From a0817e406a3dce126fdb5621862b8c2c845949fc Mon Sep 17 00:00:00 2001 From: pe3zx Date: Sun, 26 Sep 2021 12:41:08 +0700 Subject: [PATCH 01/13] Add: CrowdStrike/SuperMem to DFIR section --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 5a42408..8459f11 100644 --- a/README.md +++ b/README.md @@ -1289,6 +1289,10 @@ This repository is created as an online bookmark for useful links, resources and CrowdStrike/Forensics Scripts and code referenced in CrowdStrike blog posts + + CrowdStrike/SuperMem + A python script developed to process Windows memory images based on triage type. + cryps1s/DARKSURGEON DARKSURGEON is a Windows packer project to empower incident response, digital forensics, malware analysis, and network defense. From a79cf700ebdd5aeb85c586bf04703e2441484431 Mon Sep 17 00:00:00 2001 From: pe3zx Date: Sun, 26 Sep 2021 13:00:08 +0700 Subject: [PATCH 02/13] Add: thehappydinoa/rootOS to Privilege Escalation section --- Offensive.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Offensive.md b/Offensive.md index bce1c76..0dc3650 100644 --- a/Offensive.md +++ b/Offensive.md @@ -1021,6 +1021,10 @@ Some tools can be categorized in more than one category. But because the current TsukiCTF/Lovely-Potato Automating juicy potato local privilege escalation exploit for penetration testers. + + thehappydinoa/rootOS + macOS Privilege Escalation Helper + ## Defense Evasion From 1a70fd0cc8bf091d5513ec313fd54d8a9ad1c51e Mon Sep 17 00:00:00 2001 From: pe3zx Date: Sun, 26 Sep 2021 13:01:16 +0700 Subject: [PATCH 03/13] Add: ORCA666/EVA3 to Execution section --- Offensive.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Offensive.md b/Offensive.md index 0dc3650..9b6cb63 100644 --- a/Offensive.md +++ b/Offensive.md 
@@ -602,6 +602,10 @@ Some tools can be categorized in more than one category. But because the current Moriarty2016/NimRDI RDI implementation in Nim + + ORCA666/EVA3 + using hellsgate in EVA to get the syscalls + passthehashbrowns/DInvokeProcessHollowing This repository is an implementation of process hollowing shellcode injection using DInvoke from SharpSploit. DInvoke allows operators to use unmanaged code while avoiding suspicious imports or API hooking. From 399ebea43060d2abc7965af8679cf8fd8dc1decb Mon Sep 17 00:00:00 2001 From: pe3zx Date: Sun, 26 Sep 2021 13:03:55 +0700 Subject: [PATCH 04/13] Add: dndx/phantun to Defense Evasion section --- Offensive.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Offensive.md b/Offensive.md index 9b6cb63..d89d5b2 100644 --- a/Offensive.md +++ b/Offensive.md @@ -1182,6 +1182,10 @@ Some tools can be categorized in more than one category. But because the current DarthTon/Polychaos PE permutation library + + dndx/phantun + Transforms UDP stream into (fake) TCP streams that can go through Layer 3 & Layer 4 (NAPT) firewalls/NATs. + dsnezhkov/zombieant Zombie Ant Farm: Primitives and Offensive Tooling for Linux EDR evasion. From 8fd67849b2ca2cb6b5d150ab7b61b1f8eafc821e Mon Sep 17 00:00:00 2001 From: pe3zx Date: Sun, 26 Sep 2021 13:07:43 +0700 Subject: [PATCH 05/13] Add: Accenture/docker-plaso to DFIR section --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 8459f11..03ebd90 100644 --- a/README.md +++ b/README.md @@ -1197,6 +1197,10 @@ This repository is created as an online bookmark for useful links, resources and 3CORESec/Automata Automatic detection engineering technical state compliance + + Accenture/docker-plaso + Docker container for plaso supertimlining tool + activecm/BeaKer Beacon Kibana Executable Report. Aggregates Sysmon Network Events With Elasticsearch and Kibana From f978e4c0beab88617135f76c05605e3710502454 Mon Sep 17 00:00:00 2001 
From: pe3zx Date: Sun, 26 Sep 2021 13:14:10 +0700 Subject: [PATCH 06/13] Add: PPLDump_BOF to Credential Access section --- Offensive.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Offensive.md b/Offensive.md index d89d5b2..df19ad6 100644 --- a/Offensive.md +++ b/Offensive.md @@ -1530,6 +1530,10 @@ Some tools can be categorized in more than one category. But because the current eladshamir/Internal-Monologue Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS + + EspressoCake/PPLDump_BOF + A faithful transposition of the key features/functionality of @itm4n's PPLDump project as a BOF. + fireeye/ADFSpoof A python tool to forge AD FS security tokens. From 2903eeb23f054787cc035d0db099d7a3306d9891 Mon Sep 17 00:00:00 2001 From: pe3zx Date: Sun, 26 Sep 2021 14:54:47 +0700 Subject: [PATCH 07/13] Add: GetRektBoy724/TripleS to Execution section --- Offensive.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Offensive.md b/Offensive.md index df19ad6..89b123b 100644 --- a/Offensive.md +++ b/Offensive.md @@ -548,6 +548,10 @@ Some tools can be categorized in more than one category. But because the current GetRektBoy724/JALSI JALSI - Just Another Lame Shellcode Injector + + GetRektBoy724/TripleS + Syscall Stub Stealer - Freshly steal Syscall stub straight from the disk + GoodstudyChina/APC-injection-x86-x64 From dfb85a51ecdf793346284f4240a6154dbb7aeb33 Mon Sep 17 00:00:00 2001 From: pe3zx Date: Sun, 26 Sep 2021 14:56:24 +0700 Subject: [PATCH 08/13] Add: jfmaes/sharpbysentinel to Defense Evasion section --- Offensive.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Offensive.md b/Offensive.md index 89b123b..f2de3b2 100644 --- a/Offensive.md +++ b/Offensive.md 
@@ -1251,6 +1251,10 @@ Some tools can be categorized in more than one category. But because the current jfmaes/LazySign Create fake certs for binaries using windows binaries and the power of bat files + + jfmaes/sharpbysentinel + Kill telemetry to sentinel + jfmaes/SharpNukeEventLog nuke that event log using some epic dinvoke fu From e561e389154d161bff2bb8fe2cc8b24047e83ea0 Mon Sep 17 00:00:00 2001 From: pe3zx Date: Sun, 26 Sep 2021 14:57:37 +0700 Subject: [PATCH 09/13] Add: knownsec/shellcodeloader to Execution section --- Offensive.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Offensive.md b/Offensive.md index f2de3b2..d187593 100644 --- a/Offensive.md +++ b/Offensive.md @@ -357,6 +357,10 @@ Some tools can be categorized in more than one category. But because the current knight0x07/ImpulsiveDLLHijack C# based tool which automates the process of discovering and exploiting DLL Hijacks in target binaries. The Hijacked paths discovered can later be weaponized during Red Team Operations to evade EDR's. + + knownsec/shellcodeloader + ShellcodeLoader of windows can bypass AV. + mai1zhi2/SharpBeacon CobaltStrike Beacon written in .Net 4 用.net重写了stager及Beacon,其中包括正常上线、文件管理、进程管理、令牌管理、结合SysCall进行注入、原生端口转发、关ETW等一系列功能 From fac6bea46d2ab9a5825b4a909399c948bf7464b2 Mon Sep 17 00:00:00 2001 From: pe3zx Date: Sun, 26 Sep 2021 15:10:45 +0700 Subject: [PATCH 10/13] Add: boku7/injectEtwBypass to Defense Evasion section --- Offensive.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Offensive.md b/Offensive.md index d187593..09e0c44 100644 --- a/Offensive.md +++ b/Offensive.md 
@@ -1129,6 +1129,10 @@ Some tools can be categorized in more than one category. But because the current boku7/injectAmsiBypass Cobalt Strike BOF - Bypass AMSI in a remote process with code injection. + + boku7/injectEtwBypass + CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate) + br-sn/CheekyBlinder Enumerating and removing kernel callbacks using signed vulnerable drivers From 99073c8567d1f9354b763dd442962528710223bb Mon Sep 17 00:00:00 2001 From: pe3zx Date: Sun, 26 Sep 2021 15:17:26 +0700 Subject: [PATCH 11/13] Add: klezVirus/inceptor to Defense Evasion section --- Offensive.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Offensive.md b/Offensive.md index 09e0c44..131f47c 100644 --- a/Offensive.md +++ b/Offensive.md @@ -1291,6 +1291,10 @@ Some tools can be categorized in more than one category. But because the current klezVirus/chameleon Chameleon is yet another PowerShell obfuscation tool designed to bypass AMSI and commercial antivirus solutions. + + klezVirus/inceptor + Template-Driven AV/EDR Evasion Framework + last-byte/unDefender Killing your preferred antimalware by abusing native symbolic links and NT paths. From 22ec75047d43d6dc8aaa97bf8f5fd01b29315592 Mon Sep 17 00:00:00 2001 From: pe3zx Date: Sun, 26 Sep 2021 15:33:19 +0700 Subject: [PATCH 12/13] Add: ovotech/gitoops to DFIR section --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 03ebd90..357ab9b 100644 --- a/README.md +++ b/README.md @@ -1545,6 +1545,10 @@ This repository is created as an online bookmark for useful links, resources and OSSEC Open Source HIDS SECurity + + ovotech/gitoops + GitOops is a tool to help attackers and defenders identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls. + philhagen/sof-elk Configuration files for the SOF-ELK VM, used in SANS FOR572 
From f1c7f8d6a30c8c05612c6bce58794471a35a25ab Mon Sep 17 00:00:00 2001 From: pe3zx Date: Sun, 26 Sep 2021 15:34:24 +0700 Subject: [PATCH 13/13] Add: PoFish to Social Engineering section --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 357ab9b..fe95f07 100644 --- a/README.md +++ b/README.md @@ -3015,6 +3015,10 @@ This repository is created as an online bookmark for useful links, resources and optiv/Microsoft365_devicePhish A proof-of-concept script to conduct a phishing attack abusing Microsoft 365 OAuth Authorization Flow + + PoFish + A new docker for phishing (PoFish) + Pretext Project Open-Source Collection of Social Engineering Pretexts
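Review bot: the description added in PATCH 03 (ORCA666/EVA3, Offensive.md Execution section), `using hellsgate in EVA to get the syscalls`, is a lowercase fragment rather than the sentence form the surrounding entries use (`RDI implementation in Nim`, `This repository is an implementation of process hollowing ...`); suggest capitalizing and naming the technique so readers can find it, e.g. `Uses the HellsGate technique in EVA to resolve syscalls.`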
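Review bot: typo in the PATCH 05 hunk (Accenture/docker-plaso, README.md DFIR section): `Docker container for plaso supertimlining tool` should read `supertimelining`, since "super timeline" is the term the Plaso project uses for its merged timelines and a misspelling defeats text search in a bookmark list.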
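Review bot: the PATCH 08 description (jfmaes/sharpbysentinel, Offensive.md Defense Evasion section), `Kill telemetry to sentinel`, does not say which product "sentinel" refers to, and more than one security product carries that name; please capitalize the product name and state it, so that defenders scanning this section know which telemetry source the tool affects.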
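Review bot: grammar in the PATCH 09 hunk (knownsec/shellcodeloader, Offensive.md Execution section): `ShellcodeLoader of windows can bypass AV.` should capitalize `Windows` and reads more naturally as `Windows shellcode loader that can bypass AV.`; the surrounding entries capitalize platform names (`C# based tool which automates ... DLL Hijacks`).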
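Review bot: section placement in PATCH 12 (ovotech/gitoops added to the README.md DFIR section next to `OSSEC` and `philhagen/sof-elk`) does not match the added description, which says the tool helps `identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls`; that is attack-path enumeration for CI/CD and source-control security, not forensics or incident response, so either move it to a section covering CI/CD or cloud security or say in the commit message why DFIR is intended.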
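Review bot: the PATCH 13 entry (README.md Social Engineering section) is named bare `PoFish` while its neighbours use the `owner/repo` form (`optiv/Microsoft365_devicePhish`), so the link target is ambiguous; please use the full `owner/PoFish` path. The description `A new docker for phishing (PoFish)` also repeats the name and should say `Docker image` or `Docker container` rather than `docker`, matching `Docker container for plaso ...` elsewhere in this series.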