an autogenerated collection of false positives sourced from some of the most popular rule sets. The information is categorized along with ATT&CK techniques, rule source, and data source.

Land Drivers is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks

GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems

The goal of the LOLBAS project is to document every binary, noscript, and library that can be used for Living Off The Land techniques

Attackers are using popular legitimate domains when conducting phishing, C&C, exfiltration and downloading tools to evade detection. The list of websites below allow attackers to use their domain or subdomain

File extensions being used by attackers

This project provides an curated list of DLL Hijacking candidates

WADComs is an interactive cheat sheet, containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments

Living Off the Orchard: macOS Binaries (LOOBins) is designed to provide detailed information on various built-in macOS binaries and how they can be used by threat actors for malicious purposes

This project was made because exploitation isn’t limited to binaries using command line techniques. Both built-in and third-party applications have been used & abused for adversarial gain since the dawn of time, and knowing these methods can help when all else fail.

Curated list of known malicious bootloaders for various operating systems. The project aims to assist security professionals in staying informed and mitigating potential threats associated with bootloaders
BYOL Bring Your Own Land (BYOL)

Living Off The Hardware is a resource collection that provides guidance on identifying and utilizing malicious hardware and malicious devices

WTFBin is a binary that behaves exactly like malware, except, somehow, it’s not

Living Off the Foreign Land (LOFL) are LOFL Cmdlets and Binaries (LOFLCABs) that are capable of performing activities from the local (Offensive Windows) system to a REMOTE system.

This contains information about Windows persistence mechanisms to make the protection/detection more efficient.

Threat actors are known to sign their malware using stolen, or even legally acquired, code signing certificates. This project aims at collecting the details of the certificates that are known to be abused in the wild by malicious actors.

Inventory how development tools (typically CLIs), commonly used in CI/CD pipelines, have lesser-known RCE-By-Design features (“foot guns”), or more generally, can be used to achieve arbitrary code execution by running on untrusted code changes or following a workflow injection.

This project that aims to help cyber defenders understand how LOLBin binaries are used by threat actors during an intrusion in a graphical and digestible format.

This project features a comprehensive list of binaries/noscripts natively available in VMware ESXi that adversaries have utilised in their operations.

This project is a curated list of Remote Monitoring and Management (RMM) tools that could potentially be abused by threat actors.

The purpose is to scan hooked NTDLL and retrieve the Syscall number to then do an indirect Syscall with it, thus allowing the bypass of AV/EDR that put hooks on functions.


https://github.com/almounah/superdeye.git

Timeroasting takes advantage of Windows' NTP authentication mechanism, allowing unauthenticated attackers to effectively request a password hash of any computer account by sending an NTP request with that account's RID

The Instrlen plugin is a tool for IDA Pro that allows for setting the length of an instruction to a custom value. This can be useful when the code is obfuscated or there are jumps after the instruction prefixes.