Muz1K1zuM

Havoc C2 BOF port of the KslD.sys BYOVD technique. Credential extraction from lsass via physical memory — no OpenProcess, no auditable API calls.

18 stars, 69% credibility. Found Apr 02, 2026 at 18 stars.
AI Summary (language: C)

A red team toolkit for the Havoc C2 framework that extracts Windows credentials stealthily using a pre-installed Microsoft driver.

How It Works

1. 🔍 Discover the tool: You hear about a helpful security testing tool from fellow testers on GitHub or forums.
2. 📥 Get it ready: Download the files and prepare them so they're good to go for your tests.
3. 💻 Set up test session: In your own controlled lab, connect to a Windows computer you're allowed to test.
4. 🚀 Run credential scan: Launch the tool during your session to quietly look for stored logins without alerts.
5. Watch it work: The tool runs smoothly in the background, gathering info securely.
6. 📋 Review results: Get a clear list of usernames, passwords, and hashes right in your session.
7. Test complete: Finish your security check with valuable insights for your report, all cleaned up safely.


AI-Generated Review

What is kslkatz_bof?

This C-based Beacon Object File (BOF) for the Havoc C2 framework ports the KslD.sys BYOVD technique to extract credentials from lsass physical memory. It pulls NT hashes, WDigest cleartext passwords (if enabled), and LSA keys without OpenProcess or other auditable API calls, running in-process via Havoc C2 beacons. Red teamers get stealthy dumping on Windows 7-11 and Server 2016-2022, with Credential Guard detection.

Why is it gaining traction?

Unlike standalone tools or noisy dumpers, this Havoc BOF avoids EDR triggers by leveraging an existing vulnerable Microsoft-signed driver: no disk drops, no process spawns. The BOF workflow shines here: compile once with mingw-gcc, then inline-execute in beacons for native C2 tasking and output. Its build-aware offsets and KASLR bypass make it reliable across OS versions, even post-patch.

Who should use this?

Red team operators running Havoc C2 in authorized engagements, especially those targeting domain credentials without alerting lsass monitors. It's for post-compromise operations where stealth trumps speed, such as evading API-based behavioral detection in enterprise hunts. Skip it if you're on Cobalt Strike or need zero kernel interaction.

Verdict

Solid for Havoc users needing a low-trace credential tool, but with only 18 stars and a credibility score of about 0.7, treat it as experimental: strong README but unproven at scale. Test in labs first; pair it with a standard Havoc install for quick module integration.
