- United Kingdom
- infosecnoodle.com
- @infosecnoodle
Stars
A memory-based evasion technique which makes shellcode invisible from process start to end.
Collection of Beacon Object Files (BOF) for Cobalt Strike
The Definitive Guide To Process Cloning on Windows
A CobaltStrike toolkit to write files produced by Beacon to memory instead of disk
Encrypted shellcode Injection to avoid Kernel triggered memory scans
A BOF to automate common persistence tasks for red teamers
Reaping treasures from strings in remote processes' memory
Fully functional, from-scratch alternative to the Cobalt Strike Beacon (red teaming tool), offering transparency and flexibility for security professionals and enthusiasts.
Position Independent Code to extract clear-text passwords from mstsc.exe using API hooking via HWBP.
Waiting Thread Hijacking - injection by overwriting the return address of a waiting thread
Take a screenshot without injection for Cobalt Strike
An x64 position-independent shellcode stager that verifies the stage it retrieves prior to execution
A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike
The ADSyncDump BOF is a port of Dirk-Jan Mollema's adconnectdump.py / ADSyncDecrypt into a Beacon Object File (BOF) with zero dependencies.
Local SYSTEM auth trigger for relaying - X
Webcam capture capability for Cobalt Strike as a BOF, with in-memory download options
Hijacks code execution via overwriting Control Flow Guard pointers in combase.dll
A BOF to enumerate system processes, their protection levels, and more.
Boilerplate to develop raw and truly Position Independent Code (PIC).
An ICMP channel for Beacons, implemented using Cobalt Strike’s External C2 framework.
Updated version of a long-known self-deletion technique to work with 24H2.
PrimitiveInjection by using Read, Write and Allocation Primitives.