Stars
Windows SSH Misconfiguration Discovery Tool - Map lateral movement paths through misconfigured SSH services in Active Directory environments
A cross platform library to write offensive and defensive security tools in Go
A python tool to parse and describe the contents of a raw ntSecurityDescriptor structure.
Go (formerly PowerShell) collector for adding MSSQL attack paths to BloodHound with OpenGraph
Export CyberArk PVWA data (users, groups, safes, accounts and permissions) into a BloodHound-compatible OpenGraph JSON file for security analysis and attack path visualization.
A python tool to map the access rights of network shares into a BloodHound OpenGraphs easily
Bypass EDR on Windows to perform DumpHash
Store sensitive files in the cloud, or on shared media without trusting the host. LUKSbox is a Rust-based encrypted-container tool with passphrase, FIDO2 (YubiKey, Titan, Nitrokey, Windows Hello), …
SharePointScavenger is an automated SharePoint scraper used to find credentials and secrets.
A credential extraction BOF for Veeam Backup and Replication and Veeam One
Dominate the domain. Relay to royalty.
Evasive loader for .NET Framework assemblies
This repo contains the results of an internal re-write of impacket I undertook at my current company. It contains some of the IoCs found within the library
Modify machine code in binaries with alternative x64 assembly opcodes for AV evasion
Automated DLL Hijacking Discovery, Validation, and Confirmation. Turning local misconfigurations into weaponized, confirmed attack paths.
Windows rootkit for Intel x64 with 25+ features, demonstrating rootkit techniques compatible with all Windows 10 and Windows 11 versions.
Extract Windows credentials directly from VM memory snapshots and virtual disks
BYOVD: Use 360 WFP driver to block EDR/XDR network connection.
Disconnected RSAT - A method of running Group Policy Manager, Certificate Authority and Certificate Templates MMC snap-ins from non-domain joined machines
An alternative to the builtin clipboard feature in Cobalt Strike that adds the capability to enable/disable and dump the clipboard history.
Cobalt Strike BOF used to perform privilege escalation by exploiting the SeImpersonate privilege. Based on the original GodPotato PoC by BeichenDream.
Havoc C2 BOF port of the KslD.sys BYOVD technique. Credential extraction from lsass via physical memory — no OpenProcess, no auditable API calls.
BOF for Havoc that copies locked Windows files (SAM, SYSTEM, NTDS.dit) via raw MFT parsing — no VSS, no Registry APIs, no PowerShell
Demonstrating 3 persistence layers from a single EXE, that converts itself into proxy DLLs at runtime
A Cobalt Strike RL built with Crystal Palace — module overloading, NtContinue entry transfer, call stack spoofing, sleep masking, and static signature removal.
InfraGuard is a Command & Control Redirection Proxy and Manager which protects your Red Team Infrastructure against threat attribution
haxrob / BPFDoor
Forked from gwillgues/BPFDoor. BPFDoor Source Code. Originally found from Chinese Threat Actor Red Menshen
yenick514 / KslKatz
Forked from vergamota/KslKatz. Combining KslDump and GhostKatz to dump LSASS using no-fix KslD.sys memory read to bypass PPL. Extracts MSV1_0 NT hashes and WDigest cleartext passwords (if enabled) from LSASS using a Microsoft-si…