Skip to content

Instantly share code, notes, and snippets.

View AlloySecureGroup's full-sized avatar

Alloy Secure Group AlloySecureGroup

View GitHub Profile
@AlloySecureGroup
AlloySecureGroup / Scan-InMemoryCompilePatterns.ps1
Created July 18, 2026 00:24
WDAC Bypass Capability Scanner
<#
.SYNOPSIS
Scans local .NET binaries for signatures matching two known LOLBAS-relevant
capability classes:
Tier1 - Self-contained compile-and-run (CodeDom or Roslyn compiling to
memory and executing without writing a payload assembly to disk).
Tier2 - Trusted loader of pre-built code (loads and invokes a caller
supplied DLL, e.g. InstallUtil-style installer class execution).
@AlloySecureGroup
AlloySecureGroup / Find-ComScriptSurface.ps1
Last active July 16, 2026 20:18
WDAC Evasion Finder
<#
.SYNOPSIS
Identifies registered COM DLLs with scripting or dynamic .NET loading
characteristics.
.DESCRIPTION
Read-only defensive scanner that examines registered in-process COM servers.
It detects:
- CATID_ActiveScript registration
@AlloySecureGroup
AlloySecureGroup / README.MD
Last active July 15, 2026 14:25
Bret Victor's Inventing on Principle Time Travel Debugger - recreation. Experiment in creators using AI to quicky get feedback.

Time Travel Debugger

A single page web app inspired by Bret Victor's talk "Inventing on Principle".

Talk: https://www.youtube.com/watch?v=PUv66718DII

In the talk, Bret Victor demonstrates a Mario style game in JavaScript with a time travel debugger. He can pause the game, scrub back and forth through time, see trails of the character's past and future, and change values in the code to see how the future changes.

This project recreates that demo in a single HTML file: time-travel-debugger.html. Open it in any browser. There are no dependencies and no build step.

@AlloySecureGroup
AlloySecureGroup / Enumerate-UrlSchemes.ps1
Last active July 15, 2026 09:45
Scheme Hunter - Enumerate URI schemes and prototype invocation
<#
.SYNOPSIS
Enumerates all registered URI/URL protocol handlers ("schemes") on a
Windows endpoint and statically risk-scores them for potential
execution-primitive abuse (cf. search-ms:, ms-officecmd:, and similar
scheme-hijack findings).
.DESCRIPTION
Does NOT invoke any handler. Purely reads HKEY_CLASSES_ROOT and
HKEY_CURRENT_USER\Software\Classes for keys that carry the