Rapidly Search and Hunt through Windows Forensic Artefacts
A python2 script for sweeping a network to find windows systems compromised with the DOUBLEPULSAR implant.
A helper script for unpacking and decompiling EXEs compiled from python code.
A PoC implementation for spoofing arbitrary call stacks when making sys calls (e.g. grabbing a handle via NtOpenProcess)
Incident Response collection and processing scripts with automated reporting scripts
A python2 script for processing a PCAP file to decrypt C2 traffic sent to DOUBLEPULSAR implant
Scripts for performing and detecting parent PID spoofing
https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/
A utility to use the usermode shellcode from the DOUBLEPULSAR payload to reflectively load an arbitrary DLL into another process, for use in testing detection techniques or other security research.
A spiritual .NET equivalent to the Gargoyle memory scanning evasion technique
A collection of useful radare2 scripts!
A triage data collection script for macOS
RemotePSpy provides live monitoring of remote PowerShell sessions, which is particularly useful for older (pre-5.0) versions of PowerShell which do not have comprehensive logging facilities built in.
A higher-level wrapper on top of the official bson & mongodb crates.