countercept

Rapidly Search and Hunt through Windows Forensic Artefacts

A python2 script for sweeping a network to find windows systems compromised with the DOUBLEPULSAR implant.

A helper script for unpacking and decompiling EXEs compiled from python code.

A PoC implementation for spoofing arbitrary call stacks when making sys calls (e.g. grabbing a handle via NtOpenProcess)

Incident Response collection and processing scripts with automated reporting scripts

A python2 script for processing a PCAP file to decrypt C2 traffic sent to DOUBLEPULSAR implant

snake - a malware storage zoo

Scripts for performing and detecting parent PID spoofing

Data visualization for blue teams

A utility to use the usermode shellcode from the DOUBLEPULSAR payload to reflectively load an arbitrary DLL into another process, for use in testing detection techniques or other security research.

https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/

A spiritual .NET equivalent to the Gargoyle memory scanning evasion technique

ESF modular ingestion tool for development and research.

A collection of useful radare2 scripts!

AMSI detection PoC

A document tagging library

A triage data collection script for macOS

RemotePSpy provides live monitoring of remote PowerShell sessions, which is particularly useful for older (pre-5.0) versions of PowerShell which do not have comprehensive logging facilities built in.

A higher-level wrapper on top of the official bson & mongodb crates.