VirtualAlllocEx / DSC_SVC_REMOTE
This code example lets you build a malware.exe sample that runs in the context of a system service, which could be used for local privilege escalation via, for example, an unquoted service path. The payload itself can be hosted remotely, downloaded with the WinINet library and then executed via direct system calls.
☆51 · Updated last year
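The unquoted-service-path precondition mentioned above is what a sample like this needs in order to run as the service account. The following PowerShell is an added example, not code from the DSC_SVC_REMOTE project: it enumerates services whose ImagePath is unquoted and contains a space, lists the shorter paths the service control manager would try first (C:\Program.exe, C:\Program Files\Foo.exe, ...) and probes whether the current user can create a file at each of them. It assumes it is run on the Windows host being assessed and that Win32_Service is queryable via CIM; the function names are hypothetical.

```powershell
# Added example (not part of the DSC_SVC_REMOTE project).
# Finds services with an unquoted ImagePath containing a space and reports which
# of the paths Windows would try before the real binary are writable by the
# current user. Run on the Windows host being assessed.

function Test-CanCreateFile {
    # Returns $true if the current user can create the given file. Probes by
    # creating and deleting a zero-byte file: noisy but unambiguous. If the
    # parent directory is missing or a file already exists there, returns $false.
    param([Parameter(Mandatory)][string]$Path)
    $dir = Split-Path -Parent $Path
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { return $false }
    if (Test-Path -LiteralPath $Path) { return $false }
    try {
        $fs = [System.IO.File]::Create($Path)
        $fs.Dispose()
        Remove-Item -LiteralPath $Path -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path -or $path.StartsWith('"')) { continue }   # quoted paths are safe

        # Cut off any service arguments: keep everything up to the first ".exe"
        # (-match is case-insensitive by default).
        if ($path -match '^(?<exe>.*?\.exe)') { $exe = $Matches['exe'] } else { continue }
        if ($exe -notmatch '\s') { continue }    # no space, no ambiguity, not exploitable

        # Every prefix that ends at a space is a path CreateProcess tries before the real one,
        # e.g. "C:\Program Files\Foo Bar\svc.exe" -> C:\Program.exe, C:\Program Files\Foo.exe
        $tokens = $exe -split ' '
        $candidates = for ($i = 1; $i -lt $tokens.Count; $i++) {
            ($tokens[0..($i - 1)] -join ' ') + '.exe'
        }

        [pscustomobject]@{
            Service    = $svc.Name
            RunsAs     = $svc.StartName       # LocalSystem means a planted exe runs as SYSTEM
            StartMode  = $svc.StartMode
            ImagePath  = $path
            Candidates = $candidates
            Writable   = @($candidates | Where-Object { Test-CanCreateFile -Path $_ })
        }
    }
}

# Show only services where at least one hijack location is writable by us.
Get-UnquotedServicePath |
    Where-Object { $_.Writable.Count -gt 0 } |
    Format-List Service, RunsAs, StartMode, ImagePath, Writable
```

A hit with RunsAs = LocalSystem and StartMode = Auto is the case the page describes: drop the service-aware executable at the writable candidate path and it is launched as SYSTEM on the next service start or reboot. The file-creation probe leaves no file behind but does generate a create/delete event, so on a monitored host prefer checking the directory ACL with icacls or Get-Acl instead.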
Alternatives and similar repositories for DSC_SVC_REMOTE:
Users that are interested in DSC_SVC_REMOTE are comparing it to the libraries listed below
- A small Aggressor script to help Red Teams identify foreign processes on a host machine ☆85 · Updated 2 years ago
- A variety of tools, scripts and techniques developed and shared in different programming languages by 0xsp Lab ☆63 · Updated 3 months ago
- In-process PowerShell runner for BRC4 ☆45 · Updated last year
- Programmatically start WebClient from an unprivileged session to enable that juicy privesc. ☆74 · Updated 2 years ago
- Creation and removal of Defender path exclusions and exceptions in C#. ☆31 · Updated last year
- ☆59 · Updated last year
- A script that greps composite key-like strings from a KeePassXC process dump, then uses a customized version of the pykeepass library to unlo… ☆32 · Updated 2 years ago
- ☆48 · Updated 2 years ago
- Lateral Movement via the .NET Profiler ☆81 · Updated 5 months ago
- A care package of useful BOFs for red team engagements ☆55 · Updated 4 months ago
- Launches a limited shell using PowerShell Runspaces with an optional AMSI bypass. Does not invoke powershell.exe. ☆13 · Updated last year
- Rewrite to fit my needs ☆27 · Updated 9 months ago
- lsassdump via RtlCreateProcessReflection and NanoDump ☆81 · Updated 6 months ago
- A repository with my code snippets for research/education purposes. ☆50 · Updated last year
- ☆48 · Updated last year
- These are the slide decks and source code for the Brute Ratel Seminar conducted on 24th August 2023. The YouTube video for the seminar can be… ☆19 · Updated last year
- Just another ntdll unhooking using the Perun's Fart technique ☆74 · Updated 2 years ago
- A simple PoC showcasing the ability of an admin to suspend an EDR's protected processes, making it useless ☆38 · Updated 9 months ago
- Duplicate a non-owned token from a running process ☆72 · Updated last year
- Encode shellcode into dictionary words for evasion and entropy reduction ☆25 · Updated 5 months ago
- C# Havoc implant ☆99 · Updated 2 years ago
- Modified versions of the Cobalt Strike Process Injection Kit ☆94 · Updated last year
- ProcExp Driver (Ab)use ☆21 · Updated 2 years ago
- "D3MPSEC" is a memory dumping tool designed to extract a memory dump from the Lsass process using various techniques, including direct system c… ☆24 · Updated 7 months ago
- Run Cobalt Strike BOFs in Brute Ratel C4! ☆65 · Updated last week
- Socks4a proxy leveraging PIC, WebSockets and static obfuscation at the assembly level ☆26 · Updated 2 years ago
- A method to execute shellcode using the RegisterWaitForInputIdle API. ☆52 · Updated 2 years ago
- A third-party Gopher Assassin for the Havoc Framework. ☆44 · Updated last year
- Experimental PoC for unhooking API functions using in-memory patching, without VirtualProtect, for one specific EDR. ☆39 · Updated last year
- SharpExShell automates the DCOM lateral movement technique which abuses the ActivateMicrosoftApp method of the Excel application. ☆70 · Updated 11 months ago