30 open-source projects similar to mdsecactivebreach/firewalker, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Firewalker alternative.
LOLBAS is a curated database and knowledge base of signed Windows binaries that can be misused to bypass security restrictions and execute unauthorized code. It serves as a technical registry that maps trusted system files to their functional capabilities and the offensive tactics they enable. The project distinguishes itself by providing a capability-driven indexing system and a tactics registry that relates legitimate binary functionality to known security evasion techniques. It includes an association layer that links specific system binaries to attack patterns and tactical objectives, pro
The goal of this repository is to document the most common techniques to bypass AppLocker.
unDefender is the C++ implementation of a technique originally described by @jonasLyk in this Twitter thread. At its core, this technique revolves around changing the \Device\BootDevice symbolic link in the Windows Object Manager so that when Defender's WdFilter driver is unloaded and loaded…
LoadLibrary for offensive operations
This tool lets you use YARA offensively to filter the events reported by Windows event logging.
KillDefenderBOF is a Beacon Object File PoC implementation of pwn1sher/KillDefender which is based on research by Gabriel Landau. The article can be found here.
Loads any C# binary from filepath or url, patching AMSI and unhooks ETW
Also known by Microsoft as Knifecoat.
C#-based universal API unhooker that automatically unhooks API hives (ntdll.dll, kernel32.dll, advapi32.dll, and kernelbase.dll). SharpUnhooker helps you evade user-land monitoring by AVs and/or EDRs by cleansing/refreshing the API DLLs loaded in the process (offensive side) or remove API…
Svchost is essential in the implementation of so-called shared service processes, where a number of services can share a process in order to reduce resource consumption. Grouping multiple services into a single process conserves computing resources, and this consideration was of particular…
RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks, it first collects the syscall numbers of the NtOpenFile, NtCreateSection, NtOpenSection and NtMapViewOfSection found in the LdrpThunkSignature array. After…
Example code for EDR bypassing; please use this for testing blue team detection capabilities against this type of malware, which bypasses EDRs' userland hooks. The code is a bit spaghetti-like at the moment and serves only as a PoC. Not for malicious use. Note that this particular code was tested…
A position-independent reflective loader for Cobalt Strike. Zero results from Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, or MalMemDetect.
A memory-based evasion technique which makes shellcode invisible from process start to end.
SigFlip is a tool for patching Authenticode-signed PE files (exe, dll, sys, etc.) without invalidating or breaking the existing signature.
This repository exists to demonstrate methods of sneaking malicious code into GitHub pull requests.
Cover your tracks during Linux Exploitation/Penetration Testing by leaving zero traces on system logs and filesystem timestamps.
Inspired by the closed-source FireBlock tool from MDSec NightHawk, I decided to create my own version; this tool was created with the aim of blocking the outbound traffic of running EDR processes using Windows Filtering Platform (WFP) APIs.
Inline-Execute-PE is a suite of Beacon Object Files (BOFs) and an accompanying Aggressor script for Cobalt Strike that enables operators to load unmanaged Windows executables into Beacon memory and execute them, retrieving the output and rendering it in the Beacon console.
Hide your PowerShell script in plain sight. Bypass all PowerShell security features.
To view the latest version of Mangle or to submit an issue, reference https://github.com/Tylous/Mangle.
To view the latest version of ScareCrow or to submit an issue, reference https://github.com/Tylous/ScareCrow.
This repository has been moved to our C2-Tool-Collection repository.