This is your work, valued
EDRSilencer. A tool uses Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.
★ 1.9kGhostTask. A tool employs direct registry manipulation to create scheduled tasks without triggering the usual event logs.
★ 627ScheduleRunner. A C# tool with more flexibility to customize scheduled task for both persistence and lateral movement in red team operation
★ 347RDPHijack-BOF. Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking.
★ 318ServiceMove-BOF. New lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution.
★ 303TrustedPath-UACBypass-BOF. Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object.
★ 144SCCMVNC. A tool to modify SCCM remote control settings on the client machine, enabling remote control without permission prompts or notifications. This can be done without requiring access to SCCM server.
★ 121Quser-BOF. Cobalt Strike BOF for quser.exe implementation using Windows API
★ 88ClipboardHistoryThief. POC tool to extract all persistent clipboard history data from clipboard service process memory
★ 60OffensiveCommvault. Red team tool for abusing Commvault to achieve lateral movement, persistence, and file collection.
★ 9SysWhispers3. SysWhispers on Steroids - AV/EDR evasion via direct system calls.
★ 3Suspended-Thread-Injection. Another meterpreter injection technique using C# that attempts to bypass Defender
★ 3Vulnerability-Disclosure.
★ 2WindowsDllsExport. A list of all the DLLs export in C:\windows\system32\
★ 1CloakBrowser. Stealth Chromium that passes every bot detection test. Drop-in Playwright replacement with source-level fingerprint patches. 30/30 tests passed.
★ 28kFortilogDecoder. Script to decode Fortinet binary firewall logs.
★ 13browser. Lightpanda: the headless browser designed for AI and automation
★ 32kScrapling. 🕷️ An adaptive Web Scraping framework that handles everything from a single request to a full-scale crawl!
★ 69kBYOVD. BYOVD research use cases featuring vulnerable driver discovery and reverse engineering methodology. (CVE-2025-52915, CVE-2025-1055, CVE-2026-3609, CVE-2026-8501).
★ 846ClipboardStealBOF. An alternative to the builtin clipboard feature in Cobalt Strike that adds the capability to enable/disable and dump the clipboard history.
★ 114Ransomware_Official_Domains. List Of Ransomware Groups Official WebSites
★ 175EDR-GhostLocker. AppLocker-Based EDR Neutralization
★ 338krakenhashes. Go
★ 394robin. AI-Powered Dark Web OSINT Tool
★ 5.9kexecute-assembly-pico. A PICO for Crystal Palace that implements CLR hosting to execute a .NET assembly in memory.
★ 138Titanis. Windows protocol library, including SMB and RPC implementations, among others.
★ 798turnt. A tool designed for smuggling interactive command and control traffic through legitimate TURN servers hosted by reputable providers such as Zoom.
★ 427SprayingToolkit. Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient
★ 1.6kWSPCoerce. PoC to coerce authentication from Windows hosts using MS-WSP
★ 304pytune. Python
★ 293OmniProx. IP Rotation from different providers - Like FireProx but for GCP, Azure, Alibaba and CloudFlare
★ 287EvilWorker. A new AiTM attack framework — based on leveraging service workers — designed to conduct credential phishing campaigns. Thanks to its minimalist, robust, and highly adaptable architecture, this solution can be easily deployed on PaaS.
★ 162EDR-Freeze. EDR-Freeze is a tool that puts a process of EDR, AntiMalware into a coma state.
★ 854oauthseeker. A malicious OAuth application that can be leveraged for both internal and external phishing attacks targeting Microsoft Azure and Office365 users.
★ 172PIClin. From C, Rust or Zig to binary shellcode compiler based on Mingw gcc. It allows using Win32 APIs and standard libraries without any changes to the source code.
★ 55onedrive_user_enum. onedrive user enumeration - pentest tool to enumerate valid o365 users
★ 757COMouflage. COM-based DLL Surrogate Injection
★ 173TrapFlagForSyscalling. Bypass user-land hooks by syscall tampering via the Trap Flag
★ 139BYOVD_read_write_primitive. Proof of Concepts code for Bring Your Own Vulnerable Driver techniques
★ 229ChromeAlone. A tool to transform Chromium browsers into a C2 Implant
★ 586specula. Python
★ 236saas_enum. Command-line tool for discovering SaaS platforms a company uses via DNS enumeration
★ 39Being-A-Good-CLR-Host. C
★ 141ExfilServer. Client-side Encrypted Upload Server Python Script
★ 67EDRSilencer-BOF. Port of the EDRSilencer tool (https://github.com/netero1010/EDRSilencer) to BOF format
★ 36company-research-agent. An agentic company research tool powered by LangGraph and Tavily that conducts deep diligence on companies using a multi-agent framework. It leverages Google's Gemini 2.5 Flash and OpenAI's GPT-5.1 on the backend for inference.
★ 2kvxlang-page. protector & obfuscator & code virtualizer
★ 749PrimitiveInjection. PrimitiveInjection by using Read, Write and Allocation Primitives.
★ 53SignatureKid. C++
★ 402kernel-callback-removal. kernel callback removal (Bypassing EDR Detections)
★ 222msi-search. C
★ 291certdump. Beacon Object File (BOF) for dumping certificates (and, when possible, private keys) on Windows
★ 13TrickDump. Dump lsass using only NTAPI functions creating 3 JSON and 1 ZIP file... and generate the MiniDump file later!
★ 560DeviceCodePhishing. This is a novel technique that leverages the well-known Device Code phishing approach. It dynamically initiates the flow when the victim opens the phishing link and instantly redirects them to the authentication page. No authentication method, not even FIDO, is able to protect against this type of attack.
★ 201PatchedCLRLoader. .NET assembly loader with patching AMSI and ETW bypass
★ 33Secure_Stager. An x64 position-independent shellcode stager that verifies the stage it retrieves prior to execution
★ 195CredKing. Password spraying using AWS Lambda for IP rotation
★ 666raccoon. C#
★ 53IPFilter. IP address filter by City
★ 12LitterBox. A self-hosted sandbox for red teams to test payloads against modern detection before deployment. MCP integration lets an LLM agent drive analysis end to end.
★ 1.5kTokenSmith. TokenSmith generates Entra ID access & refresh tokens on offensive engagements. It is suitable for both covert adversary simulations and penetration tests with the tokens generated working out of the box with many popular Azure post exploitation tools.
★ 408DLLHound. Find potential DLL Sideloads on your windows computer
★ 221SharpRedirect. Simple C# Redirector
★ 95Cable. .NET post-exploitation toolkit for Active Directory reconnaissance and exploitation
★ 400ScheduleRunner. A C# tool with more flexibility to customize scheduled task for both persistence and lateral movement in red team operation
★ 18NativeBypassCredGuard. Bypass Credential Guard by patching WDigest.dll using only NTAPI functions
★ 270NachoVPN. A delicious, but malicious SSL-VPN server 🌮
★ 267MFade. A python port of @dafthack's MFAsweep with some added OPSEC functionality. MFAde can be used to find single-factor authentication failure points in Mircrosoft Services.
★ 53Rocabella. Sniffing files generator
★ 62TokenCert. TokenCert
★ 105ROADtools. A collection of Azure AD/Entra tools for offensive and defensive security purposes
★ 2.7kpwndrop. Self-deployable file hosting service for red teamers, allowing to easily upload and share payloads over HTTP and WebDAV.
★ 2.3kgodap. A complete terminal user interface (TUI) for LDAP.
★ 959reg_snake. Python tool to interact with WMI StdRegProv
★ 60OperatorsKit. Collection of Beacon Object Files (BOF) for Cobalt Strike
★ 703docker-easyconnect. 使深信服(Sangfor)开发的非自由的 VPN 软件 EasyConnect 和 aTrust 运行在 docker 或 podman 中,并作为网关和/或提供 socks5、http 代理服务
★ 5.3kbrowser-identity-attacks-matrix. Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face. #nolockdown
★ 1.4kFaceDancer. FaceDancer is an exploitation tool aimed at creating hijackable, proxy-based DLLs by taking advantage of COM-based system DLL image loading
★ 442Drop-Pi. This is a collection of tools that make up what we call a "Drop-Pi", primarily used as a quick placement device during a physical/social engineering penetration test.
★ 37EDRPrison. Leverage a legitimate WFP callout driver to prevent EDR agents from sending telemetry
★ 477smbtakeover. BOF and Python3 implementation of technique to unbind 445/tcp on Windows via SCM interactions
★ 362Certify. Active Directory certificate abuse.
★ 2kMoriarty. Moriarty is designed to enumerate missing KBs, detect various vulnerabilities, and suggest potential exploits for Privilege Escalation in Windows environments.
★ 515ADExplorerSnapshot. ADExplorerSnapshot.py is an AD Explorer snapshot parser. It is made as an ingestor for BloodHound via BOFHound, and also supports full-object dumping to NDJSON.
★ 1.1kMicrosoft-Activation-Scripts. Open-source Windows and Office activator featuring HWID, Ohook, TSforge, and Online KMS activation methods, along with advanced troubleshooting.
★ 183kDavRelayUp. DavRelayUp - a universal no-fix local privilege escalation in domain-joined windows workstations where LDAP signing is not enforced (the default settings).
★ 572llm-zoomcamp. LLM Zoomcamp - a free online course about real-life applications of LLMs. In 10 weeks you will learn how to build an AI system that answers questions about your knowledge base.
★ 6.8kSnaffPoint. A tool for pointesters to find candies in SharePoint
★ 287JS-Tap. JavaScript beacons and C2 to be used for XSS payload or post exploitation implants on webapp servers or desktop software to monitor users and maintain persistence. Browser extension, electron app, and node/bun app implants are included.
★ 469SharpGraphView. Microsoft Graph API post-exploitation toolkit
★ 95BYOVDKit. bring your own vulnerable driver
★ 124AbuseAzureAPIPermissions. Abuse Azure API permissions for red teaming
★ 72ld_library. Load dll library to process during process creation utilizing Early Bird APC Queue Code Injection on Windows
★ 4WhoAmISlack. Simple Command Line Tool to Enumerate Slack Workspace Names from Slack Webhook URLs.
★ 41Spoofy. Spoofy is a program that checks if a list of domains can be spoofed based on SPF and DMARC records.
★ 768SharpADWS. Active Directory reconnaissance and exploitation for Red Teams via the Active Directory Web Services (ADWS).
★ 598ChromeKatz. Dump cookies and credentials directly from Chrome/Edge process memory
★ 1.5kROADtools. A collection of Azure AD tools for offensive and defensive security purposes
★ 2RDP-keepalive. Sending simulated mouse moving event to virtual workspace to keep session alive
★ 3Stardust. A modern 32/64-bit position independent implant template
★ 1.4kSOAPHound. SOAPHound is a custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol.
★ 889RealBlindingEDR. Remove AV/EDR Kernel ObRegisterCallbacks、CmRegisterCallback、MiniFilter Callback、PsSetCreateProcessNotifyRoutine Callback、PsSetCreateThreadNotifyRoutine Callback、PsSetLoadImageNotifyRoutine Callback...
★ 1.3kScrapedIn. A tool to scrape LinkedIn without API restrictions for data reconnaissance
★ 1.2kevilginx2. Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
★ 15kHWSyscalls. HWSyscalls is a new method to execute indirect syscalls using HWBP, HalosGate and a synthetic trampoline on kernel32 with HWBP.
★ 735BRC4-Seminar-Stage-I. These are the slide decks and source code for Brute Ratel Seminar conducted on 24th August 2023. The youtube video for the seminar can be found here:
★ 23sccmhunter. SCCMHunter is a post-ex tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain.
★ 927cs2br-bof. Run Cobalt Strike BOFs in Brute Ratel C4!
★ 89CVE-2023-20887. VMWare vRealize Network Insight Pre-Authenticated RCE (CVE-2023-20887)
★ 229subzy. Subdomain takeover vulnerability checker
★ 1.6kETWHash. C# POC to extract NetNTLMv1/v2 hashes from ETW provider
★ 262PrivKit. PrivKit is a simple beacon object file that detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS.
★ 606TheTimeMachine. Weaponizing WaybackUrls for Recon, BugBounties , OSINT, Sensitive Endpoints and what not
★ 547PatchlessCLRLoader. .NET assembly loader with patchless AMSI and ETW bypass
★ 386ImHex. 🔍 A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM.
★ 54kCrucibleC2. A C# Command & Control framework
★ 1kofficedump. Dump document encryption password from Office process memory
★ 40yt-dlp. A feature-rich command-line audio/video downloader
★ 177kQRExfil. This tool is a command line utility that allows you to convert any binary file into a QRcode movie. The data can then be reassembled visually allowing exfiltration of data in air gapped systems
★ 279Suborner. C#
★ 471EvilnoVNC. Ready to go Phishing Platform
★ 1.2kntlmv1-multi. NTLMv1 Multitool
★ 667TamperingSyscalls. C++
★ 5110day. 各种CMS、各种平台、各种系统、各种软件漏洞的EXP、POC ,该项目将持续更新
★ 2.4kacltoolkit. ACL abuse swiss-knife
★ 129RedGuard. RedGuard is a C2 front flow control tool,Can avoid Blue Teams,AVs,EDRs check.
★ 1.6kBOF-klist. A simple BOF implementation of klist using Windows API
★ 32SocksOverRDP. Socks5/4/4a Proxy support for Remote Desktop Protocol / Terminal Services / Citrix / XenApp / XenDesktop
★ 1.3kWebView2-Cookie-Stealer. C++
★ 266chlonium. Chromium Cookie import / export tool
★ 314DFSCoerce. Python
★ 841Screenshooter. C# program to take a full size screenshot or a recording of the user's desktop. Takes in 0-3 flags
★ 82SharpSpray. SharpSpray a simple code set to perform a password spraying attack against all users of a domain using LDAP and is compatible with Cobalt Strike.
★ 195Shelltropy. A technique of hiding malicious shellcode via Shannon encoding.
★ 269SysmonSimulator. Sysmon event simulation utility which can be used to simulate the attacks to generate the Sysmon Event logs for testing the EDR detections and correlation rules by Blue teams.
★ 867Malware-analysis-and-Reverse-engineering. Some of my publicly available Malware analysis and Reverse engineering.
★ 953XLL_Phishing. XLL Phishing Tradecraft
★ 441big-list-of-naughty-strings. The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input data.
★ 48knanodump. The swiss army knife of LSASS dumping
★ 2.1khiding-your-syscalls. Some source code to demonstrate avoiding certain direct syscall detections by locating and JMPing to a legitimate syscall instruction within NTDLL.
★ 218CS-Remote-OPs-BOF. Remote operations commands implemented using Beacon Object Files
★ 1.2kKrbRelayUp. KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).
★ 1.7kC2-Tool-Collection. A collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques.
★ 1.4kfrostbyte. FrostByte is a POC project that combines different defense evasion techniques to build better redteam payloads
★ 383Mystikal. macOS Initial Access Payload Generator
★ 326bloodyAD. BloodyAD is an Active Directory Privilege Escalation Framework
★ 2.2kBackstab. A tool to kill antimalware protected processes
★ 1.5kBOFs. Collection of Beacon Object Files
★ 640JustC2file. Burp插件,Malleable C2 Profiles生成器;可以通过Burp代理选中请求,生成Cobalt Strike的profile文件(CSprofile)
★ 293PoshC2. A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.
★ 2.1ksliver. Adversary Emulation Framework
★ 11ksysmon-dfir. Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.
★ 942BeaconEye. Hunts out CobaltStrike beacons and logs operator command output
★ 962LoGiC.NET. A free and open-source .NET obfuscator using dnlib.
★ 516FalconFriday. Hunting queries and detections
★ 915PrivescCheck. Privilege Escalation Enumeration Script for Windows
★ 3.9kGetWebDAVStatus. Determine if the WebClient Service (WebDAV) is running on a remote system
★ 147CobaltBus. Cobalt Strike External C2 Integration With Azure Servicebus, C2 traffic via Azure Servicebus
★ 248Bloodhound-CustomQueries. Custom Queries - Brought Up to BH4.1 syntax
★ 283InvisibilityCloak. Proof-of-concept obfuscation toolkit for C# post-exploitation tools
★ 626InvisibilityCloak. Proof-of-concept obfuscation toolkit for C# post-exploitation tools
★ 428SysWhispers2. AV/EDR evasion via direct system calls.
★ 1.8kKrbRelay. Framework for Kerberos relaying
★ 952Ivy. Ivy is a payload creation framework for the execution of arbitrary VBA (macro) source code directly in memory. Ivy’s loader does this by utilizing programmatical access in the VBA object environment to load, decrypt and execute shellcode.
★ 743logins-generator. Generate users list using certain format
★ 23inject-assembly. Inject .NET assemblies into an existing process
★ 506o365spray. Username enumeration and password spraying tool aimed at Microsoft O365.
★ 1knoPac. CVE-2021-42287/CVE-2021-42278 Scanner & Exploiter.
★ 1.4kGetWebDAVStatus. Determine if the WebClient Service (WebDAV) is running on a remote system
★ 28WebclientServiceScanner. Python tool to Check running WebClient services on multiple targets based on @leechristensen
★ 293ForkPlayground. An implementation and proof-of-concept of Process Forking.
★ 231Oh365UserFinder. Python3 o365 User Enumeration Tool
★ 575decode-spam-headers. A script that helps you understand why your E-Mail ended up in Spam
★ 697Phishious. An open-source Secure Email Gateway (SEG) evaluation toolkit designed for red-teamers.
★ 517SharpSystemTriggers. Collection of remote authentication triggers in C#
★ 534C-To-Shellcode-Examples. C
★ 210PortBender. TCP Port Redirection Utility
★ 785Self_Deletion_BOF. BOF implementation of the research by @jonasLyk and the drafted PoC from @LloydLabs
★ 187SourcePoint. SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion.
★ 1.2kinceptor. Template-Driven AV/EDR Evasion Framework
★ 1.8kBokuLoader. A proof-of-concept Cobalt Strike Reflective Loader which aims to recreate, integrate, and enhance Cobalt Strike's evasion features!
★ 1.4kspawn. Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.
★ 467Seatbelt. Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
★ 4.6kRubeus. Trying to tame the three-headed dog.
★ 5.1kDomainFrontingLists. A list of Domain Frontable Domains by CDN
★ 578RedTips. Red Team Tips as posted by @vysecurity on Twitter
★ 1.1k