guids_only.yara
rule GUID_Detection
{
meta:
author = "@mthcht"
description = "Detects GUIDs of offensive tools - https://github.com/BADGUIDS/badguids.github.io"
strings:
// A windows token impersonation tool
// https://github.com/sensepost/impersonate
$guid_00630066_0B43_474E_A93B_417CF1A65195_str = "00630066-0B43-474E-A93B-417CF1A65195" ascii wide nocase
$guid_00630066_0B43_474E_A93B_417CF1A65195_bin = { 66 00 63 00 43 0B 4E 47 A9 3B 41 7C F1 A6 51 95 }
// Cross-platform multi-protocol VPN software abused by attackers
// https://github.com/SoftEtherVPN/SoftEtherVPN
$guid_00B41CF0_7AE9_4542_9970_77B312412535_str = "00B41CF0-7AE9-4542-9970-77B312412535" ascii wide nocase
$guid_00B41CF0_7AE9_4542_9970_77B312412535_bin = { F0 1C B4 00 E9 7A 42 45 99 70 77 B3 12 41 25 35 }
// Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections
// https://github.com/bytecode77/r77-rootkit
$guid_00D7268A_92A9_4CD4_ADDF_175E9BF16AE0_str = "00D7268A-92A9-4CD4-ADDF-175E9BF16AE0" ascii wide nocase
$guid_00D7268A_92A9_4CD4_ADDF_175E9BF16AE0_bin = { 8A 26 D7 00 A9 92 D4 4C AD DF 17 5E 9B F1 6A E0 }
// Command line tool to extract/decrypt the password that was stored in the LSA by SysInternals AutoLogon
// https://github.com/securesean/DecryptAutoLogon
$guid_015A37FC_53D0_499B_BFFE_AB88C5086040_str = "015A37FC-53D0-499B-BFFE-AB88C5086040" ascii wide nocase
$guid_015A37FC_53D0_499B_BFFE_AB88C5086040_bin = { FC 37 5A 01 D0 53 9B 49 BF FE AB 88 C5 08 60 40 }
// remote backdoor used by a group of the same name (Carbanak). It is intended for espionage - data exfiltration and providing remote access to infected machines
// https://github.com/0x25bit/Updated-Carbanak-Source-with-Plugins
$guid_01871B2B_B006_4069_997D_BAB3EB216160_str = "01871B2B-B006-4069-997D-BAB3EB216160" ascii wide nocase
$guid_01871B2B_B006_4069_997D_BAB3EB216160_bin = { 2B 1B 87 01 06 B0 69 40 99 7D BA B3 EB 21 61 60 }
// Abusing Azure AD SSO with the Primary Refresh Token - ROADtoken is a tool that uses the BrowserCore.exe binary to obtain a cookie that can be used with SSO and Azure AD
// https://github.com/dirkjanm/ROADtoken
$guid_018BD6D4_9019_42FD_8D3A_831B23B47CB2_str = "018BD6D4-9019-42FD-8D3A-831B23B47CB2" ascii wide nocase
$guid_018BD6D4_9019_42FD_8D3A_831B23B47CB2_bin = { D4 D6 8B 01 19 90 FD 42 8D 3A 83 1B 23 B4 7C B2 }
// StandIn is a small .NET35/45 AD post-exploitation toolkit
// https://github.com/FuzzySecurity/StandIn
$guid_01C142BA_7AF1_48D6_B185_81147A2F7DB7_str = "01C142BA-7AF1-48D6-B185-81147A2F7DB7" ascii wide nocase
$guid_01C142BA_7AF1_48D6_B185_81147A2F7DB7_bin = { BA 42 C1 01 F1 7A D6 48 B1 85 81 14 7A 2F 7D B7 }
// Malware RAT with keylogger - dll injection - C2 - Remote control
// https://github.com/sin5678/gh0st
$guid_0228336A_2F4C_0D17_2E11_86654A1FAD8D_str = "0228336A-2F4C-0D17-2E11-86654A1FAD8D" ascii wide nocase
$guid_0228336A_2F4C_0D17_2E11_86654A1FAD8D_bin = { 6A 33 28 02 4C 2F 17 0D 2E 11 86 65 4A 1F AD 8D }
// remotely killing EDR with WDAC
// https://github.com/logangoins/Krueger
$guid_022E5A85_D732_4C5D_8CAD_A367139068D8_str = "022E5A85-D732-4C5D-8CAD-A367139068D8" ascii wide nocase
$guid_022E5A85_D732_4C5D_8CAD_A367139068D8_bin = { 85 5A 2E 02 32 D7 5D 4C 8C AD A3 67 13 90 68 D8 }
// Framework designed for red teams to create and manage custom C2 (Command and Control) channels. Unlike traditional C2 frameworks that rely on typical communication methods like HTTP/S DNS or TCP - C3 allows for the creation of non-traditional and esoteric C2 channels using platforms like Slack Dropbox GitHub OneDrive and more.
// https://github.com/WithSecureLabs/C3
$guid_023B2DB0_6DA4_4F0D_988B_4D9BF522DA37_str = "023B2DB0-6DA4-4F0D-988B-4D9BF522DA37" ascii wide nocase
$guid_023B2DB0_6DA4_4F0D_988B_4D9BF522DA37_bin = { B0 2D 3B 02 A4 6D 0D 4F 98 8B 4D 9B F5 22 DA 37 }
// A one-click program to steal the icon, resource information, version information, modification time, and digital signature (invalid) to make the program appear legitimate
// https://github.com/INotGreen/SharpThief
$guid_025280A3_24F7_4C55_9B5E_D08124A52546_str = "025280A3-24F7-4C55-9B5E-D08124A52546" ascii wide nocase
$guid_025280A3_24F7_4C55_9B5E_D08124A52546_bin = { A3 80 52 02 F7 24 55 4C 9B 5E D0 81 24 A5 25 46 }
// NetRipper - Smart traffic sniffing for penetration testers
// https://github.com/NytroRST/NetRipper
$guid_027FAC75_3FDB_4044_8DD0_BC297BD4C461_str = "027FAC75-3FDB-4044-8DD0-BC297BD4C461" ascii wide nocase
$guid_027FAC75_3FDB_4044_8DD0_BC297BD4C461_bin = { 75 AC 7F 02 DB 3F 44 40 8D D0 BC 29 7B D4 C4 61 }
// Injects a DLL into a suspended process running as SYSTEM via the OfficeClickToRun service for privilege escalation - Shim Injector: Injects a DLL into a process by modifying shim data in memory without creating or registering new SDB files to evade detection.
// https://github.com/deepinstinct/ShimMe
$guid_0286bd5f_1a56_4251_8758_adb0338d4e98_str = "0286bd5f-1a56-4251-8758-adb0338d4e98" ascii wide nocase
$guid_0286bd5f_1a56_4251_8758_adb0338d4e98_bin = { 5F BD 86 02 56 1A 51 42 87 58 AD B0 33 8D 4E 98 }
// ConfuserEx is a widely used open source obfuscator often found in malware
// https://github.com/yck1509/ConfuserEx
$guid_02948DD6_47BD_4C82_9B4B_78931DB23B8A_str = "02948DD6-47BD-4C82-9B4B-78931DB23B8A" ascii wide nocase
$guid_02948DD6_47BD_4C82_9B4B_78931DB23B8A_bin = { D6 8D 94 02 BD 47 82 4C 9B 4B 78 93 1D B2 3B 8A }
// PoCs for Kernelmode rootkit techniques research.
// https://github.com/daem0nc0re/VectorKernel/
$guid_02EF15C0_BA19_4115_BB7F_F5B04F7087FE_str = "02EF15C0-BA19-4115-BB7F-F5B04F7087FE" ascii wide nocase
$guid_02EF15C0_BA19_4115_BB7F_F5B04F7087FE_bin = { C0 15 EF 02 19 BA 15 41 BB 7F F5 B0 4F 70 87 FE }
// automate abuse of clickonce applications
// https://github.com/trustedsec/The_Shelf
$guid_02FAF312_BF2A_466B_8AD2_1339A31C303B_str = "02FAF312-BF2A-466B-8AD2-1339A31C303B" ascii wide nocase
$guid_02FAF312_BF2A_466B_8AD2_1339A31C303B_bin = { 12 F3 FA 02 2A BF 6B 46 8A D2 13 39 A3 1C 30 3B }
// ConfuserEx is a widely used open source obfuscator often found in malware
// https://github.com/yck1509/ConfuserEx
$guid_034B1C28_96B9_486A_B238_9C651EAA32CA_str = "034B1C28-96B9-486A-B238-9C651EAA32CA" ascii wide nocase
$guid_034B1C28_96B9_486A_B238_9C651EAA32CA_bin = { 28 1C 4B 03 B9 96 6A 48 B2 38 9C 65 1E AA 32 CA }
// SharpSCCM is a post-exploitation tool designed to leverage Microsoft Endpoint Configuration Manager (a.k.a. ConfigMgr. formerly SCCM) for Lateral Movement and credential gathering without requiring access to the SCCM administration console GUI
// https://github.com/Mayyhem/SharpSCCM/
$guid_03652836_898E_4A9F_B781_B7D86E750F60_str = "03652836-898E-4A9F-B781-B7D86E750F60" ascii wide nocase
$guid_03652836_898E_4A9F_B781_B7D86E750F60_bin = { 36 28 65 03 8E 89 9F 4A B7 81 B7 D8 6E 75 0F 60 }
// MeshCentral is a full computer management web site - abused by attackers
// https://github.com/Ylianst/MeshAgent
$guid_03A09084_0576_45C5_97CA_B83B1A8688B8_str = "03A09084-0576-45C5-97CA-B83B1A8688B8" ascii wide nocase
$guid_03A09084_0576_45C5_97CA_B83B1A8688B8_bin = { 84 90 A0 03 76 05 C5 45 97 CA B8 3B 1A 86 88 B8 }
// another C2 framework
// https://github.com/trustedsec/The_Shelf
$guid_042BF22B_7728_486B_B8C9_D5B91733C46D_str = "042BF22B-7728-486B-B8C9-D5B91733C46D" ascii wide nocase
$guid_042BF22B_7728_486B_B8C9_D5B91733C46D_bin = { 2B F2 2B 04 28 77 6B 48 B8 C9 D5 B9 17 33 C4 6D }
// from Malware RAT samples
// https://github.com/x-cod3r/Remote-administration-tools-archive
$guid_043EE329_C00A_4F67_971F_BF1C55D4BC1A_str = "043EE329-C00A-4F67-971F-BF1C55D4BC1A" ascii wide nocase
$guid_043EE329_C00A_4F67_971F_BF1C55D4BC1A_bin = { 29 E3 3E 04 0A C0 67 4F 97 1F BF 1C 55 D4 BC 1A }
// unhooking ntdll from disk - from KnownDlls - from suspended process - from remote server (fileless)
// https://github.com/TheD1rkMtr/ntdlll-unhooking-collection
$guid_0472A393_9503_491D_B6DA_FA47CD567EDE_str = "0472A393-9503-491D-B6DA-FA47CD567EDE" ascii wide nocase
$guid_0472A393_9503_491D_B6DA_FA47CD567EDE_bin = { 93 A3 72 04 03 95 1D 49 B6 DA FA 47 CD 56 7E DE }
// EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections
// https://github.com/wavestone-cdt/EDRSandblast
$guid_04DFB6E4_809E_4C35_88A1_2CC5F1EBFEBD_str = "04DFB6E4-809E-4C35-88A1-2CC5F1EBFEBD" ascii wide nocase
$guid_04DFB6E4_809E_4C35_88A1_2CC5F1EBFEBD_bin = { E4 B6 DF 04 9E 80 35 4C 88 A1 2C C5 F1 EB FE BD }
// Kernel mode WinDbg extension and PoCs for token privilege investigation.
// https://github.com/daem0nc0re/PrivFu
$guid_04FC654C_D89A_44F9_9E34_6D95CE152E9D_str = "04FC654C-D89A-44F9-9E34-6D95CE152E9D" ascii wide nocase
$guid_04FC654C_D89A_44F9_9E34_6D95CE152E9D_bin = { 4C 65 FC 04 9A D8 F9 44 9E 34 6D 95 CE 15 2E 9D }
// Windows Privilege Escalation Exploit BadPotato
// https://github.com/BeichenDream/BadPotato
$guid_0527a14f_1591_4d94_943e_d6d784a50549_str = "0527a14f-1591-4d94-943e-d6d784a50549" ascii wide nocase
$guid_0527a14f_1591_4d94_943e_d6d784a50549_bin = { 4F A1 27 05 91 15 94 4D 94 3E D6 D7 84 A5 05 49 }
// RevengeRAT - AsyncRAT Simple RAT
// https://github.com/NYAN-x-CAT/RevengeRAT-Stub-Cssharp
$guid_052C26C0_7979_4555_89CE_34C5CE8D8B34_str = "052C26C0-7979-4555-89CE-34C5CE8D8B34" ascii wide nocase
$guid_052C26C0_7979_4555_89CE_34C5CE8D8B34_bin = { C0 26 2C 05 79 79 55 45 89 CE 34 C5 CE 8D 8B 34 }
// ConfuserEx is a widely used open source obfuscator often found in malware
// https://github.com/yck1509/ConfuserEx
$guid_055BC73F_FCAE_4361_B035_2E156A101EA9_str = "055BC73F-FCAE-4361-B035-2E156A101EA9" ascii wide nocase
$guid_055BC73F_FCAE_4361_B035_2E156A101EA9_bin = { 3F C7 5B 05 AE FC 61 43 B0 35 2E 15 6A 10 1E A9 }
// Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes. protect and elevate them with token manipulation.
// https://github.com/XaFF-XaFF/Cronos-Rootkit
$guid_05B4EB7F_3D59_4E6A_A7BC_7C1241578CA7_str = "05B4EB7F-3D59-4E6A-A7BC-7C1241578CA7" ascii wide nocase
$guid_05B4EB7F_3D59_4E6A_A7BC_7C1241578CA7_bin = { 7F EB B4 05 59 3D 6A 4E A7 BC 7C 12 41 57 8C A7 }
// Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections
// https://github.com/bytecode77/r77-rootkit
$guid_06AF1D64_F2FC_4767_8794_7313C7BB0A40_str = "06AF1D64-F2FC-4767-8794-7313C7BB0A40" ascii wide nocase
$guid_06AF1D64_F2FC_4767_8794_7313C7BB0A40_bin = { 64 1D AF 06 FC F2 67 47 87 94 73 13 C7 BB 0A 40 }
// *.NET post-exploitation toolkit for Active Directory reconnaissance and exploitation*
// https://github.com/logangoins/Cable
$guid_06B2AE2B_7FD3_4C36_B825_1594752B1D7B_str = "06B2AE2B-7FD3-4C36-B825-1594752B1D7B" ascii wide nocase
$guid_06B2AE2B_7FD3_4C36_B825_1594752B1D7B_bin = { 2B AE B2 06 D3 7F 36 4C B8 25 15 94 75 2B 1D 7B }
// Xeno-RAT is an open-source remote access tool (RAT) developed in C# providing a comprehensive set of features for remote system management. Has features such as HVNC - live microphone - reverse proxy and much much more
// https://github.com/moom825/xeno-rat
$guid_06B2B14A_CE87_41C0_A77A_2644FE3231C7_str = "06B2B14A-CE87-41C0-A77A-2644FE3231C7" ascii wide nocase
$guid_06B2B14A_CE87_41C0_A77A_2644FE3231C7_bin = { 4A B1 B2 06 87 CE C0 41 A7 7A 26 44 FE 32 31 C7 }
// .NET executable to use when dealing with privilege escalation on Windows to gain local administrator access
// https://github.com/notdodo/LocalAdminSharp
$guid_07628592_5A22_4C0A_9330_6C90BD7A94B6_str = "07628592-5A22-4C0A-9330-6C90BD7A94B6" ascii wide nocase
$guid_07628592_5A22_4C0A_9330_6C90BD7A94B6_bin = { 92 85 62 07 22 5A 0A 4C 93 30 6C 90 BD 7A 94 B6 }
// Terminate AV/EDR leveraging BYOVD attack
// https://github.com/dmcxblue/SharpBlackout
$guid_07DFC5AA_5B1F_4CCC_A3D3_816ECCBB6CB6_str = "07DFC5AA-5B1F-4CCC-A3D3-816ECCBB6CB6" ascii wide nocase
$guid_07DFC5AA_5B1F_4CCC_A3D3_816ECCBB6CB6_bin = { AA C5 DF 07 1F 5B CC 4C A3 D3 81 6E CC BB 6C B6 }
// Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.
// https://github.com/hfiref0x/UACME
$guid_07EF7652_1C2D_478B_BB4B_F9560695A387_str = "07EF7652-1C2D-478B-BB4B-F9560695A387" ascii wide nocase
$guid_07EF7652_1C2D_478B_BB4B_F9560695A387_bin = { 52 76 EF 07 2D 1C 8B 47 BB 4B F9 56 06 95 A3 87 }
// Metasploit is a widely-used. open-source framework designed for penetration testing. vulnerability assessment. and exploit development. It provides security professionals and researchers with a comprehensive platform to discover. exploit. and validate vulnerabilities in computer systems and networks. Metasploit includes a large database of pre-built exploits. payloads. and auxiliary modules that can be used to test various attack vectors. identify security weaknesses. and simulate real-world cyberattacks. By utilizing Metasploit. security teams can better understand potential threats and improve their overall security posture.
// https://github.com/rapid7/metasploit-omnibus
$guid_080A880D_BA94_4CF8_9015_5B2063073E02_str = "080A880D-BA94-4CF8-9015-5B2063073E02" ascii wide nocase
$guid_080A880D_BA94_4CF8_9015_5B2063073E02_bin = { 0D 88 0A 08 94 BA F8 4C 90 15 5B 20 63 07 3E 02 }
// remote backdoor used by a group of the same name (Carbanak). It is intended for espionage - data exfiltration and providing remote access to infected machines
// https://github.com/0x25bit/Updated-Carbanak-Source-with-Plugins
$guid_0845B3E9_B6AE_4227_B484_CECBC2EB1C87_str = "0845B3E9-B6AE-4227-B484-CECBC2EB1C87" ascii wide nocase
$guid_0845B3E9_B6AE_4227_B484_CECBC2EB1C87_bin = { E9 B3 45 08 AE B6 27 42 B4 84 CE CB C2 EB 1C 87 }
// An open-source windows defender manager. Now you can disable windows defender permanently
// https://github.com/pgkt04/defender-control
$guid_089CA7D6_3277_4998_86AF_F6413290A442_str = "089CA7D6-3277-4998-86AF-F6413290A442" ascii wide nocase
$guid_089CA7D6_3277_4998_86AF_F6413290A442_bin = { D6 A7 9C 08 77 32 98 49 86 AF F6 41 32 90 A4 42 }
// Extract Windows Defender database from vdm files and unpack it
// https://github.com/hfiref0x/WDExtract/
$guid_08AEC00F_42ED_4E62_AE8D_0BFCE30A3F57_str = "08AEC00F-42ED-4E62-AE8D-0BFCE30A3F57" ascii wide nocase
$guid_08AEC00F_42ED_4E62_AE8D_0BFCE30A3F57_bin = { 0F C0 AE 08 ED 42 62 4E AE 8D 0B FC E3 0A 3F 57 }
// notable code snippets for Offensive Security's PEN-300 (OSEP) course
// https://github.com/chvancooten/OSEP-Code-Snippets
$guid_08DBC2BF_E9F3_4AE4_B0CC_6E9C8767982D_str = "08DBC2BF-E9F3-4AE4-B0CC-6E9C8767982D" ascii wide nocase
$guid_08DBC2BF_E9F3_4AE4_B0CC_6E9C8767982D_bin = { BF C2 DB 08 F3 E9 E4 4A B0 CC 6E 9C 87 67 98 2D }
// COM-hunter is a COM Hijacking persistence tool written in C#
// https://github.com/nickvourd/COM-Hunter
$guid_09323E4D_BE0F_452A_9CA8_B07D2CFA9804_str = "09323E4D-BE0F-452A-9CA8-B07D2CFA9804" ascii wide nocase
$guid_09323E4D_BE0F_452A_9CA8_B07D2CFA9804_bin = { 4D 3E 32 09 0F BE 2A 45 9C A8 B0 7D 2C FA 98 04 }
// From an account member of the group Backup Operators to Domain Admin without RDP or WinRM on the Domain Controller
// https://github.com/mpgn/BackupOperatorToDA
$guid_0971A047_A45A_43F4_B7D8_16AC1114B524_str = "0971A047-A45A-43F4-B7D8-16AC1114B524" ascii wide nocase
$guid_0971A047_A45A_43F4_B7D8_16AC1114B524_bin = { 47 A0 71 09 5A A4 F4 43 B7 D8 16 AC 11 14 B5 24 }
// A POC of a new threadless process injection technique that works by utilizing the concept of DLL Notification Callbacks in local and remote processes.
// https://github.com/ShorSec/DllNotificationInjection
$guid_0A1C2C46_33F7_4D4C_B8C6_1FC9B116A6DF_str = "0A1C2C46-33F7-4D4C-B8C6-1FC9B116A6DF" ascii wide nocase
$guid_0A1C2C46_33F7_4D4C_B8C6_1FC9B116A6DF_bin = { 46 2C 1C 0A F7 33 4C 4D B8 C6 1F C9 B1 16 A6 DF }
// erase specified records from Windows event logs
// https://github.com/QAX-A-Team/EventCleaner
$guid_0A2B3F8A_EDC2_48B5_A5FC_DE2AC57C8990_str = "0A2B3F8A-EDC2-48B5-A5FC-DE2AC57C8990" ascii wide nocase
$guid_0A2B3F8A_EDC2_48B5_A5FC_DE2AC57C8990_bin = { 8A 3F 2B 0A C2 ED B5 48 A5 FC DE 2A C5 7C 89 90 }
// PoCs for sensitive token privileges such SeDebugPrivilege
// https://github.com/daem0nc0re/PrivFu
$guid_0A78E156_D03F_4667_B70E_4E9B4AA1D491_str = "0A78E156-D03F-4667-B70E-4E9B4AA1D491" ascii wide nocase
$guid_0A78E156_D03F_4667_B70E_4E9B4AA1D491_bin = { 56 E1 78 0A 3F D0 67 46 B7 0E 4E 9B 4A A1 D4 91 }
// A basic emulation of an "RPC Backdoor"
// https://github.com/eladshamir/RPC-Backdoor
$guid_0ABB9F2A_6913_4174_9431_851F9D3E94B4_str = "0ABB9F2A-6913-4174-9431-851F9D3E94B4" ascii wide nocase
$guid_0ABB9F2A_6913_4174_9431_851F9D3E94B4_bin = { 2A 9F BB 0A 13 69 74 41 94 31 85 1F 9D 3E 94 B4 }
// Manipulating and Abusing Windows Access Tokens
// https://github.com/S1ckB0y1337/TokenPlayer
$guid_0ADFD1F0_7C15_4A22_87B4_F67E046ECD96_str = "0ADFD1F0-7C15-4A22-87B4-F67E046ECD96" ascii wide nocase
$guid_0ADFD1F0_7C15_4A22_87B4_F67E046ECD96_bin = { F0 D1 DF 0A 15 7C 22 4A 87 B4 F6 7E 04 6E CD 96 }
// The OpenBullet web testing application.
// https://github.com/openbullet/openbullet
$guid_0B6D8B01_861E_4CAF_B1C9_6670884381DB_str = "0B6D8B01-861E-4CAF-B1C9-6670884381DB" ascii wide nocase
$guid_0B6D8B01_861E_4CAF_B1C9_6670884381DB_bin = { 01 8B 6D 0B 1E 86 AF 4C B1 C9 66 70 88 43 81 DB }
// mimikatz GUID project
// https://github.com/gentilkiwi/mimikatz
$guid_0BD5DE6B_8DA5_4CF1_AE53_A265010F52AA_str = "0BD5DE6B-8DA5-4CF1-AE53-A265010F52AA" ascii wide nocase
$guid_0BD5DE6B_8DA5_4CF1_AE53_A265010F52AA_bin = { 6B DE D5 0B A5 8D F1 4C AE 53 A2 65 01 0F 52 AA }
// a Windows service in C# that is self installing as a single executable and sets proper attributes to prevent an administrator from stopping or pausing the service through the Windows Service Control Manager interface
// https://github.com/malcomvetter/UnstoppableService
$guid_0C117EE5_2A21_496D_AF31_8CC7F0CAAA86_str = "0C117EE5-2A21-496D-AF31-8CC7F0CAAA86" ascii wide nocase
$guid_0C117EE5_2A21_496D_AF31_8CC7F0CAAA86_bin = { E5 7E 11 0C 21 2A 6D 49 AF 31 8C C7 F0 CA AA 86 }
// Extracts passwords from a KeePass 2.x database directly from memory
// https://github.com/denandz/KeeFarce
$guid_0C3EB2F7_92BA_4895_99FC_7098A16FFE8C_str = "0C3EB2F7-92BA-4895-99FC-7098A16FFE8C" ascii wide nocase
$guid_0C3EB2F7_92BA_4895_99FC_7098A16FFE8C_bin = { F7 B2 3E 0C BA 92 95 48 99 FC 70 98 A1 6F FE 8C }
// Dump cookies directly from Chrome process memory
// https://github.com/Meckazin/ChromeKatz
$guid_0C81C7D4_736A_4876_A36E_15E5B2EF5117_str = "0C81C7D4-736A-4876-A36E-15E5B2EF5117" ascii wide nocase
$guid_0C81C7D4_736A_4876_A36E_15E5B2EF5117_bin = { D4 C7 81 0C 6A 73 76 48 A3 6E 15 E5 B2 EF 51 17 }
// PoCs for Kernelmode rootkit techniques research.
// https://github.com/daem0nc0re/VectorKernel/
$guid_0C89EC7D_AC60_4591_8F6B_CB5F20EC0D8D_str = "0C89EC7D-AC60-4591-8F6B-CB5F20EC0D8D" ascii wide nocase
$guid_0C89EC7D_AC60_4591_8F6B_CB5F20EC0D8D_bin = { 7D EC 89 0C 60 AC 91 45 8F 6B CB 5F 20 EC 0D 8D }
// ConfuserEx is a widely used open source obfuscator often found in malware
// https://github.com/yck1509/ConfuserEx
$guid_0C8F49D8_BD68_420A_907D_031B83737C50_str = "0C8F49D8-BD68-420A-907D-031B83737C50" ascii wide nocase
$guid_0C8F49D8_BD68_420A_907D_031B83737C50_bin = { D8 49 8F 0C 68 BD 0A 42 90 7D 03 1B 83 73 7C 50 }
// ArtsOfGetSystem privesc tools
// https://github.com/daem0nc0re/PrivFu/
$guid_0CC923FB_E1FD_456B_9FE4_9EBA5A3DC2FC_str = "0CC923FB-E1FD-456B-9FE4-9EBA5A3DC2FC" ascii wide nocase
$guid_0CC923FB_E1FD_456B_9FE4_9EBA5A3DC2FC_bin = { FB 23 C9 0C FD E1 6B 45 9F E4 9E BA 5A 3D C2 FC }
// PrintNightmare exploitation
// https://github.com/outflanknl/PrintNightmare
$guid_0CD16C7B_2A65_44E5_AB74_843BD23241D3_str = "0CD16C7B-2A65-44E5-AB74-843BD23241D3" ascii wide nocase
$guid_0CD16C7B_2A65_44E5_AB74_843BD23241D3_bin = { 7B 6C D1 0C 65 2A E5 44 AB 74 84 3B D2 32 41 D3 }
// Abusing mhyprotect to kill AVs / EDRs / XDRs / Protected Processes.
// https://github.com/zer0condition/mhydeath
$guid_0D17A4B4_A7C4_49C0_99E3_B856F9F3B271_str = "0D17A4B4-A7C4-49C0-99E3-B856F9F3B271" ascii wide nocase
$guid_0D17A4B4_A7C4_49C0_99E3_B856F9F3B271_bin = { B4 A4 17 0D C4 A7 C0 49 99 E3 B8 56 F9 F3 B2 71 }
// tools for Lateral Movement/Code Execution
// https://github.com/klezVirus/CheeseTools
$guid_0DD419E5_D7B3_4360_874E_5838A7519355_str = "0DD419E5-D7B3-4360-874E-5838A7519355" ascii wide nocase
$guid_0DD419E5_D7B3_4360_874E_5838A7519355_bin = { E5 19 D4 0D B3 D7 60 43 87 4E 58 38 A7 51 93 55 }
// Open-Source Remote Administration Tool For Windows C# (RAT)
// https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp
$guid_0DE8DA5D_061D_4649_8A56_48729CF1F789_str = "0DE8DA5D-061D-4649-8A56-48729CF1F789" ascii wide nocase
$guid_0DE8DA5D_061D_4649_8A56_48729CF1F789_bin = { 5D DA E8 0D 1D 06 49 46 8A 56 48 72 9C F1 F7 89 }
// Volumiser is a command line tool and interactive console GUI for listing - browsing and extracting files from common virtual machine hard disk image formats.
// https://github.com/CCob/Volumiser
$guid_0DF38AD4_60AF_4F93_9C7A_7FB7BA692017_str = "0DF38AD4-60AF-4F93-9C7A-7FB7BA692017" ascii wide nocase
$guid_0DF38AD4_60AF_4F93_9C7A_7FB7BA692017_bin = { D4 8A F3 0D AF 60 93 4F 9C 7A 7F B7 BA 69 20 17 }
// Dump lsass using only Native APIs by hand-crafting Minidump files (without MinidumpWriteDump!)
// https://github.com/ricardojoserf/NativeDump
$guid_0DF612AE_47D8_422C_B0C5_0727EA60784F_str = "0DF612AE-47D8-422C-B0C5-0727EA60784F" ascii wide nocase
$guid_0DF612AE_47D8_422C_B0C5_0727EA60784F_bin = { AE 12 F6 0D D8 47 2C 42 B0 C5 07 27 EA 60 78 4F }
// DcRat C2 A simple remote tool in C#
// https://github.com/qwqdanchun/DcRat
$guid_0E423DD6_FAAF_4A66_8828_6A5A5F22269B_str = "0E423DD6-FAAF-4A66-8828-6A5A5F22269B" ascii wide nocase
$guid_0E423DD6_FAAF_4A66_8828_6A5A5F22269B_bin = { D6 3D 42 0E AF FA 66 4A 88 28 6A 5A 5F 22 26 9B }
// EfiGuard is a portable x64 UEFI bootkit that patches the Windows boot manager - boot loader and kernel at boot time in order to disable PatchGuard and Driver Signature Enforcement (DSE).
// https://github.com/Mattiwatti/EfiGuard
$guid_0E4BAB8F_E6E0_47A8_8E99_8D451839967E_str = "0E4BAB8F-E6E0-47A8-8E99-8D451839967E" ascii wide nocase
$guid_0E4BAB8F_E6E0_47A8_8E99_8D451839967E_bin = { 8F AB 4B 0E E0 E6 A8 47 8E 99 8D 45 18 39 96 7E }
// active directory weakness scan Vulnerability scanner
// https://github.com/netwrix/pingcastle
$guid_0E5D043A_CAA1_40C7_A616_773F347FA43F_str = "0E5D043A-CAA1-40C7-A616-773F347FA43F" ascii wide nocase
$guid_0E5D043A_CAA1_40C7_A616_773F347FA43F_bin = { 3A 04 5D 0E A1 CA C7 40 A6 16 77 3F 34 7F A4 3F }
// A New Exploitation Technique for Visual Studio Projects
// https://github.com/cjm00n/EvilSln
$guid_0FE0D049_F352_477D_BCCD_ACBF7D4F6F15_str = "0FE0D049-F352-477D-BCCD-ACBF7D4F6F15" ascii wide nocase
$guid_0FE0D049_F352_477D_BCCD_ACBF7D4F6F15_bin = { 49 D0 E0 0F 52 F3 7D 47 BC CD AC BF 7D 4F 6F 15 }
// Windows Local Privilege Escalation from Service Account to System
// https://github.com/antonioCoco/RoguePotato
$guid_105C2C6D_1C0A_4535_A231_80E355EFB112_str = "105C2C6D-1C0A-4535-A231-80E355EFB112" ascii wide nocase
$guid_105C2C6D_1C0A_4535_A231_80E355EFB112_bin = { 6D 2C 5C 10 0A 1C 35 45 A2 31 80 E3 55 EF B1 12 }
// A Post-Compromise granular .NET library to embed persistency to persistency by abusing Security Descriptors of remote machines
// https://github.com/cybersectroll/SharpPersistSD
$guid_107EBC1B_0273_4B3D_B676_DE64B7F52B33_str = "107EBC1B-0273-4B3D-B676-DE64B7F52B33" ascii wide nocase
$guid_107EBC1B_0273_4B3D_B676_DE64B7F52B33_bin = { 1B BC 7E 10 73 02 3D 4B B6 76 DE 64 B7 F5 2B 33 }
// Spoofing desktop login applications with WinForms and WPF
// https://github.com/mlcsec/FormThief
$guid_10CC4D5B_DC87_4AEB_887B_E47367BF656B_str = "10CC4D5B-DC87-4AEB-887B-E47367BF656B" ascii wide nocase
$guid_10CC4D5B_DC87_4AEB_887B_E47367BF656B_bin = { 5B 4D CC 10 87 DC EB 4A 88 7B E4 73 67 BF 65 6B }
// from Malware RAT samples
// https://github.com/x-cod3r/Remote-administration-tools-archive
$guid_111BB935_2A0A_4AE2_AEB0_EF2FAA529840_str = "111BB935-2A0A-4AE2-AEB0-EF2FAA529840" ascii wide nocase
$guid_111BB935_2A0A_4AE2_AEB0_EF2FAA529840_bin = { 35 B9 1B 11 0A 2A E2 4A AE B0 EF 2F AA 52 98 40 }
// simple shellcode Loader - Encoders (base64 - custom - UUID - IPv4 - MAC) - Encryptors (AES) - Fileless Loader (Winhttp socket)
// https://github.com/TheD1rkMtr/Shellcode-Hide
$guid_11385CC1_54B7_4968_9052_DF8BB1961F1E_str = "11385CC1-54B7-4968-9052-DF8BB1961F1E" ascii wide nocase
$guid_11385CC1_54B7_4968_9052_DF8BB1961F1E_bin = { C1 5C 38 11 B7 54 68 49 90 52 DF 8B B1 96 1F 1E }
// remote administration tool for Windows (RAT)
// https://github.com/NYAN-x-CAT/Lime-RAT
$guid_116472CE_3924_40EA_90F9_50A1A00D0EC5_str = "116472CE-3924-40EA-90F9-50A1A00D0EC5" ascii wide nocase
$guid_116472CE_3924_40EA_90F9_50A1A00D0EC5_bin = { CE 72 64 11 24 39 EA 40 90 F9 50 A1 A0 0D 0E C5 }
// PoCs for Kernelmode rootkit techniques research.
// https://github.com/daem0nc0re/VectorKernel/
$guid_1250BAE1_D26F_4EF2_9452_9B5009568336_str = "1250BAE1-D26F-4EF2-9452-9B5009568336" ascii wide nocase
$guid_1250BAE1_D26F_4EF2_9452_9B5009568336_bin = { E1 BA 50 12 6F D2 F2 4E 94 52 9B 50 09 56 83 36 }
// MeshCentral is a full computer management web site - abused by attackers
// https://github.com/Ylianst/MeshAgent
$guid_128C450F_C8B3_403A_9D0C_E5AD6B7F566F_str = "128C450F-C8B3-403A-9D0C-E5AD6B7F566F" ascii wide nocase
$guid_128C450F_C8B3_403A_9D0C_E5AD6B7F566F_bin = { 0F 45 8C 12 B3 C8 3A 40 9D 0C E5 AD 6B 7F 56 6F }
// ConfuserEx is a widely used open source obfuscator often found in malware
// https://github.com/yck1509/ConfuserEx
$guid_13431429_2DB6_480F_B73F_CA019FE759E3_str = "13431429-2DB6-480F-B73F-CA019FE759E3" ascii wide nocase
$guid_13431429_2DB6_480F_B73F_CA019FE759E3_bin = { 29 14 43 13 B6 2D 0F 48 B7 3F CA 01 9F E7 59 E3 }
// Xeno-RAT is an open-source remote access tool (RAT) developed in C# providing a comprehensive set of features for remote system management. Has features such as HVNC - live microphone - reverse proxy and much much more
// https://github.com/moom825/xeno-rat
$guid_13A59BB8_0246_4FFA_951B_89B9A341F159_str = "13A59BB8-0246-4FFA-951B-89B9A341F159" ascii wide nocase
$guid_13A59BB8_0246_4FFA_951B_89B9A341F159_bin = { B8 9B A5 13 46 02 FA 4F 95 1B 89 B9 A3 41 F1 59 }
// Nidhogg is an all-in-one simple to use rootkit for red teams.
// https://github.com/Idov31/Nidhogg
$guid_13C57810_FF18_4258_ABC9_935040A54F0B_str = "13C57810-FF18-4258-ABC9-935040A54F0B" ascii wide nocase
$guid_13C57810_FF18_4258_ABC9_935040A54F0B_bin = { 10 78 C5 13 18 FF 58 42 AB C9 93 50 40 A5 4F 0B }
// SharpExShell automates the DCOM lateral movement technique which abuses the ActivateMicrosoftApp method of the Excel application
// https://github.com/grayhatkiller/SharpExShell
$guid_13C84182_2F5F_4EE8_A37A_4483E7E57154_str = "13C84182-2F5F-4EE8-A37A-4483E7E57154" ascii wide nocase
$guid_13C84182_2F5F_4EE8_A37A_4483E7E57154_bin = { 82 41 C8 13 5F 2F E8 4E A3 7A 44 83 E7 E5 71 54 }
// XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.
// https://github.com/FSecureLABS/Xrulez
$guid_14083A04_DD4B_4E7D_A16E_86947D3D6D74_str = "14083A04-DD4B-4E7D-A16E-86947D3D6D74" ascii wide nocase
$guid_14083A04_DD4B_4E7D_A16E_86947D3D6D74_bin = { 04 3A 08 14 4B DD 7D 4E A1 6E 86 94 7D 3D 6D 74 }
// from Malware RAT samples
// https://github.com/x-cod3r/Remote-administration-tools-archive
$guid_14CA405B_8BAC_48AB_9FBA_8FB5DF88FD0D_str = "14CA405B-8BAC-48AB-9FBA-8FB5DF88FD0D" ascii wide nocase
$guid_14CA405B_8BAC_48AB_9FBA_8FB5DF88FD0D_bin = { 5B 40 CA 14 AC 8B AB 48 9F BA 8F B5 DF 88 FD 0D }
// exploit for CVE-2020-1472
// https://github.com/leitosama/SharpZeroLogon
$guid_15ce9a3c_4609_4184_87b2_e29fc5e2b770_str = "15ce9a3c-4609-4184-87b2-e29fc5e2b770" ascii wide nocase
$guid_15ce9a3c_4609_4184_87b2_e29fc5e2b770_bin = { 3C 9A CE 15 09 46 84 41 87 B2 E2 9F C5 E2 B7 70 }
// Injects a DLL into a suspended process running as SYSTEM via the OfficeClickToRun service for privilege escalation - Shim Injector: Injects a DLL into a process by modifying shim data in memory without creating or registering new SDB files to evade detection.
// https://github.com/deepinstinct/ShimMe
$guid_1605d453_7d62_4198_a436_27e48ef828eb_str = "1605d453-7d62-4198-a436-27e48ef828eb" ascii wide nocase
$guid_1605d453_7d62_4198_a436_27e48ef828eb_bin = { 53 D4 05 16 62 7D 98 41 A4 36 27 E4 8E F8 28 EB }
// simple shellcode Loader - Encoders (base64 - custom - UUID - IPv4 - MAC) - Encryptors (AES) - Fileless Loader (Winhttp socket)
// https://github.com/TheD1rkMtr/Shellcode-Hide
$guid_1617117C_0E94_4E6A_922C_836D616EC1F5_str = "1617117C-0E94-4E6A-922C-836D616EC1F5" ascii wide nocase
$guid_1617117C_0E94_4E6A_922C_836D616EC1F5_bin = { 7C 11 17 16 94 0E 6A 4E 92 2C 83 6D 61 6E C1 F5 }
// notable code snippets for Offensive Security's PEN-300 (OSEP) course
// https://github.com/chvancooten/OSEP-Code-Snippets
$guid_1659E645_27B0_4AB9_A10E_64BA4B801CB0_str = "1659E645-27B0-4AB9-A10E-64BA4B801CB0" ascii wide nocase
$guid_1659E645_27B0_4AB9_A10E_64BA4B801CB0_bin = { 45 E6 59 16 B0 27 B9 4A A1 0E 64 BA 4B 80 1C B0 }
// PoCs for Kernelmode rootkit techniques research.
// https://github.com/daem0nc0re/VectorKernel/
$guid_171A9A71_EDEF_4891_9828_44434A00585E_str = "171A9A71-EDEF-4891-9828-44434A00585E" ascii wide nocase
$guid_171A9A71_EDEF_4891_9828_44434A00585E_bin = { 71 9A 1A 17 EF ED 91 48 98 28 44 43 4A 00 58 5E }
// Collection of self-made Red Team tools
// https://github.com/samkenxstream/SAMkenXCCorePHdLAwiN8SoLr77
$guid_17332F12_D796_42D1_9A3E_460590A49382_str = "17332F12-D796-42D1-9A3E-460590A49382" ascii wide nocase
$guid_17332F12_D796_42D1_9A3E_460590A49382_bin = { 12 2F 33 17 96 D7 D1 42 9A 3E 46 05 90 A4 93 82 }
// Extracts passwords from a KeePass 2.x database directly from memory
// https://github.com/denandz/KeeFarce
$guid_17589EA6_FCC9_44BB_92AD_D5B3EEA6AF03_str = "17589EA6-FCC9-44BB-92AD-D5B3EEA6AF03" ascii wide nocase
$guid_17589EA6_FCC9_44BB_92AD_D5B3EEA6AF03_bin = { A6 9E 58 17 C9 FC BB 44 92 AD D5 B3 EE A6 AF 03 }
// mimikatz UUID
// https://github.com/gentilkiwi/mimikatz
$guid_17FC11E9_C258_4B8D_8D07_2F4125156244_str = "17FC11E9-C258-4B8D-8D07-2F4125156244" ascii wide nocase
$guid_17FC11E9_C258_4B8D_8D07_2F4125156244_bin = { E9 11 FC 17 58 C2 8D 4B 8D 07 2F 41 25 15 62 44 }
// Decrypt Navicat,Xmanager,Filezilla,Foxmail,WinSCP,etc
// https://github.com/RowTeam/SharpDecryptPwd
$guid_1824ED63_BE4D_4306_919D_9C749C1AE271_str = "1824ED63-BE4D-4306-919D-9C749C1AE271" ascii wide nocase
$guid_1824ED63_BE4D_4306_919D_9C749C1AE271_bin = { 63 ED 24 18 4D BE 06 43 91 9D 9C 74 9C 1A E2 71 }
// notable code snippets for Offensive Security's PEN-300 (OSEP) course
// https://github.com/chvancooten/OSEP-Code-Snippets
$guid_189219A1_9A2A_4B09_8F69_6207E9996F94_str = "189219A1-9A2A-4B09-8F69-6207E9996F94" ascii wide nocase
$guid_189219A1_9A2A_4B09_8F69_6207E9996F94_bin = { A1 19 92 18 2A 9A 09 4B 8F 69 62 07 E9 99 6F 94 }
// Hide your PowerShell script in plain sight! Invisi-Shell bypasses PowerShell's security features (ScriptBlock logging, Module logging, Transcription, AMSI) by hooking .NET assemblies. The hook is performed via the CLR Profiler API.
// https://github.com/OmerYa/Invisi-Shell
$guid_18A66118_B98D_4FFC_AABE_DAFF5779F14C_str = "18A66118-B98D-4FFC-AABE-DAFF5779F14C" ascii wide nocase
$guid_18A66118_B98D_4FFC_AABE_DAFF5779F14C_bin = { 18 61 A6 18 8D B9 FC 4F AA BE DA FF 57 79 F1 4C }
// proof-of-concept of Process Forking.
// https://github.com/D4stiny/ForkPlayground
$guid_18C681A2_072F_49D5_9DE6_74C979EAE08B_str = "18C681A2-072F-49D5-9DE6-74C979EAE08B" ascii wide nocase
$guid_18C681A2_072F_49D5_9DE6_74C979EAE08B_bin = { A2 81 C6 18 2F 07 D5 49 9D E6 74 C9 79 EA E0 8B }
// C++ stealer (passwords - cookies - forms - cards - wallets)
// https://github.com/SecUser1/PredatorTheStealer
$guid_190DFAEB_0288_4043_BE0E_3273FA653B52_str = "190DFAEB-0288-4043-BE0E-3273FA653B52" ascii wide nocase
$guid_190DFAEB_0288_4043_BE0E_3273FA653B52_bin = { EB FA 0D 19 88 02 43 40 BE 0E 32 73 FA 65 3B 52 }
// A C# Command & Control framework
// https://github.com/DragoQCC/HardHatC2
$guid_196B8469_F798_4ECC_9A77_C1CAB5BF6EAE_str = "196B8469-F798-4ECC-9A77-C1CAB5BF6EAE" ascii wide nocase
$guid_196B8469_F798_4ECC_9A77_C1CAB5BF6EAE_bin = { 69 84 6B 19 98 F7 CC 4E 9A 77 C1 CA B5 BF 6E AE }
// DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain.
// https://github.com/dafthack/DomainPasswordSpray
$guid_1a3c4069_8c11_4336_bef8_9a43c0ba60e2_str = "1a3c4069-8c11-4336-bef8-9a43c0ba60e2" ascii wide nocase
$guid_1a3c4069_8c11_4336_bef8_9a43c0ba60e2_bin = { 69 40 3C 1A 11 8C 36 43 BE F8 9A 43 C0 BA 60 E2 }
// registry manipulation to create scheduled tasks without triggering the usual event logs.
// https://github.com/dmcxblue/SharpGhostTask
$guid_1A8C9BD8_1800_46B0_8E22_7D3823C68366_str = "1A8C9BD8-1800-46B0-8E22-7D3823C68366" ascii wide nocase
$guid_1A8C9BD8_1800_46B0_8E22_7D3823C68366_bin = { D8 9B 8C 1A 00 18 B0 46 8E 22 7D 38 23 C6 83 66 }
// simple POC to show how to tunnel traffic through Azure Application Proxy
// https://github.com/xpn/AppProxyC2
$guid_1A99EBED_6E53_469F_88B7_F4C3D2C96B07_str = "1A99EBED-6E53-469F-88B7-F4C3D2C96B07" ascii wide nocase
$guid_1A99EBED_6E53_469F_88B7_F4C3D2C96B07_bin = { ED EB 99 1A 53 6E 9F 46 88 B7 F4 C3 D2 C9 6B 07 }
// Proof of concept code for thread pool based process injection in Windows.
// https://github.com/Uri3n/Thread-Pool-Injection-PoC
$guid_1AFD1BA3_028A_4E0F_82A8_095F38694ECF_str = "1AFD1BA3-028A-4E0F-82A8-095F38694ECF" ascii wide nocase
$guid_1AFD1BA3_028A_4E0F_82A8_095F38694ECF_bin = { A3 1B FD 1A 8A 02 0F 4E 82 A8 09 5F 38 69 4E CF }
// Exploit for the RpcEptMapper registry key permissions vulnerability (Windows 7 / 2008 R2 / 8 / 2012)
// https://github.com/itm4n/Perfusion
$guid_1B1F64B3_B8A4_4BBB_BB66_F020E2D4F288_str = "1B1F64B3-B8A4-4BBB-BB66-F020E2D4F288" ascii wide nocase
$guid_1B1F64B3_B8A4_4BBB_BB66_F020E2D4F288_bin = { B3 64 1F 1B A4 B8 BB 4B BB 66 F0 20 E2 D4 F2 88 }
// The LocalPotato attack is a type of NTLM reflection attack that targets local authentication. This attack allows for arbitrary file read/write and elevation of privilege.
// https://github.com/decoder-it/LocalPotato
$guid_1B3C96A3_F698_472B_B786_6FED7A205159_str = "1B3C96A3-F698-472B-B786-6FED7A205159" ascii wide nocase
$guid_1B3C96A3_F698_472B_B786_6FED7A205159_bin = { A3 96 3C 1B 98 F6 2B 47 B7 86 6F ED 7A 20 51 59 }
// remote backdoor used by a group of the same name (Carbanak). It is intended for espionage - data exfiltration and providing remote access to infected machines
// https://github.com/0x25bit/Updated-Carbanak-Source-with-Plugins
$guid_1B454840_E496_4F27_AA18_439A4E97BCC6_str = "1B454840-E496-4F27-AA18-439A4E97BCC6" ascii wide nocase
$guid_1B454840_E496_4F27_AA18_439A4E97BCC6_bin = { 40 48 45 1B 96 E4 27 4F AA 18 43 9A 4E 97 BC C6 }
// ConfuserEx is a widely used open source obfuscator often found in malware
// https://github.com/yck1509/ConfuserEx
$guid_1B52A3D9_014C_4CBF_BB98_09080D9A8D16_str = "1B52A3D9-014C-4CBF-BB98-09080D9A8D16" ascii wide nocase
$guid_1B52A3D9_014C_4CBF_BB98_09080D9A8D16_bin = { D9 A3 52 1B 4C 01 BF 4C BB 98 09 08 0D 9A 8D 16 }
// Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections
// https://github.com/bytecode77/r77-rootkit
$guid_1BA54A13_B390_47B3_9628_B58A2BBA193B_str = "1BA54A13-B390-47B3-9628-B58A2BBA193B" ascii wide nocase
$guid_1BA54A13_B390_47B3_9628_B58A2BBA193B_bin = { 13 4A A5 1B 90 B3 B3 47 96 28 B5 8A 2B BA 19 3B }
// Proof-of-Concept for CVE-2023-38146
// https://github.com/gabe-k/themebleed
$guid_1BACEDDC_CD87_41DC_948C_1C12F960BECB_str = "1BACEDDC-CD87-41DC-948C-1C12F960BECB" ascii wide nocase
$guid_1BACEDDC_CD87_41DC_948C_1C12F960BECB_bin = { DC ED AC 1B 87 CD DC 41 94 8C 1C 12 F9 60 BE CB }
// Local Service to SYSTEM privilege escalation from Windows 7 to Windows 10 / Server 2019
// https://github.com/CCob/SweetPotato
$guid_1BF9C10F_6F89_4520_9D2E_AAF17D17BA5E_str = "1BF9C10F-6F89-4520-9D2E-AAF17D17BA5E" ascii wide nocase
$guid_1BF9C10F_6F89_4520_9D2E_AAF17D17BA5E_bin = { 0F C1 F9 1B 89 6F 20 45 9D 2E AA F1 7D 17 BA 5E }
// Enumerate valid usernames from Office 365 using ActiveSync - Autodiscover v1 or office.com login page.
// https://github.com/gremwell/o365enum
$guid_1c50adeb_53ac_41b9_9c34_7045cffbae45_str = "1c50adeb-53ac-41b9-9c34-7045cffbae45" ascii wide nocase
$guid_1c50adeb_53ac_41b9_9c34_7045cffbae45_bin = { EB AD 50 1C AC 53 B9 41 9C 34 70 45 CF FB AE 45 }
// unhooking ntdll from disk - from KnownDlls - from suspended process - from remote server (fileless)
// https://github.com/TheD1rkMtr/ntdlll-unhooking-collection
$guid_1C5EDA8C_D27F_44A4_A156_6F863477194D_str = "1C5EDA8C-D27F-44A4-A156-6F863477194D" ascii wide nocase
$guid_1C5EDA8C_D27F_44A4_A156_6F863477194D_bin = { 8C DA 5E 1C 7F D2 A4 44 A1 56 6F 86 34 77 19 4D }
// shadowsocks is a fast tunnel proxy that helps you bypass firewalls. NOTE: this is widely deployed legitimate software; a hit on its GUID alone indicates proxy/tunnel tooling is present, not malicious intent — correlate with context before acting.
// https://github.com/shadowsocks/shadowsocks-windows
$guid_1CC6E8A9_1875_430C_B2BB_F227ACD711B1_str = "1CC6E8A9-1875-430C-B2BB-F227ACD711B1" ascii wide nocase
$guid_1CC6E8A9_1875_430C_B2BB_F227ACD711B1_bin = { A9 E8 C6 1C 75 18 0C 43 B2 BB F2 27 AC D7 11 B1 }
// A tool for auditing network shares in an Active Directory environment
// https://github.com/dionach/ShareAudit
$guid_1D1B59D9_10AF_40FE_BE99_578C09DB7A2A_str = "1D1B59D9-10AF-40FE-BE99-578C09DB7A2A" ascii wide nocase
$guid_1D1B59D9_10AF_40FE_BE99_578C09DB7A2A_bin = { D9 59 1B 1D AF 10 FE 40 BE 99 57 8C 09 DB 7A 2A }
// A tool for auditing network shares in an Active Directory environment
// https://github.com/dionach/ShareAudit
$guid_1DFC488D_E104_4F35_98DA_F23BF6D3F9DC_str = "1DFC488D-E104-4F35-98DA-F23BF6D3F9DC" ascii wide nocase
$guid_1DFC488D_E104_4F35_98DA_F23BF6D3F9DC_bin = { 8D 48 FC 1D 04 E1 35 4F 98 DA F2 3B F6 D3 F9 DC }
// Retrieve LAPS password from LDAP
// https://github.com/swisskyrepo/SharpLAPS
$guid_1E0986B4_4BF3_4CEA_A885_347B6D232D46_str = "1E0986B4-4BF3-4CEA-A885-347B6D232D46" ascii wide nocase
$guid_1E0986B4_4BF3_4CEA_A885_347B6D232D46_bin = { B4 86 09 1E F3 4B EA 4C A8 85 34 7B 6D 23 2D 46 }
// VBA payload generation framework
// https://github.com/trustedsec/The_Shelf
$guid_1e1f0cff_ff7a_406d_bd82_e53809a5e93a_str = "1e1f0cff-ff7a-406d-bd82-e53809a5e93a" ascii wide nocase
$guid_1e1f0cff_ff7a_406d_bd82_e53809a5e93a_bin = { FF 0C 1F 1E 7A FF 6D 40 BD 82 E5 38 09 A5 E9 3A }
// remote administration tool for Windows (RAT)
// https://github.com/NYAN-x-CAT/Lime-RAT
$guid_1E2A1E78_ED0B_414B_A956_86232B1025BE_str = "1E2A1E78-ED0B-414B-A956-86232B1025BE" ascii wide nocase
$guid_1E2A1E78_ED0B_414B_A956_86232B1025BE_bin = { 78 1E 2A 1E 0B ED 4B 41 A9 56 86 23 2B 10 25 BE }
// A Streamlined FTP-Driven Command and Control Conduit for Interconnecting Remote Systems
// https://github.com/PhrozenIO/SharpFtpC2
$guid_1E474090_96A7_433C_BFE6_0F8B45DECC42_str = "1E474090-96A7-433C-BFE6-0F8B45DECC42" ascii wide nocase
$guid_1E474090_96A7_433C_BFE6_0F8B45DECC42_bin = { 90 40 47 1E A7 96 3C 43 BF E6 0F 8B 45 DE CC 42 }
// Run Powershell without software restrictions.
// https://github.com/iomoath/PowerShx
$guid_1E70D62D_CC36_480F_82BB_E9593A759AF9_str = "1E70D62D-CC36-480F-82BB-E9593A759AF9" ascii wide nocase
$guid_1E70D62D_CC36_480F_82BB_E9593A759AF9_bin = { 2D D6 70 1E 36 CC 0F 48 82 BB E9 59 3A 75 9A F9 }
// SeTcbPrivilege exploitation
// https://github.com/daem0nc0re/PrivFu/
$guid_1eb987e0_23a5_415e_9194_cd961314441b_str = "1eb987e0-23a5-415e-9194-cd961314441b" ascii wide nocase
$guid_1eb987e0_23a5_415e_9194_cd961314441b_bin = { E0 87 B9 1E A5 23 5E 41 91 94 CD 96 13 14 44 1B }
// Keylogging server and client that uses DNS tunneling/exfiltration to transmit keystrokes
// https://github.com/Geeoon/DNS-Tunnel-Keylogger
$guid_1fc325f3_c548_43db_a13f_8c460dda8381_str = "1fc325f3-c548-43db-a13f-8c460dda8381" ascii wide nocase
$guid_1fc325f3_c548_43db_a13f_8c460dda8381_bin = { F3 25 C3 1F 48 C5 DB 43 A1 3F 8C 46 0D DA 83 81 }
// Tools for discovery and abuse of COM hijacks
// https://github.com/nccgroup/Accomplice
$guid_1FDCAD33_E5D1_4D5F_ACD5_FA6F8661DFE5_str = "1FDCAD33-E5D1-4D5F-ACD5-FA6F8661DFE5" ascii wide nocase
$guid_1FDCAD33_E5D1_4D5F_ACD5_FA6F8661DFE5_bin = { 33 AD DC 1F D1 E5 5F 4D AC D5 FA 6F 86 61 DF E5 }
// A C# implementation of RDPThief to steal credentials from RDP
// https://github.com/passthehashbrowns/SharpRDPThief
$guid_20B3AA84_9CA7_43E5_B0CD_8DBA5091DF92_str = "20B3AA84-9CA7-43E5-B0CD-8DBA5091DF92" ascii wide nocase
$guid_20B3AA84_9CA7_43E5_B0CD_8DBA5091DF92_bin = { 84 AA B3 20 A7 9C E5 43 B0 CD 8D BA 50 91 DF 92 }
// Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.
// https://github.com/hfiref0x/UACME
$guid_210A3DB2_11E3_4BB4_BE7D_554935DCCA43_str = "210A3DB2-11E3-4BB4-BE7D-554935DCCA43" ascii wide nocase
$guid_210A3DB2_11E3_4BB4_BE7D_554935DCCA43_bin = { B2 3D 0A 21 E3 11 B4 4B BE 7D 55 49 35 DC CA 43 }
// Recovering NTLM hashes from Credential Guard
// https://github.com/ly4k/PassTheChallenge
$guid_2116E6C5_F609_4CA8_B1A1_E87B7BE770A4_str = "2116E6C5-F609-4CA8-B1A1-E87B7BE770A4" ascii wide nocase
$guid_2116E6C5_F609_4CA8_B1A1_E87B7BE770A4_bin = { C5 E6 16 21 09 F6 A8 4C B1 A1 E8 7B 7B E7 70 A4 }
// ConfuserEx is a widely used open source obfuscator often found in malware
// https://github.com/yck1509/ConfuserEx
$guid_211A4598_B46E_4CD3_BA5A_1EC259D4DB5A_str = "211A4598-B46E-4CD3-BA5A-1EC259D4DB5A" ascii wide nocase
$guid_211A4598_B46E_4CD3_BA5A_1EC259D4DB5A_bin = { 98 45 1A 21 6E B4 D3 4C BA 5A 1E C2 59 D4 DB 5A }
// Adaptive DLL hijacking / dynamic export forwarding
// https://github.com/monoxgas/Koppeling
$guid_2150D252_AA17_45C2_8981_A6DCF7055CA6_str = "2150D252-AA17-45C2-8981-A6DCF7055CA6" ascii wide nocase
$guid_2150D252_AA17_45C2_8981_A6DCF7055CA6_bin = { 52 D2 50 21 17 AA C2 45 89 81 A6 DC F7 05 5C A6 }
// The goal of Shutter is to manage Windows network stack communication via the Windows Filtering Platform. Management can include blocking or permitting traffic based on IP or on the executable that initiates or receives the traffic.
// https://github.com/dsnezhkov/shutter
$guid_2164E6D9_6023_4932_A08F_7A5C15E2CA0B_str = "2164E6D9-6023-4932-A08F-7A5C15E2CA0B" ascii wide nocase
$guid_2164E6D9_6023_4932_A08F_7A5C15E2CA0B_bin = { D9 E6 64 21 23 60 32 49 A0 8F 7A 5C 15 E2 CA 0B }
// Creating a persistent service
// https://github.com/uknowsec/CreateService
$guid_22020898_6F0D_4D71_B14D_CB5897C5A6AA_str = "22020898-6F0D-4D71-B14D-CB5897C5A6AA" ascii wide nocase
$guid_22020898_6F0D_4D71_B14D_CB5897C5A6AA_bin = { 98 08 02 22 0D 6F 71 4D B1 4D CB 58 97 C5 A6 AA }
// Windows Privilege escalation POC exploitation for CVE-2024-49138
// https://github.com/emdnaia/CVE-2024-49138-POC
$guid_227c72ed_494a_4d29_9170_5e5994c12f5c_str = "227c72ed-494a-4d29-9170-5e5994c12f5c" ascii wide nocase
$guid_227c72ed_494a_4d29_9170_5e5994c12f5c_bin = { ED 72 7C 22 4A 49 29 4D 91 70 5E 59 94 C1 2F 5C }
// PoCs for sensitive token privileges such as SeDebugPrivilege
// https://github.com/daem0nc0re/PrivFu
$guid_2297A528_E866_4056_814A_D01C1C305A38_str = "2297A528-E866-4056-814A-D01C1C305A38" ascii wide nocase
$guid_2297A528_E866_4056_814A_D01C1C305A38_bin = { 28 A5 97 22 66 E8 56 40 81 4A D0 1C 1C 30 5A 38 }
// collection of C# tools that include functionalities like Kerberoasting - ticket manipulation - Mimikatz - privilege escalation - domain enumeration and more
// https://github.com/Lexus89/SharpPack
$guid_22A156EA_2623_45C7_8E50_E864D9FC44D3_str = "22A156EA-2623-45C7-8E50-E864D9FC44D3" ascii wide nocase
$guid_22A156EA_2623_45C7_8E50_E864D9FC44D3_bin = { EA 56 A1 22 23 26 C7 45 8E 50 E8 64 D9 FC 44 D3 }
// Enumerate valid usernames from Office 365 using ActiveSync - Autodiscover v1 or office.com login page.
// https://github.com/gremwell/o365enum
$guid_23975ac9_f51c_443a_8318_db006fd83100_str = "23975ac9-f51c-443a-8318-db006fd83100" ascii wide nocase
$guid_23975ac9_f51c_443a_8318_db006fd83100_bin = { C9 5A 97 23 1C F5 3A 44 83 18 DB 00 6F D8 31 00 }
// Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.
// https://github.com/hfiref0x/UACME
$guid_23A2E629_DC9D_46EA_8B5A_F1D60566EA09_str = "23A2E629-DC9D-46EA-8B5A-F1D60566EA09" ascii wide nocase
$guid_23A2E629_DC9D_46EA_8B5A_F1D60566EA09_bin = { 29 E6 A2 23 9D DC EA 46 8B 5A F1 D6 05 66 EA 09 }
// A tool that shows detailed information about named pipes in Windows
// https://github.com/cyberark/PipeViewer
$guid_2419CEDC_BF3A_4D8D_98F7_6403415BEEA4_str = "2419CEDC-BF3A-4D8D-98F7-6403415BEEA4" ascii wide nocase
$guid_2419CEDC_BF3A_4D8D_98F7_6403415BEEA4_bin = { DC CE 19 24 3A BF 8D 4D 98 F7 64 03 41 5B EE A4 }
// Perform DCSync operation
// https://github.com/notsoshant/DCSyncer
$guid_253e716a_ab96_4f87_88c7_052231ec2a12_str = "253e716a-ab96-4f87-88c7-052231ec2a12" ascii wide nocase
$guid_253e716a_ab96_4f87_88c7_052231ec2a12_bin = { 6A 71 3E 25 96 AB 87 4F 88 C7 05 22 31 EC 2A 12 }
// Another Windows Local Privilege Escalation from Service Account to System
// https://github.com/antonioCoco/JuicyPotatoNG
$guid_261f880e_4bee_428d_9f64_c29292002c19_str = "261f880e-4bee-428d-9f64-c29292002c19" ascii wide nocase
$guid_261f880e_4bee_428d_9f64_c29292002c19_bin = { 0E 88 1F 26 EE 4B 8D 42 9F 64 C2 92 92 00 2C 19 }
// XRulez is a Windows executable that can add malicious rules to Outlook from the command line of a compromised host.
// https://github.com/FSecureLABS/Xrulez
$guid_2661F29C_69F5_4010_9198_A418C061DD7C_str = "2661F29C-69F5-4010-9198-A418C061DD7C" ascii wide nocase
$guid_2661F29C_69F5_4010_9198_A418C061DD7C_bin = { 9C F2 61 26 F5 69 10 40 91 98 A4 18 C0 61 DD 7C }
// A PoC that combines AutodialDLL Lateral Movement technique and SSP to scrape NTLM hashes from LSASS process.
// https://github.com/mdsecactivebreach/DragonCastle
$guid_274F19EC_7CBA_4FC7_80E6_BB41C1FE6728_str = "274F19EC-7CBA-4FC7-80E6-BB41C1FE6728" ascii wide nocase
$guid_274F19EC_7CBA_4FC7_80E6_BB41C1FE6728_bin = { EC 19 4F 27 BA 7C C7 4F 80 E6 BB 41 C1 FE 67 28 }
// remote administration tool for Windows (RAT)
// https://github.com/NYAN-x-CAT/Lime-RAT
$guid_27CF1AE0_5FDE_4B31_A4DA_6FAD1D77351D_str = "27CF1AE0-5FDE-4B31-A4DA-6FAD1D77351D" ascii wide nocase
$guid_27CF1AE0_5FDE_4B31_A4DA_6FAD1D77351D_bin = { E0 1A CF 27 DE 5F 31 4B A4 DA 6F AD 1D 77 35 1D }
// Local Privilege Escalation from Admin to Kernel vulnerability on Windows 10 and Windows 11 operating systems with HVCI enabled.
// https://github.com/hakaioffsec/CVE-2024-21338
$guid_27E42E24_9F76_44E2_B1D6_82F68D5C4466_str = "27E42E24-9F76-44E2-B1D6-82F68D5C4466" ascii wide nocase
$guid_27E42E24_9F76_44E2_B1D6_82F68D5C4466_bin = { 24 2E E4 27 76 9F E2 44 B1 D6 82 F6 8D 5C 44 66 }
// Persistence by writing/reading shellcode from Event Log
// https://github.com/improsec/SharpEventPersist
$guid_27F85701_FD37_4D18_A107_20E914F8E779_str = "27F85701-FD37-4D18-A107-20E914F8E779" ascii wide nocase
$guid_27F85701_FD37_4D18_A107_20E914F8E779_bin = { 01 57 F8 27 37 FD 18 4D A1 07 20 E9 14 F8 E7 79 }
// A tool for auditing network shares in an Active Directory environment
// https://github.com/dionach/ShareAudit
$guid_28CF3837_FF58_463B_AF81_E6B0039DE55F_str = "28CF3837-FF58-463B-AF81-E6B0039DE55F" ascii wide nocase
$guid_28CF3837_FF58_463B_AF81_E6B0039DE55F_bin = { 37 38 CF 28 58 FF 3B 46 AF 81 E6 B0 03 9D E5 5F }
// PoCs for Kernelmode rootkit techniques research.
// https://github.com/daem0nc0re/VectorKernel/
$guid_28F9E001_67E0_4200_B120_3021596689E9_str = "28F9E001-67E0-4200-B120-3021596689E9" ascii wide nocase
$guid_28F9E001_67E0_4200_B120_3021596689E9_bin = { 01 E0 F9 28 E0 67 00 42 B1 20 30 21 59 66 89 E9 }
// Tool for viewing NTDS.dit
// https://github.com/trustedsec/DitExplorer
$guid_29021B28_61F9_492D_BB51_7CA8889087E5_str = "29021B28-61F9-492D-BB51-7CA8889087E5" ascii wide nocase
$guid_29021B28_61F9_492D_BB51_7CA8889087E5_bin = { 28 1B 02 29 F9 61 2D 49 BB 51 7C A8 88 90 87 E5 }
// remote backdoor used by a group of the same name (Carbanak). It is intended for espionage - data exfiltration and providing remote access to infected machines
// https://github.com/0x25bit/Updated-Carbanak-Source-with-Plugins
$guid_29390239_C06E_4F26_B5A3_594A08D8D30C_str = "29390239-C06E-4F26-B5A3-594A08D8D30C" ascii wide nocase
$guid_29390239_C06E_4F26_B5A3_594A08D8D30C_bin = { 39 02 39 29 6E C0 26 4F B5 A3 59 4A 08 D8 D3 0C }
// Github as C2
// https://github.com/TheD1rkMtr/GithubC2
$guid_29446C11_A1A5_47F6_B418_0D699C6C3339_str = "29446C11-A1A5-47F6-B418-0D699C6C3339" ascii wide nocase
$guid_29446C11_A1A5_47F6_B418_0D699C6C3339_bin = { 11 6C 44 29 A5 A1 F6 47 B4 18 0D 69 9C 6C 33 39 }
// Enumerate valid usernames from Office 365 using ActiveSync - Autodiscover v1 or office.com login page.
// https://github.com/gremwell/o365enum
$guid_2944dbfc_8a1e_4759_a8a2_e4568950601d_str = "2944dbfc-8a1e-4759-a8a2-e4568950601d" ascii wide nocase
$guid_2944dbfc_8a1e_4759_a8a2_e4568950601d_bin = { FC DB 44 29 1E 8A 59 47 A8 A2 E4 56 89 50 60 1D }
// Remote Command Executor: an OSS replacement for PsExec and RunAs
// https://github.com/kavika13/RemCom
$guid_29548EB7_5E44_21F9_5C82_15DDDC80449A_str = "29548EB7-5E44-21F9-5C82-15DDDC80449A" ascii wide nocase
$guid_29548EB7_5E44_21F9_5C82_15DDDC80449A_bin = { B7 8E 54 29 44 5E F9 21 5C 82 15 DD DC 80 44 9A }
// SharpStay - .NET Persistence
// https://github.com/0xthirteen/SharpStay
$guid_2963C954_7B1E_47F5_B4FA_2FC1F0D56AEA_str = "2963C954-7B1E-47F5-B4FA-2FC1F0D56AEA" ascii wide nocase
$guid_2963C954_7B1E_47F5_B4FA_2FC1F0D56AEA_bin = { 54 C9 63 29 1E 7B F5 47 B4 FA 2F C1 F0 D5 6A EA }
// Dump the memory of any PPL with a Userland exploit chain
// https://github.com/itm4n/PPLmedic
$guid_29CBBC24_363F_42D7_B018_5EF068BA8777_str = "29CBBC24-363F-42D7-B018-5EF068BA8777" ascii wide nocase
$guid_29CBBC24_363F_42D7_B018_5EF068BA8777_bin = { 24 BC CB 29 3F 36 D7 42 B0 18 5E F0 68 BA 87 77 }
// SharpSpray is a Windows domain password spraying tool written in .NET C#
// https://github.com/iomoath/SharpSpray
$guid_29CFAA16_9277_4EFB_9E91_A7D11225160B_str = "29CFAA16-9277-4EFB-9E91-A7D11225160B" ascii wide nocase
$guid_29CFAA16_9277_4EFB_9E91_A7D11225160B_bin = { 16 AA CF 29 77 92 FB 4E 9E 91 A7 D1 12 25 16 0B }
// RDP Wrapper Library, also abused by malware. NOTE: rdpwrap is an open-source project that is also installed deliberately by administrators; treat a hit as a dual-use indicator and confirm how it got onto the host.
// https://github.com/stascorp/rdpwrap
$guid_29E4E73B_EBA6_495B_A76C_FBB462196C64_str = "29E4E73B-EBA6-495B-A76C-FBB462196C64" ascii wide nocase
$guid_29E4E73B_EBA6_495B_A76C_FBB462196C64_bin = { 3B E7 E4 29 A6 EB 5B 49 A7 6C FB B4 62 19 6C 64 }
// ArtsOfGetSystem privesc tools
// https://github.com/daem0nc0re/PrivFu/
$guid_2AD3951D_DEA6_4CF7_88BE_4C73344AC9DA_str = "2AD3951D-DEA6-4CF7-88BE-4C73344AC9DA" ascii wide nocase
$guid_2AD3951D_DEA6_4CF7_88BE_4C73344AC9DA_bin = { 1D 95 D3 2A A6 DE F7 4C 88 BE 4C 73 34 4A C9 DA }
// DeadPotato is a windows privilege escalation utility from the Potato family of exploits leveraging the SeImpersonate right to obtain SYSTEM privileges
// https://github.com/lypd0/DeadPotato
$guid_2AE886C3_3272_40BE_8D3C_EBAEDE9E61E1_str = "2AE886C3-3272-40BE-8D3C-EBAEDE9E61E1" ascii wide nocase
$guid_2AE886C3_3272_40BE_8D3C_EBAEDE9E61E1_bin = { C3 86 E8 2A 72 32 BE 40 8D 3C EB AE DE 9E 61 E1 }
// remote administration tool for Windows (RAT)
// https://github.com/NYAN-x-CAT/Lime-RAT
$guid_2B47F84C_9CA3_47E9_9970_8AF8233A9F12_str = "2B47F84C-9CA3-47E9-9970-8AF8233A9F12" ascii wide nocase
$guid_2B47F84C_9CA3_47E9_9970_8AF8233A9F12_bin = { 4C F8 47 2B A3 9C E9 47 99 70 8A F8 23 3A 9F 12 }
// SeTcbPrivilege exploitation
// https://github.com/daem0nc0re/PrivFu/
$guid_2B704D89_41B9_4051_A51C_36A82ACEBE10_str = "2B704D89-41B9-4051-A51C-36A82ACEBE10" ascii wide nocase
$guid_2B704D89_41B9_4051_A51C_36A82ACEBE10_bin = { 89 4D 70 2B B9 41 51 40 A5 1C 36 A8 2A CE BE 10 }
// ConfuserEx is a widely used open source obfuscator often found in malware
// https://github.com/yck1509/ConfuserEx
$guid_2B914EE7_F206_4A83_B435_460D054315BB_str = "2B914EE7-F206-4A83-B435-460D054315BB" ascii wide nocase
$guid_2B914EE7_F206_4A83_B435_460D054315BB_bin = { E7 4E 91 2B 06 F2 83 4A B4 35 46 0D 05 43 15 BB }
// ConfuserEx is a widely used open source obfuscator often found in malware
// https://github.com/yck1509/ConfuserEx
$guid_2C059FE7_C868_4C6D_AFA0_D62BA3C1B2E1_str = "2C059FE7-C868-4C6D-AFA0-D62BA3C1B2E1" ascii wide nocase
$guid_2C059FE7_C868_4C6D_AFA0_D62BA3C1B2E1_bin = { E7 9F 05 2C 68 C8 6D 4C AF A0 D6 2B A3 C1 B2 E1 }
// MultiDump is a post-exploitation tool for dumping and extracting LSASS memory discreetly
// https://github.com/Xre0uS/MultiDump
$guid_2C6D323A_B51F_47CB_AD37_972FD051D475_str = "2C6D323A-B51F-47CB-AD37-972FD051D475" ascii wide nocase
$guid_2C6D323A_B51F_47CB_AD37_972FD051D475_bin = { 3A 32 6D 2C 1F B5 CB 47 AD 37 97 2F D0 51 D4 75 }
// injection technique abusing windows fork API to evade EDRs
// https://github.com/deepinstinct/Dirty-Vanity
$guid_2C809982_78A1_4F1C_B0E8_C957C93B242F_str = "2C809982-78A1-4F1C-B0E8-C957C93B242F" ascii wide nocase
$guid_2C809982_78A1_4F1C_B0E8_C957C93B242F_bin = { 82 99 80 2C A1 78 1C 4F B0 E8 C9 57 C9 3B 24 2F }
// Tool for abusing the Windows Filtering Platform for privilege escalation. It can launch a new console as NT AUTHORITY\SYSTEM or as another user that is logged on to the machine.
// https://github.com/deepinstinct/NoFilter
$guid_2CFB9E9E_479D_4E23_9A8E_18C92E06B731_str = "2CFB9E9E-479D-4E23-9A8E-18C92E06B731" ascii wide nocase
$guid_2CFB9E9E_479D_4E23_9A8E_18C92E06B731_bin = { 9E 9E FB 2C 9D 47 23 4E 9A 8E 18 C9 2E 06 B7 31 }
// Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections
// https://github.com/bytecode77/r77-rootkit
$guid_2D6FDD44_39B1_4FF8_8AE0_60A6B0979F5F_str = "2D6FDD44-39B1-4FF8-8AE0-60A6B0979F5F" ascii wide nocase
$guid_2D6FDD44_39B1_4FF8_8AE0_60A6B0979F5F_bin = { 44 DD 6F 2D B1 39 F8 4F 8A E0 60 A6 B0 97 9F 5F }
// This PoC shows a technique that can be used to weaponize privileged file write vulnerabilities on Windows. It provides an alternative to the DiagHub DLL loading exploit
// https://github.com/itm4n/UsoDllLoader
$guid_2D863D7A_A369_419C_B4B3_54BDB88B5816_str = "2D863D7A-A369-419C-B4B3-54BDB88B5816" ascii wide nocase
$guid_2D863D7A_A369_419C_B4B3_54BDB88B5816_bin = { 7A 3D 86 2D 69 A3 9C 41 B4 B3 54 BD B8 8B 58 16 }
// Hotkey-based keylogger for Windows
// https://github.com/yo-yo-yo-jbo/hotkeyz
$guid_2deff2ca_c313_4d85_aeee_414bac32e7ae_str = "2deff2ca-c313-4d85-aeee-414bac32e7ae" ascii wide nocase
$guid_2deff2ca_c313_4d85_aeee_414bac32e7ae_bin = { CA F2 EF 2D 13 C3 85 4D AE EE 41 4B AC 32 E7 AE }
// Windows injection of x86/x64 DLL and Shellcode
// https://github.com/Joe1sn/S-inject
$guid_2E98B8D4_7A26_4F04_A95D_2051B0AB884C_str = "2E98B8D4-7A26-4F04-A95D-2051B0AB884C" ascii wide nocase
$guid_2E98B8D4_7A26_4F04_A95D_2051B0AB884C_bin = { D4 B8 98 2E 26 7A 04 4F A9 5D 20 51 B0 AB 88 4C }
// p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell runspace environment (.NET). It has a lot of offensive PowerShell modules and binaries included to make the process of post-exploitation easier. What we tried was to build an "all in one" post-exploitation tool which we could use to bypass all mitigation solutions (or at least some of them), and that has all relevant tooling included. You can use it to perform modern attacks within Active Directory environments and create awareness within your Blue team so they can build the right defense strategies.
// https://github.com/Cn33liz/p0wnedShell
$guid_2E9B1462_F47C_48CA_9D85_004493892381_str = "2E9B1462-F47C-48CA-9D85-004493892381" ascii wide nocase
$guid_2E9B1462_F47C_48CA_9D85_004493892381_bin = { 62 14 9B 2E 7C F4 CA 48 9D 85 00 44 93 89 23 81 }
// SharpDPAPI is a C# port of some Mimikatz DPAPI functionality. NOTE: the GUID 2F00A05B-263D-4FCC-846B-DA82BD684603 below is also listed for Imanfeng/Telemetry (next entry, identical bytes; only the letter case of the YARA identifier differs and both strings are nocase), so a match on this GUID alone cannot attribute a sample to one project over the other.
// https://github.com/GhostPack/SharpDPAPI
$guid_2F00A05B_263D_4FCC_846B_DA82BD684603_str = "2F00A05B-263D-4FCC-846B-DA82BD684603" ascii wide nocase
$guid_2F00A05B_263D_4FCC_846B_DA82BD684603_bin = { 5B A0 00 2F 3D 26 CC 4F 84 6B DA 82 BD 68 46 03 }
// Abusing Windows Telemetry for persistence through registry modifications and scheduled tasks to execute arbitrary commands with system-level privileges. NOTE: the GUID 2f00a05b-263d-4fcc-846b-da82bd684603 below is the same value as the GhostPack/SharpDPAPI entry above (presumably a reused project GUID — not verified here); a match is ambiguous between the two tools, so do not report it as Telemetry without further evidence.
// https://github.com/Imanfeng/Telemetry
$guid_2f00a05b_263d_4fcc_846b_da82bd684603_str = "2f00a05b-263d-4fcc-846b-da82bd684603" ascii wide nocase
$guid_2f00a05b_263d_4fcc_846b_da82bd684603_bin = { 5B A0 00 2F 3D 26 CC 4F 84 6B DA 82 BD 68 46 03 }
// remote backdoor used by a group of the same name (Carbanak). It is intended for espionage - data exfiltration and providing remote access to infected machines
// https://github.com/0x25bit/Updated-Carbanak-Source-with-Plugins
$guid_2F8E74D2_3474_408C_9469_A4E3C97B7BBF_str = "2F8E74D2-3474-408C-9469-A4E3C97B7BBF" ascii wide nocase
$guid_2F8E74D2_3474_408C_9469_A4E3C97B7BBF_bin = { D2 74 8E 2F 74 34 8C 40 94 69 A4 E3 C9 7B 7B BF }
// PoCs for Kernelmode rootkit techniques research.
// https://github.com/daem0nc0re/VectorKernel/
$guid_2FB94059_2D49_4EEA_AAF8_7E89E249644B_str = "2FB94059-2D49-4EEA-AAF8-7E89E249644B" ascii wide nocase
$guid_2FB94059_2D49_4EEA_AAF8_7E89E249644B_bin = { 59 40 B9 2F 49 2D EA 4E AA F8 7E 89 E2 49 64 4B }
// Crack any Microsoft Windows users password without any privilege (Guest account included)
// https://github.com/PhrozenIO/win-brute-logon
$guid_2FE6C1D0_0538_48DB_B4FA_55F0296A5150_str = "2FE6C1D0-0538-48DB-B4FA-55F0296A5150" ascii wide nocase
$guid_2FE6C1D0_0538_48DB_B4FA_55F0296A5150_bin = { D0 C1 E6 2F 38 05 DB 48 B4 FA 55 F0 29 6A 51 50 }
// PAExec is a freely-redistributable re-implementation of SysInternals/Microsoft's popular PsExec program. NOTE: legitimate remote-administration tooling; a hit should be triaged as dual-use (lateral movement vs. sanctioned admin use) rather than treated as malware outright.
// https://github.com/poweradminllc/PAExec
$guid_2FEB96F5_08E6_48A3_B306_794277650A08_str = "2FEB96F5-08E6-48A3-B306-794277650A08" ascii wide nocase
$guid_2FEB96F5_08E6_48A3_B306_794277650A08_bin = { F5 96 EB 2F E6 08 A3 48 B3 06 79 42 77 65 0A 08 }
// Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.
// https://github.com/hfiref0x/UACME
$guid_304D5A8A_EF98_4E21_8F4D_91E66E0BECAC_str = "304D5A8A-EF98-4E21-8F4D-91E66E0BECAC" ascii wide nocase
$guid_304D5A8A_EF98_4E21_8F4D_91E66E0BECAC_bin = { 8A 5A 4D 30 98 EF 21 4E 8F 4D 91 E6 6E 0B EC AC }
// Dumpert, an LSASS memory dumper using direct system calls and API unhooking. Recent malware research shows that there is an increase in malware that is using direct system calls to evade user-mode API hooks used by security products. This tool demonstrates the use of direct system calls and API unhooking and combines these techniques in proof-of-concept code which can be used to create an LSASS memory dump using Cobalt Strike, while not touching disk and evading AV/EDR-monitored user-mode API calls.
// https://github.com/outflanknl/Dumpert
$guid_307088B9_2992_4DE7_A57D_9E657B1CE546_str = "307088B9-2992-4DE7-A57D-9E657B1CE546" ascii wide nocase
$guid_307088B9_2992_4DE7_A57D_9E657B1CE546_bin = { B9 88 70 30 92 29 E7 4D A5 7D 9E 65 7B 1C E5 46 }
// ConfuserEx is a widely used open source obfuscator often found in malware
// https://github.com/yck1509/ConfuserEx
$guid_30B8883F_A0A2_4256_ADCF_A790525D3696_str = "30B8883F-A0A2-4256-ADCF-A790525D3696" ascii wide nocase
$guid_30B8883F_A0A2_4256_ADCF_A790525D3696_bin = { 3F 88 B8 30 A2 A0 56 42 AD CF A7 90 52 5D 36 96 }
// Xeno-RAT is an open-source remote access tool (RAT) developed in C# providing a comprehensive set of features for remote system management. Has features such as HVNC - live microphone - reverse proxy and much much more
// https://github.com/moom825/xeno-rat
$guid_310FC5BE_6F5E_479C_A246_6093A39296C0_str = "310FC5BE-6F5E-479C-A246-6093A39296C0" ascii wide nocase
$guid_310FC5BE_6F5E_479C_A246_6093A39296C0_bin = { BE C5 0F 31 5E 6F 9C 47 A2 46 60 93 A3 92 96 C0 }
// remote backdoor used by a group of the same name (Carbanak). It is intended for espionage - data exfiltration and providing remote access to infected machines
// https://github.com/0x25bit/Updated-Carbanak-Source-with-Plugins
$guid_315C301F_E392_4F7D_9108_8E621C11D662_str = "315C301F-E392-4F7D-9108-8E621C11D662" ascii wide nocase
$guid_315C301F_E392_4F7D_9108_8E621C11D662_bin = { 1F 30 5C 31 92 E3 7D 4F 91 08 8E 62 1C 11 D6 62 }
// ConfuserEx is a widely used open source obfuscator often found in malware
// https://github.com/yck1509/ConfuserEx
$guid_32223BE8_3E78_489C_92ED_7900B26DFF43_str = "32223BE8-3E78-489C-92ED-7900B26DFF43" ascii wide nocase
$guid_32223BE8_3E78_489C_92ED_7900B26DFF43_bin = { E8 3B 22 32 78 3E 9C 48 92 ED 79 00 B2 6D FF 43 }
// The goal of Shutter is to manage Windows network-stack communication via the Windows Filtering Platform. Management can include blocking or permitting traffic based on IP address or on the executable that initiates or receives the traffic.
// https://github.com/dsnezhkov/shutter
$guid_326D0AB1_CF2F_4A9B_B612_04B62D4EBA89_str = "326D0AB1-CF2F-4A9B-B612-04B62D4EBA89" ascii wide nocase
$guid_326D0AB1_CF2F_4A9B_B612_04B62D4EBA89_bin = { B1 0A 6D 32 2F CF 9B 4A B6 12 04 B6 2D 4E BA 89 }
// AmperageKit: enables Recall in Windows 11 version 24H2 on unsupported devices
// https://github.com/thebookisclosed/AmperageKit
$guid_327F3F26_182F_4E58_ABEA_A0CEDBCA0FCD_str = "327F3F26-182F-4E58-ABEA-A0CEDBCA0FCD" ascii wide nocase
$guid_327F3F26_182F_4E58_ABEA_A0CEDBCA0FCD_bin = { 26 3F 7F 32 2F 18 58 4E AB EA A0 CE DB CA 0F CD }
// Open-Source Remote Administration Tool for Windows. Quasar is a fast and light-weight remote administration tool coded in C#.
// https://github.com/quasar/Quasar
$guid_32A2A734_7429_47E6_A362_E344A19C0D85_str = "32A2A734-7429-47E6-A362-E344A19C0D85" ascii wide nocase
$guid_32A2A734_7429_47E6_A362_E344A19C0D85_bin = { 34 A7 A2 32 29 74 E6 47 A3 62 E3 44 A1 9C 0D 85 }
// ConfuserEx is a widely used open source obfuscator often found in malware
// https://github.com/yck1509/ConfuserEx
$guid_32CE1CB1_B7D9_416F_8EFE_6A0055867537_str = "32CE1CB1-B7D9-416F-8EFE-6A0055867537" ascii wide nocase
$guid_32CE1CB1_B7D9_416F_8EFE_6A0055867537_bin = { B1 1C CE 32 D9 B7 6F 41 8E FE 6A 00 55 86 75 37 }
// SOAPHound: enumerates Active Directory environments via Active Directory Web Services (ADWS)
// https://github.com/FalconForceTeam/SOAPHound
$guid_33571B09_4E94_43CB_ABDC_0226D769E701_str = "33571B09-4E94-43CB-ABDC-0226D769E701" ascii wide nocase
$guid_33571B09_4E94_43CB_ABDC_0226D769E701_bin = { 09 1B 57 33 94 4E CB 43 AB DC 02 26 D7 69 E7 01 }
// CoercedPotato: from Patate (LOCAL/NETWORK SERVICE) to SYSTEM by abusing SeImpersonatePrivilege on Windows 10, Windows 11 and Server 2022.
// https://github.com/Prepouce/CoercedPotato
$guid_337ED7BE_969A_40C4_A356_BE99561F4633_str = "337ED7BE-969A-40C4-A356-BE99561F4633" ascii wide nocase
$guid_337ED7BE_969A_40C4_A356_BE99561F4633_bin = { BE D7 7E 33 9A 96 C4 40 A3 56 BE 99 56 1F 46 33 }
// RunAsWinTcb uses a userland exploit to run a DLL with a protection level of WinTcb-Light.
// https://github.com/tastypepperoni/RunAsWinTcb
$guid_33BF8AA2_18DE_4ED9_9613_A4118CBFC32A_str = "33BF8AA2-18DE-4ED9-9613-A4118CBFC32A" ascii wide nocase
$guid_33BF8AA2_18DE_4ED9_9613_A4118CBFC32A_bin = { A2 8A BF 33 DE 18 D9 4E 96 13 A4 11 8C BF C3 2A }
// RDPCredentialStealer is malware that steals credentials entered by users in RDP sessions, using API hooking with Detours in C++.
// https://github.com/S12cybersecurity/RDPCredentialStealer
$guid_33d0f399_f79a_44a2_a487_21fce657be35_str = "33d0f399-f79a-44a2-a487-21fce657be35" ascii wide nocase
$guid_33d0f399_f79a_44a2_a487_21fce657be35_bin = { 99 F3 D0 33 9A F7 A2 44 A4 87 21 FC E6 57 BE 35 }
// ConfuserEx is a widely used open source obfuscator often found in malware
// https://github.com/yck1509/ConfuserEx
$guid_3504F678_95FA_4DB2_8437_31A927CABC16_str = "3504F678-95FA-4DB2-8437-31A927CABC16" ascii wide nocase
$guid_3504F678_95FA_4DB2_8437_31A927CABC16_bin = { 78 F6 04 35 FA 95 B2 4D 84 37 31 A9 27 CA BC 16 }
// ScriptBlock Smuggling: spoofing PowerShell security logs and bypassing AMSI without reflection or patching
// https://github.com/BC-SECURITY/ScriptBlock-Smuggling
$guid_360F9CE5_D927_46B9_8416_4118D0B68360_str = "360F9CE5-D927-46B9-8416-4118D0B68360" ascii wide nocase
$guid_360F9CE5_D927_46B9_8416_4118D0B68360_bin = { E5 9C 0F 36 27 D9 B9 46 84 16 41 18 D0 B6 83 60 }
// Lime-RAT: remote administration tool (RAT) for Windows
// https://github.com/NYAN-x-CAT/Lime-RAT
$guid_363A6DE4_59D9_451B_A4FD_1FE763970E1E_str = "363A6DE4-59D9-451B-A4FD-1FE763970E1E" ascii wide nocase
$guid_363A6DE4_59D9_451B_A4FD_1FE763970E1E_bin = { E4 6D 3A 36 D9 59 1B 45 A4 FD 1F E7 63 97 0E 1E }
// NetRipper - Smart traffic sniffing for penetration testers
// https://github.com/NytroRST/NetRipper
$guid_36AB45D2_F886_4803_AA7E_6FD5520458FC_str = "36AB45D2-F886-4803-AA7E-6FD5520458FC" ascii wide nocase
$guid_36AB45D2_F886_4803_AA7E_6FD5520458FC_bin = { D2 45 AB 36 86 F8 03 48 AA 7E 6F D5 52 04 58 FC }
// Keylogger written in C#
// https://github.com/djhohnstein/SharpLogger
$guid_36E00152_E073_4DA8_AA0C_375B6DD680C4_str = "36E00152-E073-4DA8-AA0C-375B6DD680C4" ascii wide nocase
$guid_36E00152_E073_4DA8_AA0C_375B6DD680C4_bin = { 52 01 E0 36 73 E0 A8 4D AA 0C 37 5B 6D D6 80 C4 }
// PowerShdll runs PowerShell with DLLs only. It does not require access to powershell.exe, as it uses the PowerShell automation DLLs. PowerShdll can be run with rundll32.exe, installutil.exe, regsvcs.exe, regasm.exe, regsvr32.exe or as a standalone executable.
// https://github.com/p3nt4/PowerShdll
$guid_36EBF9AA_2F37_4F1D_A2F1_F2A45DEEAF21_str = "36EBF9AA-2F37-4F1D-A2F1-F2A45DEEAF21" ascii wide nocase
$guid_36EBF9AA_2F37_4F1D_A2F1_F2A45DEEAF21_bin = { AA F9 EB 36 37 2F 1D 4F A2 F1 F2 A4 5D EE AF 21 }
// CheeseTools: tools for lateral movement / code execution
// https://github.com/klezVirus/CheeseTools
$guid_36F9C306_5F45_4946_A259_610C05BD90DF_str = "36F9C306-5F45-4946-A259-610C05BD90DF" ascii wide nocase
$guid_36F9C306_5F45_4946_A259_610C05BD90DF_bin = { 06 C3 F9 36 45 5F 46 49 A2 59 61 0C 05 BD 90 DF }
// DebugAmsi is another way to bypass AMSI through the Windows process debugger mechanism.
// https://github.com/MzHmO/DebugAmsi
$guid_375D8508_F60D_4E24_9DF6_1E591D2FA474_str = "375D8508-F60D-4E24-9DF6-1E591D2FA474" ascii wide nocase
$guid_375D8508_F60D_4E24_9DF6_1E591D2FA474_bin = { 08 85 5D 37 0D F6 24 4E 9D F6 1E 59 1D 2F A4 74 }
// SharpPack: a collection of C# tools that include functionality such as Kerberoasting, ticket manipulation, Mimikatz, privilege escalation, domain enumeration and more
// https://github.com/Lexus89/SharpPack
$guid_3787435B_8352_4BD8_A1C6_E5A1B73921F4_str = "3787435B-8352-4BD8-A1C6-E5A1B73921F4" ascii wide nocase
$guid_3787435B_8352_4BD8_A1C6_E5A1B73921F4_bin = { 5B 43 87 37 52 83 D8 4B A1 C6 E5 A1 B7 39 21 F4 }
// DcRat C2: a simple remote tool in C#
// https://github.com/qwqdanchun/DcRat
$guid_378FC1AA_37BD_4C61_B5DE_4E45C2CDB8C9_str = "378FC1AA-37BD-4C61-B5DE-4E45C2CDB8C9" ascii wide nocase
$guid_378FC1AA_37BD_4C61_B5DE_4E45C2CDB8C9_bin = { AA C1 8F 37 BD 37 61 4C B5 DE 4E 45 C2 CD B8 C9 }
// DcRat C2: a simple remote tool in C#
// https://github.com/qwqdanchun/DcRat
$guid_37E20BAF_3577_4CD9_BB39_18675854E255_str = "37E20BAF-3577-4CD9-BB39-18675854E255" ascii wide nocase
$guid_37E20BAF_3577_4CD9_BB39_18675854E255_bin = { AF 0B E2 37 77 35 D9 4C BB 39 18 67 58 54 E2 55 }
// ConfuserEx is a widely used open source obfuscator often found in malware
// https://github.com/yck1509/ConfuserEx
$guid_382B6332_4A57_458D_96EB_B312688A7604_str = "382B6332-4A57-458D-96EB-B312688A7604" ascii wide nocase
$guid_382B6332_4A57_458D_96EB_B312688A7604_bin = { 32 63 2B 38 57 4A 8D 45 96 EB B3 12 68 8A 76 04 }
// Xiebro: command-and-control server and multi-person collaborative penetration-testing graphical framework
// https://github.com/INotGreen/Xiebro-Plugins
$guid_38AF011B_95F8_4F42_B4B9_B1AEE328A583_str = "38AF011B-95F8-4F42-B4B9-B1AEE328A583" ascii wide nocase
$guid_38AF011B_95F8_4F42_B4B9_B1AEE328A583_bin = { 1B 01 AF 38 F8 95 42 4F B4 B9 B1 AE E3 28 A5 83 }
// AutoHotkey - macro-creation and automation-oriented scripting utility for Windows. This is a legitimate, widely deployed utility, so a hit on this GUID alone is weak evidence of malicious activity; correlate with other indicators before acting on it.
// https://github.com/AutoHotkey/AutoHotkey
$guid_39037993_9571_4DF2_8E39_CD2909043574_str = "39037993-9571-4DF2-8E39-CD2909043574" ascii wide nocase
$guid_39037993_9571_4DF2_8E39_CD2909043574_bin = { 93 79 03 39 71 95 F2 4D 8E 39 CD 29 09 04 35 74 }
// EDRSandBlast is a tool written in C that weaponizes a vulnerable signed driver to bypass EDR detections
// https://github.com/wavestone-cdt/EDRSandblast
$guid_3A2FCB56_01A3_41B3_BDAA_B25F45784B23_str = "3A2FCB56-01A3-41B3-BDAA-B25F45784B23" ascii wide nocase
$guid_3A2FCB56_01A3_41B3_BDAA_B25F45784B23_bin = { 56 CB 2F 3A A3 01 B3 41 BD AA B2 5F 45 78 4B 23 }
// ConfuserEx is a widely used open source obfuscator often found in malware
// https://github.com/yck1509/ConfuserEx
$guid_3ADB8BB1_AE14_49DA_A7E1_1C0D9BEB76E9_str = "3ADB8BB1-AE14-49DA-A7E1-1C0D9BEB76E9" ascii wide nocase
$guid_3ADB8BB1_AE14_49DA_A7E1_1C0D9BEB76E9_bin = { B1 8B DB 3A 14 AE DA 49 A7 E1 1C 0D 9B EB 76 E9 }
// KrbRelay-SMBServer acts as an SMB server (instead of DCOM) to relay Kerberos AP-REQ messages to CIFS or HTTP
// https://github.com/decoder-it/KrbRelay-SMBServer
$guid_3B47EEBC_0D33_4E0B_BAB5_782D2D3680AF_str = "3B47EEBC-0D33-4E0B-BAB5-782D2D3680AF" ascii wide nocase
$guid_3B47EEBC_0D33_4E0B_BAB5_782D2D3680AF_bin = { BC EE 47 3B 33 0D 0B 4E BA B5 78 2D 2D 36 80 AF }
// ConfuserEx is a widely used open source obfuscator often found in malware
// https://github.com/yck1509/ConfuserEx