Elastic Security detection content for Endpoint

A list of Mitre Caldera compatible emulation-plans

Simple (relatively) things allowing you to dig a bit deeper than usual.

State-of-the-art native debugging tool

Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode

Sysmon shenanigans

DetectionLabELK is a fork from DetectionLab with ELK stack instead of Splunk.

A codebase aimed to make interaction with Windows and native execution easier

A post exploitation framework designed to operate covertly on heavily monitored environments

Threat Hunting tool about Sysmon and graphs

Suite of tools to facilitate attacks against the Jamf macOS management platform.

NetRipper - Smart traffic sniffing for penetration testers

The runtime DXE driver monitoring access to the UEFI variables by hooking the runtime service table.

UEFI Reference Specification Protocol Constants and Definitions

PowerShell Obfuscation Detection Framework

Hook system calls, context switches, page faults and more.

Evade sysmon and windows event logging

PoC to demonstrate how CLR ETW events can be tampered.

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

https://twitter.com/itsreallynick/status/1120410950430089224

signed-loaders documents Windows executables that can be used for side-loading DLLs.

Virtual Machine Introspection, Tracing & Debugging

⭐⭐Join us at sambaXP 2024 (Apr 17 - Apr 18)

Event metadata collected across all manifest-based ETW providers on Window 10 1903

Bare template for a Kernel Mode Driver

PeaceMaker Threat Detection is a Windows kernel-based application that detects advanced techniques used by malware.

VBS Reversed TCP Meterpreter Stager

Elevation of privilege detector based on HyperPlatform