PoC for a Havoc agent/handler setup with all C2 traffic routed through GitHub. No direct connections: all commands and responses are relayed through Issues and Comments for maximum stealth.

Obfuscate the bytes of your payload with an association dictionary

Yet another C++ Cobalt Strike beacon dropper with Compile-Time API hashing and custom indirect syscalls execution

Aspyco is a python script that permits to upload a local binary through SMB on a remote host. Then it remotely connects to svcctl named pipe through DCERPC to create and start the binary as a service.

A simple PE Loader tool that loads a PE from memory, decrypt it, resolve its imports, relocate its sections, and redefine its entry point to execute seamlessly from memory

Bruteforce DPAPI encrypted MasterKey File from Windows Credentials Manager

Another example of Azure AD Authentication Passthrough exploitation to intercept LogonUserW API calls

Automate your C2 creation with Azure Frontdoor and randomly generated options

RemClip is a C# project which permits to steal user clipboard data and send it to a remote web server under attacker control

Hekatomb is a python script that connects to LDAP directory to retrieve all computers and users informations. Then it will download all DPAPI blob of all users from all computers and uses Domain ba…

CSharp reimplementation of Venoma, another C++ Cobalt Strike beacon dropper with custom indirect syscalls execution

Autonomous red team implementation allowing sound capture and broadcast through an untraceable front-end server to the attacker's station

This script is used to unload PsSetCreateProcessNotifyRoutineEx, PsSetCreateProcessNotifyRoutine, PsSetLoadImageNotifyRoutine and PsSetCreateThreadNotifyRoutine from ESET Security to bypass the dri…

This script is used to bypass DLL Hooking using a fresh mapped copy of ntdll file, patch the ETW and trigger a shellcode with process hollowing

Tool to enumerate ESET hooked functions by parsing the ebehmoni.dll module

A custom reimplementation of indirect syscalls without the use of GetModuleHandleA and GetProcAddress

Enumerate SSN (System Service Numbers or Syscall ID) and syscall instruction address in ntdll module by parsing the PEB of the current process

Tous les trucs utilisés dans les Tutos, les shellcodes, les templates, les notes...

Script python permettant d'envoyer en masse des invitations sur LinkedIn

ESEDHOUND is a python script that extract datatable from the ntds.dit file to retrieve users, computers and groups. The goal is to send all the infos into Bloodhound to help incident responders for…

Je sais pas trop encore, on verra

Test d'injection de shellcode dans un fichier PE 64bits

Enumerate all users and their SID from LDAP