Verified 2026-03-09 · All tests live

51 tests. 0 failures.

Every tool, every database, every edge case — documented and verified against a live server. This is the unfiltered output record of CodeRed MCP in production.

24/24  Smoke Test         Direct function calls · all tool modules
27/27  Live Server Test   Real MCP endpoint · full protocol flow
24/24  Tool Verification  24 tools · complete input/output validation

Intelligence Databases

1,234 techniques. 6 sources.

Database    Platform            Entries
LOLBAS      Windows                 227
GTFOBins    Linux                   175
WADComs     Active Directory         99
LOLDrivers  Kernel / BYOVD          508
PAT         Web / App                66
PEASS-ng    Enumeration             159
Total                             1,234

Real Outputs

Tool output showcase

Every output below is an actual response from CodeRed MCP — no mocking, no sanitization.

attack_chain() · Planning

One call from plain-English objective to a fully-phased kill chain with stealth scores and MITRE IDs.

VERIFIED ✓
{
  "scenario": "domain user → domain admin",
  "target_os": "windows",
  "has_creds": false,
  "total_techniques": 23,
  "phases": [
    {
      "name": "Phase 1 — Reconnaissance & Enumeration",
      "techniques": [
        { "name": "ADCSEnumeration",          "source": "WADComs",    "stealth_score": 90 },
        { "name": "BloodHound.py",            "source": "WADComs",    "stealth_score": 90,  "requires": ["No_Creds"] },
        { "name": "Pktmon.exe",               "source": "LOLBAS",     "stealth_score": 75 },
        { "name": "Psr.exe",                  "source": "LOLBAS",     "stealth_score": 65 }
      ]
    },
    {
      "name": "Phase 2 — Initial Access & Exploitation",
      "techniques": [
        { "name": "AppLauncher.exe",          "source": "LOLBAS",     "stealth_score": 100 },
        { "name": "Dementor",                 "source": "WADComs",    "stealth_score": 70 },
        { "name": "Evil-WinRM-PTH",           "source": "WADComs",    "stealth_score": 70 }
      ]
    },
    {
      "name": "Phase 3 — Privilege Escalation",
      "techniques": [
        { "name": "isodrivep64.sys",          "source": "LOLDrivers", "stealth_score": 95 },
        { "name": "AsrDrv10.sys",             "source": "LOLDrivers", "stealth_score": 95 }
      ]
    },
    {
      "name": "Phase 4 — Lateral Movement",
      "techniques": [
        { "name": "Impacket-NTLMRelayX-Socks","source": "WADComs",    "stealth_score": 70,  "requires": ["No_Creds"] },
        { "name": "Impacket-PsExec-PassTheTicket","source": "WADComs","stealth_score": 70 }
      ]
    },
    {
      "name": "Phase 5 — Persistence & Impact",
      "techniques": [
        { "name": "Findstr.exe",              "source": "LOLBAS",     "stealth_score": 85 },
        { "name": "Forfiles.exe",             "source": "LOLBAS",     "stealth_score": 85 }
      ]
    }
  ],
  "notes": [
    "No creds — chain prioritises no-auth AD attacks: ASREPRoasting, NTLM relay",
    "LOLDrivers BYOVD in Phase 3 for EDR neutralisation"
  ]
}

attack_chain()

From one call to a full kill chain

Describe an objective in plain English. CodeRed queries 6 databases, ranks techniques by stealth score, and structures a MITRE-mapped engagement plan.
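To show how the attack_chain() JSON above can be consumed on the receiving end, here is an added Python example (not CodeRed's own code and not part of this page) that flattens the phased response and, from a defender's side, lists the techniques with the highest stealth scores, i.e. the ones least likely to be caught and therefore first in line for detection engineering. The sample data is copied from the response above (13 visible techniques; phase and scenario strings use plain hyphens), with the function names being my own.

```python
from collections import Counter

# Constructed sample: the attack_chain() response shown on this page, limited to
# the 13 techniques visible in the showcase (the live response reports 23).
SAMPLE_CHAIN = {
    "scenario": "domain user -> domain admin", "target_os": "windows", "has_creds": False,
    "phases": [
        {"name": "Phase 1 - Reconnaissance & Enumeration", "techniques": [
            {"name": "ADCSEnumeration", "source": "WADComs", "stealth_score": 90},
            {"name": "BloodHound.py", "source": "WADComs", "stealth_score": 90, "requires": ["No_Creds"]},
            {"name": "Pktmon.exe", "source": "LOLBAS", "stealth_score": 75},
            {"name": "Psr.exe", "source": "LOLBAS", "stealth_score": 65}]},
        {"name": "Phase 2 - Initial Access & Exploitation", "techniques": [
            {"name": "AppLauncher.exe", "source": "LOLBAS", "stealth_score": 100},
            {"name": "Dementor", "source": "WADComs", "stealth_score": 70},
            {"name": "Evil-WinRM-PTH", "source": "WADComs", "stealth_score": 70}]},
        {"name": "Phase 3 - Privilege Escalation", "techniques": [
            {"name": "isodrivep64.sys", "source": "LOLDrivers", "stealth_score": 95},
            {"name": "AsrDrv10.sys", "source": "LOLDrivers", "stealth_score": 95}]},
        {"name": "Phase 4 - Lateral Movement", "techniques": [
            {"name": "Impacket-NTLMRelayX-Socks", "source": "WADComs", "stealth_score": 70, "requires": ["No_Creds"]},
            {"name": "Impacket-PsExec-PassTheTicket", "source": "WADComs", "stealth_score": 70}]},
        {"name": "Phase 5 - Persistence & Impact", "techniques": [
            {"name": "Findstr.exe", "source": "LOLBAS", "stealth_score": 85},
            {"name": "Forfiles.exe", "source": "LOLBAS", "stealth_score": 85}]},
    ],
}


def flatten_chain(chain):
    """One flat record per technique, tagged with the phase it belongs to."""
    rows = []
    for phase in chain["phases"]:
        for t in phase["techniques"]:
            rows.append({"phase": phase["name"], "name": t["name"], "source": t["source"],
                         "stealth": t["stealth_score"], "requires": t.get("requires", [])})
    return rows


def detection_priorities(chain, min_stealth=85):
    """Names of techniques scoring at or above min_stealth, most evasive first.
    For a blue team this is the order in which to build or validate detections."""
    rows = [r for r in flatten_chain(chain) if r["stealth"] >= min_stealth]
    return [r["name"] for r in sorted(rows, key=lambda r: (-r["stealth"], r["name"]))]


def source_counts(chain):
    """How many techniques each intelligence database contributed to the chain."""
    return Counter(r["source"] for r in flatten_chain(chain))
```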

attack_chain — executive summary
  [foothold — User]
       │
       ▼  PHASE 1  ┄ Recon & Enumeration
       │            ├─ ADCSEnumeration   [WADComs]   90/100
       │            └─ BloodHound.py     [WADComs]   90/100
       │
       ▼  PHASE 2  ┄ Initial Access
       │            ├─ AppLauncher.exe   [LOLBAS]   100/100
       │            └─ Dementor          [WADComs]    70/100
       │
       ▼  PHASE 3  ┄ Privilege Escalation
       │            ├─ isodrivep64.sys   [Drivers]   95/100
       │            └─ AsrDrv10.sys      [Drivers]   95/100
       │
       ▼  PHASE 4  ┄ Lateral Movement
       │            ├─ NTLM RelayX-Socks [WADComs]   70/100
       │            └─ PsExec-PTH        [WADComs]   70/100
       │
       ▼  PHASE 5  ┄ Persistence
       │            └─ Findstr.exe       [LOLBAS]    85/100
       │
  [Domain Admin]  →  23 techniques · 5 phases
evasion scores — selected binaries
Binary           MITRE       σ  Evasion
cmdkey.exe       T1078       0  VERY LOW
findstr.exe      T1552.001   0  VERY LOW
rpcping.exe      T1187       0  VERY LOW
iscsicpl.exe     T1548.002   1  VERY LOW *
RTCore64.sys     T1068       2  LOW
rdrleakdiag.exe  T1003.001   0  LOW
sqldumper.exe    T1003.001   0  VERY LOW
wmic.exe         T1218       4  MEDIUM **
Sqlps.exe        T1218       0  VERY LOW

σ = Sigma rule count. Data from the CodeRed detection_context tool.

Real-World Proof

Not examples. Operational intelligence.

SafeLine WAF — Live Intercept
Signature ID: 65764
HTTP/1.1 403 Forbidden
<!-- Protected By SafeLine WAF -->

A CodeRed-generated certutil payload triggered a corporate WAF block in production. The tool produces the exact same signatures used by real APT actors, which is precisely why it's useful for adversary emulation exercises.

Operation Tracking — Per-User Isolation
SQLite-backed · session-scoped
op_id: fa991ca8
scenario: "domain user → domain admin"
used: ["BloodHound.py"]
next: Phase 2 — Initial Access

Each user's operation data is fully isolated from every other user — your ops, loot, and timelines stay yours.

External Validation

This appears to be part of a red team playbook for an Active Directory intrusion exercise… Reveals specific knowledge of the modern offensive Windows ecosystem (LOLDrivers, BYOVD). The author thinks in chained operations and precondition modelling — something typical of mature red teams or elite consultancies like Mandiant.

Independent blind audit · GPT-4 · March 2026
CodeRed output was submitted without identifying information. The model was asked to characterise the author.

Verified in production. Ready for yours.

24 tools. 6 databases. 1,234 techniques. One MCP server.