netbiosX
@netbiosx.bsky.social
📤 1815
📥 68
📝 301
Purple Team
GitHub - jakobfriedl/tgt-monitor-bof: Async BOF implementation of 'Rubeus monitor' to detect and automatically extract Kerberos TGTs as they appear on a target system.
Async BOF implementation of 'Rubeus monitor' to detect and automatically extract Kerberos TGTs as they appear on a target system. - jakobfriedl/tgt-monitor-bof
https://github.com/jakobfriedl/tgt-monitor-bof
7 days ago
GitHub - raskolnikov90/Beatrice.py: Modify machine code in binaries with alternative x64 assembly opcodes for AV evasion
Modify machine code in binaries with alternative x64 assembly opcodes for AV evasion - raskolnikov90/Beatrice.py
https://github.com/raskolnikov90/Beatrice.py
9 days ago
Phantom-Evasion-Loader - a standalone, pure x64 Assembly injection engine engineered to minimize the detection surface of modern EDR/XDR solutions and Kernel-level monitors like Falco (eBPF)
GitHub - JM00NJ/Phantom-Evasion-Loader: Phantom-Evasion-Loader is a standalone, pure x64 Assembly injection engine engineered to minimize the detection surface of modern EDR/XDR solutions and Kernel-l...
Phantom-Evasion-Loader is a standalone, pure x64 Assembly injection engine engineered to minimize the detection surface of modern EDR/XDR solutions and Kernel-level monitors like Falco (eBPF). It l...
https://github.com/JM00NJ/Phantom-Evasion-Loader
14 days ago
📝 Missed the write‑up on abusing SpeechRuntime for lateral movement? This diagram summarizes the chain.⤵️ ✒️
ipurple.team/2026/04/07/m...
20 days ago
Microsoft Speech
SpeechRuntime is a legitimate Windows component that supports Microsoft’s speech-related capabilities, including voice input and speech recognition features used across modern Windows experie…
https://ipurple.team/2026/04/07/microsoft-speech/
21 days ago
Toast Notifications
The Application User Model ID (AUMID) is a unique identifier that Windows assigns to modern applications. It enables Windows to identify which applications should receive notifications, how start m…
https://ipurple.team/2026/03/25/toast-notifications/
about 1 month ago
GitHub - S1lkys/KslKatz: Combining KslDump and GhostKatz to dump LSASS using no-vulnerability KslD.sys memory read to bypass PPL. Extracts MSV1_0 NT hashes and WDigest cleartext passwords (if enabled)...
Combining KslDump and GhostKatz to dump LSASS using no-vulnerability KslD.sys memory read to bypass PPL. Extracts MSV1_0 NT hashes and WDigest cleartext passwords (if enabled) from LSASS using a Mi...
https://github.com/S1lkys/KslKatz
about 1 month ago
Offensive Cases about Credential Guard & Detection Strategies
#purpleteam
Credential Guard
Microsoft introduced Credential Guard in Windows 10 (2015) and Windows Server 2016 to prevent credential harvesting from the LSASS process that was abused for years by threat actors. Microsoft used…
https://ipurple.team/2026/03/17/credential-guard/
about 1 month ago
Implementing Early Cascade Injection in Rust
A deep dive into building Early Cascade Injection in Rust using NTDLL shim engine internals, position-independent stubs, pointer encoding, and APC-based payload execution.
https://fluxsec.red/implementing-early-cascade-injection-rust
about 1 month ago
Total Recall - Retracing Your Steps Back to NT AUTHORITY\SYSTEM - MDSec
The MDSec red team are regularly performing research to identify privilege escalation vectors in Windows and macOS for use during red team engagements. Where the indicators in exploiting the EoP...
https://www.mdsec.co.uk/2026/02/total-recall-retracing-your-steps-back-to-nt-authoritysystem/
2 months ago
Generate DLL proxy/sideload projects. Automatically parses PE export tables and generates ready-to-compile project for red team engagements
github.com/Whitecat18/L...
GitHub - Whitecat18/LazyDLLSideload: Generate DLL proxy/sideload projects. Automatically parses PE export tables and generates ready-to-compile project for red team engagements.
Generate DLL proxy/sideload projects. Automatically parses PE export tables and generates ready-to-compile project for red team engagements. - Whitecat18/LazyDLLSideload
https://github.com/Whitecat18/LazyDLLSideload
2 months ago
Proof of Concept (PoC) implant for creating custom Cobalt Strike Beacons
github.com/EricEsquivel...
#redteam
GitHub - EricEsquivel/CobaltStrike-Linux-Beacon: Proof of Concept (PoC) implant for creating custom Cobalt Strike Beacons
Proof of Concept (PoC) implant for creating custom Cobalt Strike Beacons - EricEsquivel/CobaltStrike-Linux-Beacon
https://github.com/EricEsquivel/CobaltStrike-Linux-Beacon
3 months ago
Automated Pass-the-Ticket (PtT) attack. Standalone alternative to Rubeus and Mimikatz for this attack, implemented in C++ and Python
github.com/ricardojoser...
#redteam
GitHub - ricardojoserf/AutoPtT: Automated Pass-the-Ticket (PtT) attack. Standalone alternative to Rubeus and Mimikatz for this attack, implemented in C++ and Python.
Automated Pass-the-Ticket (PtT) attack. Standalone alternative to Rubeus and Mimikatz for this attack, implemented in C++ and Python. - ricardojoserf/AutoPtT
https://github.com/ricardojoserf/AutoPtT
3 months ago
Creation of multiple Malware tools consisting of evasion, enumeration and exploitation
github.com/CaptMag/MalDev
GitHub - CaptMag/MalDev: Creation of multiple Malware tools consisting of evasion, enumeration and exploitation
Creation of multiple Malware tools consisting of evasion, enumeration and exploitation - CaptMag/MalDev
https://github.com/CaptMag/MalDev
3 months ago
📢 New article about GAC Hijacking to perform Code Execution and Persistence 📖 1x Playbook - A structured breakdown of the full approach 💡 3x Detection Opportunities 🏹 2x Threat Hunting Queries - Defender & Splunk
ipurple.team/2026/02/10/g...
GAC Hijacking
The Global Assembly Cache is a system-wide repository in the .NET framework that stores strong named (name + version + culture + public key token identity) assemblies so multiple applications can u…
https://ipurple.team/2026/02/10/gac-hijacking/
3 months ago
CustomDpapi: Calling the undocumented DPAPI RPC interface directly, no more calling public CryptUnprotectData!
github.com/EvilBytecode...
GitHub - EvilBytecode/CustomDpapi: Calling the undocumented DPAPI RPC interface directly, no more calling public CryptUnprotectData!
Calling the undocumented DPAPI RPC interface directly, no more calling public CryptUnprotectData! - EvilBytecode/CustomDpapi
https://github.com/EvilBytecode/CustomDpapi
3 months ago
An open-source port/reimplementation of the Cobalt Strike BOF Loader
GitHub - CodeXTF2/Cobaltstrike_BOFLoader: open source port/reimplementation of the Cobalt Strike BOF Loader as is
open source port/reimplementation of the Cobalt Strike BOF Loader as is - CodeXTF2/Cobaltstrike_BOFLoader
https://github.com/CodeXTF2/Cobaltstrike_BOFLoader
3 months ago
AppLocker Rules Abuse
AppLocker was introduced by Microsoft in Windows 7 to enable organizations to define which executables, scripts or installers are allowed to run in their environments. AppLocker can reduce the atta…
https://ipurple.team/2026/02/02/applocker-rules-abuse/
3 months ago
Wait, Why is my WebClient Started?: SCCM Hierarchy Takeover via NTLM Relay to LDAP - SpecterOps
During automatic client push installation, an SCCM site server automatically attempts to map WebDav shares on clients, starting WebClient when installed.
https://specterops.io/blog/2026/01/14/wait-why-is-my-webclient-started-sccm-hierarchy-takeover-via-ntlm-relay-to-ldap/
3 months ago
EDR Silencing
Modern Endpoint Detection and Response systems depend on persistent, bidirectional communication with their cloud management console, enabling them to continuously report suspicious activity and re…
https://ipurple.team/2026/01/12/edr-silencing/
4 months ago
Extracts browser-stored data such as refresh tokens, cookies, saved credentials, credit cards, autofill entries, browsing history, and bookmarks from modern Chromium-based and Gecko-based browsers (Chrome, Microsoft Edge, Firefox, Opera, Opera GX, and Vivaldi)
GitHub - Maldev-Academy/DumpBrowserSecrets: Extracts browser-stored data such as refresh tokens, cookies, saved credentials, credit cards, autofill entries, browsing history, and bookmarks from modern...
Extracts browser-stored data such as refresh tokens, cookies, saved credentials, credit cards, autofill entries, browsing history, and bookmarks from modern Chromium-based and Gecko-based browsers ...
https://github.com/Maldev-Academy/DumpBrowserSecrets
4 months ago
DbgNexum - a Proof-of-Concept for injecting shellcode using the Windows Debugging API and Shared Memory (File Mapping).
GitHub - dis0rder0x00/DbgNexum: Shellcode injection using the Windows Debugging API
Shellcode injection using the Windows Debugging API - dis0rder0x00/DbgNexum
https://github.com/dis0rder0x00/DbgNexum
4 months ago
Aether C2 - Aether project operates on a Full Duplex, End-to-End Encrypted channel, utilizing direct WinAPI syscalls for evasion and a modular architecture for scalability
github.com/256AndreiAES...
GitHub - 256AndreiAES/Aether-C2-Framework: Advanced Red Team C2 Framework written in Rust & Python.
Advanced Red Team C2 Framework written in Rust & Python. - 256AndreiAES/Aether-C2-Framework
https://github.com/256AndreiAES/Aether-C2-Framework
4 months ago
GitHub - pard0p/Remote-BOF-Runner: Remote BOF Runner is a Havoc extension framework for remote execution of Beacon Object Files (BOFs) using a PIC loader made with Crystal Palace.
Remote BOF Runner is a Havoc extension framework for remote execution of Beacon Object Files (BOFs) using a PIC loader made with Crystal Palace. - pard0p/Remote-BOF-Runner
https://github.com/pard0p/Remote-BOF-Runner
4 months ago
Ghostly Hollowing Via Tampered Syscalls
github.com/Maldev-Acade...
GitHub - Maldev-Academy/GhostlyHollowingViaTamperedSyscalls2
Contribute to Maldev-Academy/GhostlyHollowingViaTamperedSyscalls2 development by creating an account on GitHub.
https://github.com/Maldev-Academy/GhostlyHollowingViaTamperedSyscalls2
4 months ago
Bind Link – EDR Tampering
The Bind Link API enables Administrators to create transparent mappings from a virtual path to a backing path (local or remote). The Bind Link feature was introduced in Windows 11 and according to …
https://ipurple.team/2025/12/01/bind-link-edr-tampering/
5 months ago
LSASS Dump – Windows Error Reporting
The Windows Error Reporting is a feature that is responsible for the collection of information about system and application crashes and reporting this information to Microsoft. Windows are shipped …
https://ipurple.team/2025/11/18/lsass-dump-windows-error-reporting/
5 months ago
GitHub - EvilBytecode/ExitPatcher: Prevent in-process process termination by patching exit APIs
Prevent in-process process termination by patching exit APIs - EvilBytecode/ExitPatcher
https://github.com/EvilBytecode/ExitPatcher
6 months ago
GitHub - MorDavid/DonPwner: Advanced Domain Controller attack and credential analysis tool leveraging DonPAPI database
Advanced Domain Controller attack and credential analysis tool leveraging DonPAPI database - MorDavid/DonPwner
https://github.com/MorDavid/DonPwner
6 months ago
Golden dMSA
Delegated Managed Service Account (dMSA) was introduced by Microsoft in Windows Server 2025 to prevent Kerberos related attacks such as Kerberoasting by binding authentication of service accounts t…
https://ipurple.team/2025/09/02/golden-dmsa/
8 months ago
Active Directory Enumeration – ADWS
Microsoft introduced Active Directory Web Services (ADWS) in Windows Server 2008 R2 as a method to provide an interface to instances for querying and managing Active Directory over a network. The s…
https://ipurple.team/2025/08/12/active-directory-enumeration-adws/
9 months ago
Lateral Movement – BitLocker
BitLocker is a full disk encryption feature which was designed to protect data by providing encryption to entire volumes. In Windows endpoints (workstations, laptop devices etc.), BitLocker is typi…
https://ipurple.team/2025/08/04/lateral-movement-bitlocker/
9 months ago
BadSuccessor
Microsoft has introduced a feature in Windows Server 2025 to prevent credential harvesting via Kerberoasting and other credential stuffing attacks. This new feature comes in the form of a new accou…
https://ipurple.team/2025/07/28/badsuccessor/
9 months ago
The Ultimate Guide to Windows Coercion Techniques in 2025
Windows authentication coercion often feels like a magic bullet against the average Active Directory. With any old low-privileged account, it usually allows us to gain full administrative access to al...
https://blog.redteam-pentesting.de/2025/windows-coercion/
11 months ago
Boflink: A Linker For Beacon Object Files
Intro This is a blog post written for a project I recently released. The source code for it can be found here on Github. Background The design of Cobalt Strike’s Beacon Object Files is rather unique w...
https://blog.cybershenanigans.space/posts/boflink-a-linker-for-beacon-object-files/
11 months ago
Stealth Syscall Execution: Bypassing ETW, Sysmon, and EDR Detection
"Stealth syscalls: Because life's too short to argue with an angry EDR!" Discover how Stealth Syscall Execution bypasses ETW, Sysmon, and EDR detection. Learn advanced stealth techniques for red teami...
https://www.darkrelay.com/post/stealth-syscall-execution-bypass-edr-detection
11 months ago
Revisiting COM Hijacking - SpecterOps
Learn how to use COM hijacking for persistence and post-exploitation by targeting commonly used applications in Windows environments.
https://specterops.io/blog/2025/05/28/revisiting-com-hijacking/
11 months ago
GitHub - EvilBytecode/Ebyte-AMSI-ProxyInjector: A lightweight tool that injects a custom assembly proxy into a target process to silently bypass AMSI scanning by redirecting AmsiScanBuffer calls. It s...
A lightweight tool that injects a custom assembly proxy into a target process to silently bypass AMSI scanning by redirecting AmsiScanBuffer calls. It suspends the target’s threads, patches the fun...
https://github.com/EvilBytecode/Ebyte-AMSI-ProxyInjector
12 months ago
Living-off-the-COM: Type Coercion Abuse
This technique leverages PowerShell’s .NET interop layer and COM automation to achieve stealthy command execution by abusing implicit type…
https://medium.com/@andreabocchetti88/living-off-the-com-type-coercion-abuse-108f988bb00a
12 months ago
GitHub - Thunter-HackTeam/EvilentCoerce
Contribute to Thunter-HackTeam/EvilentCoerce development by creating an account on GitHub.
https://github.com/Thunter-HackTeam/EvilentCoerce
12 months ago
Beacon Object Files vs Tiny EXE Files
TL;DR A lot of bloat in an EXE file is just the statically linked C runtime. Link dynamically to msvcrt.dll (or ucrtbase.dll on Win 10+) plus a 40-line stub, and depending on the size of the progra…
https://modexp.wordpress.com/2025/04/27/beacon-object-files-vs-tiny-executables/
12 months ago
GitHub - quarkslab/proxyblob: SOCKS5 proxy tool that uses Azure Blob Storage as a means of communication.
SOCKS5 proxy tool that uses Azure Blob Storage as a means of communication. - quarkslab/proxyblob
https://github.com/quarkslab/proxyblob
12 months ago
Writing your own RDI /sRDI loader using C and ASM
In this post, I am going to show the readers how to write their own RDI/sRDI loader in C, and then show how to optimize the code to make it fully position independent.
https://blog.malicious.group/writing-your-own-rdi-srdi-loader-using-c-and-asm/
about 1 year ago
Attacking and Defending Configuration Manager - An Attackers Easy Win
Introduction System Center Configuration Manager (SCCM) or Microsoft Configuration Manager allows endpoint administrators to utilize a single platform for seamless device management inside of an Activ...
https://logan-goins.com/2025-04-25-sccm/
about 1 year ago
GitHub - backdoorskid/ClrAmsiScanPatcher: Patches the AmsiScan function in clr.dll allowing for unrestricted assembly loading in .NET
Patches the AmsiScan function in clr.dll allowing for unrestricted assembly loading in .NET - backdoorskid/ClrAmsiScanPatcher
https://github.com/backdoorskid/ClrAmsiScanPatcher
about 1 year ago
GitHub - cogiceo/GPOHound: Offensive GPO dumping and analysis tool that leverages and enriches BloodHound data
Offensive GPO dumping and analysis tool that leverages and enriches BloodHound data - cogiceo/GPOHound
https://github.com/cogiceo/gpohound
about 1 year ago
Windows Defender antivirus bypass in 2025 - part 2
Discover how hackers bypass an antivirus such as Windows Defender, using advanced techniques such as direct syscalls and shellcode encryption
https://www.hackmosphere.fr/bypass-windows-defender-antivirus-2025-part-2/
about 1 year ago
Bypassing AMSI with Dynamic API Resolution in PowerShell - ROOTFU.IN
function LookupFunc { Param ($moduleName, $functionName) $assem = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1]. Equals('System.dl...
https://rootfu.in/bypassing-amsi-with-dynamic-api-resolution-in-powershell/
about 1 year ago
GitHub - almounah/go-buena-clr: Good CLR Host with Native patchless AMSI Bypass
Good CLR Host with Native patchless AMSI Bypass. Contribute to almounah/go-buena-clr development by creating an account on GitHub.
https://github.com/almounah/go-buena-clr
about 1 year ago
GitHub - tdeerenberg/InlineWhispers3: Tool for working with Indirect System Calls in Cobalt Strike's Beacon Object Files (BOF) using SysWhispers3 for EDR evasion
Tool for working with Indirect System Calls in Cobalt Strike's Beacon Object Files (BOF) using SysWhispers3 for EDR evasion - tdeerenberg/InlineWhispers3
https://github.com/tdeerenberg/InlineWhispers3
about 1 year ago