Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters

Simple (relatively) things allowing you to dig a bit deeper than usual.

An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.

Open-Source Shellcode & PE Packer

A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.

A tool uses Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.

Connect like there is no firewall. Securely.

Situational Awareness commands implemented using Beacon Object Files

Fileless lateral movement tool that relies on ChangeServiceConfigA to run command

Dump cookies and credentials directly from Chrome/Edge process memory

A collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques.

TrevorC2 is a legitimate website (browsable) that tunnels client/server communications for covert command execution.

HVNC for Cobalt Strike

A modern 32/64-bit position independent implant template

A memory-based evasion technique which makes shellcode invisible from process start to end.

LoadLibrary for offensive operations

Fully decrypt App-Bound Encrypted (ABE) cookies, passwords & payment methods from Chromium-based browsers (Chrome, Brave, Edge) - all in user mode, no admin rights required.

Cobalt Strike UDRL for memory scanner evasion.

A .NET Runtime for Cobalt Strike's Beacon Object Files

Execute unmanaged Windows executables in CobaltStrike Beacons

Various Cobalt Strike BOFs

This repository contains sample programs that mimick behavior found in real-world malware. The goal is to provide source code that can be compiled and used for learning purposes, without having to …

A POC for the new injection technique, abusing windows fork API to evade EDRs. https://www.blackhat.com/eu-22/briefings/schedule/index.html#dirty-vanity-a-new-approach-to-code-injection--edr-bypass…

A BOF that runs unmanaged PEs inline

Collection of Beacon Object Files (BOF) for Cobalt Strike

Evade sysmon and windows event logging

A tool employs direct registry manipulation to create scheduled tasks without triggering the usual event logs.