SAMDump - Stealthy SAM Dumping Using VSS and NTAPIs
SAMDump extracts Windows SAM and SYSTEM files using Volume Shadow Copy Service (VSS) with multiple exfiltration options and XOR obfuscation.
Ethical hacker | OSCE(3) CRTM CRTL GXPN GRTP GCIH GCPN GWAPT GPEN
Amazon Managed Workflows for Apache Airflow (MWAA) is a managed service to run Apache Airflow on AWS without managing infrastructure. However, most installations are affected by CVE-2024-39877, an SSTI vulnerability which allows remote code execution.
Using socat, tmux and Python threading, DoubleTeam launches a new tmux window for each incoming reverse shell. It supports simultaneous listening on many ports and automatically resumes listening on the port after spawning the tmux window.
Creating deliberately vulnerable programs to leak the NtReadVirtualMemory address, enabling stealthier API resolution (no GetProcAddress, GetModuleHandle or LoadLibrary in the IAT).
NimDump is a port of NativeDump written in Nim, designed to dump the LSASS process using only NTAPI functions.
NPPSpy and NPPSPy2 are great tools to retrieve user credentials. In this repository, I will add some extra functionality to them, such as encryption and different exfiltration techniques.
Tool to impersonate users by stealing their tokens using only NTAPI functions. It supports two types of impersonation, one similar to CreateProcessWithToken and the other to ImpersonateLoggedOnUser.
Use only NTAPI functions to stealthily remap ntdll.dll from a clean .text section of a suspended process. This technique bypasses user-mode API monitoring and enhances evasion against security solutions.