Category: Post Exploitation
VectorKernel PoCs for Kernelmode rootkit techniques research or education. Currently focusing on Windows OS. All modules support 64-bit OS only. NOTE Some modules use ExAllocatePool2 API to allocate kernel pool memory. ExAllocatePool2 API is not...
Invoke-ADEnum Active Directory Enumeration Invoke-ADEnum is an Active Directory enumeration tool designed to automate the process of gathering information from an Active Directory environment, leveraging the capabilities of PowerView. With Invoke-ADEnum, you can quickly...
PichichiH0ll0wer Process hollowing loader written in Nim for PEs only PichichiH0ll0wer has some features to protect your payload. Features Configurable builder Payload encrypted and compressed (and optionally splitted) in the hollow loader Supports splitted...
EVILRDP – More control over RDP The evil twin of aardwolfgui using the aardwolf RDP client library that gives you extended control over the target and additional scripting capabilities from the command line. Features Control the mouse...
DarkWidow This is a Dropper/Post Exploitation Tool (or can be used in both situations) targeting Windows. Capabilities: Indirect Dynamic Syscall SSN + Syscall address sorting via Modified TartarusGate approach Remote Process Injection via APC...
MultiDump MultiDump is a post-exploitation tool written in C for dumping and extracting LSASS memory discreetly, without triggering Defender alerts, with a handler written in Python. MultiDump supports LSASS dump via ProcDump.exe or comsvc.dll, it offers...
UAC-BOF-Bonanza This repository serves as a collection of public UAC bypass techniques that have been weaponized as BOFs. A single module that integrates all techniques has been provided to use the BOFs via the...
InflativeLoading Background Converting an exe to shellcode is one of my goals, in this way, some security tools like Mimikatz can be used with more flexibility. Though some tools like Donut already achieved it, I still...
Disable Windows Defender Privilege tokens are permissions given by the system to a process. For example, if a process has a “SeShutdownPrivilege” token, then it has the right to turn off your computer.If your...
SOAPHound SOAPHound is a .NET data collector tool, which collects Active Directory data via the Active Directory Web Services (ADWS) protocol. SOAPHound is an alternative to several open-source security tools that are commonly used...
Cookie-Monster Steal browser cookies for Edge, Chrome, and Firefox through a BOF or exe! Cookie-Monster will extract the WebKit master key, locate a browser process with a handle to the Cookies and Login Data...
LOLSpoof LOLSpoof is an interactive shell program that automatically spoofs the command line arguments of the spawned process. Just call your incriminate-looking command line LOLBin (e.g. powershell -w hidden -enc ZwBlAHQALQBwAHIAbwBjAGUA….) and LOLSpoof will...
Maldev Academy – RemoteTLSCallbackInjection This method utilizes TLS callbacks to execute a payload without spawning any threads in a remote process. This method is inspired by Threadless Injection as RemoteTLSCallbackInjection does not invoke any API calls...
LinikatzV2 LinikatzV2 is a bash script based on the Linikatz tool developed by a time machine. It allows post-exploitation tasks on UNIX computers joined to Active Directory, using various methods for credential mining. This...
Pandora This is a red team tool that assists in gathering credentials from different password managers. They are separated into three categories, Windows 10 desktop applications, browsers, and browser plugins. This may work on...