Stars
Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64.
This project hosts security advisories and their accompanying proof-of-concepts related to research conducted at Google which impact non-Google owned code.
Simple (relatively) things allowing you to dig a bit deeper than usual.
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Deep Linux runtime visibility meets Wireshark
The Linux port of the Sysinternals Sysmon tool.
Library and tools to access the Windows New Technology File System (NTFS)
Monitors for DCSync and DCShadow attacks and creates custom Windows Events for these detections.
ebpfkit-monitor is a tool that detects and protects against eBPF-powered rootkits
Tool designed to exfiltrate OneDrive Business OCR Data
Enumerate Windows Defender threat families and dump their names by category
This repo will contain the core detections, only for Cobalt Strike's leaked versions. Detections for non-leaked versions won't be shared
List the ETW provider(s) in the registration table of a process.
This tool has the power to hide any PID/directory in the Linux kernel
mthcht / SealighterTI
Forked from pathtofile/SealighterTI. Combining Sealighter with unpatched exploits to run the Threat-Intelligence ETW Provider
mthcht / PSBits
Forked from gtworek/PSBits. Simple (relatively) things allowing you to dig a bit deeper than usual.
mthcht / snoopy
Forked from a2o/snoopy. Snoopy Command Logger is a small library that logs all program executions on your Linux/BSD system.
mthcht / LiME
Forked from 504ensicsLabs/LiME. LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquir…