BAADTokenBroker BAADTokenBroker is a post-exploitation tool designed to interact with Microsoft Entra ID device-bound keys. It can: request the logged-on user’s PRT cookie; create a PRT cookie using supplied credentials; acquire a TGT and...
ProfileHound is a post-escalation tool to help find and achieve red-teaming objectives by locating domain user profiles on machines. It uses the BloodHound OpenGraph format to build a new edge called HasUserProfile which determines if a...
BOF RunPE is a Beacon Object File for Cobalt Strike that executes PE files entirely in-memory within the beacon process. Unlike traditional fork&run, no child process is spawned, no console is created, and no pipe...
SpecterBroker Advanced Windows authentication token extraction and decryption tool for red team operations and security research. SpecterBroker is a comprehensive post-exploitation tool designed for extracting and decrypting Windows authentication tokens from multiple sources. It targets...
Conquest is a feature-rich, extensible and malleable command & control/post-exploitation framework developed for penetration testing and adversary simulation. Conquest’s team server, operator client and agent have all been developed from scratch using the Nim programming...
Orsted C2 is a command and control framework. It consists of many orsted-beacons that communicate with each other and with the main orsted-server. An operator can interact with the orsted-beacon using the orsted-client. Features...
Threat actors have begun repurposing a legitimate server monitoring tool as a ready-made platform for remotely controlling systems that have already been compromised. According to the Ontinue Cyber Defense Center, recent incidents involve Nezha,...
SpeechRuntimeMove Lateral Movement via SpeechRuntime DCOM trigger & COM Hijacking. This Proof of Concept (PoC) for Lateral Movement abuses the fact that some COM Classes configured as INTERACTIVE USER will spawn a process in the context...
Researchers at Kaspersky Lab have published an in-depth study on how to detect the presence of Mythic within corporate networks—one of the most widely used tools employed by attackers to manage compromised systems. Mythic...
Sauron Fast context enumeration for newly obtained Active Directory credentials. Why Sauron? When you obtain fresh credentials (password spraying, phishing, hash replay, etc.), the first thing you need is context: Who is this account...
ChromeAlone is a browser implant that can be used in place of conventional implants like Cobalt Strike or Meterpreter. This repo provides a simple build process that will generate a management console, deploy infrastructure,...
DCOMRunAs instantiates COM objects in the session of a logged-on user on a remote machine. By targeting a COM object subject to DLL hijacking and dropping a custom DLL at that path, the payload...