paranoidninja / Cobaltstrike-Detection

Related projects: ⓘ

• iamagarre / BadExclusionsNWBO
  BadExclusionsNWBO is an evolution from BadExclusions to identify folder custom or undocumented exclusions on AV/EDR
  ☆69Updated 7 months ago
• BC-SECURITY / ScriptBlock-Smuggling
  Example code samples from our ScriptBlock Smuggling Blog post
  ☆80Updated 3 months ago
• mertdas / SharpLateral
  Lateral Movement
  ☆117Updated 10 months ago
• ewby / Mockingjay_BOF
  Cobalt Strike + Brute Ratel C4 Beacon Object File (BOF) Conversion of the Mockingjay Process Injection Technique
  ☆147Updated 10 months ago
• securityandstuff / DynamicFinder
  ☆65Updated this week
• xalicex / LOLDrivers_finder
  ☆70Updated last year
• xforcered / BOFMask
  ☆116Updated last year
• tccontre / Reg-Restore-Persistence-Mole
  a short C code POC to gain persistence and evade sysmon event code registry (creation, update and deletion) REG_NOTIFY_CLASS Registry Cal…
  ☆49Updated last year
• wh0amitz / SharpRODC
  To audit the security of read-only domain controllers
  ☆112Updated 9 months ago
• naksyn / ProcessStomping
  A variation of ProcessOverwriting to execute shellcode on an executable's section
  ☆147Updated 9 months ago
• MayerDaniel / profiler-lateral-movement
  Lateral Movement via the .NET Profiler
  ☆74Updated 3 months ago
• MaorSabag / SideLoadingDLL
  Do some DLL SideLoading magic
  ☆72Updated 11 months ago
• EvilBytecode / Lifetime-Amsi-EtwPatch
  Two in one, patch lifetime powershell console, no more etw and amsi!
  ☆79Updated 2 months ago
• rasta-mouse / SpawnWith
  ☆90Updated 6 months ago
• reveng007 / AMSI-patches-learned-till-now
  I have documented all of the AMSI patches that I learned till now
  ☆66Updated last year
• X-C3LL / SharpNTLMRawUnHide
  C# version of NTLMRawUnHide
  ☆71Updated last year
• TierZeroSecurity / edr_blocker
  Blocks EDR Telemetry by performing Person-in-the-Middle attack where network filtering is applied using iptables. The blocked destination…
  ☆136Updated last month
• mlcsec / ASRenum-BOF
  Cobalt Strike BOF that identifies Attack Surface Reduction (ASR) rules, actions, and exclusion locations
  ☆136Updated 6 months ago
• waawaa / AMSI_Rubeus_bypass
  ☆61Updated 2 years ago
• VirtualAlllocEx / Taskschedule-Persistence-Download-Cradles
  Depending on the AV/EPP/EDR creating a Taskschedule Job with a default cradle is often flagged
  ☆86Updated 2 years ago
• pwnsauc3 / RWXfinder
  The program uses the Windows API functions to traverse through directories and locate DLL files with RWX section
  ☆95Updated last year
• Cipher7 / ApexLdr
  ApexLdr is a DLL Payload Loader written in C
  ☆98Updated 2 months ago
• lkarlslund / hashmuncher
  Grab NetNTLMv2 hashes using ETW with administrative rights on Windows 8.1 / Windows Server 2016 and later
  ☆88Updated last year
• rasta-mouse / PPEnum
  Simple BOF to read the protection level of a process
  ☆101Updated last year
• Idov31 / NidhoggScript
  NidhoggScript is a tool to generate "script" file that allows execution of multiple commands for Nidhogg
  ☆46Updated 6 months ago
• kymb0 / Stealth_shellcode_runners
  ☆53Updated 5 months ago
• OtterHacker / SetProcessInjection
  ☆142Updated 11 months ago
• joe-desimone / rep-research
  ☆62Updated last month
• ChoiSG / OneDriveUpdaterSideloading
  Payload for DLL sideloading of the OneDriveUpdater.exe, based on the PaloAltoNetwork Unit42's blog post
  ☆84Updated last year
• OmriBaso / WTSImpersonator
  WTSImpersonator utilizes WTSQueryUserToken to steal user tokens by abusing the RPC Named Pipe "\\pipe\LSM_API_service"
  ☆114Updated 2 months ago