NovaLdr NovaLdr is a Threadless Module Stomping written in Rust, designed as a learning project while exploring the world of malware development. It uses advanced techniques like indirect syscalls and string encryption to achieve...
What is PurpleLab? This solution will allow you to easily deploy an entire lab to create/test your detection rules, simulate logs, play tests, download and run malware and mitre attack techniques, restore the sandbox,...
Pytune Pytune is a post-exploitation tool for enrolling a fake device into Intune with mulitple platform support. Microsoft Intune is a cloud-based endpoint management solution designed to manage a variety of devices, including PCs...
defender2yara defender2yara is a Python tool that converts Microsoft Defender Antivirus Signatures (VDM) into YARA rules. This tool facilitates the creation of custom YARA rules from the latest signature databases or manually provided .vdm...
SkyScalpel SkyScalpel is an open-source framework for JSON policy parsing, obfuscation, deobfuscation, and detection in cloud environments. It provides flexible and highly configurable mechanisms to handle JSON-level obfuscation, IAM policy transformations, and the detection...
Obfuscar Obfuscar is a basic obfuscator for .NET assemblies. It uses massive overloading to rename metadata in .NET assemblies (including the names of methods, properties, events, fields, types, and namespaces) to a minimal set,...
Ghost Ghost is a shellcode loader project designed to bypass multiple detection capabilities that are usually implemented by an EDR Detection 1 – kernel callbacks kernel callbacks are implemented by an EDR to harness...
VOIDMAW This is a new bypass technique for memory scanners. It is useful in hiding problematic code that will be flagged by the antivirus vendors. This is basically an improved version of Voidgate, but without...
SharpExclusionFinder This C# program finds Windows Defender folder exclusions using Windows Defender through its command-line tool (MpCmdRun.exe). The program processes directories recursively, with configurable depth and thread usage, and outputs information about exclusions and scan progress....
capa capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the...
ronin Ronin is a free and Open Source Ruby toolkit for security research and development. Ronin contains many different CLI commands and Ruby libraries for a variety of security tasks, such as encoding/decoding data, filter IPs/hosts/URLs, querying ASNs, querying DNS, HTTP, scanning...
DriverJack DriverJack is a tool designed to load a vulnerable driver by abusing lesser-known NTFS techniques. These method bypass the registration of a Driver Service on the system by hijacking an existing service, and also...
IconJector This is a Windows Explorer DLL injection technique that uses the change icon dialog on Windows. How does it work? Firstly, a folder is created in the temp directory, and the properties of...
Immoral Fiber This repository contains two new offensive techniques using Windows Fibers: PoisonFiber (The first remote enumeration & Fiber injection capability POC tool) PhantomThread (An evolved callstack-masking implementation) It also contains an example test...
GoDefender This Go package provides functionality to detect and defend against various forms of debugging tools and virtualization environments Anti-Virtualization Triage Detection: Detects if the system is running in a triage or analysis environment....
MagicDot A set of rootkit-like abilities for unprivileged users, and vulnerabilities based on the DOT-to-NT path conversion known issue. MagicDot Python Package Implements MagicDot’s rootkit-like techniques: Files/Directories named with dots only Bonus – Such...
