Lists (32)
APT
What APTs all use
browser extension
C2-related, such as SRDI and BOF
CI/CD
cloud
CTI
CTI tools
DFIR
lsass
maldev academy
packer
phishing
purple team
reverse/debug
ROP
SOC
Some documents
Memory encryption
Internal network scanning
Various texts
Stack spoofing
Threat intelligence
Threat emulation material
Useful for learning
Persistence
Detection
Templates
Obfuscation
Workshops
Process injection
Stars
DSCourier is a proof-of-concept that uses the WinGet Configuration COM API to apply DSC configurations through Microsoft-signed binaries.
A CI/CD Red Team Framework for demonstrating Build Pipeline security risks.
AWSDoor is a red team automation tool designed to simulate advanced attacker behavior in AWS environments
Threat hunting command system for agentic IDEs
PowerShell SharePoint extraction + auditing tool for red/blue/purple teams. Enumerates all SharePoint sites/drives a user can access via Microsoft Graph, recursively downloads files, and logs every…
BOF to impersonate TrustedInstaller via DISM API trigger and thread impersonation
Security tools for purple team, AI security, and M365/GWS. Authorized use only.
Monitor the Windows Event Log with grep-like features or filtering for specific Event IDs
Malware, tooling, logs, IOCs and intelligence
SOCKS5 proxy tool that uses Azure Storage services as a means of communication.
A collection of independent CTI reports covering active threat campaigns and attacker TTPs.
Filesystem interaction via firebeam virtual machine execution
Gain insights into COM/DCOM implementations that may be vulnerable using an automated approach and make it easy to visualize the data. By following this approach, a security researcher will hopeful…
C2-agnostic BOF collection, categorized by attack chain phase. Designed to be small and modular, allowing for quick execution and automation.
Attack Graph Visualizer and Explorer (Active Directory) ...Who's *really* Domain Admin?
Quietly and anonymously bruteforce Active Directory usernames at insane speeds from Domain Controllers by (ab)using LDAP Ping requests (cLDAP)
KslDump — Why bring your own knife when Defender already left one in the kitchen?
Tools for interacting with authentication packages using their individual message protocols
Extract Windows credentials directly from VM memory snapshots and virtual disks
A PoC of the ContainYourself research presented in DEFCON 31, which abuses the Windows containers framework to bypass EDRs.
Datasets from the Sophos Active Adversary Report