InvokeThreatGuy's repositories
DefenderSwitch
Stop Windows Defender using the Win32 API
AmsiHooker
Hookers are cooler than patches.
beacon-fronting
A simple command-line program to help defenders test their detections for network beacon patterns and domain fronting
CSOps
Utility to manipulate codesigned applications in Mac OS X. Demonstrates the use of the csops system call.
CVE-2022-21882
win32k LPE
d3-flame-graph
A D3.js plugin that produces flame graphs from hierarchical data.
DefenderStop
Stop Defender Service using C# via Token Impersonation
ese-analyst
A set of tools for doing forensic analysis on Microsoft ESE databases.
Fennec
Artifact collection tool for *nix systems
Fido
A PowerShell script to download Windows ISOs or the UEFI Shell
FunctionStomping
A new shellcode injection technique. Provided as a C++ header or as a standalone Rust program.
m0yv
infector
manual-syscall-detect
A tool for detecting manual/direct syscalls in x86 and x64 processes using Nirvana Hooks.
mitnal
Twitter client for UEFI
NimGetSyscallStub
Get fresh syscalls from a fresh ntdll.dll copy
PackMyPayload
A PoC that packages payloads into output containers to evade the Mark-of-the-Web flag and demonstrate the risks associated with container file formats. Supports: ZIP, 7zip, PDF, ISO, IMG, CAB, VHD, VHDX
pharos
Automated static analysis tools for binary programs
PoisonApple
macOS persistence tool
process_overwriting
Yet another variant of Process Hollowing
RefleXXion
RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR products. In order to bypass the user-mode hooks, it first collects the syscall numbers of NtOpenFile, NtCreateSection, NtOpenSection and NtMapViewOfSection found in the LdrpThunkSignature array.
SnD_AMSI
Start a new PowerShell without ETW and AMSI, written in pure Nim
SpoolFool
Exploit for CVE-2022-21999 - Windows Print Spooler Elevation of Privilege Vulnerability (LPE)
srum-dump
A forensics tool to convert the data in the Windows SRUM (System Resource Usage Monitor) database to an xlsx spreadsheet.
Super-UEFIinSecureBoot-Disk
Super UEFIinSecureBoot Disk: Boot any OS or .efi file without disabling UEFI Secure Boot
TokenStomp
C# implementation of the token privilege removal flaw discovered by @GabrielLandau/Elastic
windows-itpro-docs
This is used for contributions to the Windows 10 content for IT professionals on docs.microsoft.com.