Stars
Digital Forensics Investigation Platform
Automated YARA Rule Standardization and Quality Assurance Tool
A PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes.
AADInternals PowerShell module for administering Azure AD and Office 365
SysWhispers on Steroids - AV/EDR evasion via direct system calls.
Public script from SANS FOR509 Enterprise Cloud Incident Response
OpSec-safe PowerShell runspace from within C# (aka SharpPick) with AMSI, Constrained Language Mode and Script Block Logging disabled at startup
Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods
Universal Winlogbeat configuration
Set of Mindmaps providing a detailed overview of the different #Microsoft auditing capacities for Windows, Exchange, Azure,...
Canarytokens helps track activity and actions on your network.
Elastic Security detection content for Endpoint
A PoC implementation for an evasion technique to terminate the current thread and restore it before resuming execution, while implementing page protection changes during no execution.
Detect and respond to Cobalt Strike beacons using ETW.
An advanced tool for working with access tokens and Windows security policy.
KrbRelayUp - a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced (the default setting).