Hagrid29

Location: Hong Kong

Hagrid29's repositories

PELoader

PE loader with various shellcode injection techniques

DuplicateDump

Dumping LSASS with a duplicated handle from custom LSA plugin

RemotePatcher

Patch AMSI and ETW in a remote process via direct syscalls

Language: C | Stargazers: 73 | Issues: 3 | Issues: 0

BYOVDKit

Bring your own vulnerable driver

Language: C++ | Stargazers: 55 | Issues: 1 | Issues: 0

AbuseAzureAPIPermissions

Abuse Azure API permissions for red teaming

Language: PowerShell | Stargazers: 50 | Issues: 1 | Issues: 0

BOF-SprayAD

Cobalt Strike Beacon Object File (BOF) that uses the LogonUserSSPI API to perform a Kerberos-based password spray

Language: C | Stargazers: 40 | Issues: 1 | Issues: 0

herpaderply_hollowing

Herpaderply Hollowing - a PE injection technique, hybrid between Process Hollowing and Process Herpaderping

Language: C | Stargazers: 38 | Issues: 4 | Issues: 0

BOF-DCOMPotato-PrintNotify

Cobalt Strike Beacon Object File (BOF) that obtains SYSTEM privilege with SeImpersonate privilege by passing a malicious IUnknown object to a DCOM call of PrintNotify.

Language: C++ | Stargazers: 35 | Issues: 1 | Issues: 0

DumpAADSyncCreds

C# implementation of Get-AADIntSyncCredentials from AADInternals, which extracts the Azure AD Connect credentials for AD and Azure AD from the AAD Connect database.

CertifyKit

Active Directory certificate abuse

Language: C# | Stargazers: 25 | Issues: 1 | Issues: 0

BOF-CredUI

Cobalt Strike Beacon Object File (BOF) that uses the CredUIPromptForWindowsCredentials API to invoke a credential prompt

Language: C | Stargazers: 19 | Issues: 1 | Issues: 0

BOF-RemoteRegSave

Cobalt Strike Beacon Object File (BOF) that uses the RegConnectRegistryA + RegOpenKeyExA APIs to dump registry hives on a remote computer

Language: C | Stargazers: 11 | Issues: 1 | Issues: 0

DumpAADUserRPT

DumpAADUserRPT is a C# implementation of Get-AADIntUserPRTToken from AADInternals, which obtains a Primary Refresh Token

Language: C# | Stargazers: 5 | Issues: 0 | Issues: 0

ForeScout-SecureConnector-EoP

Arbitrary File Delete in Forescout SecureConnector before 11.3.06.0063

Language: C++ | Stargazers: 4 | Issues: 1 | Issues: 0

ReadWrite-DCOM

Perform directory listing and read and write files on a remote computer via DCOM methods

Language: PowerShell | Stargazers: 4 | Issues: 2 | Issues: 0