Stealthy In-Memory Local Password Harvester (SILPH) tool: dump LSA, SAM and DCC2 with indirect syscall

proper ntdll .text section unhooking via native api. unlike other unhookers this doesnt leave 2 ntdlls loaded. x86/x64/wow64 supported.

Raptor turns Claude Code into a general-purpose AI offensive/defensive security agent. By using Claude.md and creating rules, sub-agents, and skills, and orchestrating security tool usage, we confi…

AI / LLM Red Team Field Manual & Consultant’s Handbook

Windows Session Hijacking via COM

poc for cve-2025-53772

Moonwalk++: Simple POC Combining StackMoonwalking and Memory Encryption

Fairy Law - Compromise or disable EDR security solutions

Generate backdoored RSA keys using SETUP

A simple Sleepmask BOF example

Python and BOF utilites to the determine EPA enforcement levels of popular NTLM relay targets from the offensive perspective

⚡ SheetStrike - Weaponize Excel files for red team operations. Inject stealthy tracking pixels and NTLMv2 hash capture payloads into XLSX files. Supports HTTP callbacks, SMB, and WebDAV for credent…

AppLocker-Based EDR Neutralization

Driver Buddy Revolutions for Ghidra

Serverless AITM Simulation Framework for Entra ID and M365

Run compilers interactively from your web browser and interact with the assembly

A tool for exploiting Kerberos tickets against system with Credential Guard enabled.

CornerFix is a lightweight macOS menu bar app that restores sharp display edges by overlaying customizable “caps” on the screen corners. Safe, SIP-friendly, and easy to use, it lets you toggle, res…

A Windows Named Pipe Multi-tool / Proxy

An extension to automate using DOM Invader from within Burp

KustoHawk is a lightweight incident triage and response tool designed for effective incident response in Microsoft Defender XDR and Microsoft Sentinel environments.

SpicyAD is a C# Active Directory penetration testing tool designed for authorized security assessments. It combines multiple AD attack techniques into a single, easy-to-use tool with both interacti…

Course Repository for University of Cincinnati Malware Analysis Class (CS[567]038)

A PICO for Crystal Palace that implements CLR hosting to execute a .NET assembly in memory.

Windows 11 kernel research framework demonstrating DSE bypass on Windows 11 25H2 through boot-time execution. Loads unsigned drivers by surgically patching SeCiCallbacks via native subsystem. Inclu…

Using Chromium-based browsers as a proxy for C2 traffic.

Modern security products (CrowdStrike, Bitdefender, SentinelOne, etc.) hook the nLoadImage function inside clr.dll to intercept and scan in-memory .NET assembly loads. This tool unhooks that functi…