ignacioj / WhacAMole
Live memory analysis detecting malware IOCs in processes, modules, handles, tokens, threads, .NET assemblies, memory address space and environment variables. Dumps, detects and disassembles hooks, shellcode, memory regions, modules and processes.
☆38 · Updated 4 months ago
Alternatives and similar repositories for WhacAMole:
Users that are interested in WhacAMole are comparing it to the libraries listed below
- ☆45 · Updated last year
- Scan your computer for known vulnerable and known malicious Windows drivers using loldrivers.io ☆81 · Updated last year
- a tiny program to consume from ETW providers for research ☆46 · Updated last month
- SharpShareFinder is a minimalistic network share discovery POC designed to enumerate shares in Windows Active Directory networks leveragi… ☆26 · Updated 7 months ago
- Small tool to play with IOCs caused by Imageload events ☆42 · Updated last year
- Simple PowerShell script to enable process scanning with Yara. ☆91 · Updated 2 years ago
- Create a cool process tree like https://twitter.com/ACEResponder. ☆35 · Updated last year
- RDLL for Cobalt Strike beacon to silence sysmon process ☆87 · Updated 2 years ago
- A tool for interacting with the Anti-Malware Scan Interface API for pen testing purposes. ☆58 · Updated last year
- ☆71 · Updated 2 years ago
- MITRE TTPs derived from Conti's leaked playbooks from XSS.IS ☆36 · Updated 3 years ago
- This repository is meant to catalog network and host artifacts associated with various EDR products' "shell" and response functionalities. ☆76 · Updated 5 months ago
- ☆68 · Updated 6 months ago
- a short C code POC to gain persistence and evade sysmon event code registry (creation, update and deletion) REG_NOTIFY_CLASS Registry Cal… ☆51 · Updated last year
- Get-PDInvokeImports is a tool (PowerShell module) which is able to perform automatic detection of P/Invoke, Dynamic P/Invoke and D/Invoke u… ☆53 · Updated 2 years ago
- Default Detections for EDR ☆97 · Updated last year
- a simple poc showcasing the ability of an admin to suspend EDR's protected processes, making it useless ☆38 · Updated 7 months ago
- Detect WFP filters blocking EDR communications ☆85 · Updated last year
- Dumping LSASS by Unhooking MiniDumpWriteDump by getting a fresh DbgHelp.dll copy from the disk, plus functions and strings obfuscation ☆30 · Updated 2 years ago
- Small Python tool to do DLL Sideloading (and consequently, other DLL attacks). ☆54 · Updated 2 years ago
- Repo containing my public talks ☆23 · Updated last year
- malleable profile generator GUI for Havoc ☆56 · Updated last year
- Yara Rules for Modern Malware ☆73 · Updated 11 months ago
- Info related to the Outflank training: Microsoft Office Offensive Tradecraft ☆51 · Updated 9 months ago
- ☆103 · Updated 3 months ago
- Experimental PoC for unhooking API functions using in-memory patching, without VirtualProtect, for one specific EDR. ☆39 · Updated last year
- Depending on the AV/EPP/EDR, creating a Taskschedule Job with a default cradle is often flagged ☆86 · Updated 2 years ago
- ☆69 · Updated last year
- ☆80 · Updated 2 months ago