AiTM WebSocket Kit Relay
Adversary-in-the-Middle (AiTM) kits operate a server-side WebSocket reverse proxy (typically Node.js + Socket.IO) tha...
Detection is a game of economics.
Make it expensive for attackers to avoid your detections.
Each entry targets an invariant prerequisite attackers can't bypass - detections anchored here survive tool rotation and obfuscation. Learn the framework →
Detection finds RMM/LOLBAS abuse. Application control stops it pre-execution. Learn how MagicSword blocks RMM / LOLBAS abuse →
Adversary-in-the-Middle (AiTM) kits operate a server-side WebSocket reverse proxy (typically Node.js + Socket.IO) tha...
Infostealers harvest credentials, cookies, and autofill data from browser credential databases. The invariant across ...
To extract plaintext credentials, NTLM hashes, or Kerberos tickets from a live Windows system, an attacker must read ...
Adversaries impair or neutralize EDR/AV products before executing their primary payload to prevent detection and resp...
Before encrypting files, ransomware operators stop and delete security tools, backup services, and database engines t...
Adversaries plant web-accessible scripts (web shells) on compromised servers to maintain persistent command execution...
Adversaries bring legitimate, vendor-signed scripting interpreters (Python, PHP, Node.js, Ruby, Perl, AutoHotKey, etc...
Adversaries abuse the OAuth 2.0 device authorization grant flow to obtain Microsoft access and refresh tokens without...
Within 10-20 minutes of successful AiTM session token theft, Tycoon 2FA's operator console tier executes an automated...
User pastes a malicious command from their clipboard into a Run dialog, terminal, or Explorer address bar. The lure p...
Legitimate RMM tools are renamed or masqueraded to appear as trusted applications (tax documents, invoices, IT suppor...
Offensive security tools (Impacket, NetExec, CrackMapExec, Evil-WinRM) used for remote code execution across Windows ...
After capturing a victim's session via AiTM proxy, the Tycoon 2FA kit registers a synthetic device with Microsoft Dev...
No chokepoints match your search.