Bobby Cooke (boku7)

boku7


Company: IBM X-Force Red Adversary Simulation

Location: United States

Home Page: https://0xBoku.com

Twitter: @0xBoku


Bobby Cooke's repositories

BokuLoader

A proof-of-concept Cobalt Strike Reflective Loader which aims to recreate, integrate, and enhance Cobalt Strike's evasion features!

azureOutlookC2

Azure Outlook Command & Control (C2) - Remotely control a compromised Windows Device from your Outlook mailbox. Threat Emulation Tool for North Korean APT InkySquid / ScarCruft / APT37. TTP: Use Microsoft Graph API for C2 Operations.

Language: C | License: MIT | Stargazers: 455 | Issues: 8 | Issues: 0

Ninja_UUID_Runner

Module Stomping, No New Thread, HellsGate syscaller, UUID Shellcode Runner for x64 Windows 10!

Language: C | License: MIT | Stargazers: 424 | Issues: 7 | Issues: 0

spawn

Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.

Language: C | License: MIT | Stargazers: 420 | Issues: 14 | Issues: 0

injectAmsiBypass

Cobalt Strike BOF - Bypass AMSI in a remote process with code injection.

Language: C | License: MIT | Stargazers: 367 | Issues: 13 | Issues: 0

HOLLOW

EarlyBird process hollowing technique (BOF) - Spawns a process in a suspended state, injects shellcode, hijacks the main thread with an APC, and executes the shellcode

Language: C | License: MIT | Stargazers: 257 | Issues: 10 | Issues: 0

AsmHalosGate

x64 Assembly HalosGate direct System Caller to evade EDR UserLand hooks

Language: C | License: MIT | Stargazers: 181 | Issues: 4 | Issues: 0

whereami

Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process environment strings without touching any DLLs.

Language: C | License: MIT | Stargazers: 157 | Issues: 4 | Issues: 0

winx64-InjectAllProcessesMeterpreter-Shellcode

64bit Windows 10 shellcode that injects all processes with Meterpreter reverse shells.

Language: Assembly | License: MIT | Stargazers: 129 | Issues: 8 | Issues: 0

Nobelium-PdfDLRunAesShellcode

A recreation of the "Nobelium" malware based on Microsoft's malware analysis - Part 1: PDF2Pwn

Language: C | License: MIT | Stargazers: 100 | Issues: 10 | Issues: 0

HellsGatePPID

Assembly HellGate implementation that directly calls Windows System Calls and displays the PPID of the explorer.exe process

Language: C | License: MIT | Stargazers: 98 | Issues: 10 | Issues: 0

halosgate-ps

Cobalt Strike BOF that uses a custom ASM HalosGate & HellsGate syscaller to return a list of processes

Language: C | License: MIT | Stargazers: 93 | Issues: 5 | Issues: 0

xPipe

Cobalt Strike BOF to list Windows Pipes & return their Owners & DACL Permissions

Language: C | License: MIT | Stargazers: 78 | Issues: 3 | Issues: 0

x64win-DynamicNoNull-WinExec-PopCalc-Shellcode

64bit Windows 10 shellcode dat pops dat calc - Dynamic & Null Free

Language: Assembly | License: MIT | Stargazers: 53 | Issues: 4 | Issues: 0

gsCMS-CustomJS-Csrf2Xss2Rce

GetSimple CMS Custom JS Plugin Exploit RCE Chain

Language: Python | License: MIT | Stargazers: 12 | Issues: 5 | Issues: 0

slae64

Repo for SLAE64 Exam

Language: Assembly | License: MIT | Stargazers: 7 | Issues: 3 | Issues: 0

DarkWidow

Indirect Dynamic Syscall, SSN + Syscall address sorting via Modified TartarusGate approach + Remote Process Injection via APC Early Bird + Spawns a sacrificial Process as target process + (ACG+BlockDll) mitigation policy on spawned process + PPID spoofing + Api resolving from TIB + API hashing

License: MIT | Stargazers: 6 | Issues: 0 | Issues: 0

GetSimple-SmtpPlugin-CSRF2RCE

GetSimple CMS My SMTP Contact Plugin <= v1.1.1 - CSRF to RCE

Language: Python | License: MIT | Stargazers: 6 | Issues: 3 | Issues: 0

LoudSunRun

My shitty attempt at tampering with the callstack based on the work of namazso, SilentMoonWalk, and VulcanRaven

Language: C | Stargazers: 6 | Issues: 0 | Issues: 0

Apollo

A .NET Framework 4.0 Windows Agent

Language: C# | License: BSD-3-Clause | Stargazers: 3 | Issues: 1 | Issues: 0

ADOKit

Azure DevOps Services Attack Toolkit

Language: C# | License: Apache-2.0 | Stargazers: 2 | Issues: 1 | Issues: 0

Windows_LPE_AFD_CVE-2023-21768

LPE exploit for CVE-2023-21768

Language: C | Stargazers: 2 | Issues: 1 | Issues: 0

DayBird

Extension functionality for the NightHawk operator client

Language: C# | Stargazers: 1 | Issues: 0 | Issues: 0

GraphRunner

A Post-exploitation Toolset for Interacting with the Microsoft Graph API

Language: PowerShell | License: MIT | Stargazers: 1 | Issues: 1 | Issues: 0

StandIn

StandIn is a small .NET35/45 AD post-exploitation toolkit

Language: C# | Stargazers: 1 | Issues: 0 | Issues: 0

Havoc

The Havoc Framework

Language: Go | License: GPL-3.0 | Stargazers: 0 | Issues: 1 | Issues: 0

LOLBAS

Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)

Language: XSLT | License: GPL-3.0 | Stargazers: 0 | Issues: 1 | Issues: 0