diff --git a/Offensive.md b/Offensive.md
index 959ec80..55d41fb 100644
--- a/Offensive.md
+++ b/Offensive.md
@@ -361,6 +361,10 @@ Some tools can be categorized in more than one category. But because the current
knight0x07/ImpulsiveDLLHijack |
C# based tool which automates the process of discovering and exploiting DLL Hijacks in target binaries. The Hijacked paths discovered can later be weaponized during Red Team Operations to evade EDR's. |
+
+ knownsec/shellcodeloader |
+ ShellcodeLoader of windows can bypass AV. |
+
mai1zhi2/SharpBeacon |
CobaltStrike Beacon written in .Net 4 用.net重写了stager及Beacon,其中包括正常上线、文件管理、进程管理、令牌管理、结合SysCall进行注入、原生端口转发、关ETW等一系列功能 |
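Review bot: the description on the `+ knownsec/shellcodeloader` line is a bare capability claim ("can bypass AV") rather than a description of what the tool is, which is what the surrounding entries give (e.g. "C# based tool which automates ..."). It is also ungrammatical ("ShellcodeLoader of windows"). Suggest "Windows shellcode loader" as the minimum, and only add detail on loading methods if the upstream README actually states them.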
@@ -552,6 +556,10 @@ Some tools can be categorized in more than one category. But because the current
GetRektBoy724/JALSI |
JALSI - Just Another Lame Shellcode Injector |
+
+ GetRektBoy724/TripleS |
+ Syscall Stub Stealer - Freshly steal Syscall stub straight from the disk |
+
GoodstudyChina/APC-injection-x86-x64
|
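Review bot: style, the TripleS description "Syscall Stub Stealer - Freshly steal Syscall stub straight from the disk" repeats the project's tagline rather than describing it in the list's register; a neutral phrasing would be "Retrieves fresh syscall stubs from disk" with lower-case "syscall". While here, the neighbouring context entry `GoodstudyChina/APC-injection-x86-x64` has its column separator `|` on a line of its own and no description at all; worth fixing in a follow-up so the table renders consistently.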
@@ -606,6 +614,10 @@ Some tools can be categorized in more than one category. But because the current
Moriarty2016/NimRDI |
RDI implementation in Nim |
+
+ ORCA666/EVA3 |
+ using hellsgate in EVA to get the syscalls |
+
passthehashbrowns/DInvokeProcessHollowing |
This repository is an implementation of process hollowing shellcode injection using DInvoke from SharpSploit. DInvoke allows operators to use unmanaged code while avoiding suspicious imports or API hooking. |
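Review bot: the EVA3 description "using hellsgate in EVA to get the syscalls" starts in lower case and assumes the reader knows what EVA is, which nothing in this list introduces. Suggest capitalizing and expanding, e.g. "EVA loader, third version, resolving syscalls via Hell's Gate", and spell the technique the same way as the other entry added in this patch (`boku7/injectEtwBypass` writes "HellsGate") so both forms are searchable.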
@@ -1025,6 +1037,10 @@ Some tools can be categorized in more than one category. But because the current
TsukiCTF/Lovely-Potato |
Automating juicy potato local privilege escalation exploit for penetration testers. |
+
+ thehappydinoa/rootOS |
+ macOS Privilege Escalation Helper |
+
## Defense Evasion
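Review bot: ordering, the list is sorted case-insensitively by owner/repo (this same patch puts `eladshamir` before `EspressoCake` and `OSSEC` before `ovotech`), so `thehappydinoa/rootOS` belongs before `TsukiCTF/Lovely-Potato` ("th" sorts before "ts"), not after it as the last entry before `## Defense Evasion`. The description "macOS Privilege Escalation Helper" would also read better as a sentence saying what it helps with (enumerating escalation paths vs. running exploits), in line with the neighbouring "Automating juicy potato ..." entry.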
@@ -1117,6 +1133,10 @@ Some tools can be categorized in more than one category. But because the current
boku7/injectAmsiBypass |
Cobalt Strike BOF - Bypass AMSI in a remote process with code injection. |
+
+ boku7/injectEtwBypass |
+ CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate) |
+
br-sn/CheekyBlinder |
Enumerating and removing kernel callbacks using signed vulnerable drivers |
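Review bot: two consistency points on the `+ boku7/injectEtwBypass` line. The product is spelled "CobaltStrike" here but "Cobalt Strike" on the `injectAmsiBypass` entry directly above; the two-word form is the product name. The parenthetical "(HellsGate|HalosGate)" uses `|`, which this table format already uses as its column separator and which a renderer or parser may treat as a new cell; write "(Hell's Gate or Halo's Gate)" or use a slash instead.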
@@ -1178,6 +1198,10 @@ Some tools can be categorized in more than one category. But because the current
DarthTon/Polychaos |
PE permutation library |
+
+ dndx/phantun |
+ Transforms UDP stream into (fake) TCP streams that can go through Layer 3 & Layer 4 (NAPT) firewalls/NATs. |
+
dsnezhkov/zombieant |
Zombie Ant Farm: Primitives and Offensive Tooling for Linux EDR evasion. |
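Review bot: categorization, phantun's description ("Transforms UDP stream into (fake) TCP streams that can go through Layer 3 & Layer 4 (NAPT) firewalls/NATs") describes a UDP-over-TCP tunnelling tool for NAT traversal, i.e. a network transport concern, while the neighbouring Polychaos and zombieant entries are about endpoint/EDR evasion. The file header notes tools can fall in more than one category, so please confirm this is the intended section or cross-list it where the other tunnelling tools live. Minor: "UDP stream" / "TCP streams" disagree in number; "UDP streams into (fake) TCP streams".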
@@ -1239,6 +1263,10 @@ Some tools can be categorized in more than one category. But because the current
jfmaes/LazySign |
Create fake certs for binaries using windows binaries and the power of bat files |
+
+ jfmaes/sharpbysentinel |
+ Kill telemetry to sentinel |
+
jfmaes/SharpNukeEventLog |
nuke that event log using some epic dinvoke fu |
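Review bot: the sharpbysentinel description "Kill telemetry to sentinel" is too vague to be useful and "sentinel" is ambiguous, since several security products carry that name. Capitalize the product, say which one is meant, and describe the mechanism in a sentence, in the way the sibling `SharpNukeEventLog` entry at least names the artifact it acts on (the event log) and the technique (DInvoke).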
@@ -1267,6 +1295,10 @@ Some tools can be categorized in more than one category. But because the current
klezVirus/chameleon |
Chameleon is yet another PowerShell obfuscation tool designed to bypass AMSI and commercial antivirus solutions. |
+
+ klezVirus/inceptor |
+ Template-Driven AV/EDR Evasion Framework |
+
last-byte/unDefender |
Killing your preferred antimalware by abusing native symbolic links and NT paths. |
@@ -1522,6 +1554,10 @@ Some tools can be categorized in more than one category. But because the current
eladshamir/Internal-Monologue |
Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS |
+
+ EspressoCake/PPLDump_BOF |
+ A faithful transposition of the key features/functionality of @itm4n's PPLDump project as a BOF. |
+
fireeye/ADFSpoof |
A python tool to forge AD FS security tokens. |
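Review bot: the PPLDump_BOF line identifies the upstream by a social handle ("@itm4n's PPLDump project") while every other entry in this list identifies projects by owner/repo path; give the upstream in the same form (placeholder: `itm4n/<PPLDump repository>`, to be filled with the real slug) so readers can find the original. The wording "A faithful transposition of the key features/functionality of ... as a BOF" can be shortened to "BOF port of itm4n's PPLDump" without losing information.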
diff --git a/README.md b/README.md
index 5a42408..fe95f07 100644
--- a/README.md
+++ b/README.md
@@ -1197,6 +1197,10 @@ This repository is created as an online bookmark for useful links, resources and
3CORESec/Automata |
Automatic detection engineering technical state compliance |
+
+ Accenture/docker-plaso |
+ Docker container for plaso supertimlining tool |
+
activecm/BeaKer |
Beacon Kibana Executable Report. Aggregates Sysmon Network Events With Elasticsearch and Kibana |
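Review bot: typo on the `+ Accenture/docker-plaso` description: "supertimlining" should be "supertimelining". Consider also naming the upstream project it wraps ("Docker container for the Plaso/log2timeline super-timelining tool") since that is the searchable term.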
@@ -1289,6 +1293,10 @@ This repository is created as an online bookmark for useful links, resources and
CrowdStrike/Forensics |
Scripts and code referenced in CrowdStrike blog posts |
+
+ CrowdStrike/SuperMem |
+ A python script developed to process Windows memory images based on triage type. |
+
cryps1s/DARKSURGEON |
DARKSURGEON is a Windows packer project to empower incident response, digital forensics, malware analysis, and network defense. |
@@ -1537,6 +1545,10 @@ This repository is created as an online bookmark for useful links, resources and
OSSEC |
Open Source HIDS SECurity |
+
+ ovotech/gitoops |
+ GitOops is a tool to help attackers and defenders identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls. |
+
philhagen/sof-elk |
Configuration files for the SOF-ELK VM, used in SANS FOR572 |
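Review bot: placement, the gitoops description says it helps "attackers and defenders identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls", i.e. it is an attack-path enumeration tool for a SaaS/CI environment, yet it lands here in README.md between a HIDS (OSSEC) and a SIEM VM (sof-elk). Given the header note that tools can belong to more than one category, consider cross-listing it in Offensive.md and/or moving it to a CI/CD or identity section rather than next to host-monitoring tools.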
@@ -3003,6 +3015,10 @@ This repository is created as an online bookmark for useful links, resources and
optiv/Microsoft365_devicePhish |
A proof-of-concept script to conduct a phishing attack abusing Microsoft 365 OAuth Authorization Flow |
+
+ PoFish |
+ A new docker for phishing (PoFish) |
+
Pretext Project |
Open-Source Collection of Social Engineering Pretexts |
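Review bot: the `+ PoFish` entry lacks the owner/repo path that every other entry carries (compare `optiv/Microsoft365_devicePhish` directly above), so the project cannot be located from this list; add the repository slug. The description "A new docker for phishing (PoFish)" should say "Docker image" or "Docker container", drop "new" (it dates the entry) and not repeat the name in parentheses.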