites
- tags: osint, recon
- projectdiscovery/asnmap
- desc: Go CLI and Library for quickly mapping organization network ranges using ASN information.
- tags: recon
- PortSwigger/oauth-scan
- desc: Burp Suite extension for verifying OAuth 2.0 and OpenID Connect security
- tags: utility
- fin3ss3g0d/evilgophish
- desc: evilginx2 + gophish
- tags: phish, redteam
- silverhack/monkey365
- desc: Monkey365 provides a tool for security consultants to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews.
- tags: cloud
- iustin24/chameleon
- desc: Content discovery using Wappalyzer's set of technology fingerprints alongside custom wordlists tailored to each detected technology
- tags: web, recon
- nccgroup/scrying
- desc: A tool for collecting RDP, web and VNC screenshots all in one place
- tags: recon, utility
- xRET2pwn/Teamsniper
- desc: Teamsniper is a tool for fetching keywords (passwords, emails, database, etc.) from Microsoft Teams
- tags: redteam
- blacklanternsecurity/offensive-azure
- desc: Collection of offensive tools targeting Microsoft Azure
- tags: cloud
- memN0ps/srdi-rs
- desc: Rusty Shellcode Reflective DLL Injection (sRDI)
- tags: maldev
- gkucherin/de4dot
- desc: .NET deobfuscator and unpacker (with a control flow unflattener for DoubleZero added).
- tags: maldev
- optiv/Freeze
- desc: Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods
- tags: maldev
- Mr-Un1k0d3r/ATP-PowerShell-Scripts
- desc: Microsoft Signed PowerShell scripts
- tags: windows, redteam
- BishopFox/cloudfox
- desc: Automating situational awareness for cloud penetration tests.
- tags: cloud
- ezra-buckingham/terry-the-terraformer
- desc: A CLI for deploying red team infrastructure across multiple cloud providers, all integrated with a virtual Nebula network and full ELK integration
- tags: utility, infrastructure
- Masky release (v0.0.3)
- desc: ADCS credential harvester
- tags: windows, redteam
- In the footsteps of the Fancy Bear: PowerPoint mouse-over event abused to deliver Graphite implants - duskrise
- desc: Fancy Bear PowerPoint mouse-over delivery research
- tags: apt, phish
- Writing a Beginner's Guide to Sliver Because the Devs Won't - notateamserver
- desc: Sliver tutorial
- tags: redteam, c2
- Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors - mandiant
- desc: Unknown APT research
- tags: ir, maldev
- The Blind Spots of BloodHound - syss
- desc: Methods to increase BloodHound edge visibility
- tags: windows, redteam
- Certipy 4.0: ESC9 & ESC10, BloodHound GUI, New Authentication and Request Methods — and more! - ifcr
- desc: Certipy improvements
- tags: windows, redteam
- SMTP Matching Abuse in Azure AD - semperis
- desc: Azure AD SMTP Abuse research
- tags: cloud
- Automating Cobalt Strike with Python - redxorblue
- desc: Cobalt Strike automation research
- tags: redteam, c2
- surajpkhetani/Active-Directory-Permission-Abuse
- desc: BloodHound edge summary
- tags: windows
- blacklanternsecurity/bbot
- desc: OSINT automation for hackers.
- tags: web, osint, utility
- HavocFramework/Havoc
- desc: The Havoc Framework
- tags: redteam, c2
- Gerenios/AADInternals
- desc: AADInternals PowerShell module for administering Azure AD and Office 365
- tags: windows, redteam, cloud
- emcghee/PayloadAutomation
- desc: Python classes to serve as a bridge between Sleep and Python which can be used to help automate payload development
- tags: maldev
- Running Shellcode Through Windows Callbacks - marcoramilli
- desc: callback shellcode execution research
- tags: maldev
- ProcEnvInjection - Remote code injection by abusing process environment strings - x86mathew
- desc: Code injection research
- tags: maldev
- Bypassing AppLocker by abusing HashInfo - shell.systems
- desc: applocker bypass research
- tags: redteam, windows
- Break me out of sandbox in old pipe - CVE-2022-22715 Windows Dirty Pipe - k0shl
- desc: Windows LPE disclosure
- tags: windows, privesc
- Investigating .NET CLR Usage Log Tampering Techniques For EDR Evasion (Part 2) - bohops.com
- desc: EDR evasion research
- tags: redteam, windows
- Guide to DLL Sideloading - Ahmed Sher
- desc: Windows DLL hijack research
- tags: windows, redteam
- Hijacking DLLs in Windows - wietzebeukema
- desc: Windows DLL hijack research
- tags: windows, redteam
- code-scrap/awesome-tunneling
- desc: List of ngrok alternatives and other ngrok-like tunneling software and services. Focus on self-hosting.
- tags: utility
- Concealed code execution: Techniques and detection - huntandhackett
- desc: Evasive code execution research
- tags: maldev, redteam
- Multi-factor Authentication In-The-Wild bypass methods - yuval fischer
- desc: mfa bypass research
- tags: web, exploit
- Vulnerable GitHub Actions Workflows Part 1: Privilege Escalation Inside Your CI/CD Pipeline - legitsecurity
- desc: CI/CD exploitation research
- tags: redteam
- redballoonsecurity/ofrak
- desc: OFRAK: unpack, modify, and repack binaries.
- tags: utility
- sneakerhax/Arsenal
- desc: Offensive security tools weaponized
- tags: utility
- D1rkMtr/FileLessRemoteShellcode
- desc: Run fileless remote shellcode directly in memory with module unhooking, module stomping and no new thread. This repository contains the TeamServer and the Stager
- tags: maldev
- secureworks/whiskeysamlandfriends
- desc: GoldenSAML Attack Libraries and Framework
- tags: cloud
- httptoolkit/httptoolkit
- desc: HTTP Toolkit is an open-source tool for debugging, testing and building with HTTP(S) on Windows, Linux and Mac
- tags: utility
- hahwul/WebHackersWeapons
- desc: Web Hacker's Weapons: a collection of tools used by web hackers and bug hunters
- tags: web, utility
- joelgmsec/evilnovnc
- desc: Ready to go Phishing Platform
- tags: phish, redteam
- subglitch1/osripper
- desc: AV evading OSX Backdoor and Crypter Framework
- tags: mac, redteam, maldev
- Give Me Some (macOS) Context… - cedowens
- desc: macos redteam research regarding TCC (Transparency, Consent, and Control)
- tags: mac, redteam
- Res260/conti_202202_leak_procedures
- desc: This repository contains procedures found in the Feb 2022 Conti leaks. They were taken from the "manual_teams_c" RocketChat channel in the leak and were posted there on May 10th, 2021
- tags: misc
- Plugins for Persistence - vivi
- desc: common software plugin persistence research
- tags: redteam
- productivity_text_file/
- desc: ...
- tags: utility
- Bypassing EDR real-time injection detection logic
- desc: driploader investigation
- tags: maldev
- V3ded/ToolDump-v1
- desc: Some of my custom "tools".
- tags: maldev
- N7WEra/BofAllTheThings
- desc: Creating a repository with all public Beacon Object Files (BoFs)
- tags: redteam, utility
- Allevon412/TeamsImplant
- desc: evasive, proxied-dll for MS Teams
- tags: maldev, redteam
- cipher387/Dorks-collections-list
- desc: List of Github repositories and articles with list of dorks for different search engines
- tags: utility
- shogunlab/Sukoshi
- desc: Sukoshi is a proof-of-concept Python/C++ implant that leverages the MQTT protocol for C2 and uses AWS IoT Core as infrastructure.
- tags: maldev, redteam
- c-sto/bananaphone
- desc: It's a go variant of Hells gate! (directly calling windows kernel functions, but from Go!)
- tags: maldev
- optiv/talon
- desc: A password guessing tool that targets the Kerberos and LDAP services within the Windows Active Directory environment.
- tags: windows
- CorrieOnly/google-dorks
- desc: collection of google dorks
- tags: utility
- In-Process Patchless AMSI Bypass - ethicalchaos
- desc: patchless in-process AMSI bypass research
- tags: maldev
- Anatomy of the Process Environment Block (PEB) (Windows Internals) - ntopcode
- desc: windows internals research
- tags: maldev
- Introducing the Golden GMSA Attack - semperis
- desc: windows GMSA persistence
- tags: redteam, windows
- macOS Red Teaming: Get Active Directory credentials from NoMAD - wojciechregula
- desc: NoMAD research
- tags: mac, redteam
- macOS Red Teaming: Initial access via AppleScript URL - wojciechregula
- desc: macos initial access
- tags: mac, redteam, maldev
- LSASS dumping in 2021/2022 - from memory - without C2 - s3cur3th1ss1t
- desc: modern lsass dumping
- tags: windows, postex, redteam
- code-scrap/DynamicWrapperDotNet
- desc: Dynamically Loads Assembly and Calls Methods from JScript
- tags: maldev
- CompassSecurity/BloodHoundQueries
- desc: Custom bloodhound queries
- tags: utility
- warhorse/warhorse
- desc: Warhorse consists of a fully-featured Ansible playbook to deploy infrastructure in the cloud for conducting security assessments.
- tags: infra, utility
- Orange-Cyberdefense/arsenal
- desc: Arsenal is just a quick inventory and launcher for hacking programs
- tags: utility
- S4ntiagoP/freeBokuLoader
- desc: A simple BOF that frees UDRLs
- tags: maldev
- dhondta/awesome-executable-packing
- desc: A curated list of awesome resources related to executable packing
- tags: maldev, utility
- thefLink/DeepSleep
- desc: A variant of Gargoyle for x64 to hide memory artifacts using ROP only and PIC
- tags: maldev
- fortalice/bofhound
- desc: Generate BloodHound compatible JSON from logs written by ldapsearch BOF and pyldapsearch
- tags: windows, postex, redteam
- mandiant/DueDLLigence
- desc: Shellcode runner framework for application whitelisting bypasses and DLL side-loading
- tags: maldev
- AdrianVollmer/PowerHub
- desc: A post exploitation tool based on a web application, focusing on bypassing endpoint protection and application whitelisting
- tags: windows, postex
- xct/elevatedrv
- desc: Simple Driver that elevates any process to SYSTEM
- tags: windows, postex, redteam
- cocomelonc/peekaboo
- desc: Simple undetectable shellcode and code injector launcher example. Inspired by RTO malware development course.
- tags: maldev
- antonioCoco/SharPyShell
- desc: SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications
- tags: web, exploit, maldev
- frkngksl/HintInject
- desc: A PoC project for embedding shellcode to Hint/Name Table
- tags: maldev
- morph3/Windows-RPC-Backdoor
- desc: Simple windows rpc server for research purposes only
- tags: maldev
- Luct0r/KerberOPSEC
- desc: OPSEC safe Kerberoasting in C#
- tags: windows, postex, redteam
- abdulkadir-gungor/JPGtoMalware
- desc: It embeds the executable file or payload inside the JPG file. The method the program uses isn't exactly one of the steganography methods; for this reason it does not cause any distortion in the JPG file. The JPG file size and payload do not have to be proportional. The JPG file is displayed normally in any viewing application or web appli…
- tags: maldev
- nick-frischkorn/SysWhispers-FunctionRandomizer
- desc: Quick python script to replace the NtAPI functions within SysWhispers' assembly and header files with random strings
- tags: maldev
- Octoberfest7/XLL_Phishing
- desc: XLL Phishing Tradecraft
- tags: phish
- DataDog/stratus-red-team
- desc: ☁️ ⚡ Granular, Actionable Adversary Emulation for the Cloud
- tags: utility, blue
- cheat/cheatsheets
- desc: Community-sourced cheatsheets
- tags: resources
- trickster0/OffensiveRust
- desc: Rust Weaponization for Red Team Engagements.
- tags: maldev
- sherlocksecurity/VMware-CVE-2022-22954
- desc: PoC for VMware CVE-2022-22954
- tags: web, exploit
- DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach - Volexity
- desc: "DriftingCloud" APT investigation
- tags: apt, ir
- Chaining vulnerabilities to criticality in Progress WhatsUp Gold - assetnote.io
- desc: bounty writeup
- tags: web, exploit
- ProcEnvInjection - Remote code injection by abusing process environment strings - x86mathew
- desc: abuse of lpEnvironment to execute code in CreateProcess
- tags: maldev
- Multi-factor Authentication In-The-Wild bypass methods - Yuval Fischer
- desc: mfa bypass research
- tags: redteam
- Extracting Clear-Text Credentials Directly From Chromium’s Memory - cyberark
- desc: investigating stored secrets in chrome browser
- tags: redteam, postex
- Rust BOFs for Cobalt Strike
- desc: Building BOFs in Rust
- tags: redteam, maldev
- Hang Fire: Challenging our Mental Model of Initial Access - SpecterOps
- desc: initial access research
- tags: redteam
- Spear Phishing on Modern Platforms - optiv
- desc: cloud spear phish research
- tags: cloud
- Running Shellcode Through Windows Callbacks - marcoramilli
- desc: windows callback research
- tags: maldev
- Yours Truly, Signed AV Driver: Weaponizing an Antivirus Driver - aon
- desc: investigation of abuse of AV vendor code signing certificates
- tags: maldev
- Managed Identity Attack Paths, Part 2: Logic Apps - SpecterOps
- desc: Managed Identity research
- tags: cloud
- Relaying 101
- desc: relaying overview
- tags: windows, exploit
- Arbitrary File Upload Tricks In Java - pyn3rd
- desc: java file upload abuse
- tags: web
- Enumeration and lateral movement in GCP environments - Security Shenanigans
- desc: GCP pivot research
- tags: cloud
- S3cur3Th1sSh1t/Nim_DInvoke
- desc: D/Invoke implementation in Nim
- tags: maldev
- icyguider/Shhhloader
- desc: SysWhispers Shellcode Loader (Work in Progress)
- tags: maldev
- D00MFist/PersistentJXA
- desc: Collection of macOS persistence methods and miscellaneous tools in JXA
- tags: mac
- improsec/SharpEventPersist
- desc: Persistence by writing/reading shellcode from Event Log
- tags: windows, postex
- WhiteOakSecurity/GoAWSConsoleSpray
- desc: Tool to spray AWS Console IAM Logins
- tags: utility
- ChoiSG/sNanoDumpInject
- desc: NanoDumpInject from https://s3cur3th1ssh1t.github.io/Reflective-Dump-Tools/ , minor edits with a few syscalls
- tags: windows, postex
- mgeeky/ShellcodeFluctuation
- desc: An advanced in-memory evasion technique fluctuating shellcode's memory protection between RW/NoAccess & RX and then encrypting/decrypting its contents
- tags: maldev
- mattifestation/AntimalwareBlight
- desc: Execute PowerShell code at the antimalware-light protection level.
- tags: windows, redteam
- Idov31/Nidhogg
- desc: Nidhogg is an all-in-one simple to use rootkit for red teams.
- tags: maldev
- firefart/gosocks
- desc: gosocks is a golang based implementation of a socks5 server which supports custom handlers
- tags: utility
- lawiet47/STFUEDR
- desc: Silence EDRs by removing kernel callbacks
- tags: maldev
- Building an Active Directory Lab - Part 1 - spookysec
- desc: home lab guide
- tags: utility
- yeswerhackers/subdomains-tools-review-full-detailed-comparison
- desc: detailed comparison of subdomain enumeration tools
- tags: recon, osint, web
- Making NtCreateUserProcess Work - Capt Meelo
- desc: NtCreateUserProcess research
- tags: maldev
- malapi.io
- desc: MalAPI.io maps Windows APIs to common techniques used by malware.
- tags: maldev
- Steal Credentials & Bypass 2FA Using noVNC - mr.d0x
- desc: noVNC credential harvesting technique
- tags: phish
- Automating a Red Team Lab (Part 1): Domain Creation - nickzero
- desc: home lab guide
- tags: utility
- projectdiscovery/uncover
- desc: Quickly discover exposed hosts on the internet using multiple search engines.
- tags: osint, recon, web
- HuskyHacks/RustyProcessInjectors
- desc: Just some Rust process injector POCs, nothing weird.
- tags: maldev
- Hurn99/ImitateCobaltStrikeShellcode
- desc: Imitate CobaltStrike's Shellcode Generation
- tags: maldev
- klezVirus/SysWhispers3
- desc: SysWhispers on Steroids - AV/EDR evasion via direct system calls
- tags: maldev
- paranoidninja/O365-Doppelganger
- desc: A quick handy script to harvest credentials off of a user during a Red Team and get execution of a file from the user
- tags: phish
- cube0x0/SyscallPack
- desc: BOF and Shellcode for full DLL unhooking using dynamic syscalls
- tags: c2, maldev
- Arinerron/CVE-2022-0847-DirtyPipe-Exploit
- desc: A root exploit for CVE-2022-0847 (Dirty Pipe)
- tags: exploit
- clibs/clib
- desc: C package manager-ish
- tags: utility
- alfarom256/StinkyLoader
- desc: WIP implementation of a reflective loader written in C++
- tags: maldev
- citronneur/rdpy
- desc: Remote Desktop Protocol in Twisted Python
- tags: windows, utility
- Semperis/GoldenGMSA
- desc: GoldenGMSA tool for working with gMSA passwords
- tags: windows, postex
- crummie5/FreshyCalls
- desc: FreshyCalls tries to make the use of syscalls comfortable and simple, without generating too much boilerplate and in modern C++17!
- tags: maldev
- Cracked5pider/ShellcodeTemplate
- desc: An easily modifiable shellcode template for Windows x64/x86
- tags: maldev
- Azure Dominance Paths - Cloudbrothers
- desc: Azure dominance research
- tags: cloud
- ABC-Code Execution for Veeam - MDsec
- desc: Veeam Backup & Replication vuln research
- tags: windows, cloud
- New Ransomware Family Identified: LokiLocker RaaS Targets Windows Systems - BlackBerry Threat Vector
- desc: LokiLocker RaaS investigation
- tags: ransom
- Docker for Pentesters - ropnop
- desc: Docker how-to for pentesters
- tags: utility, guide
- Backdooring WordPress using PyShell - WPSEC
- desc: WP persistence
- tags: exploit, web
- How I bypassed disable_functions in php to get a remote shell - Asem Eleraky
- desc: PHP protection bypass
- tags: exploit, web
- Introducing RunOF – Arbitrary BOF tool - nettitude
- desc: Arbitrary BOF tool
- tags: c2
- Decrypting Viscosity Passwords - Scottie Austin
- desc: Viscosity attack research
- tags: guide, postex
- Oracle Access Manager Pre-Auth RCE (CVE-2021-35587 Analysis) - Jan
- desc: Oracle Access Manager (OAM) vuln research
- tags: exploit, web
- In the Potato family, I want them all - HideAndSec
- desc: Potato tooling overview
- tags: windows, postex, exploit
- Password spraying and MFA bypasses in the modern security landscape - Sprocket
- desc: Bypassing MFA (owa, exchange, o365) research
- tags: recon, windows, cloud
- VirtualAlllocEx/Payload-Download-Cradles
- desc: Download cradle PoCs
- tags: maldev
- VirtualAlllocEx/Shellcode-Downloader-CreateThread-Execution
- desc: CreateThread download cradle loader
- tags: maldev
- shogunlab/Mochi
- desc: ChaiScript-based loader
- tags: maldev
- skahwah/hollow.cs
- desc: Custom assembly that is compatible with SQL CLR attacks.
- tags: maldev, windows, exploit
- shellfarmer/WeakestLink
- desc: LinkedIn exfil browser extension
- tags: osint
- resyncgg/ripgen
- desc: Rust-based high performance domain permutation generator
- tags: web, osint
- whoismept/IronSharp
- desc: detects CVEs caused by missing updates and privilege escalation vulnerabilities caused by misconfigurations on Windows
- tags: windows, postex, privesc
- cybercdh/kitphishr
- desc: A tool designed to hunt for Phishing Kit source code
- tags: blue
- Group3r/Group3r
- desc: Find vulnerabilities in AD Group Policy, but do it better than Grouper2 did.
- tags: windows, postex
- red-team-operations/initial-access
- desc: IIS + SOAP code exec
- tags: windows, exploit
- PTSwarm - Twitter
- desc: GenericWrite/GenericAll exploitation tip
- tags: windows, postex
- Escalating from Logic App Contributor to Root Owner in Azure
- desc: Azure Logic App research
- tags: cloud
- Bind Payload using SFX archive with Trojanizer - Raj Chandel
- desc: SFX malware
- tags: maldev
- posts/exploring-dll-loads
- desc:
- tags:
- zblurx/acltoolkit
- desc: ACL abuse swiss-knife
- tags: utility
- mandiant/SharPersist
- desc: Windows persistent tool
- tags: windows, postex
- horizon3ai/vcenter_saml_login
- desc: vCenter SAML session forge tool
- tags: exploit
- clem9669/hashcat-rule
- desc: hashcat rules
- tags: cracking
- s0md3v/Smap
- desc: passive nmap-like scanner using shodan
- tags: utility, recon
- adamsvoboda/nim-loader
- desc: WIP shellcode loader in nim with EDR evasion techniques
- tags: maldev
- pathtofile/bad-bpf
- desc: bad eBPF programs
- tags: exploit
- IcebreakerSecurity/DelegationBOF
- desc: Kerberos delegation BOF
- tags: windows, postex
- daem0nc0re/AtomicSyscall
- desc: Tools/PoC for windows syscall investigation
- tags: maldev
- qeeqbox/octopus
- desc: Pure Honeypots with an automated bash script
- tags: utility, blue
- ivre/ivre
- desc: Network recon framework
- tags: recon, web, bounty
- NtQuerySystemInformation/CustomKeyboardLayoutPersistence
- desc: Persistence PoC using Custom Keyboard Layout
- tags: maldev
- Orange-Cyberdefense/fenrir-ocd
- desc: WiFi attack tool
- tags: wireless
- Orange-Cyberdefense/GOAD
- desc: AD lab automated setup
- tags: lab
- A primer on DCSync attack and detection - alteredsecurity
- desc: DCSync attack and detection research
- tags: windows, redteam
- Bypassing Little Snitch Firewall with Empty TCP Packets - Rhino
- desc: little snitch research
- tags: macos
- I’m bringing relaying back: A comprehensive guide on relaying anno 2022 - trustedsec
- desc: relay research (already outdated; when did relaying go away?)
- tags: windows, exploit, redteam
- Hacking .Net Games With DnSpy - Brandon Roldan
- desc: dnSpy how-to
- tags: maldev
- EmbedExeLnk - Embedding an EXE inside a LNK with automatic execution - x86mathew
- desc: LNK research
- tags: maldev, phishing, redteam
- Reading and writing remote process data without using ReadProcessMemory / WriteProcessMemory - x86mathew
- desc: ReadProcessMemory / WriteProcessMemory alternatives
- tags: maldev
- Downloads and the Mark-of-the-Web - textslashplain
- desc: Mark of the web research
- tags: windows
- SIM Hijacking
- desc: sim hijacking research
- tags: phishing, redteam
- Attack Surface Reduction - commial
- desc: ASR research
- tags: windows, redteam
- Windows Persistence Using WSL2 - themayor.tech
- desc: windows wsl persistence research
- tags: windows
- PPE — Poisoned Pipeline Execution - Omer Gil
- desc: CI/CD pipeline exploitation research
- tags: redteam
- (Rust) Parallel Syscalls - memn0ps
- desc: rust based parallel syscalls
- tags: maldev
- Abusing Exceptions for Code Execution, Part 1 - Bill Demirkapi
- desc: executing just-in-time code by abusing exception handling and existing memory regions
- tags: maldev
- Retrieving Syscall ID with Hell's Gate, Halo's Gate, FreshyCalls and Syswhispers2 - Alice Climent Pommeret
- desc: syscall ID retrieval / direct syscall research
- tags: maldev
- Staged vs Stageless Payloads - spookysec
- desc: malware evasion research
- tags: maldev, redteam
- 10 ways of gaining control over Azure function Apps - Billuk21
- desc: azure functions exploit research
- tags: cloud
- Useful Libraries for Malware Development - captmeelo
- desc: collection of useful malwaredev libs
- tags: maldev
- GitHub: The Red-Teamer’s Cheat-Sheet - Komodo Consulting
- desc: github hacking guide
- tags: web, osint
- Password spraying and MFA bypasses in the modern security landscape - sprocketsecurity
- desc: (NTLM) authentication over HTTP password spraying
- tags: windows
- Exploring Windows UAC Bypasses: Techniques and Detection Strategies - elastic security research
- desc: uac bypass research
- tags: windows, privesc
- AD CS: from ManageCA to RCE - BlackArrow
- desc: adcs research
- tags: windows, redteam
- ShadowCoerce - pentestlaboratories
- desc: MS-EFSR research
- tags: windows
- michelin/ChopChop
- desc: web endpoint scanner
- tags: web
- dosxuz/ProcessGhosting
- desc: ghosting poc - blog
- tags: maldev
- chdav/GoWard
- desc: golang redteam proxy
- tags: utility
- FourCoreLabs/EDRHunt
- desc: golang edr scanner
- tags: redteam
- codewhitesec/RogueRemotingServer
- desc: .net remoting server to deliver BinaryFormatter/SoapFormatter payloads
- tags: web, exploit
- pwn1sher/KillDefender
- desc: defender token integrity poc
- tags: windows, exploit
- RedTeamOperations/Advanced-Process-Injection-Workshop
- desc: malware dev research
- tags: maldev
- bugch3ck/SharpLdapWhoami
- desc: whoami alternative using ldap
- tags: windows
- carlospolop/PurplePanda
- desc: identify priv escalation paths within & across clouds
- tags: cloud
- cldrn/InsecureProgrammingDB
- desc: insecure programming functions database
- tags: utility
- icyguider/Shhhloader
- desc: SysWhispers Shellcode Loader
- tags: maldev
- Tw1sm/spraycharles
- desc: low and slow password sprayer
- tags: windows
- PwnDexter/Invoke-EDRChecker
- desc: edr scanner (powershell)
- tags: windows, redteam
- fofapro/fapro
- desc: rogue protocol server
- tags: utility
- ChadMotivation/TymSpecial
- desc: SysWhispers integrated shellcode loader w/ ETW patching, anti-sandboxing, & spoofed code signing certificates
- tags: maldev
- sbasu7241/HellsGate
- desc: hellsgate poc
- tags: maldev
- Allevon412/PPL_Sandboxer
- desc: defender token integrity poc
- tags: windows, exploit
- daem0nc0re/PrivFu
- desc: Kernel mode WinDbg extension
- tags: reversing
- 0xthirteen/SharpStay
- desc: .net persistence pocs
- tags: redteam
- S3cur3Th1sSh1t/Invoke-HandleKatzInject.ps1
- desc: handlekatz powershell wrapper
- tags: windows, redteam
- dbrwsky/Nuclei-BurpExtension
- desc: nuclei in burp
- tags: web, exploit
- whydee86/SnD_AMSI
- desc: start new powershell without etw and amsi in pure nim
- tags: windows, redteam, maldev
- adrianyy/KeInject
- desc: kernel LdrLoadDll injector
- tags: maldev
- alexfrancow/offensive-vlang
- desc: V lang pocs
- tags: maldev
- ly4k/SpoolFool
- desc: CVE-2022-21999 poc
- tags: windows, exploit
- mgeeky/PackMyPayload
- desc: python payload packer
- tags: maldev
- dadas190/Heavens-Gate-2.0
- desc: heaven's gate poc
- tags: maldev
- Puliczek/awesome-list-of-secrets-in-environment-variables
- desc: env var secret db
- tags: utility
- cube0x0/KrbRelay
- desc: framework for kerberos relaying
- tags: windows, redteam
- Arno0x/ShellcodeWrapper
- desc: shellcode packer (python)
- tags: maldev
- mkellerman/Invoke-CommandAs
- desc: Invoke Command As System/Interactive/GMSA/User on Local/Remote machine & returns PSObjects.
- tags: windows
- hasherezade/process_overwriting
- desc: Yet another variant of Process Hollowing
- tags: maldev
- horizon3ai/backup_dc_registry
- desc: Backup Operator priv esc poc
- tags: windows, redteam
- mpgn/BackupOperatorToDA
- desc: Backup Operator priv esc poc
- tags: windows, redteam
- Alternative Process Injection - Netero1010
- desc: alternative process injection research
- tags: maldev
- Sandboxing Antimalware Products for Fun and Profit - Elastic Security Research
- desc: nerfing PPL research
- tags: redteam, windows
- Object Overloading - TrustedSec
- desc: dll loading research - poc
- tags: maldev
- Shadow Credentials - Penetration Testing Lab
- desc: Windows Hello for Business (WHfB) research
- tags: windows, redteam
- Custom Previews For Malicious Attachments - Mrd0x
- desc: Google Drive-style attachment preview phishing pretext research
- tags: phishing, redteam
- Adding DCSync Permissions from Linux - n00py
- desc: DCSync attack from linux
- tags: windows, redteam
- Unpacking CVE-2021-40444: A Deep Technical Analysis of an Office RCE Exploit - Bill Demirkapi
- desc: Maldoc technique investigation
- tags: phishing, redteam, exploit
- Defeating EDRs with Office Products - Ivy
- desc: WSH evasion and generation
- tags: maldev
- Exploiting URL Parsing Confusion - Claroty
- desc: URL parser research
- tags: web, exploit
- Delegate to KRBTGT service - Skyblue
- desc: Kerberos delegation research
- tags: windows, redteam
- How To Extract Credentials from Azure Kubernetes Service (AKS) - NetSpi
- desc: Azure credential theft research
- tags: cloud, redteam
- Pass the Cloud with a Cookie - misconfig.io
- desc: Cloud cookie research
- tags: cloud, redteam
- Hacking the Apple Webcam (again) - ryanpickren
- desc: macos vuln research
- tags: mac, exploit
- .NET Remoting Revisited - codewhite
- desc: .net vuln/dev research
- tags: windows, maldev
- ZohOwned :: A Critical Authentication Bypass on Zoho ManageEngine Desktop Central - srcincite
- desc: vuln research manageengine
- tags: exploit
- elastic/PPLGuard
- desc: PPL threat mitigation
- tags: windows, privesc
- thefLink/RecycledGate
- desc: Hellsgate + Halosgate/Tartarosgate. Ensures that all systemcalls go through ntdll.dll
- tags: maldev
- juanfont/headscale
- desc: OSS self-hosted Tailscale control server
- tags: utility
- xenoscr/manual-syscall-detect
- desc: A tool for detecting manual/direct syscalls in x86 and x64 processes using Nirvana Hooks.
- tags: maldev
- b1tg/Ox-C2
- desc: rust c2
- tags: redteam
- Kudaes/DInvoke_rs
- desc: Rust DInvoke port
- tags: maldev
- Idov31/FunctionStomping
- desc: "novel" shellcode injection technique
- tags: maldev
- chvancooten/NimPackt-v1
- desc: nim assembly packer and loader
- tags: maldev
- R4yGM/garlicshare
- desc: Private and self-hosted file sharing over the Tor network written in golang
- tags: utility
- Cyb3r4rch3r/PasswordList
- desc: password dump collection
- tags: cracking, utility
- notdodo/LocalAdminSharp
- desc: C# tool to create a local admin account
- tags: windows, privesc
- 3xpl01tc0d3r/ProcessInjection
- desc: various process injection technique PoCs
- tags: maldev
- lkarlslund/adalanche
- desc: Active Directory ACL Visualizer and Explorer - who's really Domain Admin?
- tags: redteam, windows
- 0xsp-SRD/mortar
- desc: memory stream encryption evasion technique to defeat and divert detection and prevention of security products (AV/EDR/XDR)
- tags: maldev
- theparanoids/ashirt-server
- desc: Adversary Simulators High-Fidelity Intelligence and Reporting Toolkit
- tags: utility
- mdsecactivebreach/ParallelSyscalls
- desc: Syscall alternative PoC
- tags: maldev
- DarkCoderSc/PowerRemoteDesktop
- desc: RDP Powershell port
- tags: utility
- ad-995/bluffy
- desc: Convert shellcode into different formats
- tags: maldev
- trickster0/LdrLoadDll-Unhooking
- desc: LdrLoadDll unhooking
- tags: maldev
- dhondta/awesome-executable-packing
- desc: curated list of resources related to executable packing
- tags: maldev
- 0vercl0k/CVE-2021-31166
- desc: http.sys RCE PoC
- tags: web, exploit
- zimawhit3/HellsGateNim
- desc: Nim port Hellsgate
- tags: maldev
- voutilad/BloodHound-Tools
- desc: misc. tools for bloodhound
- tags: utility, redteam
- zyn3rgy/LdapRelayScan
- desc: scanner for LDAP/LDAPS relay protections
- tags: windows
- 89luca89/pakkero
- desc: go binary packer
- tags: maldev
- trustedsec/SeeYouCM-Thief
- desc: Cisco phone raider
- tags: exploit, infra
- six2dez/OneListForAll
- desc: rockyou.txt for web fuzzing
- tags: web
- blacklanternsecurity/TREVORspray
- desc: pw sprayer
- tags: exploit
- Wra7h/SharpGhosting
- desc: c# port process ghosting
- tags: maldev
- dosxuz/ProcessGhosting
- desc: c# port process ghosting
- tags: maldev
- BishopFox/CVE-2021-35211
- desc: SERV-U RCE PoC
- tags: exploit, web
- jfmaes/AmsiHooker
- desc: hook (not patch) amsi
- tags: maldev
- wireghoul/htshells
- desc: htaccess shell collection
- tags: web, exploit
- khuedoan/homelab
- desc: homelab automation
- tags: utility
- nasbench/C2-Matrix-Indicators
- desc: c2 indicator collection
- tags: maldev
- AttackForge
- desc: pentest management platform
- tags: utility
- resyncgg/ripgen
- desc: rust dns resolver
- tags: recon, web
- hlldz/RefleXXion
- desc: Parallel-asis like, syscall collection / evasion
- tags: maldev
- Qianlitp/crawlergo
- desc: go web crawler
- tags: web, recon
- icyguider/nimcrypt
- desc: PE crypter written in Nim
- tags: maldev
- S3cur3Th1sSh1t/NimGetSyscallStub
- desc: Syscall nim port
- tags: maldev
- frkngksl/ParallelNimcalls
- desc: Parallel-asis Nim port
- tags: maldev
- rustrat/rustrat
- desc: rust c2
- tags: redteam
- ly4k/PwnKit
- desc: Polkit (pkexec) PoC
- tags: exploit
- plackyhacker/Suspended-Thread-Injection
- desc: shellcode injection technique
- tags: maldev
- optiv/Ivy
- desc: advanced WSH shellcode runner
- tags: maldev, redteam
- knavesec/CredMaster
- desc: CredKing port (pw spraying)
- tags: exploit
- ORCA666/T.D.P
- desc: Shellcode runner using Thread Description Poisoning
- tags: maldev
- scythe-io/community-threats
- desc: largest, public library of adversary emulation plans in JSON
- tags: redteam
- login-securite/DonPAPI
- desc: DPAPI remote dumper
- tags: windows, redteam
- fyoorer/ShadowClone
- desc: tool to distribute local command to N servers
- tags: utility
- Domain Persistence – AdminSDHolder - pentestlab
- desc: persistence research
- tags: windows, redteam
- Staging Cobalt Strike with mTLS using Caddy - improsec
- desc: caddy relay/redirector research
- tags: redteam
- Converting C# Tools to PowerShell - Icyguider
- desc: Packing C# tools into powershell scripts
- tags: maldev, windows
- How to install Elastic SIEM and Elastic EDR - On the Hunt
- desc: OSS EDR installation tut
- tags: maldev
- PKI Abuse Cheatsheet - Flangvik
- desc: ADCS cheatsheet
- tags: redteam, windows
- From LoadLibrary to Manually Mapping, the Art of DLL Injection - Abraxu
- desc: dll injection research
- tags: maldev
- 10 real-world stories of how we’ve compromised CI/CD pipelines - NCCGroup
- desc: CI/CD exploitation research
- tags: exploit
- Recon Weekly #1 : Attack Surface Basics - sshell
- desc: recon research
- tags: web, recon
- EDR Parallel-asis through Analysis - MDSec
- desc: Syscall alternative research
- tags: maldev
- FULLSHADE/WARFOX-C2
- desc: An HTTPS beaconing Windows implant and multi-layered proxy C2 network designed for covert APT emulation focused offensive operations
- tags: redteam
- notdodo/adduser-dll
- desc: Simple DLL that adds a user to the local Administrators group
- tags: maldev
- icyguider/Shhhloader
- desc: SysWhispers Shellcode Loader
- tags: maldev
- improsec/CaddyStager
- desc: caddy relay/redirector for use with Cobalt Strike
- tags: redteam
- kyleavery/inject-assembly
- desc: inject .net into existing process
- tags: maldev, redteam
- 2vg/blackcat-rs
- desc: rust runners
- tags: maldev
- fiatjaf/jiq
- desc: interactive JSON query tool
- tags: utility
- qtc-de/remote-method-guesser
- desc: Java RMI Vuln Scanner
- tags: web, exploit
- pry0cc/relevant-wordlist
- desc: Headlines related wordlist
- tags: cracking, utility
- Boku7/BokuLoader
- desc: Cobalt Strike User-Defined Reflective Loader
- tags: maldev
- CravateRouge/bloodyAD
- desc: AD Priv Esc framework built on Impacket
- tags: windows, redteam
- Ccob/MirrorDump
- desc: LSASS dumper
- tags: windows
- paranoidninja/EtwTi-Syscall-Hook
- desc: Syscall hunter
- tags: maldev
- cube0x0/ParallelSyscalls/
- desc: C# implementation of MDSec's Parallel-asis
- tags: maldev
- thiagomayllart/Harvis
- desc: c2 infra automation
- tags: redteam
- tothi/azure-function-proxy
- desc: azure function proxy serverless app
- tags: redteam, cloud
- lz520520/Stowaway
- desc: multi-hop proxy tool
- tags: redteam, utility
- Cerbersec/Ares
- desc: C/C++ transacted hollowing PoC
- tags: maldev
- mrd0x/pe2shc-to-cdb
- desc: CDB lolbin shellcode converter
- tags: maldev
- filesec.io
- desc: attacker file extension reference
- tags: windows, redteam
- Dumping LSASS with Duplicated Handles - Rasta Mouse
- desc: lsass dump research
- tags: windows, redteam
- ADCS: Playing with ESC4 - fortalicesolutions
- desc: ADCS research
- tags: windows, redteam
- responder and IPv6 attacks - laurent gaffie
- desc: responder.py feature announcement
- tags: windows, exploit, redteam
- How to exploit Log4j vulnerabilities in VMWare vCenter - SprocketSecurity
- desc: vcenter log4j exploitation research
- tags: exploit
- Downgrading Kerberos Encryption & Why It Doesn’t Work In Server 2019 - vbscrub
- desc: kerberos exploitation research
- tags: windows, redteam
- Windows 10 RCE: The exploit is in the link - positive.security
- desc: Win 10 URI handler 0day
- tags: windows, exploit
- 31k$ SSRF in Google Cloud Monitoring led to metadata exposure - david nechuta
- desc: bug bounty gcp research
- tags: web, exploit
- Antivirus evasion by user mode unhooking on Windows 10 - Broumels & Ubink
- desc: EDR/AV unhooking evasion research
- tags: maldev
- Quick & Lazy Malware Development - capt. meelo
- desc: malware evasion research
- tags: maldev
- Why is Exposing the Docker Socket a Really Bad Idea? - Quarkslab
- desc: docker exploitation research
- tags: cloud
- This is how I bypassed almost every EDR! - omri baso
- desc: edr evasion research
- tags: maldev
- RCE-0-day-for-GhostScript-9.50 - duc-nt
- desc: RCE 0-day for GhostScript 9.50 - Payload generator
- tags: web, exploit
- PHP LFI with Nginx Assistance - 0xbb
- desc: php+lfi research
- tags: web, exploit
- Turning bad SSRF to good SSRF: Websphere Portal - assetnote
- desc: ssrf research
- tags: web, exploit
- Attacking Java RMI via SSRF - qtc
- desc: ssrf research
- tags: web, exploit
- Unlocking the Vault :: Unauthenticated Remote Code Execution against CommVault Command Center - srcincite
- desc: vuln research
- tags: web, exploit
- Defeating Malicious Launch Persistence - 4n7m4n
- desc: malware hunting research
- tags: macos, blueteam
- phith0n/zkar
- desc: ZKar is a Java serialization protocol analysis tool implemented in Go.
- tags: utility, web
- clr2of8/DPAT
- desc: Domain Password Audit Tool for Pentesters
- tags: windows, postex
- ShutdownRepo/ShadowCoerce
- desc: MS-FSRVP coercion abuse PoC
- tags: windows, exploit, redteam
- plackyhacker/CmdLineSpoofer
- desc: How to spoof the command line when spawning a new process from C#.
- tags: maldev
- sliverarmory/armory
- desc: The Official Sliver Armory
- tags: redteam
- Cracked5pider/KaynLdr
- desc: KaynLdr is a Reflective Loader written in C/ASM
- tags: maldev
- trickster0/TartarusGate
- desc: TartarusGate, Bypassing EDRs
- tags: maldev
- plackyhacker/Sys-Calls
- desc: An example of using Syscalls in C# to get a meterpreter shell
- tags: maldev
- plackyhacker/Peruns-Fart
- desc: Perun's Fart (Slavic God's Luck). Another method for unhooking AV and EDR, this is my C# version
- tags: maldev
- boku7/CobaltStrikeReflectiveLoader
- desc: Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.
- tags: maldev
- enkomio/AlanFramework
- desc: A C2 post-exploitation framework
- tags: redteam
- soteria-security/365Inspect
- desc: A PowerShell script that automates the security assessment of Microsoft Office 365 environments.
- tags: cloud
- c3c/ADExplorerSnapshot.py
- desc: ADExplorerSnapshot.py is an AD Explorer snapshot ingestor for BloodHound
- tags: redteam
- ajpc500/NimlineWhispers2
- desc: A tool for converting SysWhispers2 syscalls for use with Nim projects
- tags: maldev
- adamcaudill/EquationGroupLeak HTA
- desc: equationgroup hta
- tags: maldev
- antonioCoco/MalSeclogon
- desc: A little tool to play with the Seclogon service, lsass dump + PPID spoofing
- tags: windows, postex
- l0ggg/VMware_vCenter
- desc: VMware vCenter 7.0.2.00100 unauth Arbitrary File Read + SSRF + Reflected XSS
- tags: exploit, web
- GovTech-CSG/ProxyAgent
- desc: tool created to ease the proxy connection setup between a rooted Android device and a computer running Burp Suite
- tags: mobile
- h3x0crypt/HostSpider
- desc: domain info gathering tool
- tags: recon, web
- diversenok/NtTools
- desc: random system tools for windows
- tags: windows, redteam, utility
- vmware-labs/attack-surface-framework
- desc: asset finder
- tags: web, recon
- knownsec/Kunyu
- desc: Kunyu, more efficient corporate asset collection
- tags: web, recon
- iomoath/PowerShx
- desc: Run Powershell without software restrictions.
- tags: windows, redteam
- XiaoliChan/wmiexec-RegOut
- desc: Modified version of Impacket's wmiexec.py that gets output (data, response) from the registry, needs no SMB connection, and also bypasses antivirus software during lateral movement, like WMIHACKER.
- tags: windows, redteam
- pwn1sher/WMEye
- desc: WMEye is a post exploitation tool that uses WMI Event Filter and MSBuild Execution for lateral movement
- tags: windows, redteam
- infosecn1nja/Red-Teaming-Toolkit
- desc: This repository contains cutting-edge open-source security tools (OST) for a red teamer and threat hunter.
- tags: redteam
- sbasu7241/kernelcallback.cs
- desc: edr evasion using kernel callbacks PoC
- tags: maldev
- noperator/panos-scanner
- desc: pan os scanner
- tags: web
- icyguider/DumpNParse
- desc: A Combination LSASS Dumper and LSASS Parser. All Credit goes to @slyd0g and @cube0x0.
- tags: windows, postex
- nationalcptc/report_examples
- desc: Example reports from prior years of the Collegiate Penetration Testing Competition
- tags: utility
- connormcgarr/tgtdelegation
- desc: BOF TGT delegation trick
- tags: windows, redteam
- oldboy21/LDAP-Password-Hunter
- desc: Password Hunter in the LDAP infamous database
- tags: windows, redteam
- ariary/fileless-xec
- desc: Stealth dropper executing remote binaries without dropping them on disk (HTTP3 support, ICMP support, invisible tracks, cross-platform, ...)
- tags: maldev
- Blinding EDR On Windows - Zach Stein
- desc: edr evasion research
- tags: maldev
- Alternative Process Injection - Netero1010
- desc: process injection research
- tags: maldev
- Writing Beacon Object Files: Flexible, Stealthy, and Compatible - Coresecurity
- desc: bof creation research
- tags: redteam
- Bypass the Detection & Prevention Obstacle: Red Teaming Technique - Lawrence Amer | CRESTCon Asia
- desc: edr evasion research
- tags: maldev
- Process Ghosting - pentestlaboratories.com
- desc: edr evasion research
- tags: maldev
- CVE-2021-42287/CVE-2021-42278 Weaponisation - exploit-ph
- desc: CVE-2021-42278, CVE-2021-42291, CVE-2021-42287 and CVE-2021-42282 research (nopac/sam-the-admin)
- tags: windows, redteam
- Remote Deserialization Bug in Microsoft's RDP Client through Smart Card Extension (CVE-2021-38666) - THALIUM
- desc: RDP 0day research
- tags: windows, exploit
- Abusing Windows’ Implementation of Fork() for Stealthy Memory Operations - Bill Demirkapi
- desc: evasion research
- tags: redteam, maldev
- DLL Hollowing - Dimitri Di Cristofaro
- desc: evasion research
- tags: maldev
- When You sysWhisper Loud Enough for AV to Hear You - capt. meelo
- desc: evasion research
- tags: maldev
- EDR, a closer look at protected services - infosec.tirol
- desc: edr workings research
- tags: maldev, redteam
- Skrull: run malware on the victim using the Process Ghosting technique - do son
- desc: evasion research
- tags: maldev
- WazeHell/sam-the-admin
- desc: Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
- tags: windows, exploit, privesc
- cube0x0/noPac
- desc: CVE-2021-42287/CVE-2021-42278 Scanner & Exploiter.
- tags: windows, exploit, privesc
- wavestone-cdt/EDRSandblast
- desc: tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections
- tags: maldev
- netmeld/netmeld
- desc: A tool suite for use during system assessments.
- tags: utility
- airbus-cert/Invoke-Bof
- desc: Load any Beacon Object File using Powershell!
- tags: redteam
- veracode-research/rogue-jndi
- desc: malicious ldap server used for JNDI exploitation
- tags: web
- dirkjanm/forest-trust-tools
- desc: poc tools for trust misuse
- tags: redteam
- nettitude/RunPE
- desc: C# Reflective loader for unmanaged binaries.
- tags: maldev, redteam
- DarkCoderSc/PowerRunAsAttached
- desc: This script allows spawning a new interactive console as another user account in the same calling console (console instance/window).
- tags: windows, postex
- skahwah/SSHClient
- desc: c# ssh client
- tags: maldev
- checkymander/Sharp-SMBExec
- desc: c# smbexec
- tags: windows, redteam
- MartinSohn/Office-phish-templates
- desc: Tricks the target into enabling content (macros) with fake messages.
- tags: phish
- trickster0/OffensiveRust
- desc: Rust Weaponization for Red Team Engagements.
- tags: maldev
- mrthefakeperson/Excel-Virtual-Machine
- desc: c compiler which targets Excel
- tags: maldev
- zeronetworks/BloodHound-Tools
- desc: collection of tools that reflect the network dimension into bloodhound's data
- tags: windows
- ExperienceOne/apikit
- desc: Generates Golang client and server based on OpenAPI2 (swagger) definitions
- tags: web
- 9emin1/charlotte
- desc: c++ fully undetected shellcode launcher
- tags: maldev
- sdcampbell/Internal-Pentest-Playbook
- desc: internal pentest playbook
- tags: utility
- nodauf/GoMapEnum
- desc: User enumeration and password bruteforce on Azure, ADFS, OWA, O365, Teams and gather emails on Linkedin
- tags: phish, redteam
- 0xDexter0us/Scavenger
- desc: Burp extension to create target specific and tailored wordlist from burp history.
- tags: web
- GoSecure/ldap-scanner
- desc: Checks for signature requirements over LDAP
- tags: windows, redteam
- moloch--/leakdb
- desc: Web-Scale NoSQL Idempotent Cloud-Native Big-Data Serverless Plaintext Credential Search
- tags: utility
- danports/cassia
- desc: Cassia is a .NET library for accessing the native Windows Remote Desktop Services API
- tags: maldev
- sbasu7241/findhooks.cs
- desc: identify edr hooks script
- tags: maldev
- KaLendsi/CVE-2021-43224-POC
- desc: Windows Common Log File System Driver POC
- tags: privesc
- tothi/log4shell-vulnerable-app
- desc: A Basic Java Application Vulnerable to the Log4Shell RCE
- tags: web
- mufeedvh/moonwalk
- desc: Cover your tracks during Linux Exploitation by leaving zero traces
- tags: linux, postex
- fullhunt/log4j-scan
- desc: log4j header list
- tags: web
- EspressoCake/NativeFunctionStaticMap
- desc: A very imperfect attempt to correlate Kernel32 function calls to native API (Nt/Zw) counterparts/execution flow.
- tags: maldev
- FULLSHADE/Jektor
- desc: A Windows user-mode shellcode execution tool that demonstrates various techniques that malware uses
- tags: maldev
- pwn1sher/uuid-loader
- desc: UUID based Shellcode loader for your favorite C2 (cpp)
- tags: maldev
- ricardojba/Invoke-noPac
- desc: CVE-2021-42278 and CVE-2021-42287 exploitation (noPac/sam-the-admin)
- tags: windows, redteam
- Yaxser/COFFLoader2
- desc: Load and execute COFF files and Cobalt Strike BOFs in-memory
- tags: redteam, maldev
- PalindromeLabs/STEWS
- desc: A Security Tool for Enumerating WebSockets
- tags: web
- KINGSABRI/goCabrito
- desc: Super organized and flexible script for sending phishing campaigns
- tags: phish, utility
- Souhardya/ChimeraLdr
- desc: Multipurpose malware framework utilizing vk.com as c2
- tags: redteam, maldev
- cedowens/EntitlementCheck
- desc: Python3 script for macOS to recursively check for binaries with problematic/interesting entitlements.
- tags: macos
- FDlucifer/Proxy-Attackchain
- desc: proxylogon, proxyshell, proxyoracle and proxytoken full chain exploit tool
- tags: windows, exploit
- jthuraisamy/TelemetrySourcerer
- desc: Enumerate and disable common sources of telemetry used by AV/EDR.
- tags: maldev
- Retrospected/kerbmon
- desc: Continuous kerberoast monitor
- tags: windows, redteam
- bigb0sss/Bankai
- desc: Another Go Shellcode Loader using Windows APIs
- tags: maldev
- Evading EDR Detection with Reentrancy Abuse - deepinstinct
- desc: EDR evasion research
- tags: maldev
- The Kerberos Key List Attack: The return of the Read Only Domain Controllers - secureauth
- desc: new credential gathering attack vector involving Read Only Domain Controllers
- tags: redteam
- Becoming A Super Admin In Someone Else's Gsuite Organization And Taking It Over - secreltyhiddenwriteups
- desc: gsuite exploitation writeup
- tags: phish, redteam
- Pentest tale - Dumping cleartext credentials from antivirus - exandroid.dev
- desc: eset creds extraction
- tags: postex
- Mimikatz - hacker recipes
- desc: mimikatz research
- tags: windows, postex
- CravateRouge/bloodyAD
- desc: python priv esc framework (e.g. PowerView-esque)
- tags: redteam, windows
- nnsee/fileless-elf-exec
- desc: fileless elf exec
- tags: linux, exploit
- mandatoryprogrammer/CursedChrome
- desc: proxy pivot chrome extension
- tags: redteam
- t3hbb/NSGenCS
- desc: Extendable payload obfuscation and delivery framework
- tags: maldev
- N4kedTurtle/LocalDllParse
- desc: Local DLL enum
- tags: maldev, redteam
- helpsystems/nanodump
- desc: Dumping LSASS has never been so stealthy
- tags: redteam, windows
- mai1zhi2/SharpBeacon
- desc: c# beacon
- tags: redteam, maldev
- lkarlslund/azureimposter
- desc: Go module that allows you to authenticate to Azure with a well known client ID using interactive logon and grab the token
- tags: redteam
- CCob/lsarelayx
- desc: NTLM relaying for Windows made easy
- tags: windows, exploit, redteam
- Living Off Trusted Sites (LOTS) Project
- desc: trusted site compilation
- tags: redteam
- Sh0ckFR/InlineWhispers2
- desc: Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2
- tags: redteam, maldev
- filesec.io - latest file extensions being used by attackers
- desc: Stay up-to-date with the latest file extensions being used by attackers.
- tags: redteam
- tothi/dll-hijack-by-proxying
- desc: Exploiting DLL Hijacking by DLL Proxying Super Easily
- tags: maldev
- rasta-mouse/ExternalC2.NET
- desc: .NET implementation of Cobalt Strike's External C2 Spec
- oXis/GPUSleep
- desc: PoC Move CS beacon to GPU memory when sleeping
- tags: maldev
- securifybv/Visual-Studio-BOF-template
- desc: A Visual Studio template used to create Cobalt Strike BOFs
- tags: utility
- login-securite/DonPAPI
- desc: remote DPAPI
- tags: redteam, windows
- S3cur3Th1sSh1t/MultiPotato
- desc: SeImpersonate RoguePotato variation
- tags: redteam, windows
- echtdefault/MalDoc-Embedded-EXE-Bin-
- desc: maldoc gen technique
- tags: maldev, phish
- thalpius/Microsoft-Kerberos
- desc: PoC KerberosSecurityTokenProvider tgs
- tags: redteam, windows
- klinix5/InstallerFileTakeOver
- desc: windows lpe 0day poc
- tags: windows, lpe
- two06/Inception
- desc: Provides In-memory compilation and reflective loading of C# apps for AV evasion.
- tags: maldev
- dievus/Firefox-Dumper
- desc: Tool to transfer credential files from Firefox to your local machine to decrypt offline.
- tags: utility
- andre3llo/apachestruts
- desc: Exploit for Apache Struts v2 (RCE)
- tags: web, exploit
- thehappydinoa/rootOS
- desc: macos priv esc helper
- tags: apple, lpe
- nettitude/SharpSocks
- desc: Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
- tags: utility
- dievus/Oh365UserFinder
- desc: Python3 o365 User Enumeration Tool
- tags: cloud
- mrd0x/dll_inject_lolbin
- desc: LOLBINs that inject a DLL into a given process ID.
- tags: windows, redteam
- Moodle - Stored XSS and blind SSRF possible via feedback answer text - r0.haxor.org
- desc: moodle exploitation
- tags: web
- Interview with Kajit - vx-underground
- desc: crowd-sourced interview with ransomware operator
- tags: misc
- Process Hollowing explanation
- desc: process hollowing explanation
- tags: maldev
- Windows & Active Directory Exploitation Cheat Sheet and Command Reference - casvancooten
- desc: ad cheatsheet
- tags: redteam, windows
- lolbin cmdl32.exe download - @elliotkillick
- cmd.exe shortname command obfuscation - @jonaslyk
- Sitecore Experience Platform Pre-Auth RCE - assetnote
- desc: 0day writeup
- tags: web, exploit
- Go’s best friend: UPX, the executable compressor
- desc: packing/compressing go bins
- tags: maldev
- Cybersecurity Collaboration Report - noraj
- desc: list of report collaboration tools
- tags: utility
- This is how I bypassed almost every EDR!
- desc: EDR evasion research
- tags: maldev
- SAML and SAML Attacks - RedSiege
- desc: SAML exploitation research
- tags: web
- Master of Puppets Part II – How to tamper the EDR? - infosec.tirol
- desc: EDR evasion research
- tags: maldev
- Kerberoast with OpSec - m365internals
- desc: Kerberoasting opsec considerations and research
- tags: redteam
- Malicious Document Analysis: Example 1 - Alexandre Borges
- desc: analysis of a malware doc
- tags: redteam, maldev
- Windows Red Team Persistence Techniques | Persistence With PowerShell Empire - HackerSploit
- desc: overview of persistence techniques using Empire
- tags: redteam
- How to exploit CVE-2021-40539 on ManageEngine ADSelfService Plus - SynAcktiv
- desc: ManageEngine Nday exploit research
- tags: web, exploit
- Servers are overrated – Bypassing corporate proxies (ab)using serverless for fun and profit - Jean Maes
- desc: proxy bypasses and abuses
- tags: redteam
- Attacking Access Control Models In Modern Web Applications - snapsec
- desc: ACL bypass research
- tags: web, exploit
- Finding An Unauthenticated RCE Vulnerability In MovableType - nemesis.sh
- desc: MovableType vuln research/disclosure
- tags: web, exploit, research
- Auth Bypass in Google Assistant - xdavidhu
- desc: Webpage can execute Google Assistant commands without any permissions
- tags: exploit, research
- Escalating XSS to Sainthood with Nagios
- desc: Nagios exploitation research and disclosure
- tags: web, exploit
- From Zero to Domain Admin - the dfir report
- desc: Google Feed Proxy campaign IR report
- tags: research, phish, redteam
- D/Invoke Baguette - rastamouse
- desc: Introduction of new, related DInvoke projects
- tags: maldev
- gwen001/DataExtractor
- desc: burp extension to extract data from source code
- tags: web
- NetSPI/MicroBurst
- desc: A collection of scripts for assessing Microsoft Azure security
- tags: cloud
- optiv/Go365
- desc: o365 user attack tool
- tags: cloud
- Binject/forger
- desc: various code signing attacks against multiple byte binary types
- tags: maldev
- kkrypt0nn/Wordlists
- desc: collection of wordlists
- tags: utility
- ByteJunkies-co-uk/Metsubushi
- desc: go packer
- tags: maldev
- EspressoCake/DLL-Hijack-Search-Order-BOF
- desc: DLL Hijack Search Order Enumeration BOF
- tags: redteam, windows
- plackyhacker/Sys-Calls
- desc: c# syscall runner PoC
- tags: maldev
- evilsocket/ditto
- desc: tool for IDN homograph attacks and detection
- tags: utility, phish, redteam
- 3ndG4me/AutoBlue-MS17-010
- desc: auto eternal blue
- tags: exploit, windows
- mez-0/CSharpWinRM
- desc: .NET 4.0 WinRM API Command Execution
- tags: windows, redteam
- iangcarroll/cookiemonster/
- desc: cookie auditor
- tags: web
- gfek/Lepus
- desc: Subdomain finder
- tags: web
- mgeeky/VisualBasicObfuscator
- desc: Universal VBA obfuscator
- tags: maldev
- checkymander/Carbuncle
- desc: Outlook interop tool
- tags: redteam, windows
- scriptchildie/powershelletwbypass
- desc: Powershell ScriptBlock Log Bypass / ETW bypass
- tags: windows, maldev
- mobdk/WinBoost
- desc: Execute Mimikatz with different technique
- tags: windows, redteam
- lesnuages/CredManBOF
- desc: BOF to dump credential manager
- tags: redteam
- secdev-01/AllTheThingsExec
- desc: rundll32 compatible c#
- tags: maldev
- C-Sto/gosecretsdump
- desc: stupid fast ntds dumper written in go
- tags: windows, redteam
- chr0n1k/AH2021Workshop
- desc: Malware development for red teaming workshop
- tags: maldev
- Charterino/AsStrongAsFuck
- desc: C# obfuscation engine
- tags: maldev
- SecuProject/ADenum
- desc: AD Enum is a pentesting tool that finds misconfigurations through the LDAP protocol and exploits some of those weaknesses with Kerberos.
- tags: windows, redteam
- LordNoteworthy/al-khaser
- desc: Public malware techniques used in the wild
- tags: maldev
- cyberark/DLLSpy
- desc: DLL hijacking detection tool
- tags: utility, maldev
- bytecode77/self-morphing-csharp-binary
- desc: Executable that mutates its own code
- tags: maldev
- A Primer for Testing the Security of GraphQL APIs - forceunseen
- desc: GraphQL exploitation
- tags: web
- CVE-2021-34484 bypass as 0day
- desc: CVE-2021-34484 poc
- tags: privesc
- What’s New in Impacket Release v0.9.24? - SecureAuth
- desc: impacket release notes
- tags: windows, exploit
- Create a proxy DLL with artifact kit - CobaltStrike
- Revisiting Unconstrained Delegation - Microsoft 365 Security
- desc: Unconstrained Delegation research
- tags: windows, redteam
- SpoolSample -> NetNTLMv1 -> NTLM -> Silver Ticket - NotMedic
- desc: SpoolSample -> NetNTLMv1 -> NTLM -> Silver Ticket
- tags: windows, exploit
- PHP-FPM local root vulnerability - ambionics
- desc: PHP-FPM lpe
- tags: web, privesc
- Formalized Curiosity - SpecterOps
- desc: notes on how to research
- tags: research
- Pentest Deep-Dive: Custom RUNAS - dolosgroup
- desc: runas research
- tags: research, windows
- Tortellini in Brodobuf - aptwtf
- desc: How serializing data using Google’s Protobuf is not protecting your web app
- tags: web, exploit
- Agent 007: Pre-Auth Takeover of Build Pipelines in GoCD - SonarSource
- desc: GoCD exploitation research
- tags: web, exploit
- Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2 - Nvisio Labs
- desc: Decrypting CS traffic
- tags: maldev, redteam, research
- Zimbra “zmslapd” Local Root Exploit - darren martyn
- desc: Zimbra LPE
- tags: privesc
- AWS WAF's Dangerous Defaults - Osama Elnaggar
- desc: aws waf research
- tags: web, research
- All Your (d)Base Are Belong To Us, Part 2: Code Execution in Microsoft Office (CVE-2021–38646) - Eugene Lim
- desc: office 0day writeup
- tags: research, windows, exploit
- Windows User Profile Service 0day LPE - halov
- desc: windows privesc 0day writeup
- tags: windows, privesc
- GO Reverse Engineering Tool Kit - go-re.tk
- desc: go reverse framework
- tags: utility
- ly4k/CallbackHell
- desc: Exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)
- tags: windows, privesc
- qwqdanchum/MultiRDP
- desc: console application to make multiple RDP (Remote Desktop) sessions possible by patching termsrv.dll correctly
- tags: windows, redteam
- Rices/Phishious
- desc: An open-source Secure Email Gateway (SEG) evaluation toolkit designed for red-teamers.
- tags: redteam, phish
- lkarlslund/adalanche
- desc: Active Directory ACL Visualizer and Explorer
- tags: windows, redteam
- klezVirus/SharpSelfDelete
- desc: C# implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs self delete runner
- tags: maldev
- klezVirus/inceptor
- desc: template driven av/edr evasion framework
- tags: maldev
- rvrsh3ll/TokenTactics
- desc: Azure JWT Token Manipulation Toolset
- tags: cloud, web
- byt3bl33d3r/ItWasAllADream
- desc: PrintNightmare python scanner
- tags: windows, exploit, redteam
- dev-2null/ADCollector
- desc: lightweight tool to quickly extract valuable information from the Active Directory
- tags: windows, redteam
- matterpreter/OffensiveCSharp
- desc: Collection of Offensive C# Tooling
- tags: windows, redteam
- cube0x0/SharpMapModules
- desc: c# recon modules
- tags: redteam
- rasta-mouse/DInvoke
- desc: minimalist DInvoke
- tags: maldev
- michaelweber/Macrome
- desc: Excel Macro Document Reader/Writer for Red Teamers & Analysts
- tags: maldev, phish
- N7WEra/SharpAllTheThings
- desc: collection of c# cobalt strike related projects
- tags: redteam
- NetSPI/ESC
- desc: evil sql client
- tags: windows, post
- 1modm/petereport
- desc: vulnerability reporting tool
- tags: utility
- DarkCoderSc/PowerAssembly
- desc: Map remote .NET assemblies to memory for further invocation
- tags: maldev
- VoidSec/DriverBuddyReloaded
- desc: Driver Buddy Reloaded is an IDA Pro Python plugin that helps automate some tedious Windows Kernel Drivers reverse engineering tasks
- tags: utility
- blurbdust/ldd2bh
- desc: Convert ldapdomaindump to Bloodhound
- tags: redteam, utility
- gtworek/PSBits
- desc: AMSI persistence research/poc
- tags: redteam, windows
- praetorian-inc/snowcat
- desc: tool to audit istio service mesh
- tags: exploit
- morph3/crawpy
- desc: content discovery tool
- tags: web, recon
- ceres-c/bulldozer
- desc: javascript decompiler
- tags: utility
- Using Kerberos for Authentication Relay Attacks - Project Zero
- desc: kerberos relaying more
- tags: windows, redteam
- Compromising a Domain With the Help of a Spooler - Cymulate
- desc: domain takeover simulation
- tags: redteam, windows
- Testing Methodology for Insecure Deserialization Vulnerability
- desc: methods for blackbox deserialization testing
- tags: web, exploit
- Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis
- desc: cobaltstrike breakdown
- tags: redteam
- rootsecdev/Azure-Red-Team
- desc: Azure exploitation notes
- tags: cloud
- Exploiting Hibernate Injections - SonarSource
- desc: Java Hibernate ORM framework exploitation
- tags: web
- From Default Printer Credentials to Domain Admin - boschko.ca
- desc: The tale of a Xerox pass-back attack. How to exploit trust relationships between devices that are generally considered benign.
- tags: windows, redteam, exploit
- Compromising vCenter via SAML Certificates - horizon3.ai
- desc: SAML identity provider exploitation
- tags: exploit, web
- neex/ghostinthepdf
- desc: GhostScript PDF payload generator
- tags: web, exploit
- Tyrrrz/CliFx
- desc: Declarative framework for building command line interfaces
- tags: utility
- improsec/ImproHound
- desc: Identify the attack paths in BloodHound breaking your AD tiering
- tags: windows, redteam
- johnnypea/useful-one-liners.sh
- desc: collection of 1-liners
- tags: utility
- aead/minisign
- desc: A dead simple tool to sign files and verify digital signatures.
- tags: maldev
- shadow-workers/shadow-workers
- desc: Shadow Workers is a free and open source C2 and proxy designed for penetration testers to help in the exploitation of XSS and malicious Service Workers (SW)
- tags: web, exploit
- EncodeGroup/BOF-RegSave
- desc: Dumping SAM / SECURITY / SYSTEM registry hives with a Beacon Object File
- tags: redteam, windows, exploit, postex
- CCob/Jboss-Wilfly-Hashes-to-Hashcat
- desc: Converts JBoss/Wildfly management users properties file to hashcat format compatible with mode 20
- tags: utility
- rasta-mouse/EncryptedKeyExchange
- desc: Encrypted Key Exchange in .NET
- tags: redteam, utility
- aaaddress1/Skrull
- desc: DRM malware, process ghosting
- tags: maldev
- six2dez/reconftw
- desc: automated recon
- tags: web
- kitabisa/teler
- desc: real-time HTTP intrusion detection
- tags: utility
- looCiprian/GC2-sheet
- desc: google sheets c2
- tags: redteam
- snovvcrash/DInjector
- desc: collection of injectors
- tags: maldev
- S3cur3Th1sSh1t/OffensiveVBA
- desc: AV Evasion methods for Macros in Office documents
- tags: redteam, windows, phish
- redherd-project/redherd-framework
- desc: collaborative and serverless framework for orchestrating a geographically distributed group of assets.
- tags: redteam
- Cobalt-Strike/sleep_python_bridge
- desc: This project is a 'bridge' between the Sleep and Python languages
- tags: redteam
- MythicAgents/hermes
- desc: Swift 5 macOS implant
- tags: maldev
- im2nguyen/rover
- desc: terraform visualization
- tags: utility
- LuemmelSec/SAML2Spray
- desc: Python script for SAML2 authentication password spraying
- tags: exploit, web
- plackyhacker/Shellcode-Injection-Techniques
- desc: A collection of C# shellcode injection techniques.
- tags: maldev
- Tylous/ZipExec
- desc: A unique technique to execute binaries from a password protected zip
- tags: maldev
- ideaslocas/aDLL
- desc: automatic discovery of DLL Hijacking vulnerabilities
- tags: maldev
- ptswarm/reFlutter
- desc: Flutter Reverse Engineering Framework
- tags: reverse
- codewhitesec/HandleKatz
- desc: PIC lsass dumper using cloned handles
- tags: windows, postex, redteam
- decay88/bytearray2exe.cs
- desc: Execute a base64-encoded byte array from memory without writing to disk, as a disguised process
- tags: maldev
- p0dalirius/LDAPmonitor
- desc: real-time LDAP object monitor
- tags: redteam, windows
- pry0cc/gorgo
- desc: A multi-threaded password sprayer based on Medusa, built for distributed spraying.
- tags: utility
- Exploiting Jinja SSTI with limited payload size. - niebardzo
- desc: exploit jinja ssti with small payload
- tags: web
- Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program - Habr
- desc: ios 0day disclosure
- tags: mobile
- Socially Acceptable Methods to Walk in the Front Door - rvrsh3ll/bhis
- desc: initial access
- tags: phish, redteam
- Chasing a Dream :: Pre-authenticated Remote Code Execution in Dedecms - srcincite
- desc: dedecms 0day
- tags: web
- Resetting Expired Passwords Remotely - n00py
- desc: remote pw reset
- tags: windows, postex, redteam
- Javascript Anti Debugging - Some Next Level Stuff (Part 1 - Abusing SourceMappingURL) - perimeterx
- desc: js antidebug
- tags: web
- Pre-Auth SSRF To Full MailBox Access (Microsoft Exchange Server Exploit) - vanshal gaur
- desc: Pre-Auth SSRF To Full MailBox Access (Microsoft Exchange Server Exploit)
- tags: windows, web
- CVE-2021-26420: Remote Code Execution in SharePoint via Workflow Compilation - zerodayinitiative
- desc: a remote code execution bug in the supported versions of Microsoft SharePoint Server
- tags: windows, exploit
- The fugitive in Java: Escaping to Java to escape the Chrome sandbox - man yue mo
- desc: chrome sbox escape
- tags: web, exploit
- Backdoor .NET assemblies with… dnSpy 🤔 - Rasta Mouse
- desc: backdoor .net
- tags: maldev
- gcpHound : A Swiss Army Knife Offensive Toolkit for Google Cloud Platform (GCP) - desi-jarvis
- desc: gcp priv esc
- tags: cloud
- dnSpyEx/dnSpy
- desc: Revival of the well known .NET debugger and assembly editor, dnSpy
- tags: maldev, reverse
- klezVirus/CandyPotato
- desc: Pure C++, weaponized, fully automated implementation of RottenPotatoNG
- tags: windows, postex
- Deserialization on Rails - zenn
- desc: Rails deserialization
- tags: web, exploit
- hotnops/gtunnel
- desc: golang tunnel proxy
- tags: postex
- 0xrawsec/whids
- desc: foss edr
- tags: redteam, maldev
- postrequest/link
- desc: rust c2
- tags: redteam
- N1ght-W0lf/WinDbgCheatSheet
- desc: windbg cheatsheet
- tags: maldev, reverse
- snovvcrash/GetZip.py
- desc: remote lsass
- tags: windows, postex
- NotSoSecure/SerializedPayloadGenerator
- desc: Web Interface to generate payload using various deserialization exploitation framework
- tags: web
- nyxgeek/o365recon
- desc: retrieve info via o365/azure
- tags: windows, redteam
- mm0r1/exploits
- desc: php filter bypasses
- tags: web
- r3nt0n/bopscrk
- desc: wordlist generator
- tags: utility
- Dewera/Pluto
- desc: A manual system call library that supports functions from both ntdll.dll and win32u.dll
- tags: maldev
- FunnyWolf/Viper
- desc: Intranet pentesting tool with webui
- tags: redteam
- Kudaes/DInvoke_rs
- desc: rustlang dinvoke
- tags: maldev
- CodeQL as an Audit Oracle (workshop) by Alvaro Muñoz during HacktivityCon 2021
- Full-Spectrum Cobalt Strike Detection
- desc: cobalt strike detection
- tags: blue
- The discovery of Gatekeeper bypass CVE-2021-1810
- desc: uncovering the gatekeeper cve-2021-1810 vuln
- tags: apple, exploit
- Life is Pane: Persistence via Preview Handlers - SpecterOps
- XSS to RCE - WhyNotSecurity
- desc: xss to rce
- tags: web, redteam
- bharadwajyas/ppdump-public
- desc: Uses Zemana AntiMalware Engine To Open a Privileged Handle to a PP/PPL Process And Inject MiniDumpWriteDump() Shellcode
- tags: windows, redteam
- rvrsh3ll/BOF-ForeignLsass
- desc: LSASS dumping with foreign handles
- tags: redteam
- ovotech/gitoops/
- desc: abusing CI/CD pipelines and GitHub access controls
- tags: redteam, exploit
- tnpitsecurity/ligolo-ng
- desc: tun0 VPN-esque tunneling
- tags: redteam
- tanc7/EXOCET-AV-Evasion
- desc: AV-evading, undetectable, payload delivery tool
- tags: maldev
- trickster0/OffensiveRust
- desc: Rust Weaponization for Red Team Engagements.
- tags: maldev
- nyxgeek/AzureAD_Autologon_Brute
- desc: Brute force attack tool for Azure AD Autologon/Seamless SSO
- tags: cloud, redteam
- sensepost/offensive-rpc
- desc: Offensive RPC PoC
- tags: redteam, windows
- jfmaes/DeepSleep
- desc: shellcode sleeper
- tags: maldev
- Flangvik/RosFuscator
- desc: project for obfuscating C# source code using Roslyn
- tags: maldev
- mgeeky/ShellcodeFluctuation
- desc: A PoC implementation of another in-memory evasion technique
- tags: maldev
- Unknow101/FuckThatSmuggler
- desc: html smuggle generator
- tags: redteam, phish
- tufanbarisyildirim/gonginx
- desc: golang nginx conf parser/generator
- tags: phish, redteam
- xforcered/InvisibilityCloak
- desc: Proof-of-concept obfuscation toolkit for C# post-exploitation tools
- tags: redteam
- w1u0u1/minidump
- desc: Custom implementation of DbgHelp's MiniDumpWriteDump function. Uses static syscalls to replace low-level functions like NtReadVirtualMemory
- tags: redteam, maldev
- Orange-Cyberdefense/arsenal
- desc: Arsenal is just a quick inventory and launcher for hacking programs
- tags: utility
- GetRektBoy724/TripleS
- desc: Syscall Stub Stealer - freshly steal syscall stubs straight from the disk, DInvoke-esque
- tags: maldev
- EspressoCake/PPLDump_BOF
- desc: faithful transposition of the key features/functionality of @itm4n's PPLDump project as a BOF
- tags: redteam
- hosch3n/ProxyVulns
- desc: exchange proxy* PoCs
- tags: exploit, windows
- codewhitesec/HandleKatz
- desc: PIC lsass dumper using cloned handles
- tags: windows, postex
- ollypwn/Certipy
- desc: python version of certify
- tags: windows, redteam
- as0ler/r2flutch
- desc: Tool to decrypt iOS apps using r2frida
- tags: mobile
- boku7/Ninja_UUID_Dropper
- desc: Module Stomping, No New Thread, HellsGate syscaller, UUID Dropper for x64 Windows 10!
- tags: maldev
- vyrus001/go-mimikatz
- desc: A wrapper around a pre-compiled version of the Mimikatz executable for the purpose of anti-virus evasion.
- tags: windows, postex
- theepicpowner/dcom_av_exec
- desc: "diskless" lateral movement to a target on the same network via DCOM
- tags: maldev
- rvrsh3ll/Nobelium-PdfDLRunAesShellcode
- desc: A recreation of the "Nobelium" malware based on Microsoft's malware analysis - Part 1: PDF2Pwn
- tags: phish, redteam
- ReverendThing/Carnivore
- desc: Microsoft External attack tool
- tags: phish, recon, web
- Beginners Guide to 0day/CVE AppSec Research
- desc: vuln research 101
- tags: web, exploit
- secret.club
- desc: game/malware hacking
- tags: maldev
- D/Invoke & GadgetToJScript (rastamouse)
- desc: DInvoke GadgetToJscript
- tags: windows, redteam, phish
- NightHawk
- desc: new c2 from MDsec
- tags: redteam
- office persistence (NoRed0x)
- desc: office persistence
- tags: redteam
- Obfuscating Malicious, Macro-Enabled Word Docs
- desc: maldoc evasion
- tags: phish, redteam
- Offensive WMI - Interacting with Windows Registry (Part 3)
- desc: wmi pt 3
- tags: windows
- CVE-2021-40444 Analysis/Exploit (Ret2pwn)
- desc: CVE-2021-40444 analysis
- tags: phish, windows
- btbd/access
- desc: Access without a real handle
- tags: maldev
- bohops/GhostBuild
- desc: ghostpack msbuild automation
- tags: windows, redteam
- secdev-01/AllTheThingsExec (subtee)
- desc: mimikatz jscript
- tags: windows, redteam
- SolomonSklash/SleepyCrypt
- desc: memory encryptor; blog
- tags: maldev
- outflanknl/Scripts/AMSIbypasses.vba
- desc: vba amsi patch
- tags: phish
- outflanknl/PrintNightmare
- desc: PrintNightmare exploit with bonus
- tags: windows, exploit, redteam
- mez-0/winrmdll
- desc: WinRM C++ reflective DLL with Aggressor script
- tags: windows, redteam
- aslitsecurity/CVE-2021-40444_builders
- desc: CVE-2021-40444 builder
- tags: redteam, phish
- karttoon/trigen
- desc: automatic generator of VBA that runs shellcode via Win32 APIs
- tags: phish, redteam
- preludeorg/community
- desc: resources for prelude operator c2
- tags: redteam, blue
- vikmik/scratch
- desc: no consequences shell
- tags: utility
- D4Vinci/elpscrk
- desc: intelligent wordlist generator
- tags: web, exploit
- the-xentropy/samlists
- desc: common crawl generated param wordlists
- tags: web
- S3cur3Th1sSh1t/NTLMv1_Downgrade.md
- desc: rainbow table NetNTLMv1 downgrade attack
- tags: redteam, windows, exploit
- CPTC - Better Pentest Reports w/ Examples!
- desc: pentest report examples
- tags: documentation
- Introducing Process Hiving & RunPE
- desc: pe runner
- tags: maldev
- Zero-Day Exploits in SonicWall Email Security Lead to Enterprise Compromise
- desc: SonicWall 0day
- tags: web, exploit
- SleepyCrypt: Encrypting a running PE image while it sleeps
- desc: Encrypting a running PE image while it sleeps
- tags: maldev
- CVE-2020-1300: Remote Code Execution Through Microsoft Windows CAB Files - ZeroDay Initiative
- desc: office cab Nday
- tags: phishing, redteam
- Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs
- desc: office cab Nday
- tags: phishing, redteam
- gcpHound : A Swiss Army Knife Offensive Toolkit for Google Cloud Platform (GCP)
- desc: gcp audit
- tags: cloud
- The complete GraphQL Security Guide: Fixing the 13 most common GraphQL Vulnerabilities to make your API production ready - Wundergraph
- desc: graphql audit
- tags: web
- Critical Vulnerability in Microsoft Azure Cosmos DB
- desc: azure vuln
- tags: cloud
- NotMedic/NetNTLMtoSilverTicket
- desc: rainbow table NetNTLMv1 downgrade attack
- tags: redteam, windows, exploit
- aaaddress1/PR0CESS
- desc: fileless 'ghosting' malware poc
- tags: maldev
- mpast/mobileAudit
- desc: Android APK scanner
- tags: mobile
- SecIdiot/TitanLdr
- desc: reflective loader
- tags: maldev
- RCE-0-day-for-GhostScript-9.50
- desc: ghostscript Nday
- tags: web, exploit
- ceramicskate0/BOF-Builder
- desc: .net 5.0 BOF builder
- tags: redteam, cobalt
- TheCruZ/kdmapper
- desc: exploits iqvw64e.sys Intel driver to manually map non-signed drivers in memory
- tags: maldev
- JKornev/hidden
- desc: Windows driver with a usermode interface which can hide processes, file-system and registry objects, protect processes, etc.
- tags: maldev
- nwork/WIN_JELLY
- desc: GPU rootkit
- tags: maldev
- cube0x0/SharpSystemTriggers
- desc: collection of remote authentication triggers written in c#
- tags: windows, exploit, redteam
- Flangvik/SharpExfiltrate
- desc: Modular C# framework to exfiltrate loot over secure and trusted channels.
- tags: redteam
- ASkyeye/ElusiveMice
- desc: Cobalt Strike User-Defined Reflective Loader with AV/EDR Evasion in mind
- tags: maldev, windows, redteam
- lockedbyte/CVE-2021-40444
- desc: office cab Nday
- tags: phishing, redteam, exploit
- BishopFox/iam-vulnerable
- desc: aws dvwa
- tags: cloud
- NoOne-hub/bypass-BeaconEye
- desc: beacon hunter
- tags: maldev
- nccgroup/SocksOverRDP
- desc: socks over RDP
- tags: redteam
- geemion/Khepri
- desc: foss c2
- tags: redteam
- pucarasec/zuthaka
- desc: A collaborative free open-source Command & Control integration framework that allows developers to concentrate on the core function and goal of their C2.
- tags: redteam
- knight0x07/ImpulsiveDLLHijack
- desc: c# tool to automate dll hijacking
- tags: windows, exploit, redteam
- iomoath/PowerShx
- desc: Unmanaged PowerShell exec via dll
- tags: windows, exploit, redteam
- countercept/chainsaw
- desc: Event Log search and hunt
- tags: blue
- Wra7h/Single-Dose
- desc: Generate process injection binaries
- tags: maldev
- ahmedkhlief/Ninja
- desc: Open source C2 server created for stealth red team operations
- tags: redteam
- inguardians/peirates
- desc: Kubernetes Penetration Testing tool
- tags: cloud
- dolevf/graphw00f
- desc: graphql fingerprint
- tags: web
- analyticsearch/DllLoadAnythingViaScript
- desc: DLL load via WSH
- tags: windows, redteam, maldev
- STMCyber/boobsnail
- desc: xlm excel 4.0 maldoc generator
- tags: phishing, maldev
- SDA-SE/cluster-image-scanner
- desc: container vuln scanner
- tags: cloud
- rexguowork/phantom-attack
- desc: Phantom Attack (Linux post evasion)
- tags: linux, post
- Operation Bypass Catch My Payload If You Can - Matthew Eidelberg
- desc: av/edr evasion, ScareCrow & SourcePoint
- tags: maldev
- Blinding EDR On Windows
- desc: EDR intro
- tags: redteam, maldev
- AWS ReadOnlyAccess: Not Even Once - SpecterOps
- desc: AWS exploitation
- tags: cloud
- Fetching SharpHound data entirely in-memory (no dropped ZIP or JSON files) using BOF.NET and Cobalt Strike
- desc: in-memory sharphound collection
- tags: redteam
- Workstation Takeover
- desc: petit walkthrough
- tags: windows, exploit
- Email Security (SPF, DKIM, and DMARC)
- desc: email security overview
- tags: phishing
- SAML is insecure by design - joonas
- desc: saml investigation
- tags: web
- PowerShell Logging: Obfuscation and Some New (ish) Bypasses Part 2
- desc: powershell evasion
- tags: windows, exploit, redteam
- Companies hiring remote
- desc: remote jobs
- tags: utility
- Pre-Auth RCE in ManageEngine OPManager
- desc: ManageEngine OpManager pre-auth RCE writeup
- tags: web, exploit
- HTML Maldoc Remote Macro Injection
- desc: load macros remotely in html
- tags: phishing
- Golden Certificate and OCSP
- desc: Certified Pre-Owned DPERSIST1 mitigation investigation
- tags: windows
- CVE-2021-26084 Remote Code Execution on Confluence Servers
- desc: Confluence Nday
- tags: web
- The Art of the Device Code Phish
- desc: Azure Device Code Phishing attack
- tags: cloud, windows
- rootsecdev/Azure-Red-Team
- desc: Azure sec notes & resources
- tags: cloud, windows
- Exploiting GraphQL
- desc: Exploiting GraphQL
- tags: web
- Offensive WMI - The Basics (Part 1)
- desc: intro to wmi offensive use
- tags: windows, redteam, postex
- Understanding Cobalt Strike Profiles
- desc: CS profile overview
- tags: redteam
- Blinding EDR On Windows
- desc: EDR evasion research
- tags: maldev
- j3ssie/goverview
- desc: golang url overview tools
- tags: web
- RiccardoAncarani/BOFs
- desc: collection of BOFs
- tags: redteam
- mobdk/Upsilon
- desc: syscall shellcode limited apis
- tags: maldev
- stacscan/stacs
- desc: secrets static code analyzer
- tags: utility, web
- Marshall-Hallenbeck/red_team_attack_lab
- desc: auto ad lab deployment
- tags: windows, redteam
- itm4n/VBA-RunPE
- desc: vba pe runner
- tags: redteam, phishing
- geeknik/nuclei-templates
- desc: Community edition nuclei templates, a simple tool that allows you to organize all the Nuclei templates offered by the community in one place
- tags: web
- CMatri/Gotato
- desc: golang GenericPotato
- tags: windows, exploit, privesc
- frkngksl/Huan
- desc: encrypted pe loader
- tags: maldev
- rulz.py - silentbreak
- desc: malicious Exchange rules generator
- tags: redteam
- evilsocket/medusa
- desc: rust honeypot
- tags: utility
- rootsecdev/Azure-Red-Team
- desc: Azure pentest/redteam resources
- tags: cloud
- ernw/static-toolbox
- desc: collection of statically compiled tools such as nmap and socat
- tags: recon, utility
- t3hbb/NSGenCS
- desc: AV/EDR evasion framework
- tags: maldev
- connormcgarr/LittleCorporal
- desc: c# maldoc generator
- tags: phishing
- daffainfo/Key-Checker
- desc: Golang API key (etc.) checker
- tags: web
- armosec/kubescape
- desc: kubernetes vuln scanner
- tags: cloud
- Fahrj/reverse-ssh
- desc: ssh for shells
- tags: postex
- skelsec/aiosmb
- desc: full smb server in python
- tags: utility
- zcgonvh/EfsPotato
- desc: EfsPotato exploit
- tags: privesc, windows
- boku7/spawn
- desc: CS BOF souped-up spawn
- tags: windows, exploit, redteam
- Mattiwatti/PPLKiller
- desc: protected process killer
- tags: windows, exploit, redteam
- tokyoneon/CredPhish
- desc: powershell password prompts
- tags: redteam, phish
- capt-meelo/Beaconator
- desc: Alaris, PEzor, & ScareCrow generator
- tags: redteam, maldev
- signedsecurity/sigurlfind3r
- desc: passively fetch known URLs for a host
- tags: web
- mxrch/GHunt
- desc: gmail/gdocs osint
- tags: osint
- p3nt4/Nuages
- desc: modular c2
- tags: redteam, maldev
- Ne0nd0g/go-shellcode
- desc: extensive golang shellcode generator
- tags: maldev
- iomoath/sharpstrike
- desc: c# wmi/cim queries and command exec
- tags: windows, exploit, postex, redteam
- hpthreatresearch/subcrawl
- desc: SubCrawl is a modular framework for discovering open directories
- tags: web
- RiccardoAncarani/LiquidSnake
- desc: WMI Event Subscriptions and GadgetToJScript lateral movement
- tags: redteam
- antman1p/Jir-Thief
- desc: Jira exfil
- tags: web
- pwn.college
- desc: pwn dev beginner's course
- tags: maldev
- Java giving more shells on everything
- desc: exploiting Java
- tags: exploit
- Dechaining Macros and Evading EDR
- desc: macro exploit dev
- tags: phishing
- How to Hack APIs in 2021
- desc: API hacking
- tags: web
- Linux Privilege Escalation - Package Managers
- desc: Linux package manager privilege escalation
- tags: linux, exploit
- A New Attack Surface on MS Exchange Part 1 - ProxyLogon!
- desc: Microsoft Exchange exploitation
- tags: web, windows, exploit
- A New Attack Surface on MS Exchange Part 2 - ProxyOracle!
- desc: Microsoft Exchange exploitation
- tags: web, windows, exploit
- silence-is-best/files
- desc: conti playbook leak
- tags: windows, redteam
- Burp Automation | Automating Burp Scanning Via Rest API & Robot Framework Using Python3
- desc: automating burp via python
- tags: web
- Demons in the database: Hiding backdoors/malware in (r)DBMS Services – Part #1
- desc: DB persistence
- tags: redteam
- Defense Evasion Series Part 1 AMSI Bypass
- desc: Bypassing AMSI
- tags: redteam
- Introduction to Cyber Security Research
- desc: subtee short
- tags: exploit
- cube0x0/MiniDump
- desc: C# lsass parser
- tags: windows
- thau0x01/dementor
- desc: python printer bug
- tags: windows, exploit
- boku7/AsmHalosGate
- desc: x64 Assembly HalosGate direct System Caller
- tags: maldev
- jacob-baines/concealed_position
- desc: Bring your own print driver privilege escalation tool. more
- tags: windows, exploit
- SharpC2/SharpC2
- desc: c# c2
- tags: redteam
- med0x2e/SigFlip
- desc: SigFlip is a tool for patching authenticode signed PE files
- tags: maldev
- flaws.cloud
- desc: damn vulnerable aws
- tags: web, exploit
- N7WEra/PublicVulnerableMachines
- desc: vulnerable by design compilation
- tags: exploit
- Tylous/Limelighter
- desc: generate fake code signing certificates or signing real ones
- tags: maldev
- JamesCooteUK/BOFs
- desc: collection of BOFs
- tags: redteam
- damienvanrobaeys/Run-in-Sandbox
- desc: Run PS1, VBS, EXE, MSI in Windows Sandbox very quickly
- tags: utility
- boku7/CobaltStrikeReflectiveLoader
- desc: CS User-Defined Reflective Loader written in Assembly & C
- tags: redteam
- netero1010/ServiceMove-BOF
- desc: "new" lateral movement technique abusing Windows Perception Simulation Service + DLL hijacking
- tags: redteam
- cube0x0/SharpMapExec
- desc: c# cme
- tags: windows, exploit, redteam
- FalconForceTeam/SysWhispers2BOF
- desc: Use SysWhispers2 from BOFs
- tags: redteam
- Udyz/proxyshell-auto
- desc: automated ProxyShell exploit
- tags: windows, exploit
- eloypgz/certi
- desc: ADCS abuser
- tags: windows, exploit, redteam
- jonaslejon/malicious-pdf
- desc: Malicious PDF generator
- tags: phishing
- optiv/Microsoft365_devicePhish
- desc: Microsoft 365 OAuth abuse
- tags: windows, exploit, redteam
- Tylous/SourcePoint
- desc: CS profile generator
- tags: redteam
- Razer USB gadget on Android for Local Privilege Escalation on Windows
- desc: Razer LPE exploit
- tags: windows, exploit
- Cobalt Strike and Tradecraft
- desc: various CS commands' opsec considerations
- tags: redteam
- A pinch of XLL and a splash of rust has the potential to be a sharp combination
- desc: csharp and rust xll (dll) PoC
- tags: maldev
- HTTP/2: The Sequel is Always Worse
- desc: http/2 request smuggling
- tags: web
- AD CS – The ‘Certified Pre-Owned’ Attacks
- desc: Overview of attacks covered in 'Certified Pre-Owned'
- tags: windows, exploit
- From Stranger to DA // Using PetitPotam to NTLM relay to Domain Administrator
- desc: Overview of the PetitPotam attack
- tags: windows, exploit
- Everything You Need to Know About Web Socket Pentesting
- desc: web socket penetration testing
- tags: web
- Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass)
- desc: bypass for cve-2021-22937
- tags: exploit
- Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt
- desc: Cobalt Strike DoS
- tags: exploit, redteam
- Never had a bad day phishing. How to set up GoPhish to evade security controls.
- desc: GoPhish OpSec modifications
- tags: redteam, phish
- Playing with PuTTY - F-Secure
- desc: leveraging PuTTY during adversarial simulation
- tags: redteam
- Universal Privilege Escalation and Persistence – Printer
- desc: privilege escalation with printer drivers
- tags: windows, exploit, redteam
- Fuzzing Windows RPC with RpcView
- desc: fuzzing RPC protocol
- tags: windows, exploitdev
- Technique of the Week: Reflected File Download (Intro)
- desc: Reflected File Download overview
- tags: web
- Evading EDR in 15 Minutes with ScareCrow
- desc: edr/av evasion
- tags: maldev
- Finding and Exploiting Unintended Functionality in Main Web App APIs
- The dying knight in the shiny armour
- desc: killing defender
- tags: windows
- sensepost/assless-chaps
- desc: Crack MSCHAPv2 challenge/responses quickly using a database of NT hashes
- tags: windows, cracking
- GhostPack/Certify
- desc: Active Directory certificate abuse
- tags: windows, exploit
- GhostPack/ForgeCert
- desc: "Golden" certificates
- tags: exploit, windows, redteam
- boku7/HellsGatePPID
- desc: Assembly HellGate implementation that directly calls Windows System Calls and displays the PPID of the explorer.exe process
- tags: maldev
- warhorse/ansible-role-cobaltstrike-docker
- desc: Ansible Cobalt Strike (Docker)
- tags: utils, redteam
- Flangvik/DeployPrinterNightmare
- desc: C# tool for installing a shared network printer abusing the PrinterNightmare bug to allow other network machines easy privesc!
- tags: exploit, windows, redteam
- ShutdownRepo/targetedKerberoast
- desc: Kerberoast with ACL abuse capabilities
- tags: redteam, windows
- klezVirus/inceptor
- desc: Template-Driven AV/EDR Evasion Framework
- tags: maldev
- more: The path to code execution in the era of EDR, Next-Gen AVs, and AMSI
- boku7/injectAmsiBypass
- desc: Cobalt Strike BOF - Bypass AMSI in a remote process with code injection.
- tags: redteam, maldev
- ShutdownRepo/smartbrute
- desc: Password spraying and bruteforcing tool for Active Directory Domain Services.
- tags: windows, redteam
- bashexplode/cs2webconfig
- desc: Convert Cobalt Strike profiles to IIS web.config files
- tags: redteam
- community_kit
- desc: curated community addons
- tags: redteam
- Greenwolf/ntlm_theft
- desc: generate ntlm stealing files
- tags: windows, redteam
- outflanknl/WdToggle
- desc: WDigest cred caching BOF
- tags: redteam
- outflanknl/RedFil
- desc: Serving files with conditions, serverside keying and more.
- tags: phishing
- jfmaes/Invoke-DLLClone
- desc: dll side-load generator
- tags: maldev
- IlanKalendarov/PyHook
- desc: offensive API hooking tool written in python designed to catch various credentials
- tags: windows, redteam
- puzzlepeaches/sneaky_gophish
- desc: hiding gophish
- tags: phishing
- KoreLogicSecurity/wmkick
- desc: MITM tool that targets NTLM authentication message flows in WMI (135/tcp) and Powershell-Remoting/WSMan/WinRM (5985/tcp) to capture NetNTLMv2 hashes
- tags: redteam
- DamonMohammadbagher/ETWProcessMon2
- desc: ETWProcessMon2 is for Monitoring Process/Thread/Memory/Imageloads/TCPIP via ETW + Detection for Remote-Thread-Injection & Payload Detection by VirtualMemAlloc Events (in-memory) etc.
- tags: maldev, redteam
- FuzzySecurity Presentations
- desc: Collection of presentation resources.
- tags: exploit
- CredBandit (In memory BOF MiniDump) – Tool review – Part 1
- desc: CS BOF of CredBandit
- tags: redteam
- Hide-HTA-window-for-RedTeam
- desc: hide hta windows
- tags: phish, redteam, windows, exploit
- Ten process injection techniques: A technical survey of common and trending process injection techniques
- desc: 10 proc injection techniques
- tags: maldev
- On Disk, The Devil’s In The Details
- desc: data about data
- tags: maldev
- A guide to non-conventional WAF/IDS evasion techniques
- desc: waf bypass techniques
- tags: web
- Shellcoding: Process Injection with Assembly
- desc: analysis and study of SK Chong's work that was published in issue 62 of Phrack in 2001
- tags: maldev
- Introduction to Threat Intelligence ETW
- desc: A quick look into ETW capabilities against malicious API calls.
- tags: maldev, windows, redteam
- Representing Password Reuse in BloodHound
- desc: password reuse bloodhound paths
- tags: windows, redteam
- Introducing Mimikatz Kit
- desc: Cobalt Strike updated Mimikatz
- tags: redteam
- CredPhish
- desc: CredPhish is a PowerShell script designed to invoke legitimate credential prompts and exfiltrate passwords over DNS.
- tags: windows, exploit, redteam
- NTLM Relaying via Cobalt Strike
- desc: relay via c2
- tags: redteam
- NTLM relaying to AD CS - On certificates, printers and a little hippo
- desc: ADCS, printers, petit
- tags: windows, exploit, redteam
- Fantastic Windows Logon types and Where to Find Credentials in Them
- desc: Windows Logon Research
- tags: windows, exploit, redteam
- SharpImpersonation
- desc: A User Impersonation tool - via Token or Shellcode injection
- tags: windows, exploit, redteam
- more: Intro Blog
- ADHuntTool
- desc: official repo for the AdHuntTool (part of the old RedTeamCSharpScripts)
- tags: redteam
- EDD
- desc: .NET to enumerate domain data
- tags: redteam
- PlumHound
- desc: Bloodhound for Blue and Purple Teams
- tags: redteam
- SpoolSploit
- desc: Docker PrintNightmare
- tags: exploit, windows
- Nobelium-PdfDLRunAesShellcode
- desc: A recreation of the "Nobelium" malware based on Microsofts Malware analysis - Part 1: PDF2Pwn
- tags: phish, redteam
- CS-BOFs
- desc: collection of BOFs
- tags: redteam
- pybeacon
- desc: collection of scripts for dealing with a beacon
- tags: blue
- PowerShellArmoury
- desc: A PowerShell armoury for penetration testers or other random security guys
- tags: windows, redteam
- Phant0m
- desc: Windows Event Log Killer
- tags: windows, exploit, redteam
- Vanara
- desc: A set of .NET libraries for Windows implementing PInvoke calls to many native Windows APIs with supporting wrappers.
- tags: maldev
- Offensive VBA and XLS Entanglement
- desc: Offensive VBA examples
- tags: phish, redteam
- more: intro blog
- gotator
- desc: Gotator is a tool to generate DNS wordlists through permutations.
- tags: recon
- awesome-powershell
- desc: A curated list of delightful PowerShell modules and resources
- tags: util
- SharpSword
- desc: Read the contents of DOCX files using Cobalt Strike's Execute-Assembly
- tags: windows, redteam
- SharpTransactedLoad
- desc: Load .net assemblies from memory while having them appear to be loaded from an on-disk location.
- tags: maldev
- LoGiC.NET
- desc: A more advanced free and open .NET obfuscator using dnlib.
- tags: maldev
- ScareCrow-CobaltStrike
- desc: Cobalt Strike script for ScareCrow payloads
- tags: redteam, maldev
- bof-spawnSuspendedProcess
- desc: CS BOF suspended state spawn
- tags: redteam
- redirect.rules
- desc: Quick and dirty dynamic redirect.rules generator
- tags: phish, redteam
- PetitPotam
- desc: PoC coercing NTLM auth via the MS-EFSRPC EfsRpcOpenFileRaw function
- tags: windows, exploit
- CVE-2021-3493
- desc: priv esc poc
- tags: linux, exploit
- Awesome-CobaltStrike
- desc: list of awesome cobalt strike resources
- tags: redteam
- DcRat
- desc: simple c# implant / c2
- tags: redteam
- sns
- desc: golang shortscan
- tags: recon, web
- violentfungus-c2
- desc: Violent Fungus is a command and control (C2) software suite, providing red teams post-exploitation persistence and other juicy stuff
- tags: redteam
- BadAssMacros
- desc: BadAssMacros - C# based automated malicious macro generator.
- tags: phish, redteam
- hivenightmare
- desc: unprotected hive exploitation
- tags: windows, privesc
- MMInject
- desc: Kernel DLL Injector using NX Bit Swapping and VAD hide for hiding injected DLL
- tags: maldev
- PKINIT tools
- desc: Tools for Kerberos PKINIT and relaying to AD CS
- tags: windows, exploit, redteam
- Windows Command-Line Obfuscation
- desc: Project for identifying executables that have command-line options that can be obfuscated, possibly bypassing detection rules.
- tags: exploit, windows, redteam
- blog: https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
- GoPEInjection
- desc: Golang PE injection on windows
- tags: maldev
- Cent
- desc: Community edition nuclei templates, a simple tool that allows you to organize all the Nuclei templates offered by the community in one place
- tags: web
- Anatomy of a Red-Team exercise – Chapter 3
- desc: Continuation of 'Anatomy of a Red-Team exercise' series
- tags: redteam
- Initial Access: Macro Cheat sheet
- desc: Descriptions of various Macro techniques
- tags: redteam, phish
- Get a Windows 10 development environment
- desc: free win 10 dev VMs
- tags: windows
- Process Creation is Dead, Long Live Process Creation — Adding BOFs Support to PEzor
- desc: PEzor BOF
- tags: maldev
- Don’t Be Rude, Stay: Avoiding Fork&Run .NET Execution With InlineExecute-Assembly
- desc: BOF/Inline execute-assembly
- tags: redteam, maldev
- Abusing Resource-Based Constrained Delegation (RBCD) using Linux
- desc: RBCD with Linux
- tags: redteam, windows, exploit
- Obtaining LAPS Passwords Through LDAP Relaying Attacks
- desc: Stealing LAPS creds
- tags: windows, exploit, redteam
- Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros
- desc: evasive macro research
- tags: exploit, windows, redteam, phish
- Red Team Privilege Escalation – RBCD Based Privilege Escalation – Part 2
- desc: Resource Based Constrained Delegation
- tags: windows, exploit, redteam
- The Extended BApp Store
- desc: One stop shop for burp extensions
- tags: web
- CVE-2021-3156 LPE POC (kill sudo)
- desc: Python LPE POC
- tags: privesc, linux
- dnMerge
- desc: A lightweight .NET assembly dependency merger that uses dnLib and 7zip's LZMA SDK for compressing dependant assemblies.
- tags: maldev
- more: dnMerge intro
- Print Nightmare
- desc: C++ version of PrintNightmare
- tags: windows, exploit
- Impacket Print Nightmare
- desc: impacket version of PrintNightmare
- tags: windows, exploit
- Injector
- desc: Complete arsenal of memory injection techniques
- tags: maldev
- Invoke-Nightmare
- desc: powershell PrintNightmare
- tags: windows, exploit
- Docker-PrintNightmare
- desc: docker image for PrintNightmare
- tags: windows, exploit
- spoofing-office-macro
- desc: PoC of a VBA macro spawning a process with a spoofed parent and command line.
- tags: redteam, phish
- bflat
- desc: C# as you know it but with Go-inspired tooling
- tags: maldev
- PayloadAutomation
- desc: Runner/dropper payload automation framework
- tags: maldev
- more: Introducing Striker and the Payload Automation Libraries
- Evasor
- desc: A tool to be used in post exploitation phase for blue and red teams to bypass APPLICATIONCONTROL policies
- tags: redteam, windows, exploit, maldev
- Backstab
- desc: A tool to kill antimalware protected processes
- tags: maldev
- InlineExecute-Assembly
- desc: BOF to perform in process .NET assembly execution
- tags: redteam
- Invoke-BuildAnonymousSMBServer
- desc: Use to build an anonymous SMB file server.
- tags: windows, utils
- TokenTactics
- desc: Azure JWT Token Manipulation Toolset
- tags: exploit, cloud
- gMSADumper
- desc: Reads any gMSA password blobs the user can access and parses the values.
- tags: redteam
- msspray.py
- desc: Password attacks and MFA validation against various endpoints in Azure and Office 365
- tags: redteam, windows, exploit
- SharpPhish
- desc: outlook COM objects to create convincing phishing emails without the user noticing
- tags: redteam, phish
- hakrawlerx8chain
- desc: wrapper around hakrawler that implements data sanitization and parameter discovery (x8)
- tags: web, recon
- x8
- desc: Rust-based parameter discovery tool
- tags: web, recon, exploit
- Click your shortcut and… you got pwned.
- tool: SharpLNKGen-UI
- Malicious LNK generator
- tags: redteam, phishing, exploit, windows
- Another Delegation Edge Case
- S4U Edge Case exploitation
- tags: windows, exploit, redteam
- Active Directory forest trusts part 2 - Trust transitivity and finding a trust bypass
- CVE-2020-0665 SID filtering bypass
- related: forest-trust-tools
- tags: windows, redteam
- What you need to know about Process Ghosting
- New Executable Image Tampering Attack
- tags: maldev
- ASP.NET Cryptography for Pentesters
- practical exploitation ASP.NET cryptography
- tags: web, exploit
- Certified Pre-Owned
- Active Directory Certificate Services research & exploitation
- Related: PSPKIAudit
- tags: windows, redteam
- AD CS relay attack - practical guide
- Active Directory Certificate Services + PrinterBug
- tags: windows, redteam
- Potatoes - Windows Privilege Escalation
- Overview of LPE Potatoes
- tags: windows, exploit, privesc
- Bypassing Image Load Kernel Callbacks (DarkLoadLibrary Introduction)
- Introduction of DarkLoadLibrary
- tags: maldev
- polkadots
- CVE-2021-3560 Local PrivEsc Exploit
- tags: privesc, linux, exploit
- pywerview
- A (partial) Python rewriting of PowerSploit's PowerView
- tags: windows
- StandIn
- StandIn is a small .NET35/45 AD post-exploitation toolkit
- tags: windows, post, redteam
- hiding-your-syscalls
- Detection bypass for using SysCalls in loaded copy of NTDLL
- related: https://github.com/passthehashbrowns/hiding-your-syscalls
- tags: maldev
- ForgeCert
- "Certified Pre-Owned: Abusing Active Directory Certificate Services" tool
- tags: windows, redteam
- sRDI
- Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode
- tags: maldev
- transacted_hollowing
- Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging
- tags: maldev
- Zolom
- C# Executable with embedded Python that can be used reflectively to run python code on systems without Python installed
- tags: maldev
- SharpUnhooker
- C# Based Universal API Unhooker
- tags: maldev
- openedr
- Open EDR public repository
- tags: maldev, redteam
- SharpWebServer
- Red Team oriented C# Simple HTTP & WebDAV Server with Net-NTLM hashes capture
- tags: windows, exploit, redteam
- KnockOutlook
- A little tool to play with Outlook
- tags: windows, post, redteam
- siemsframework
- MultiSIEM Modular Python3 Attack Framework
- tags: exploit
- page-fetch
- Fetch web pages using headless Chrome, storing all fetched resources including JavaScript files. Run arbitrary JavaScript on many web pages and see the returned values
- tags: exploit, web
- HookDump
- Security product hook detection
- tags: maldev
- Whisker
- manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the target account.
- tags: windows, redteam
- CornerShot
- Amplify network visibility from multiple POV of other hosts
- related: https://www.youtube.com/watch?v=jGpgreUY4H8
- tags: recon
- shosubgo
- Small tool to Grab subdomains using Shodan api.
- tags: recon
- dementor
- Python Print Bug
- related: printerbug.py
- tags: exploit, windows
- SharpHose
- Asynchronous Password Spraying Tool in C# for Windows Environments
- tags: windows, exploit, redteam
- worawit/CVE-2021-3156
- desc: Sudo Baron Samedit Exploit
- tags: linux, privesc
- ADCSPwn
- desc: A tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service.
- tags: windows, privesc, exploit, redteam
- AV Evasion - a PE injection method
- Malware Development by Sektor7 exercise writeup
- tags: maldev
- related: sektor7 templates (cpp)
- Unveiling DNSStager: A tool to hide your payload in DNS
- DNSStager is an open-source tool used to help pentesters/red teamers hide their payload in DNS and resolve it based on multiple DNS records
- tags: redteam
- Dumping Stored Credentials with SeTrustedCredmanAccessPrivilege
- SeTrustedCredmanAccessPrivilege Research - "Access Credential Manager as a trusted caller"
- Episode 1. Mr Un1k0d3r and his Fur Coat
- Mr Un1k0d3r talks hacking, imposter syndrome, CTFs and learning.
- tags: redteam
- What the F#*%
- F# injection routines, evasion techniques, and an unmanaged F# loader
- tags: maldev, windows, exploit
- Abusing LNK "Features" for Initial Access and Persistence
- tags: redteam, phish
- Cracking NetNTLMv1/v2 using NT hashes
- tags: windows
- WeaponisingCSharp-Fundamentals
- Weaponising C# - Fundamentals Training Content
- tags: windows, maldev
- Relaying Potatoes: Another Unexpected Privilege Escalation Vulnerability in Windows RPC Protocol
- NTLM Relay Privilege Escalation
- tags: windows, exploit, privesc
- DomainBorrowingC2
- method to hide C2 traffic using CDN
- tags: windows, redteam
- AMSI-Provider
- A fake AMSI Provider which can be used for persistence.
- tags: windows, redteam
- Suspending-Techniques
- Comparing, discussing, and bypassing various techniques for suspending and freezing processes on Windows.
- tags: maldev
- UnhookMe
- Windows API resolver & unhooker addressing the problem of invoking unmonitored system calls
- tags: maldev
- SharpRDPDump
- Create a minidump of TermService for clear text pw extraction
- tags: windows
- SimulateInternetZoneTest.ps1
- SmartScreen evasion: Mark-of-the-Web (MOTW) cannot be applied to non-NTFS volumes, so ISO/IMG files are used as a delivery mechanism
- tags: redteam
- vCenter RCE PoC (CVE-2021-21985)
- Candy Potato (Caramelized Juicy Potato)
- Pure C++, weaponized, fully automated implementation of RottenPotatoNG
- tags: windows, exploit
- CheeseTools
- Tools for Lateral Movement/Code Execution (based on Rasta's MiscTools)
- tags: windows, exploit
- SyscallAmsiScanBufferBypass
- AmsiScanBufferBypass using D/Invoke
- tags: windows, maldev
- whoamsi
- An effort to track security vendors' use of Microsoft's Antimalware Scan Interface
- tags: windows, exploit
- forkatz
- SeTrustedCredmanAccessPrivilege credential dump
- tags: windows, post
- Weird Ways to Run Unmanaged Code in .NET
- benign looking functions to achieve unmanaged code execution in weird ways
- tags: windows, maldev
- Domain Borrowing: Catch My C2 Traffic if You Can
- new method to hide your C2 traffic with CDN to circumvent censorship
- tags: redteam
- SharpNamedPipePTH
- Pass the Hash to a named pipe for token impersonation
- tags: windows, post
- Nebula
- Cloud C2 Framework, which at the moment offers reconnaissance, enumeration, exploitation, post exploitation on AWS
- tags: cloud
- adsec
- An introduction to Active Directory security
- tags: windows, exploit, homelab
- SharpTransactedLoad
- Load .net assemblies from memory while having them appear to be loaded from an on-disk location.
- tags: windows, maldev
- Awesome_Firebase_DomainFront
- Firebase Domain Front Code
- tags: redteam
- NautilusProject
- Collection of weird ways to execute unmanaged code in .NET
- tags: windows, maldev
- rewolf-wow64ext
- Library for x86 programs that run under the WOW64 layer on x64 Windows
- tags: windows, maldev
- DomainBorrowing
- new method to hide your C2 traffic with CDN to circumvent censorship
- tags: redteam
- RunasCs
- RunAs C#
- tags: windows, post
- SharpNukeEventLog
- nuke that event log using some epic dinvoke fu
- tags: windows, maldev
- Dent
- framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors
- tags: windows, maldev
- charlotte
- C++ fully undetected shellcode launcher
- tags: maldev
- A Beginner’s Guide to Windows Shellcode Execution Techniques
- A Journey Into the Beauty of DNSRebinding - Part 1
- Executing Shellcode via Callbacks
- evasion via function pointer execution
- tags: windows, maldev
- cook
- A customizable wordlist and password generator.
- tags: utility
- lunar
- DLL mapping library that supports mapping directly from memory
- tags: maldev
- kiterunner
- Contextual content discovery
- tags: recon, web
- NPK
- AWS serverless distributed hash cracking platform
- tags: cracking
- PyMailSniper
- Python port of MailSniper
- tags: windows, redteam, phish
- dnsx
- dnsprobe successor
- tags: web, recon
- EvasiveProcessHollowing
- evasive process hollowing techniques
- tags: windows, maldev
- Sim
- C# User Simulation
- tags: windows
- Internal Monologue
- Retrieving NTLM Hashes without Touching LSASS
- tags: windows
- MineSweeper
- User-land hooks manipulation tool
- tags: windows, maldev
- weirdhta
- generate obfuscated hta
- tags: windows, exploit
- ZoomPersistence
- Zoom Persistence Aggressor and Handler
- tags: windows, exploit
- remote-method-guesser
- Java RMI Vulnerability Scanner
- tags: exploit, infra
- universal-syscall-64
- Resolve syscall numbers at runtime for all Windows versions.
- tags: windows, maldev
- spacerunner
- Execute PowerShell code from C# without launching a PowerShell process, through the use of a runspace
- tags: windows, exploit
- dll-exports
- Collection of DLL function export forwards for DLL export function proxying
- tags: windows, maldev
- leaky-paths
- Special content discovery paths
- tags: web, recon
- RemotePotato0
- Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin.
- tags: windows, exploit
- TransactedSharpMiniDump
- SharpMiniDump using NTFS transactions to avoid writing the minidump to disk, exfiltrating it via HTTPS using sockets.
- tags: windows, post
- DripLoader
- Evasive shellcode loader for bypassing event-based injection detection (PoC)
- tags: windows, maldev
- DoUCMe
- Uses the NetUserAdd Win32 API to add machine accounts instead of user accounts. Generates a 4741 event, not a 4720
- tags: windows, post
- UuidFromStringA VBA Shellcode Exec (RIFT)
- alternative method of executing shellcode in VBA
- tags: windows, redteam
- Most Common On Premise Vulns & Misconfigs (s3cur3th1sh1t)
- most common methods for domain compromise
- tags: windows, exploit
- Silencing the EDR
- Disable process, threads, and image-loading detection callbacks
- tags: windows, maldev
- related: http://deniable.org/windows/windows-callbacks
- Malware Development Part 8
- Malicious software development series
- tags: windows, maldev
- DoppleGate
- Reads ntdll from disk to grab syscall stubs, then patches these syscall stubs into the desired functions
- tags: windows, exploit, maldev, redteam
- Mod_Rewrite_Automation
- Scripts to automate standing up apache2 with mod_rewrite
- tags: redteam
- RunDLL.Net
- Execute .NET assemblies using Rundll32.exe
- tags: windows, exploit, maldev
- AlternativeShellcodeExec
- Alternative Shellcode Execution Via Callbacks
- tags: exploit, windows, maldev
- CredBandit
- BOF, syscall, MiniDumpWriteDump
- tags: exploit, windows, post
- resh.now.sh
- reverse shell script generation for auto testing
- tags: exploit
- fireELF
- Fileless Linux Malware Framework
- tags: linux, exploit
- puredns
- Fast and accurate DNS resolver
- tags: recon, web
- dnschef
- configurable DNS proxy
- SqlmapDnsCollaborator
- Bapp for configuring sqlmap to use burp collab
- tags: web, exploit
- Relay Attacks via Cobalt Strike Beacons
- tags: windows, exploit
- Farmer for Red Teams: Harvesting NetNTLM (MDSEC)
- tags: windows, exploit
- A Journey Combining Web Hacking and Binary Exploitation in Real World!
- PHPWind binary exploitation
- tags: web, exploit
- Unauthorized RCE in VMware vCenter (PT SWARM)
- vcenter rce
- tags: web, exploit
- Coff Builder (trustedsec blog)
- BOFs without Cobalt Strike
- tags: windows, exploit, redteam
- Lsass Memory Dumps Stealthier than Ever Before Pt2 (deepinstinct)
- tags: windows, post, redteam
- CVE-2021-1727 PoC (klinix5)
- warning: possibly backdoored
- tags: windows, privesc
- CVE-2021-1727 PoC (horizon3ai)
- better
- tags: windows, privesc
- MaliciousClickOnceMSBuild
- C# automated ClickOnce builder using MSBuild as payload
- tags: windows, exploit, phish
- WinAPI-Tricks
- Collection of WINAPI tricks used by malware
- tags: windows, exploit, maldev
- BadOutlook
- Outlook Application Interface (COM Interface) execution
- tags: windows, exploit, redteam
- tinyPEgen
- webservice to create tiny windows dropper executables with arbitrary commands using http://winExecGen.py
- tags: windows, exploit, redteam
- Callback Shellcode Injection PoC Collection
- PoC shellcode injection via Callbacks
- tags: windows, exploit
- juicy_2 (decoder-it)
- tags: windows, post
- cobalt_strike_extension_kit
- All-in-one Aggressor repo
- tags: windows, redteam
- AggressiveGadgetToJScript
- Cobalt Strike GadgetToJScript Aggressor script
- tags: windows, exploit, redteam
- Priv2Admin
- Exploitation paths abusing Windows privs
- tags: windows, exploit, privesc
- One thousand and one ways to copy your shellcode to memory
- tags: windows, exploit
- Malware-Dev Course
- tags: maldev
- Laravel <= v8.4.2 debug mode: Remote code execution (ambionics.io)
- tags: web, exploit
- Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
- related: https://github.com/visma-prodsec/confused
- tags: web, exploit
- Exploiting Out-of-Band XXE
- exploiting XXE out-of-band with DAV, LOCK methods
- tags: web, exploit
- What Should a Hacker Know about WebDav
- tags: web, exploit
- UsefulSources (malwarehenri)
- collection of interesting, malware related, resources
- tags: maldev, collection
- Middleware Misconfigurations (detectify)
- nginx proxy misconfigurations
- tags: web, exploit
- Hijacking connections without injections: a ShadowMoving approach to the art of pivoting
- 'ShadowMove' novel technique for alternative to process injection
- tags: windows, post
- Lone SharePoint
- tags: windows, web, exploit
- Hacking Chess.com (samcurry)
- tags: web, exploit
- Active C2 IOCs
- tags: windows, redteam
- The Anatomy of Deserialization Attacks
- tags: web, exploit
- OffSecOps Stage Two
- Offensive Pipeline Development
- related: OffSecOps Basic Setup
- tags: windows, maldev
- OffensivePipeline
- tags: windows, maldev
- PEzor Custom Cobalt Strike Artifacts
- tags: windows, redteam, maldev
- SharpLAPS
- C# for Abusing LAPS
- tags: windows, post
- CIMplant (fortynorth)
- C# port of WMImplant which uses either CIM or WMI to query remote systems
- tags: windows, exploit
- related: CIMplant Part 1: Detection of a C# Implementation of WMImplant
- VBA-Macro-Projects
- Collection of malicious VBA projects
- tags: windows, exploit, phish
- SharpEDR
- C# Port to enumerate EDR present on system
- tags: windows, post
- MimiDumpWriteDump BOF
- tags: windows, post
- SharpSecDump
- .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py
- tags: windows, post
- Mose
- Ansible/Puppet/Chef/Salt Post Exploitation Framework
- tags: exploit, post
- trigen
- Trigen is a Python script which uses different combinations of Win32 function calls in generated VBA to execute shellcode.
- tags: windows, phish
- Neo-reGeorg
- web shell proxy
- tags: windows, exploit, post
- RunasCs
- impersonate user in a non-interactive environment
- tags: windows, exploit, post
- ThrowBack (silentbreaksec)
- HTTP/S Beaconing Implant
- tags: windows, maldev
- Mono
- Open Source ECMA CLI, C# and .NET Implementation
- tags: windows, utility
- NTLMRecon
- Enumerate information from NTLM authentication enabled web endpoints (OWA)
- tags: windows, exploit, web, recon
- LsassSilentProcessExit
- Dump LSASS memory to disk via SilentProcessExit
- tags: windows, post
- Blind SSRF Chains (assetnote)
- tags: web, exploit
- The Secret Parameter - LFR & Potential RCE in NodeJS Apps
- tags: web, exploit
- Relaying 101 (Luemmelsec)
- tags: windows, exploit
- MSBuild without MSBuild
- tags: windows, exploit
- Some Ways to Dump Lsass
- tags: windows, post
- Malicious VBA Macros Trials and Tribulations
- tags: windows, phish
- ComputerDefaults.exe UAC Bypass
- tags: windows, post
- RedTeamCCode (Mr-Un1c0d3r)
- tags: windows, exploit, post
- ScareCrow
- tags: windows, exploit, redteam
- microsubs
- Collection for interacting with API sources for recon
- tags: web, recon
- link (rust-based c2)
- tags: windows, post, future
- Dumping Lsass with MiniDumpWriteDump
- tags: windows, post
- physmem2profit (minidump of a target host's LSASS process by analysing physical memory remotely)
- tags: windows, post
- VBA-Macro-Reverse-Shell
- pure VBA rev shell, no shellcode injection or powershell
- tags: windows, exploit, phish
- Enemies Of Symfony (EOS)
- Enemies Of Symfony - Debug mode Symfony looter
- tags: web, exploit
- SpooNmap (trustedsec)
- IDS-evading nmap wrapper written in python3
- related: https://www.trustedsec.com/blog/get-to-hacking-massively-faster-the-release-of-spoonmap/
- tags: enumeration, recon
- NetNTLMtoSilverTicket
- SpoolSample -> Responder w/NetNTLM Downgrade -> NetNTLMv1 -> NTLM -> Kerberos Silver Ticket
- tags: windows, post
- emp3r0r
- linux post-exploitation framework made by linux user
- tags: linux, post
- SprayKatz
- Credential gathering tool automating remote procdump and parsing of the lsass process.
- tags: windows, post
- burp-piper-custom-scripts
- Custom scripts for the PIPER Burp extensions.
- tags: web, utility
- muraena
- an almost-transparent reverse proxy aimed at automating phishing and post-phishing activities
- tags: utility
- BOFs (ajpc500)
- Collection of Beacon Object Files
- tags: cstrike
- RogueWinRm (antonioCoco)
- Windows Local Privilege Escalation from Service Account to System. Use if WinRM service is not running (default on Win10 but NOT on Windows Server 2019).
- tags: windows, post
- CS-Situational-Awareness-BOF (trustedsec)
- Situational Awareness commands implemented using Beacon Object Files
- tags: cstrike
- terraform-phishing (boh)
- Build a phishing server (Gophish) together with an SMTP redirector (Postfix) automatically in Digital Ocean with Terraform and Ansible.
- tags: phish, utility
- Red-Terroir
- Terraform resources for building HTTP, DNS, phishing, and mail server red team infrastructure
- tags: phish, utility
- SharpShares
- .NET 4.0 Share Hunting and ACL Mapping
- tags: windows, post
- UltimateWDACBypassList
- A centralized resource for previously documented WDAC bypass techniques
- tags: windows, post
- Related: https://swapcontext.blogspot.com/2020/10/uacme-35-wd-and-ways-of-mitigation.html
- Related: https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html
- Using a C# shellcode runner and ConfuserEx to bypass UAC while evading AV
- tags: windows, post
- SharpClipHistory
- C# program used to read contents of a user's clipboard starting from Win 10 1809 build
- tags: windows, post
- [SysWhispers2](https://github.com/jthuraisamy/SysWhispers2)
- AV/EDR evasion via direct system calls
- Red Team Tactics: Utilizing Syscalls in C# - Writing The Code
- CrackQ
- Web GUI & API for queuing hashcat jobs
- SharpHandler
- Reuses open handles to lsass to parse or minidump lsass
- wraith
- Digital Secret finder in golang
- burp-send-to
- Customizable 'Send to' context menu
- New year, new anti-debug: Don't Thread On Me
- Windows, debugging
- Purgalicious VBA - inverse VBA stomping for Office maldocs
- netbiosX/Checklists - RedTeam & PenTest Checklists (mostly outdated)
- sshgobrute - golang ssh brute
- FireEye's Red Team Tools - TTPs (PICUS)
- DecryptAutoLogon (securesean) - cobaltstrike autologon extractor
- Word Doc Video Embed EXE PoC (rvrsh3ll)
- NoMSBuild (rvrsh3ll)
- D/Invoke MSBuild alternative - sleek
- SharpZipRunner
- Executes position independent shellcode from an encrypted zip
- SharPyShell
- AV-evading ASP shell used in the SolarWinds breach
- Direct Sys Calls in Beacon Object Files (BOF)