killswitch-gui / cobaltstrike-toolkit Goto Github PK

Over the years I have worked on various projects ranging from small research projects to team based projects in support of OSS. The following work spans over 10 years of OSS development, training, and research. Most of the code is research for other operational projects for red teaming, pentesting and IR.

• RAT - Repurposing Adversarial Tradecraft - Video
• Malvertizing Like a Pro - Video
• THE {PHISHING} {PATH} TO {INFO} WE MISSED
• External to DA, the OS X Way
• Building an EmPyre with Python - Video

• SimplyEmail - OSINT collection tool with various modules to extract emails for targeted phishing
• SimplyTemplate - Phishing Template Generation for large scale phishing
• simplydomain - SimplyDomain uses a framework approach to build and deploy modules within. This allows for fast, easy and, concise output to feed into larger OSINT feeds of subdomain collection.

• DeepFreeze-Agent - Custom C++ agent to learn various Windows C APIs and WMI process, service, driver monitoring supporting dynamic rule creation. See confrence talk https://www.slideshare.net/AlexanderRymdekoHarv/rat-repurposing-adversarial-tradecraft
• EmPyre - Core contributor on a team to develop EmPyre, a pure Python post-exploitation agent for OSX that was used on various Red Team engagements as limited OSS agents existed.
• Empire - Core contributor on a team to support and develop on Empire after the python agent was merged into the Empire branch for cross platform operations.

• Rapid Attack Infrastructure (RAI) - Team project to automate C2 redirector setup for Red Team OP's
• flask_heroku_redirector - Python Flask example application that demonstrates using Heroku as a C2 redirector
• flask_pythonanywhere_redirector - Python Flask example application that demonstrates using python-anywhere as a C2 redirector
• flask_appengine_redirector - Python Flask example application that demonstrates using Google App engine as a C2 redirector
• CobaltStrike-ToolKit - Various collection of tools and scripts built over the years for CS

• SetWindowsHookEx-Keylogger - Example implementation of a Windows C++ Native Keylogger using SetWindowsHookEx
• HastySeries - C# toolset for offensive operators to triage, asses and make intelligent able decisions.
• minidump-lib - C++ MiniDumpWriteDump static lib example, with CLI
• Invoke-EncryptedZip.ps1 - Utility to make a encrypted and compressed Zip file from a provided folder. This allows users to stage files in a designated folder for exfil, or protection from final storage location.
• Invoke-RPCArchitectureCheck%20.ps1 - A simple utility to use a crafted RPC packet to check a remote host's arch. Returns x86 or x64. It is based off research into remote service kernel exploitation and loaders.

• Winsock-PCAP - Demonstrates a POC of how an older, yet still safe, method of native PCAP can take place using the Winsock2 library on Windows. This uses a reflective DLL injection to deploy and name pipes using a PowerShell POC communicator.
• NIX-Sniffer-Examples - Linux Python 2.7 Socket sniffer (Layer 3 and up), OSX Libpcap monitor mode test and sniffer research
• osx-libpcap-fullcap.py - OSX PCAP using python 2.7, libpcap, libc, and ctypes implemented in pure Python

• InfoPhish - InfoPath C# embded .NET DLL with remote Process Hollowing
• HotLoad-Driver - Loading Windows Drivers using Service Control Manager (SC) & Native Windows API's while embedding WinPCAP into RDI with Windows Pipes for control
• PeFixUp - Windows PE Tainting pre-flight op checks for delivering PE's to disk. Provides operator ability to capture metadata, ensure opsec and taint/check key characteristics to prevent AV/Analysis.

• Persistence-Survivability - Research based on Duqu style persistence as a TTP to locate high uptime hosts within a network and calculate a Persistence Survivability Rating (PSR).
• Invoke-InstallPsGPOPersistence - Provides the install of PS or Scripts persistence using reg keys and the proper .ini file to insert into GPO startup

• Fuzz-FFmpeg - Docker container to support AFL (afl-multicore) to Fuzz FFmpeg in a contained environment

• IsDebuggerPresent - Comparing three excellent debugger check TTPs for necessary sandbox and anti-reversing techniques and their detection ratios. With interest in the ability to alert on IR actions and potentially beacon out with maybe a magic packet or some other TTP to ID that we have been burnt.
• C-OSX-Shellcode - Used to learn X86_x64 shellcode generation using ASM and compiled C code on OSX
• Domain-WIFILocate