This is your work, valued
LexiCrypt. Shellcode encryptor using a substitution cipher with a randomly generated key.
★ 142tryharder. C++ Staged Shellcode Loader with Evasion capabilities.
★ 96RustyKeys. UAC Bypass using CMSTP in Rust
★ 38cmstp_uac_bypass_bof. C
★ 17RustyDumper. Process dumper wrote in rust.
★ 13Sublime-Nmap-Syntax. A Sublime Text plugin that allows for Nmap syntax highlighting
★ 13sabozero. Staged Rust DLL EarlyBird Loader
★ 8compare. python script to parse the output of the hashcat potfile and the dump of the ntds.dit file to match usernames and hashes to the cracked password.
★ 7e-keh. Go Shellcode Loader
★ 6notes_cheatsheet.
★ 6RustHarder. Rust
★ 5OSEPAutoEnum. A c# version of jayesther's OSEP enumeration script with a few additions and tweaks.
★ 5updatecme. Shell
★ 3garts. evasive c++ shellcode loader
★ 3Base64. Base64 encoder/decoder in C#
★ 2breadloader. C++
★ 2recycle. Convert shellcode bytes of any format to a .bin
★ 2maldev. C#
★ 1tehstoni.
★ 1sliver-gui. A desktop operator console for Sliver C2, built with Wails. Provides a native, lightweight GUI interface for Sliver by directly interfacing with its gRPC service no proxies or protocol reimplementations required.
★ 50KslDump. KslDump — Why bring your own knife when Defender already left one in the kitchen?
★ 390tickey. Tool to extract Kerberos tickets from Linux kernel keys.
★ 258entropia. A compiled language for Windows position-independent x86-64 shellcode and Beacon Object Files.
★ 160EtwSuite. Windows native ETW inspection suite for browsing providers, reading metadata, consuming live events, recording ETL traces, filtering results, and inspecting ETL/JSON/CSV recordings from one desktop tool.
★ 85CrystalSliver. Crystal Palace Evasion kit for Sliver
★ 96quincy. Post-quantum QUIC-based VPN
★ 318GreatXML. GreatXML bitlocker bypass vulnerability
★ 593RoguePlanet. RoguePlanet Windows Defender Vulnerability
★ 1.5kneo-ConfuserEx. Updated ConfuserEX, an open-source, free obfuscator for .NET applications
★ 852KernelResearchKit. Windows 11 kernel research framework demonstrating DSE bypass on Windows 11 25H2 through boot-time execution. Loads unsigned drivers by surgically patching SeCiCallbacks via native subsystem. Includes anti-loop protection and dual-path architecture. Windows 11 25H2 driver signature enforcement bypass
★ 245rusty-bof-pe. A template for Rust based BOF-PEs
★ 22CLR-Stomp. .NET CLR-Stomping
★ 145OSED. Containing my notes, practice binaries + solutions, blog posts, etc. for the Offensive Security Exploit Developer (OSED/EXP-301)
★ 828OpenPsPipeJack. Open Source implementation of PsPipeJack
★ 24ForzaRoadFinder. HTML-based tool for finding undiscovered roads in Forza Horizon games via screen capture
★ 215CrabLoader. A PoC Cobalt Strike UDRL written in Rust
★ 30SilentHarvest_BOF. A Cobalt Strike BOF implementation of the SilentHarvest registry dumping technique
★ 181InfraGuard. InfraGuard is a Command & Control Redirection Proxy and Manager which protects your Red Team Infrastructure against threat attribution
★ 160NtExt. An advanced C++ framework for WoW64 Heaven’s Gate + Indirect Syscall, X64 Hell's Gate, and EDR evasion. Seamlessly load 64-bit kernel32 and bypass user-land hooks.
★ 26Fritter. Fritter is a heavily modified fork of TheWover and Odzhan's Donut shellcode generator.
★ 241four0three. A 403 bypass fuzzer built based on BypassFuzzer.py, but written in rust. A faster implementation with more features.
★ 2SysWhispers4. AV/EDR evasion via direct and indirect system calls Windows NT 3.1 through Windows 11 24H2 · x64 · x86 · WoW64 · ARM64
★ 535bof-vs. A Beacon Object File (BOF) template for Visual Studio
★ 285SCShell. Fileless lateral movement tool that relies on ChangeServiceConfigA to run command
★ 1.6kchisel-ng. Chisel new generation, written in rust. SSH under WSS with some customization.
★ 131Black-Angel-Rootkit. Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality.
★ 681SheetStrike. ⚡ SheetStrike - Weaponize Excel files for red team operations. Inject stealthy tracking pixels and NTLMv2 hash capture payloads into XLSX files. Supports HTTP callbacks, SMB, and WebDAV for credential harvesting.
★ 22DbgNexum. Shellcode injection using the Windows Debugging API
★ 182pwndbg. Exploit Development and Reverse Engineering with GDB & LLDB Made Easy
★ 11kPCredz. This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.
★ 2.5kosed-scripts. bespoke tooling for offensive security's Windows Usermode Exploit Dev course (OSED)
★ 9RemoteApp. I have created these custom servers for preparing EXP-301 course (aka WUMED) exam and hope it will help to take OSED certification. Feel free to DM me in discord, if you have any questions about solving this tasks :) (P.S The fourth expliot will be later on)
★ 49ShellcodeFluctuation. An advanced in-memory evasion technique fluctuating shellcode's memory protection between RW/NoAccess & RX and then encrypting/decrypting its contents
★ 1.1ksigdream. sigreturn-oriented(SROP) based sleep obfuscation poc for Linux
★ 68shellcode-mutator. shellcode transformation tool for YARA evasion
★ 61SharpSCOM. A C# utility for interacting with SCOM
★ 99Moonwalk--. Moonwalk++: Simple POC Combining StackMoonwalking and Memory Encryption
★ 227pentest-reporter. A simple pentest report generator using Python, Pandoc and Angular
★ 4SessionHop. Windows Session Hijacking via COM
★ 348TestAgentEnvironment. C
★ 11librepods. AirPods liberated from Apple's ecosystem.
★ 29kBOF_RunPe. BOF to run PE in Cobalt Strike Beacon without console creation
★ 198SILVERPICK. Windows User-Mode Shellcode Development Framework (WUMSDF)
★ 142epic. PIC shellcode (C/C++) development toolkit designed for malware developers.
★ 128Sliver-Stealth-Enhancer. A Sliver C2 modification utility that enhances operational stealth by renaming protobuf definitions, regenerating protocol buffers, updating Go references, and resolving method call collisions. Designed to reduce signature overlap and improve evasion against static analysis and detection tools.
★ 25EDR-Redir. EDR-Redir : a tool used to redirect the EDR's folder to another location.
★ 235ClickForClickOnce. ClickForClickOnce - Generate configurable clickonce payloads
★ 97Crystal-Kit. Evasion kit for Cobalt Strike
★ 473CobaltBus. Cobalt Strike External C2 Integration With Azure Servicebus, C2 traffic via Azure Servicebus
★ 248ptrguard. A pointer encryption library intended for Red Team implant design in Rust.
★ 68sekken-enum. adws enumeration bof
★ 173MaldevAcademyLdr.2. RunPE implementation with multiple evasive techniques (2)
★ 282Titanis. Windows protocol library, including SMB and RPC implementations, among others.
★ 798WMI_Proc_Dump. Dump processes over WMI with MSFT_MTProcess
★ 86EDR-Freeze. EDR-Freeze is a tool that puts a process of EDR, AntiMalware into a coma state.
★ 855Rust-Cobalt-Strike-Artifact-Kit. Rust Artifact Kit is a sophisticated research framework demonstrating advanced evasion techniques through Rust-based artifact loaders.
★ 13EarlyExceptionHandling. Implementing an early exception handler for hooking and threadless process injection without relying on VEH or SEH
★ 139fustercluck. POC tool to abuse windows server failover clusters
★ 56WSL_Payload_Builder. A powerful shell script for creating custom WSL (Windows Subsystem for Linux) distributions with embedded payloads.
★ 71PoolPartyBof. A beacon object file implementation of PoolParty Process Injection Technique.
★ 454diffrays. DiffRays is a research-oriented tool for binary patch diffing, designed to aid in vulnerability research, exploit development, and reverse engineering.
★ 330Akira-obfuscator. Another LLVM-obfuscator based on LLVM-17. A fork of Arkari
★ 117Crunchwrap-ldr. Evasive shellcode runner inspired by Taco Bell
★ 2hoontr. A hoontr must hoont
★ 105cobaltstrike-beacon-rust. CobaltStrike beacon in rust
★ 209dumping_lsass. The different ways to dump lsass
★ 288ATEAM. Python
★ 146kurasagi. Windows 11 24H2-25H2 Runtime PatchGuard Bypass
★ 261dende-rs. Monitoring tool to detect patterns or IOCs (strings, regex, VirusTotal) and alert you and your team via console, Telegram or SMS written in Rust. 🦀
★ 17defcon33_silence_kill_edr. C++
★ 344CobaltStrike-Toolset. Aggressor Script, Kits, Malleable C2 Profiles, External C2 and so on
★ 591TicketsDump. Minimal Rubeus implementation, supporting tgtdeleg with impersonation
★ 7exe_path. A cross-platform way to get your executable's directory
★ 6beacondbg. Beacon Debugger
★ 56C4. Cross Compatible Command and Control
★ 48Dispatch. General Purpose OpSec Server
★ 113turnt. A tool designed for smuggling interactive command and control traffic through legitimate TURN servers hosted by reputable providers such as Zoom.
★ 427BOF.NET. A .NET Runtime for Cobalt Strike's Beacon Object Files
★ 93RingReaper. Linux post-exploitation agent that uses io_uring to stealthily bypass EDR detection by avoiding traditional syscalls.
★ 382MSSQLHound. Go (formerly PowerShell) collector for adding MSSQL attack paths to BloodHound with OpenGraph
★ 337theHandler-BOF. Dump protected process memory by using BYOVD to tamper with handle objects in the kernel.
★ 41Crystal-Loaders. A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike
★ 233socks5. SOCKS Protocol Version 5 Library in Go. Full TCP/UDP and IPv4/IPv6 support
★ 783CoercedPotatoRDLL. Reflective DLL to privesc from NT Service to SYSTEM using SeImpersonateToken privilege
★ 227WSL-Payloads. A small How-To on creating your own weaponized WSL file
★ 127lordran.polymorphic.shellcode. Things i do because i saw it on twitter on a weekend
★ 55injectEtwBypass. CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)
★ 300CARTX. Collection of powershell scripts I used to complete my CARTP and CARTE courses.
★ 49IMSI-catcher. This program show you IMSI numbers of cellphones around you.
★ 4.4krust-cpuid. cpuid library in rust.
★ 180BurpSidian. Java
★ 13awesome-rust. A curated list of Rust code and resources.
★ 58kLdrShuffle. Code execution/injection technique using DLL PEB module structure manipulation
★ 284delphiprocesshollowing. DelphiProcessHollowing
★ 11pear-desktop. Pear 🍐 is extension for music player
★ 33kSublime-CNA-Syntax. .cna syntax highlighting for sublime
★ 3SockTail. Lightweight binary that joins a device to a Tailscale network and exposes a local SOCKS5 proxy. Designed for red team operations and ephemeral access into restricted environments using Tailscale’s embedded client (tsnet). Zero config, no daemon, no persistence - just a fast way in.
★ 568Emperor-Public. Payload Generation Workflow
★ 41codex. Lightweight coding agent that runs in your terminal
★ 97kNullGate. Library that eases the use of indirect syscalls. Quite interesting AV/EDR bypass as PoC.
★ 168community_kit. Cobalt Strike is a post-exploitation framework designed to be extended and customized by the user community. Several excellent tools and scripts have been written and published, but they can be challenging to locate. Community Kit is a central repository of extensions written by the user community to extend the capabilities of Cobalt Strike. The Cobalt Strike team acts as the curator and provides this kit to showcase this fantastic work.
★ 422RIFT. Rust Library Recognition Project for Rust Malware by the MSTIC-MIRAGE Team
★ 373Lodestar-Forge. Easy to use, open-source infrastructure management platform, crafted specifically for red team engagements.
★ 109DCOMRunAs. Lateral movement with DCOM DLL hijacking
★ 179BitlockMove. Lateral Movement via Bitlocker DCOM interfaces & COM Hijacking
★ 442hypnus. Sleep Obfuscation in Rust
★ 283phantom_persist_rs. Rust implementation of phantom persistence technique documented in https://blog.phantomsec.tools/phantom-persistence
★ 65Aspasia. Research framework for reverse engineering and cheat prototyping in Counter-Strike 2
★ 74aad_prt_bof. C++
★ 167IPRotate_Burp_Extension. Extension for Burp Suite which uses AWS API Gateway to rotate your IP on every request.
★ 894CVE-2025-33073. PoC Exploit for the NTLM reflection SMB flaw.
★ 707byor. Go
★ 165SignatureKid. C++
★ 402sccmsqlclient. Python
★ 30shellcode-template. A cmkr based win32 shellcode template for a unified build platform and more production friendly structure/testing.
★ 6nanorobeus. COFF file (BOF) for managing Kerberos tickets.
★ 328corrosion. Marrying Rust and CMake - Easy Rust and C/C++ Integration!
★ 1.5kRiscyWorkshop. Payload Obfuscation for Red Teams workshop materials
★ 83hello-rs. Implementation of hello world in windows, focusing on binary size and malleability of windows binaries
★ 18Black-Hat-Zig. This project provides some code examples of Zig for malwares, hacking, and red teaming. ⚡
★ 218Fatpack. A Windows PE packer for executables (x64) with LZMA compression and with full TLS (Thread Local Storage) support.
★ 100injectorppforrust. Injectorpp is a powerful tool designed to facilitate the writing of unit tests without the need to introduce traits solely for testing purposes. It streamlines the testing process by providing a seamless and efficient way to abstract dependencies, ensuring that your code remains clean and maintainable.
★ 398Intel.AES-NI. Intel.AES-NI: Leveraging Intel AES-NI for AES-128 & AES-256 Encryption Modes
★ 26evil-winrm-py. Execute commands interactively on remote Windows machines using the WinRM protocol (just faster)
★ 381Pentest-Windows. ⚔️Windows11 Penetration Suite Toolkit 🔰 The First Windows Penetration Testing Environment on Mac M Chips
★ 3.5kObfusk8. Obfusk8: lightweight Obfuscation library based on C++17 / Header Only for windows binaries
★ 774Delegations. A tool to work with all types of Kerberos delegations (unconstrained, constrained, and resource-based constrained delegations) in Active Directory
★ 222rssh-rs. Rust
★ 53boflink. Linker for Beacon Object Files
★ 191brc4_profile_maker. An interactive TUI tool to create Brute Ratel C4 profiles based on BURP browsing data.
★ 32OST-C2-Spec. Open Source C&C Specification
★ 281scepter-rs. A hacky way of getting cross-arch/platform support in Cobalt Strike
★ 38SharpSuccessor. SharpSuccessor is a .NET Proof of Concept (POC) for fully weaponizing Yuval Gordon’s (@YuG0rd) BadSuccessor attack from Akamai.
★ 415BadSuccessor. PowerShell
★ 268CallStack-Spoofer. This tool will allow you to spoof the return addresses of your functions as well as system functions.
★ 575WSL2-Linux-Kernel. The source for the Linux kernel used in Windows Subsystem for Linux 2 (WSL2)
★ 10kWindowsAdvancedSettings. C#
★ 388WSL. Windows Subsystem for Linux
★ 33krust_syscalls. Single stub direct and indirect syscalling with runtime SSN resolving for windows.
★ 237atexec-pro. Fileless atexec, no more need for port 445
★ 413rdll-rs. A reflective DLL development template for the Rust programming language
★ 121Stardust. A modern 32/64-bit position independent implant template
★ 1.4kBolthole. Dig your way out of networks like a Meerkat using SSH tunnels via ClickOnce.
★ 300M365SAT. Microsoft 365 Security Assessment Tool - A Easy-To-Use Microsoft 365 Security Assessment Tool
★ 194Ghosting-AMSI. Ghosting-AMSI
★ 246ForsHops. ForsHops
★ 154sccmhunter. SCCMHunter is a post-ex tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain.
★ 928ClrAmsiScanPatcher. Patches the AmsiScan function in clr.dll allowing for unrestricted assembly loading in .NET
★ 54squarephish2. OAuth Device Code Phishing Toolkit
★ 133Misconfiguration-Manager. Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance.
★ 1.2kSoaPy. SoaPy is a Proof of Concept (PoC) tool for conducting offensive interaction with Active Directory Web Services (ADWS) from Linux hosts.
★ 267DataInject-BOF. Hijacks code execution via overwriting Control Flow Guard pointers in combase.dll
★ 155awesome-injection. Centralized resource for listing and organizing known injection techniques and POCs
★ 707Hunter. Охотник (Hunter) is a simple Adversary Simulation tool developed for achieves stealth through API unhooking, direct and indirect syscalls, Event Tracing for Windows (ETW) suppression, process hollowing, stack spoofing, polymorphic encryption, and comprehensive anti-analysis mechanisms.
★ 94awesome-bof. 🧠 The ultimate resource for finding Beacon Object Files (BOFs).
★ 148waiting_thread_hijacking. Waiting Thread Hijacking - injection by overwriting the return address of a waiting thread
★ 264SuperMega. Stealthily inject shellcode into an executable
★ 474Red-Team-Infrastructure-Wiki. Wiki to collect Red Team infrastructure hardening resources
★ 4.5kExecuteAssembly. Load/Inject .NET assemblies by; reusing the host (spawnto) process loaded CLR AppDomainManager, Stomping Loader/.NET assembly PE DOS headers, Unlinking .NET related modules, bypassing ETW+AMSI, avoiding EDR hooks via NT static syscalls (x64) and hiding imports by dynamically resolving APIs (hash).
★ 598libs. Single-file public domain libraries for C/C++
★ 2.3kshadow. Windows Kernel Rootkit in Rust
★ 696InlineWhispers3. Tool for working with Indirect System Calls in Cobalt Strike's Beacon Object Files (BOF) using SysWhispers3 for EDR evasion
★ 104Cable. .NET post-exploitation toolkit for Active Directory reconnaissance and exploitation
★ 401pack. PACK (Password Analysis and Cracking Kit)
★ 884KrbRelay. Framework for Kerberos relaying
★ 952sogen. 🪅 Windows & Linux userspace emulator
★ 3.3kRemoteMonologue. Weaponizing DCOM for NTLM Authentication Coercions
★ 215Early-Cryo-Bird-Injections. Early Bird Cryo Injections – APC-based DLL & Shellcode Injection via Pre-Frozen Job Objects
★ 145coffeeldr. A COFF Loader written in Rust
★ 139HuffLoader. Huffman Coding in Shellcode Obfuscation & Dynamic Indirect Syscalls Loader.
★ 288BloodHound-MCP. Python
★ 160Loki. 🧙♂️ Node.js Command & Control for Script-Jacking Vulnerable Electron Applications
★ 1.4kobfuscator-llvm. LLVM obfuscation plugin pass
★ 394rust-obfuscator. Automatic Rust Obfuscator and Macro Library
★ 343NOPe. NOPe - Testing some alternate NOP opcodes
★ 9SlackSpoofing. Spoof visual user identity to send message in Slack
★ 2ForsHops. ForsHops
★ 60pyMalleableProfileParser. Parses Cobalt Strike malleable C2 profiles.
★ 61windows-drivers-rs. Platform that enables Windows driver development in Rust
★ 1.9kkong-loader. Using Just In Time (JIT) instruction decryption, this shellcode loader ensures that only the currently executing instruction is visible in memory.
★ 65myAwesome.
★ 250Viper. Adversary simulation and Red teaming platform with AI
★ 5.1kldap_shell. AD ACL abuse
★ 405OpsLoader. A Cobalt Strike payload generator and lateral movement aggressor script which places Beacon shellcode into a custom shellcode loader
★ 46ida-pro-mcp. AI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.
★ 10kInline-EA. Cobalt Strike BOF for evasive .NET assembly execution
★ 321dpapi-ng. Python DPAPI NG Decryptor for non-Windows Platforms
★ 70Get-NetNTLM. Internal Monologue BOF
★ 79CloudPEASS. Python
★ 649windres-rs. Compiles Windows resource files (.rc) into a Rust program.
★ 31x86-JTAG-Information.
★ 201IronEye. A mullti-purpose LDAP/Kerberos tool written in Rust.
★ 14ThreadlessStompingKann. Combining 3 techniques (Threadless Injection + DLL Stomping + Caro-Kann) together to evade MDE.
★ 80PyObscura. A python script that automates a C2 Profile build
★ 48BOF.NET. A .NET Runtime for Cobalt Strike's Beacon Object Files
★ 784xorstr. heavily vectorized c++17 compile time string encryption.
★ 1.4kconvoC2. C2 infrastructure over Microsoft Teams.
★ 755Rusty-Stardust. A modern Rust implementation of the original Stardust project, providing a sophisticated 32/64-bit shellcode template that features position-independent code development, compile-time string hashing, and raw string embedding capabilities, all while leveraging Rust's safety guarantees and modern tooling for both educational and practical purposes.
★ 65letItGo. Enumerate and check domains for Azure tenants
★ 58