Topotam's repositories
SysWhisper3
SysWhispers on Steroids - AV/EDR evasion via direct system calls.
BofAllTheThings
Creating a repository with all public Beacon Object Files (BoFs)
LdapRelayScan
Check for LDAP protections regarding the relay of NTLM authentication
TokenStomp
C# implementation of the token privilege removal flaw discovered by @GabrielLandau/Elastic
Ares
Project Ares is a Proof of Concept (PoC) loader written in C/C++ based on the Transacted Hollowing technique
BackupOperatorToDA
From a member of the Backup Operators group to Domain Admin without RDP or WinRM on the Domain Controller
blankspace
Proof of Concept for EFSRPC Arbitrary File Upload (CVE-2021-43893)
BokuLoader
Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities. By: @0xBoku & @s4ntiago_p
GoldenGMSA
GoldenGMSA tool for working with GMSA passwords
Ivy
Ivy is a payload creation framework for the execution of arbitrary VBA (macro) source code directly in memory. Ivy's loader does this by utilizing programmatic access in the VBA object environment to load, decrypt and execute shellcode.
KillDefender
A small PoC to make Defender useless by removing its token privileges and lowering the token integrity
KrbRelay
Framework for Kerberos relaying
MalMemDetect
Detect strange memory regions and DLLs
manual-syscall-detect
A tool for detecting manual/direct syscalls in x86 and x64 processes using Nirvana Hooks.
Nimcrypt2
.NET, PE, & Raw Shellcode Packer/Loader Written in Nim
OffensiveNim
My experiments in weaponizing Nim (https://nim-lang.org/)
PackMyPayload
A PoC that packages payloads into output containers to evade the Mark-of-the-Web flag and demonstrate risks associated with container file formats. Supports: ZIP, 7zip, PDF, ISO, IMG, CAB, VHD, VHDX
RecycledGate
Hellsgate + Halosgate/Tartarosgate. Ensures that all system calls go through ntdll.dll
RefleXXion
RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks, it first collects the syscall numbers of NtOpenFile, NtCreateSection, NtOpenSection and NtMapViewOfSection found in the LdrpThunkSignature array.
revsocks
Reverse SOCKS5 implementation in Go
SnD_AMSI
Start a new PowerShell without ETW and AMSI, in pure Nim
SpoolFool
Exploit for CVE-2022-22718 - Windows Print Spooler Elevation of Privilege Vulnerability (LPE)
T.D.P
Using the thread description to hide shellcode
TymSpecial
SysWhispers integrated shellcode loader w/ ETW patching, anti-sandboxing, & spoofed code signing certificates