Hx Security Team
- https://twitter.com/hxteam
Stars
Scapy: the Python-based interactive packet manipulation program & library.
Monitor linux processes without root permissions
Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
ngrep is like GNU grep applied to the network layer. It's a PCAP-based tool that allows you to specify an extended regular or hexadecimal expression to match against data payloads of packets. It un…
Zeek support for Community ID flow hashing.
HASSH is a network fingerprinting standard which can be used to identify specific Client and Server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of a …
JA3 is a standard for creating SSL client fingerprints in an easy to produce and shareable way.
Techniques based on named pipes for pool overflow exploitation targeting the most recent (and oldest) Windows versions, demonstrated on CVE-2020-17087 and on an off-by-one overflow
An open standard for hashing network flows into identifiers, a.k.a "Community IDs".
Curated Windows event log Sigma rules used in Hayabusa and Velociraptor.
A set of fully-undetectable process injection techniques abusing Windows Thread Pools
Binary coverage tool without binary modification for Windows
MVT (Mobile Verification Toolkit) helps with conducting forensics of mobile devices in order to find signs of a potential compromise.
Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
Evasive shellcode loader for bypassing event-based injection detection (PoC)
A PoC implementation of an evasion technique that terminates the current thread and restores it before execution resumes, changing page protections while the code is not executing.
A PoC implementation for dynamically masking call stacks with timers.
PoC Implementation of a fully dynamic call stack spoofer
Arkime is an open source, large scale, full packet capturing, indexing, and database system.
This repository includes code and IoCs that are the product of research done in Akamai's various security research teams.
Public content repository for Windows Server content.
Hunts out CobaltStrike beacons and logs operator command output
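The two Community ID entries above (the Zeek package and the standard itself) describe a flow hash without showing how it is built. The following is an added example, not code from either repository or from Corelight's reference implementation: it implements the Community ID v1 construction as documented in the community-id-spec README (16-bit big-endian seed, canonically ordered endpoints, protocol byte, a zero pad byte, then ports for TCP/UDP/SCTP, SHA-1, "1:" prefix with base64 or hex) and uses it to correlate constructed records from two hypothetical sensors that saw the same flow in opposite directions. The ICMP/ICMPv6 type-and-code-to-port mapping from the spec is deliberately left out; the sensor names and sample records are made up.

```python
# Added example: Community ID v1 flow hashing, written from the public spec.
# Not the code of the starred repositories. ICMP type/code mapping is omitted.
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers for the protocols the spec treats specially.
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ICMP6, PROTO_SCTP = 1, 6, 17, 58, 132
PORT_PROTOS = {PROTO_TCP, PROTO_UDP, PROTO_SCTP}


def community_id(proto, src_ip, src_port, dst_ip, dst_port, seed=0, use_base64=True):
    """Return the Community ID v1 string for a flow, independent of direction.

    Hash input: seed(2, BE) | saddr | daddr | proto(1) | pad 0x00(1) | [sport(2) dport(2)]
    Ports are only included for TCP, UDP and SCTP. Output is "1:" + base64(sha1)
    (or lowercase hex when use_base64 is False).
    """
    if proto in (PROTO_ICMP, PROTO_ICMP6):
        # The spec maps ICMP type/code to pseudo-ports; that mapping is not
        # implemented in this example, so refuse rather than hash incorrectly.
        raise NotImplementedError("ICMP type/code mapping not implemented here")
    saddr = ipaddress.ip_address(src_ip).packed
    daddr = ipaddress.ip_address(dst_ip).packed
    if len(saddr) != len(daddr):
        raise ValueError("both endpoints must be IPv4 or both IPv6")

    has_ports = proto in PORT_PROTOS
    sport, dport = (int(src_port), int(dst_port)) if has_ports else (0, 0)

    # Canonical ordering: the lexicographically smaller (addr, port) goes first,
    # so a flow hashes identically whichever direction a sensor observed it in.
    if not (saddr < daddr or (saddr == daddr and sport < dport)):
        saddr, daddr, sport, dport = daddr, saddr, dport, sport

    data = struct.pack("!H", seed) + saddr + daddr + struct.pack("BB", proto, 0)
    if has_ports:
        data += struct.pack("!HH", sport, dport)

    digest = hashlib.sha1(data).digest()
    if use_base64:
        return "1:" + base64.b64encode(digest).decode("ascii")
    return "1:" + digest.hex()


# Constructed sample records (sensor name, proto, src, sport, dst, dport).
# sensorA and sensorB saw the same TCP connection from opposite sides of a tap.
SAMPLE_RECORDS = [
    ("sensorA", PROTO_TCP, "128.232.110.120", 34855, "66.35.250.204", 80),
    ("sensorB", PROTO_TCP, "66.35.250.204", 80, "128.232.110.120", 34855),
    ("sensorA", PROTO_UDP, "192.0.2.52", 54312, "198.51.100.9", 53),
]


def correlate(records, seed=0):
    """Group sensor names by the Community ID of the flow each record describes."""
    groups = {}
    for sensor, proto, sip, sp, dip, dp in records:
        cid = community_id(proto, sip, sp, dip, dp, seed=seed)
        groups.setdefault(cid, []).append(sensor)
    return groups


if __name__ == "__main__":
    for cid, sensors in correlate(SAMPLE_RECORDS).items():
        print(cid, sorted(sensors))
```

Operationally, the seed is the one knob: every tool in a pipeline (Zeek, Suricata, Arkime, a SIEM enrichment step) must use the same seed or the IDs will not join, and a non-default seed is only worth it when you need IDs from two separate environments to stay distinct. The spec README publishes reference vectors; feed the TCP tuple in `SAMPLE_RECORDS` through `community_id()` to compare against them.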