Tag: post-exploitation
-

Beyond the Active Session: Hunting Offline Secrets with ProfileHound’s New Graph Edge
ProfileHound is a post-escalation tool to help find and achieve red-teaming objectives by locating domain user profiles on machines. It uses the BloodHound OpenGraph format to build a new edge called HasUserProfile which determines if a user profile exists on a computer. This edge allows operators to make informed decisions about which computers to target for looting…
-

Ghost in the Beacon: Mastering In-Memory PE Execution with BOF RunPE
BOF RunPE is a Beacon Object File for Cobalt Strike that executes PE files entirely in-memory within the beacon process. Unlike traditional fork&run, no child process is spawned, no console is created, and no pipe is used – all output is captured via IAT hooking and redirected to the beacon console. Key Features No Process Creation: PE…
-

Stealing the Keys to the Cloud: SpecterBroker Unveils the Secrets of Windows Token Broker
SpecterBroker Advanced Windows authentication token extraction and decryption tool for red team operations and security research. SpecterBroker is a comprehensive post-exploitation tool designed for extracting and decrypting Windows authentication tokens from multiple sources. It targets the Windows Authentication Manager (WAM), Token Broker cache (TBRes), and related authentication subsystems to retrieve Access Tokens, Refresh Tokens, ID Tokens,…
-

The Nim Shadow: Conquest C2 Redefines Stealth for 2026 Red Teams
Conquest is a feature-rich, extensible and malleable command & control/post-exploitation framework developed for penetration testing and adversary simulation. Conquest’s team server, operator client and agent have all been developed from scratch using the Nim programming language and are designed with modularity and flexibility in mind. It features custom C2 communication via binary packets over HTTP, a…
-

The Ghost in the Machine: Master Stealth with the Orsted C2 Framework
Orsted C2 is a command and control framework. It consists of many orsted-beacons that communicate with each other and with the main orsted-server. An operator can interact with the orsted-beacon using the orsted-client. Features By design Automatic Sandbox deception If the Operator doesn’t interact with the beacon, no malicious DLL/SO will be sent to the…
-

Silent Pivot: Exploiting SpeechRuntimeMove for Stealthy Lateral Movement via DCOM
SpeechRuntimeMove Lateral Movement via SpeechRuntime DCOM trigger & COM Hijacking. This Proof of Concept (PoC) for Lateral Movement abuses the fact that some COM Classes configured as INTERACTIVE USER will spawn a process in the context of the currently logged-on user’s session. If those processes are also vulnerable to COM Hijacking, we can configure a COM…
-

Unmasking Mythic: Kaspersky Reveals How to Detect the Stealthy Open-Source Post-Exploitation Framework
Researchers at Kaspersky Lab have published an in-depth study on how to detect the presence of Mythic within corporate networks—one of the most widely used tools employed by attackers to manage compromised systems. Mythic belongs to the class of so-called post-exploitation frameworks. These platforms allow adversaries to retain control over breached machines and gradually expand…
-

ChromeAlone: Stealthy Browser Implant Steals Sessions and Phishes for YubiKeys
ChromeAlone is a browser implant that can be used in place of conventional implants like Cobalt Strike or Meterpreter. This repo provides a simple build process that will generate a management console, deploy infrastructure, and create a powershell sideloader script to run on targets. After installation, each ChromeAlone implant will provide mechanisms for: Providing a…
-

DCOMRunAs: Covert Technique for Remote Code Execution in a Logged-on Session
DCOMRunAs instantiates COM objects in the session of a logged-on user on a remote machine. By targeting a COM object subject to DLL hijacking and dropping a custom DLL at that path, the payload DLL will be loaded in the context of the logged-on remote user. Context & theory Initially an internal PoC developed last…
-

RedExt: New Red Team Tool Uses Chrome Extension for Covert Browser Data Exfiltration
RedExt is a sophisticated browser data analysis framework designed for authorized red team operations. It combines a Manifest V3 Chrome extension with a Flask-based C2 server to provide comprehensive browser data collection and analysis capabilities through a modern dark-themed dashboard. Features Cookie Extraction Domain-specific filtering Automatic cookie organization by domain Captures all cookie attributes Supports…
-

RingReaper: Stealthy Linux Agent Abuses io_uring to Bypass EDR System Call Monitoring
RingReaper is a simple post-exploitation agent for Linux designed for those who need to operate stealthily, minimizing the chances of being detected by EDR solutions. The idea behind this project was to leverage io_uring, the new asynchronous I/O interface in the Linux kernel, specifically to avoid traditional system calls that most EDRs tend to monitor or even…
-

PowerDodder: The Stealthy New Tool That Hides Malware in Your Script Files
PowerDodder is a post-exploitation persistence utility designed to stealthily embed execution commands into existing script files on the host. By leveraging files that are frequently accessed but rarely modified, it targets high-likelihood execution vectors with minimal detection risk. Background Traditional persistence methods (e.g., Registry Run keys, scheduled tasks) are often monitored or flagged by EDRs and blue teams.…
-

PsMapExec: Active Directory post-exploitation tool
What is PsMapExec A PowerShell tool heavily inspired by the popular tool CrackMapExec. Far too often I find myself on engagements without access to Linux in order to make use of CrackMapExec. PsMapExec is used as a post-exploitation tool to assess and compromise an Active Directory environment. What methods does it support? Currently supported methods…