Tag: Red Team

Beyond the Secure Desktop: How “RegPwn” Turned Windows Accessibility Into a SYSTEM-Level Backdoor
For over a year, a critical vulnerability lurking within the Windows accessibility mechanisms empowered malefactors to usurp absolute dominion over the operating system. This insidious flaw lay concealed within the ubiquitous On-Screen Keyboard, casting its shadow across virtually all supported iterations of the Windows architecture. The cybersecurity vanguard at MDSec recently unveiled this privilege escalation…

M365Pwned: Red Team tooling for Microsoft 365 exploitation via Microsoft Graph API
M365Pwned Red Team tooling for Microsoft 365 exploitation via Microsoft Graph API. Two WinForms GUI tools for enumerating, searching, and exfiltrating data from M365 environments using application-level OAuth tokens — no user interaction required. Tool Target What it does MailPwned-GUI.ps1 Exchange Online / Outlook Browse mailboxes, search mail, download attachments, send impersonation emails SharePwned-GUI.ps1 SharePoint…
SilentButDeadly: New Tool Blinds EDR Without Killing Processes
SilentButDeadly is a network communication blocker specifically designed to neutralize EDR/AV software by preventing their cloud connectivity using Windows Filtering Platform (WFP). This version focuses solely on network isolation without process termination. Key Technical Details WFP Filter Specifications Layer: Application Layer Enforcement (ALE) Weight: 0x7FFF (high priority) Action: FWP_ACTION_BLOCK Condition: FWPM_CONDITION_ALE_APP_ID (process-specific) Flags: FWPM_FILTER_FLAG_CLEAR_ACTION_RIGHT Supported EDR Targets SentinelOne (all…

FusterCluck PoC: Script Exploits RPC to Achieve Lateral Movement in Failover Clusters
FusterCluck is a POC script for attacking failover clusters via the cluster API over RPC. The tool allows enumeration of cluster nodes and the state of cluster roles. If an attacker has control of a cluster admin or a cluster virtual account, they can migrate cluster groups to every node of the cluster and target…

BamboozlEDR: New Tool Generates Realistic ETW Events to Test EDR Detection
BamboozlEDR A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes. BamboozlEDR features a TUI interface and can generate realistic security events across multiple Windows ETW providers to test EDR detection capabilities, log analysis systems, and security monitoring solutions. Note: This tool is built as a Proof-of-Concept. It is…

EntraGoat: Deliberately Vulnerable Microsoft Entra ID Lab for Privilege Escalation Training
EntraGoat is a deliberately vulnerable Microsoft Entra ID infrastructure designed to simulate real-world identity security misconfigurations and attack vectors. EntraGoat introduces intentional vulnerabilities in your environment to provide a realistic learning platform for security professionals. It features multiple privilege escalation paths and focuses on black-box attack methodologies. EntraGoat uses PowerShell scripts and Microsoft Graph APIs to…

RedExt: New Red Team Tool Uses Chrome Extension for Covert Browser Data Exfiltration
RedExt is a sophisticated browser data analysis framework designed for authorized red team operations. It combines a Manifest V3 Chrome extension with a Flask-based C2 server to provide comprehensive browser data collection and analysis capabilities through a modern dark-themed dashboard. Features Cookie Extraction Domain-specific filtering Automatic cookie organization by domain Captures all cookie attributes Supports…

RingReaper: Stealthy Linux Agent Abuses io_uring to Bypass EDR System Call Monitoring
RingReaper is a simple post-exploitation agent for Linux designed for those who need to operate stealthily, minimizing the chances of being detected by EDR solutions. The idea behind this project was to leverage io_uring, the new asynchronous I/O interface in the Linux kernel, specifically to avoid traditional system calls that most EDRs tend to monitor or even…

LdrShuffle: Stealthy Code Execution via DLL EntryPoint Overwriting
LdrShuffle Stealthy code execution via modification of the EntryPoint of loaded modules at runtime. Summary Windows processes have various modules loaded at runtime. Each of these modules has a DllMain() function defined, which will be invoked on process or thread creation/destruction (four possible scenarios). In order to properly call those functions during the lifetime of the process, the Windows…

BitlockMove: New PoC for Covert Lateral Movement via BitLocker DCOM Hijacking
BitlockMove Lateral Movement via Bitlocker DCOM & COM Hijacking. This Proof of Concept (PoC) for Lateral Movement abuses the fact that some COM Classes configured as INTERACTIVE USER will spawn a process in the context of the currently logged-on user's session. If those processes are also vulnerable to COM Hijacking, we can configure a COM Hijack…

Cyber Deception: BUDA Framework Automates Realistic User Behavior to Trap Attackers
Behavioral User-driven Deceptive Activities Framework (BUDA) is a cutting-edge solution designed to enhance deception operations in cybersecurity by automating the simulation of realistic user behaviors within decoy environments. By integrating strategic narratives, dynamic user profiles, and automated activity simulation, BUDA aims to model credible decoys that mislead attackers and strengthen defense mechanisms. Key Objectives Automate…

DNSForge: The Pentesting Tool That Automates Internal DNS Poisoning and Hash Capture
DNSForge is a network pentesting tool for responding to name resolution requests made to the authoritative DNS server in an internal network landscape, achieving interception and reuse of system credentials without user interaction. This tool is intended to be used alongside Responder. The original blog post for DNSForge can be found here Attack Customization One of 2…

Red Team Arsenal: AzDevRecon Tool Automates Azure DevOps Recon and Secret Hunting
AzDevRecon is a web-based enumeration tool designed for offensive security professionals, red teamers, and penetration testers targeting Azure DevOps. It helps identify misconfigurations, exposed secrets, and security gaps by leveraging token-based authentication for reconnaissance and data extraction. Features Token-Based Enumeration – Supports enumeration using Azure DevOps Personal Access Tokens (PATs) and Access Tokens from Managed Identity authentication. Project & Repository Discovery –…

The MFA Killer: How One Programmer’s Tool Became a $100M Cybercrime Weapon
Kuba Gretzky originally sought to make the internet a safer place — yet his creation achieved the opposite. In 2017, the Polish programmer developed Evilginx, a tool designed to help Red Team professionals study phishing techniques and understand how attackers steal credentials. The idea was simple: to demonstrate how easily even multi-factor authentication could be…

SmuggleShield: A Browser Extension to Detect and Block HTML Smuggling Attacks
SmuggleShield is a browser extension that aims to prevent HTML smuggling attacks by detecting common patterns. While this is not a comprehensive or bulletproof solution, it is an attempt to provide an additional layer of security during browsing or during your red/purple team exercise. The extension is compatible with both Chrome and Edge for Mac…
