Tools

ReverseSocks5

Single executable reverse SOCKS5 proxy written in Golang.

PPLKiller

PPLKiller leverages a trusted MSI driver to disable LSA Protection, allowing credentials to be dumped from memory. The tool supports removing the Protected Process Light (PPL) attributes from any process and manipulating process tokens.

GhostWrite64

Process injection technique that uses only Get/SetThreadContext.

CoughLoader

CoughLoader is a COFF loader, allowing malware to load and execute COFF files in memory, for educational purposes.

CLRHost

Host the .NET CLR in native code.

GoPastAV

Generate tailored MSBuild compatible project files for executing shellcode on endpoints with application whitelisting solutions. The tool employs a number of antivirus and EDR evasion techniques, including encryption of the shellcode, sandbox detection, environment keying and multiple shellcode injection methods.

NTFSCopy

An execute-assembly compatible tool that can copy in-use files such as ntds.dit using NTFS structure parsing. The tool is simply a wrapper for NtfsLib.

LSASecretsTool

An execute-assembly compatible tool for manipulating LSA secrets using the undocumented but official LSASS API calls. This includes reading, writing, creating and deleting LSA secrets.

CVE-2020-0668

Implementation of CVE-2020-0668 which leverages symbolic links to perform a privileged file move operation that can lead to privilege escalation on all versions of Windows from Vista to 10, including server editions.

SharpHashSpray

An execute-assembly compatible tool for spraying local admin hashes (NTLM). By default, the tool automatically fetches a list of all domain-joined hosts to check. Alternatively, a target range can be provided.

GetAdDecodedPassword

This tool queries Active Directory for users with the UnixUserPassword, UserPassword, unicodePwd, or msSFU30Password properties populated. It then decodes those password fields and displays them to the user.