Stars
A tool that employs direct registry manipulation to create scheduled tasks without triggering the usual event logs.
Collection of UAC Bypass Techniques Weaponized as BOFs
Information released publicly by NCC Group's Full Spectrum Attack Simulation (FSAS) team.
Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging
BOF for Kerberos abuse (an implementation of some important features of the Rubeus).
Collection of remote authentication triggers in C#
An alternative screenshot capability for Cobalt Strike that uses WinAPI and does not perform a fork & run. Screenshot downloaded in memory.
The world's fastest apk (android)/java open source decompiler
Cobalt Strike User-Defined Reflective Loader with AV/EDR Evasion in mind
A SOCKS5 proxy tool written in C. A lightweight intranet tunnelling tool implemented in pure C; supports setting up forward and reverse SOCKS5 proxy tunnels and runs cross-platform.
A small x64 library to load DLLs into memory.
Module Stomping, No New Thread, HellsGate syscaller, UUID Shellcode Runner for x64 Windows 10!
Encrypted shellcode Injection to avoid Kernel triggered memory scans
BOF implementation of @_EthicalChaos_'s ThreadlessInject project. A novel process injection technique with no thread creation, released at BSides Cymru 2023.
.NET assembly loader with patchless AMSI and ETW bypass
Technical notes, AD pentest methodology, list of tools, scripts and Windows commands that are useful for internal penetration tests and assumed breach exercises (red teaming).
CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)
EarlyBird process hollowing technique (BOF) - spawns a process in a suspended state, injects shellcode, hijacks the main thread with an APC, and executes the shellcode
Reaping treasures from strings in remote processes' memory
Waiting Thread Hijacking - injection by overwriting the return address of a waiting thread
Dont Call Me Back - Dynamic kernel callback resolver. Scan kernel callbacks in your system in a matter of seconds!
Position-independent code to extract clear-text passwords from mstsc.exe using API hooking via hardware breakpoints (HWBP).