Starred repositories
Load a dynamic library from memory by modifying the native Windows loader
Tools for interacting with authentication packages using their individual message protocols
InfraGuard is a Command & Control Redirection Proxy and Manager which protects your Red Team Infrastructure against threat attribution
PolyEngine is an evasive PE packer designed for CTF challenges and low-level Windows security education. It focuses on bypassing EDR and AV heuristics through a layered stack of in-memory execution…
Public Repo for Atomic Test Harness
Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the [atomics folder](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics) of Red Canary's Atomic Red Team p…
Small and highly portable detection tests based on MITRE's ATT&CK.
A Crystal Palace shared library to resolve & perform syscalls
Dump protected process memory by using BYOVD to tamper with handle objects in the kernel.
Some notes and examples for Cobalt Strike's functionality
Monitor the Windows Event Log with grep-like features or filtering for specific Event IDs
Adaptix C2 agent using Crystal Palace PIC linker and PICO module system
Language extension for Crystal Palace Specification files
PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that it's possible to build a multi-stage and…
A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike
Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process.
A secure sandbox environment for malware developers and red teamers to test payloads against detection mechanisms before deployment. Integrates with LLM agents via MCP for enhanced analysis capabil…
A cross-platform tool to parse and describe the contents of a raw ntSecurityDescriptor structure
A cross-platform tool to find and decrypt Group Policy Preferences passwords from the SYSVOL share using low-privileged domain accounts
Yet another shellcode runner, consisting of different techniques for evaluating the detection capabilities of endpoint security solutions
A Beacon Object File (BOF) that talks directly to Windows authentication packages through the LSA untrusted/trusted client interface, without touching LSASS process memory.
A BloodHound alternative. BloodBash ingests the same files BloodHound does, but no server is required to use this tool. It's great for quick AD enumeration.