This is your work, valued
Chisel-Strike. A .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities.
★ 460IRvana. Slaying multi-language LLVM IR with obfuscation passes to achieve JIT execution
★ 135m3rcer.github.io. HTML
★ 1BusPwn. BusPwn V1.0 is a powerful Modbus hacking framework designed for testing and exploiting vulnerabilities in Modbus-based systems commonly found in Industrial Control Systems (ICS) and Operational Technology (OT).
★ 30CyberStrike. AI-powered offensive security agent with 7,300+ actionable security skills. Autonomous pentesting powered by MITRE ATT&CK (2,000+ Atomic tests), CIS Benchmarks (1,500+ controls), OWASP, NIST. Lazy-loading, zero context pollution. Your AI red team.
★ 1.2kOSWE-Notes. My OSWE notes (mostly on exploit writing and my helper scripts)
★ 8p4wned. Perforce security research and tools - CVE-2026-6043
★ 2shinysocks. A small, ultrafast SOCKS proxy server.
★ 236llvm-obfus. out-of-tree LLVM 21+ pass plugin for policy-driven IR obfuscation.
★ 91Outpacket. This cheatsheet maps common impacket workflows to their modern alternatives
★ 297optimizerNXT. The finest Windows Optimizer CLI
★ 380KSLDBYOVDARK. Abusing Some Defects in KSLD Ark driver
★ 39DrvEye. Static analysis & exploitation-triage toolkit for Windows kernel drivers. Discover IOCTLs, Symbolic Links, and check cert , and Downlaods BYOVD
★ 189KsDumper-11. A revival of the classic and legendary KsDumper
★ 578Maverick. Adaptix C2 agent using Crystal Palace PIC linker and PICO module system
★ 97kvc. KVC enables unsigned driver loading via DSE bypass (g_CiOptions patch, skci.dll hijack, SeCiCallbacks redirection) and PP/PPL manipulation for LSASS memory dumping on modern Windows with HVCI/VBS.
★ 294DumpGuard. Proof-of-Concept tool for extracting credential material from protected sessions on modern Windows systems.
★ 702KvcForensic. Windows/Linux LSA credential extractor for lsass.dmp minidumps. Targets Windows 11 24H2/25H2/26H1 and Windows Server 2025. Pure Win32, no DbgHelp, no dependencies. Extracts MSV, WDigest, Kerberos, CredMan, DPAPI. AES-CFB128 and 3DES-CBC decryption via BCrypt
★ 30Interceptor. Agent-driven Chrome extension for full browser control via CLI
★ 300graphthulhu. MCP server that gives AI full access to your Logseq or Obsidian knowledge graph. 39 tools for navigation, search, analysis, writing, decisions, journals, flashcards, and whiteboards.
★ 170awesome-claude-code. A hand-picked collection of the finest of resources for the most awesome of agents, Claude Code, the undisputed champion of coding companions, from the unstoppable team at Anthropic PBC. A delectable showcase of top tier skills, ambidextrous agents, scintillating status lines, top notch developer tooling, and also we have plugins
★ 50kwmiexec2. wmiexec2.0 is the same wmiexec that everyone knows and loves (debatable). This 2.0 version is obfuscated to avoid well known signatures from various AV engines. It also has a handful of additional built in modules to help automate some common tasks on Red team engagements.
★ 65KslDump. KslDump — Why bring your own knife when Defender already left one in the kitchen?
★ 390claude-bug-bounty. AI-powered bug bounty hunting from your terminal - recon, 20 vuln classes, autonomous hunting, and report generation. All inside Claude Code.
★ 3.9kburp-ai-agent. Burp Suite extension that adds built-in MCP tooling, AI-assisted analysis, privacy controls, passive and active scanning and more
★ 1.3kSockTail. Lightweight binary that joins a device to a Tailscale network and exposes a local SOCKS5 proxy. Designed for red team operations and ephemeral access into restricted environments using Tailscale’s embedded client (tsnet). Zero config, no daemon, no persistence - just a fast way in.
★ 568win-x86-shellcoder. A tool for developing bad character-free shellcode to bypass DEP with WriteProcessMemory (32-bit only)
★ 75ropcatalog. Finding and classifying ROP gadgets from rp++ output file with some regex and a CLI.
★ 32claude-auto-resume. A shell script utility that automatically resumes Claude CLI tasks when usage limits are lifted.
★ 790Bloodhound-CustomQueries. Custom Queries - Brought Up to BH4.1 syntax
★ 283keycred. Generate and Manage KeyCredentialLinks
★ 255BloodHoundQueries. Python
★ 778scfw. A cross-platform C++ framework for building Windows shellcode
★ 178AzureADEnumeration. Microsoft Entra ID (Azure AD) Unauthenticated Enumeration
★ 78Huginn. C++
★ 85digler. Digler is a tool for forensic disk analysis and file recovery. It's designed to help you unearth lost or deleted data from various disk images and raw devices.
★ 1.2kBusterCall. "Bypassing" HVCI via donor PFN swaps to modify read-only code pages. Call chained kernel functions (kCET and SLAT support), and more.
★ 129Invoke-SocksProxy. Socks proxy, and reverse socks server using powershell.
★ 809RelayKing-Depth. Dominate the domain. Relay to royalty.
★ 337Invoke-TheHash. PowerShell Pass The Hash Utils
★ 1.8kalive2. Automatic verification of LLVM optimizations
★ 1.1kIRvana. Slaying multi-language LLVM IR with obfuscation passes to achieve JIT execution
★ 135Extension-Kit. AdaptixFramework Extension Kit
★ 522fort. Fort Firewall for Windows
★ 3.2komni. A modern, mostly zero-allocation C++23 library for working with low-level Windows within user-space. Iteration over loaded modules via PEB, EAT iteration, lazy imports, syscalls, and more.
★ 258BetterGetProcAddress. POC of a better implementation of GetProcAddress for ntdll using binary search
★ 116BOF_ExecuteAssembly. Beacon Object File for Cobalt Strike that executes .NET assemblies in beacon with evasion techniques.
★ 194Moonwalk--. Moonwalk++: Simple POC Combining StackMoonwalking and Memory Encryption
★ 227SessionHop. Windows Session Hijacking via COM
★ 348PrivKit. PrivKit is a simple beacon object file that detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS.
★ 606Kharon-Mtc. C2 Agent fully PIC for Mythic with advanced evasion capabilities, dotnet/powershell/shellcode/bof memory executions, lateral moviments, pivot and more.
★ 211anvill. anvill forges beautiful LLVM bitcode out of raw machine code
★ 374pliron. An Extensible Compiler IR Framework
★ 422NotDec-llvm2c. Structures LLVM IR into C/C++.
★ 9rellic. Rellic produces goto-free C output from LLVM bitcode
★ 605EntraMFACheck. Identify Azure AD resources that issue tokens without MFA enforcement using the ROPC grant flow.
★ 85WSASS. This is the tool to dump the LSASS process on modern Windows 11
★ 588ntoskrnl. The Windows Research Kernel (WRK)
★ 231basekernel. A simple OS kernel for research, teaching, and fun.
★ 931NoPrompt. Python
★ 105EntraFalcon. A lightweight PowerShell tool for assessing the security posture of Microsoft Entra ID environments. It helps identify privileged objects, risky assignments, and potential misconfigurations.
★ 451ECUtilities. Powershell and python utilties for Entra Connect
★ 29MDExclusionParser. PowerShell script to quickly scan Event Log ID 5007 and 1121 for published Windows Defender Exclusions and Attack Surface Reduction (ASR) rule configuration.
★ 9CVE-2024-6387_Check. CVE-2024-6387_Check is a lightweight, efficient tool designed to identify servers running vulnerable versions of OpenSSH
★ 523regreSSHion. CVE-2024-6387 (regreSSHion) Exploit (PoC), a vulnerability in OpenSSH's server (sshd) on glibc-based Linux systems.
★ 66debugir. DebugIR: Debugging LLVM-IR Files
★ 145mssql-spider. Automated exploitation of MSSQL servers at scale
★ 125IRvana. IRvana is a Windows-focused LLVM IR exploration project for code execution, reverse engineering, and JIT testing. It streamlines IR for C, C++, Rust, Nim 🐙
★ 8go-recon. External recon toolkit
★ 57dittobytes. Metamorphic cross-compilation of C++ & C-code to PIC, BOF & EXE.
★ 637MasterHide. A x64 Windows Rootkit using SSDT or Hypervisor hook
★ 566WinVisor. WinVisor - A hypervisor-based emulator for Windows x64 user-mode executables using Windows Hypervisor Platform API
★ 663awesome-flipperzero. 🐬 A collection of awesome resources for the Flipper Zero device.
★ 24kLudus-MDE-MDI-Roles. Ludus roles to deploy ASR rules and MDI auditing settings
★ 25elfspirit. ELF static analysis and injection framework that parse, manipulate, patch and camouflage ELF files.
★ 146CVE-2025-33073. PoC Exploit for the NTLM reflection SMB flaw.
★ 706ioctlance. A tool that is used to hunt vulnerabilities in x64 WDM drivers
★ 468Hells-Hollow. Hells Hollow Windows 11 Rootkit technique to Hook the SSDT via Alt Syscalls
★ 237obfus.h. Macro-header for compile-time C obfuscation (tcc, win x86/x64)
★ 1.7kCrystal-Loaders. A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike
★ 233LitterBox. A self-hosted sandbox for red teams to test payloads against modern detection before deployment. MCP integration lets an LLM agent drive analysis end to end.
★ 1.5kMemLoader. Run native PE or .NET executables entirely in-memory. Build the loader as an .exe or .dll—DllMain is Cobalt Strike UDRL-compatible
★ 271Ghidra-to-LLVM. A binary-to-LLVM IR lifter that leverages Ghidra's IR and analysis
★ 13llvm-ei. extensible interpreter for LLVM dynamic analyses
★ 45LLVMDynamicTools. An LLVM interpreter that aims to compute points-to sets dynamically
★ 33llvmlite. A lightweight LLVM python binding for writing JIT compilers
★ 2.3kllvm-ir. LLVM IR in natural Rust data structures
★ 697CVE-2025-25257. FortiWeb CVE-2025-25257 exploit
★ 64SpeechRuntimeMove. Lateral Movement as loggedon User via Speech Named Pipe COM & ISpeechNamedPipe + COM Hijacking
★ 148AssemblyHunter. Find .net assemblies locally
★ 133ROP_ROCKET. ROP ROCKET is an advanced code-reuse attack framework, with extensive ROP chain generation capabilities, including for novel Windows Syscalls attack, a novel Heaven's Gate, and "shellcodeless" ROP. The framework utilizes emulation and obfuscation to help expand the attack surface.
★ 169NauthNRPC. Enumerate Domain Users Without Authentication
★ 290LdrShuffle. Code execution/injection technique using DLL PEB module structure manipulation
★ 284DLHell. Local & remote Windows DLL Proxying
★ 173GuidedHacking-Injector. The BEST DLL Injector Library.
★ 1.4kDll-Shellcode-Loader. Dll Shellcode Loader POC
★ 8evilrdp. Python
★ 308DonPAPI. Dumping DPAPI credz remotely
★ 1.4kDCOMRunAs. Lateral movement with DCOM DLL hijacking
★ 179GPOZaurr. Group Policy Eater is a PowerShell module that aims to gather information about Group Policies but also allows fixing issues that you may find in them.
★ 1.2kBitlockMove. Lateral Movement via Bitlocker DCOM interfaces & COM Hijacking
★ 441SignToolGUI. This tool is a user-friendly Graphical User Interface (GUI) tool that simplifies and streamlines the process of digitally signing files using Microsoft's signtool.exe. This tool is designed to provide a straightforward interface, enabling users to apply digital signatures to software executables, drivers, DLLs, and other file types effortlessly.
★ 106Generate_Linux_Kernel_Bitcode. Go
★ 37golem. Golem automates C/C++ vulnerability discovery with SemGrep+LLVM+LLM
★ 101VMwhere. LLVM based obfuscation engine
★ 119PipeViewer. A tool that shows detailed information about named pipes in Windows
★ 748PastDSE. DSE bypass using a leaked cert and adjusting the current clock.
★ 164SignatureKid. C++
★ 402ShadowHound. PowerShell scripts for alternative SharpHound enumeration, including users, groups, computers, and certificates, using the ActiveDirectory module (ADWS) or System.DirectoryServices class (LDAP).
★ 407SOAPHound. SOAPHound is a custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol.
★ 889byor. Go
★ 165GPOwned. Buggy script to play with GPOs
★ 132GPOddity. The GPOddity project, aiming at automating GPO attack vectors through NTLM relaying (and more).
★ 369OUned. The OUned project automating Active Directory Organizational Units ACL exploitation through gPLink poisoning
★ 160SharpSuccessor. SharpSuccessor is a .NET Proof of Concept (POC) for fully weaponizing Yuval Gordon’s (@YuG0rd) BadSuccessor attack from Akamai.
★ 413exploits. A handy collection of my public exploits, all in one place.
★ 676PowerPUG. A tiny tool built to help AD Admins tame the Protected Users group.
★ 142WSL. Windows Subsystem for Linux
★ 33kEvilentCoerce. Python
★ 164binaryen. Optimizer and compiler/toolchain library for WebAssembly
★ 8.5kdefendnot. An even funnier way to disable windows defender. (through WSC api)
★ 3.5kRandomTSScripts. Collection of random RedTeam scripts.
★ 213ForsHops. ForsHops
★ 154SoaPy. SoaPy is a Proof of Concept (PoC) tool for conducting offensive interaction with Active Directory Web Services (ADWS) from Linux hosts.
★ 266AdaptixC2. AdaptixC2 is a highly modular advanced redteam toolkit
★ 3.3kredteam-collab. Red Team Collaboration Infrastructure
★ 97Nimhawk. A powerful, modular, lightweight and efficient command & control framework written in Nim.
★ 222eavesarp-ng. Go
★ 49RemoteMonologue. Weaponizing DCOM for NTLM Authentication Coercions
★ 214Stifle. .NET Post-Exploitation Utility for Abusing Strong Explicit Certificate Mappings in ADCS
★ 152LLVM-On-iOS. Script to build LLVM and Clang projects for use in iOS app and example iOS app using LLVM to interpret C++ programs
★ 82BloodHound-MCP. Python
★ 160Loki. 🧙♂️ Node.js Command & Control for Script-Jacking Vulnerable Electron Applications
★ 1.4kwindows. Windows inside a Docker container.
★ 52keyeballer. Convolutional neural network for analyzing pentest screenshots
★ 1.3kmcp-job-security. LLVM Pass to save Reverse Engineers from Automation
★ 125Mergen. Deobfuscation via optimization with usage of LLVM IR and parsing assembly.
★ 6ida-pro-mcp. AI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.
★ 10kRamiGPT. Autonomous Privilege Escalation using AI
★ 859Ultimate-RAT-Collection. For educational purposes only, exhaustive samples of 500+ classic/modern trojan builders including screenshots.
★ 4.1kimpacket. Impacket is a collection of Python classes for working with network protocols.
★ 3TGSThief. My implementation of the GIUDA project in C++
★ 190SharpSpray. 域内密码喷射工具
★ 137kernel-callback-removal. kernel callback removal (Bypassing EDR Detections)
★ 222conpass. Continuous password spraying tool
★ 211cargo-xwin. Cross compile Cargo project to Windows MSVC target with ease
★ 604openai-agents-python. A lightweight, powerful framework for multi-agent workflows
★ 28kBootExecuteEDR. C
★ 417ACLViewer. ACL Viewer for Windows
★ 133emscripten. Emscripten: An LLVM-to-WebAssembly Compiler
★ 27kPowerChell. A PowerShell console in C/C++ with all the security features disabled
★ 394SQLRecon. A C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation.
★ 810WID_LoadLibrary. Reverse engineering winapi function loadlibrary.
★ 244msftrecon. Python
★ 789RagingRotator. A tool for carrying out brute force attacks against Office 365, with built in IP rotation use AWS gateways.
★ 80TargetedTimeroast. Tamper Active Directory user attributes to collect their hashes with MS-SNTP
★ 64lemon. eBPF Memory Dump Tool
★ 113Invoke-ArgFuscator. Invoke-ArgFuscator is an open-source, cross-platform PowerShell module that helps generate obfuscated command-lines for common system-native executables.
★ 279sprayhound. Password spraying tool and Bloodhound integration
★ 259LLVM-Obfuscation-Experiments. C
★ 19earlycascade-injection. early cascade injection PoC based on Outflanks blog post
★ 241SharpADWS. Active Directory reconnaissance and exploitation for Red Teams via the Active Directory Web Services (ADWS).
★ 598GPOHunter. A security assessment tool for analyzing Active Directory Group Policy Objects (GPOs) to identify misconfigurations and vulnerabilities
★ 328trust-validator. Validates priv escalation of AD trusts
★ 47godap. A complete terminal user interface (TUI) for LDAP.
★ 959APEX. Azure Post Exploitation Framework
★ 250Spyndicapped. COM ViewLogger — new malware keylogging technique
★ 408ldapx. Flexible LDAP proxy that can be used to inspect & transform all LDAP packets generated by other tools on the fly.
★ 219EagleVM. Native code virtualizer for x64 binaries
★ 534msldap. LDAP library for auditing MS AD
★ 497flyphish. Deploy a phishing infrastructure on the fly.
★ 80PIC-Library. A collection of position independent coding resources
★ 122retdec. RetDec is a retargetable machine-code decompiler based on LLVM.
★ 8.6kgllvm. Whole Program LLVM: wllvm ported to go
★ 341whole-program-llvm. A wrapper script to build whole-program LLVM bitcode files
★ 734mcsema. Framework for lifting x86, amd64, aarch64, sparc32, and sparc64 program binaries to LLVM bitcode
★ 2.8kPSXecute. MIPS VM to execute payloads without allocating executable memory. Based on a PlayStation 1 (PSX) Emulator.
★ 126KrakenMask. Sleep obfuscation
★ 275TokenCert. TokenCert
★ 105KernelCallbackTable-Injection-PoC. Proof of Concept for manipulating the Kernel Callback Table in the Process Environment Block (PEB) to perform process injection and hijack execution flow.
★ 274Exploit-Street. Complete list of LPE exploits for Windows (starting from 2023)
★ 954Carseat. Python implementation of GhostPack's Seatbelt situational awareness tool
★ 274ollvm-rust. out-of-tree llvm obfuscation pass plugin (dynamically loadable by rustc). || rust toolchain with obfuscation llvm pass.
★ 198ADCSKiller. An ADCS Exploitation Automation Tool Weaponizing Certipy and Coercer
★ 749UwuRatel. Pink BRC4 skin/theme.
★ 15Cable. .NET post-exploitation toolkit for Active Directory reconnaissance and exploitation
★ 400ollvm17. Obfuscation LLVM 17
★ 658osintbuddy. Node graphs, OSINT data mining, and plugins. Connect unstructured and public data for transformative insights. The rewrite can be found @ osintbuddy/osintbuddy
★ 840vac-bypass-kernel. Fully working kernel-mode VAC bypass
★ 102adconnectdump. Dump Azure AD Connect credentials for Azure AD and Active Directory
★ 800awesome-password-spraying. Everything and anything related to password spraying
★ 153Misconfiguration-Manager. Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance.
★ 1.2kselene. Kernel-mode Paravirtualization in Ring 2, LLVM based linker, and some other things!
★ 446lsassdump. lsassdump via RtlCreateProcessReflection and NanoDump
★ 87NameSpi. An OSINT employee/username enumeration tool
★ 67Invoke-SessionHunter. Retrieve and display information about active user sessions on remote computers. No admin privileges required.
★ 210scylla. scylla.sh db dumps and more
★ 138pwned. A command-line tool for querying the 'Have I been pwned?' service.
★ 244cred1py. A Python POC for CRED1 over SOCKS5
★ 172Voidmaw. A new technique that can be used to bypass memory scanners. This can be useful in hiding problematic code (such as reflective loaders implemented by C2 beacons) or other problematic executables that will be flagged by the antimalware programs(such as mimikatz).
★ 359EDRenum-BOF. Identify common EDR processes, directories, and services. Simple BOF of Invoke-EDRChecker.
★ 135TelemetrySource.
★ 264GPUSleep. Move CS beacon to GPU memory when sleeping
★ 249