This is your work, valued

127.0.0.1

Mohamed El Azaar

Elite
@med0x2e

RedTeamer & Security Researcher, used to be a Software Engineer/Developer, Manga/Anime Otaku

SigFlip. SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys ..etc) without invalidating or breaking the existing signature.

1.3k

GadgetToJScript. A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts.

1.1k

ExecuteAssembly. Load/Inject .NET assemblies by; reusing the host (spawnto) process loaded CLR AppDomainManager, Stomping Loader/.NET assembly PE DOS headers, Unlinking .NET related modules, bypassing ETW+AMSI, avoiding EDR hooks via NT static syscalls (x64) and hiding imports by dynamically resolving APIs (hash).

598

NTLMRelay2Self. An other No-Fix LPE, NTLMRelay2Self over HTTP (Webdav).

418

NoAmci. Using DInvoke to patch AMSI.dll in order to bypass AMSI detections triggered when loading .NET tradecraft via Assembly.Load().

217

vba2clr. Running .NET from VBA

147

NET-Assembly-Inject-Remote. .NET assembly local/remote loading/injection into memory.

136

genxlm. A simple script to generate JScript code for calling Win32 API functions using XLM/Excel 4.0 macros via Excel.Application "ExecuteExcel4Macro"

91

RT-EWS. A Powershell module including a couple of cmdlets for EWS Enum/Exploitation.

19

CSharpScripts. Collection of C# scripts

6

ProcessHider. Post-exploitation tool for hiding processes from monitoring applications

2

Scrncat. A script using OCR (pytesseract) and PIL to rename/order/group Screenshots into PR/RT phases based on which RT/PT stage executed commands correspond to & Redact passwords based on common password patterns (Regex) or a passwords/hashes list of choice.

2

elk-detection-lab. An ELK environment containing interesting security datasets.

1