Windows Privilege Escalation & Post-Exploitation

December 16, 2022 · View on GitHub


Table of Contents



Post-Exploitation Windows



Windows Technologies

  • Application Shims
    • 101
    • Talks/Presentations/Videos
      • Abusing Native Shims for Post Exploitation - Sean Pierce(2015)
        • Shims offer a powerful rootkit-like framework that is natively implemented in most all modern Windows Operating Systems. This talk will focus on the wide array of post-exploitation options that a novice attacker could utilize to subvert the integrity of virtually any Windows application. I will demonstrate how Shim Database Files (sdb files / shims) are simple to create, easy to install, flexible, and stealthy. I will also show that there are other far more advanced applications such as in-memory patching, malware obfuscation, evasion, and system integrity subversion. For defenders, I am releasing 6 open source tools to prevent, detect, and block malicious shims.
  • Kernel Operations
    • 101
    • Articles/Blogposts/Writeups
    • Tools


C# & .NET Stuff

  • 101
  • Training
  • Discovery
    • Clipboard
      • Clippi-B
        • Steals clipboard data written in c#, executable by cobalt-strike or any other unmanaged CLR loader. you'll need costura.fody NuGet package to compile. Targets .NET 4.0 or above, but is potentially backwards compatible with 3.5 if you use an older costura fody NuGet (untested)
    • ActiveDirectory
      • Recon-AD
        • As a proof of concept, we[OutflankNL] developed an C/C++ Active Directory reconnaissance tool based on ADSI and reflective DLLs which can be used within Cobalt Strike. The tool is called “Recon-AD” and at this moment consist of seven Reflective DLLs and a corresponding aggressor script. This tool should help you moving away from PowerShell and .NET when enumerating Active Directory and help you stay under the radar from the latest monitoring and defense technologies being applied within modern environments.
      • SharpView
    • Browser
      • SharpChromium
        • SharpChromium is a .NET 4.0+ CLR project to retrieve data from Google Chrome, Microsoft Edge, and Microsoft Edge Beta.
    • File Discovery/Hunting
      • SharpShares
        • Enumerate all network shares in the current domain. Also, can resolve names to IP addresses.
      • SauronEye
        • Search tool to find specific files containing specific words, i.e. files containing passwords..
      • SharpDirLister
        • A .NET 4.0 application that uses an optimized file search algorithm that will output a full directory / file listing of a drive in a matter of seconds and at the end it will compress it to a .gz
      • SharpFiles
      • SharpFinder
        • Searches for files matching specific criteria on readable shares within the domain.
      • SharpShares
        • The goal of SharpShares is to be able to parse different input types and run across a network(s) to find SMB services, authenticate, and pull the ACLs for each share.
    • Network Services
    • Processes
      • SharpProcEnum
        • .NET tool for enumeration processes and dumping memory.
    • Printers
      • SharpPrinter
        • Printer is a modified and console version of ListNetworks
    • Screenshots
      • ScreenShooter
        • C# program to take a full size screenshot of the window. Takes in 0 or 1 flag for a filename.
        • Blogpost
    • Services
      • AtYourService
        • C# .NET Assembly and python script for Service Enumeration. Queries all services on a host and filters out services running as LocalSystem, NT Authority\LocalService, and NT Authority\NetworkService
    • Situational Awarness
      • Reconerator
        • This is a custom .NET assembly which will perform a number of situational awareness activities.
      • Scout
        • Scout is a .NET assembly used to perform recon on hosts during a pentest. Specifically, this was created as a way to check a host before laterally moving to it.
      • SitRep
        • SitRep is intended to provide a lightweight, extensible host triage alternative. Checks are loaded dynamically at runtime from stand-alone files. This allows operators to quickly modify existing checks, or add new checks as required.
      • SharpAppLocker
        • C# port of the Get-AppLockerPolicy PS cmdlet
      • Seatbelt
        • Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
      • HastySeries
        • A C# toolset to support offensive operators to triage, asses and make intelligent able decisions. Provided operators access to toolsets that can be integrated into other projects and workflow throughout a Red Team, Pentest or host investigation. We built this toolset over a period of a few days, hence the tool prefix of "Hasty".
    • User-Hunting
      • SharpSniper
        • Find specific users in active directory via their username and logon IP address
    • Web
      • SharpWitness
        • SharpWitness is my attempt at cobbling together a C# version of EyeWitness by Christopher Truncer. It still barely functions right now, but will hopefully become more useful once I put some dev time into it.
      • SharpFruit
        • A C# penetration testing tool to discover low-haning web fruit via web requests.
      • SharpShot
        • Capture screenshots from .NET, using either native Windows APIs or .NET methods. Screenshots can be saved to disk using a randomly generated file name, or output to the console in base64 encoded form (does not touch disk).
    • WMI
      • SharpStrike
        • SharpStrike is a post-exploitation tool written in C# that uses either CIM or WMI to query remote systems. It can use provided credentials or the current user's session.
  • Execution Tactics/Techniques
    • 101
    • Articles/Blogposts/Writeups
    • Talks/Presentations/Videos
      • .NET Manifesto - Win Friends and Influence the Loader - Casey Smith(Derbycon2019)
        • Everything you never wanted to know about .NET manifests and influencing binary loading. A growing number of security tools, both offensive and defensive rely on the .NET Framework. This talk will focus on a narrow but important aspect. We will cover Application and Machine configuration files, as well as Registration-Free and Side-By-Side Assembly loading. What do all these have in common?Manifests. XML manifest can influence how the Operating System locates and executes binaries. We will explore additional concepts around influencing assembly loads. This talk will provide excellent insight into how these mechanisms work. How they can be subverted, and how they can be instrumented to aid defenders.
      • Staying # & Bringing Covert Injection Tradecraft to .NET - The Wover, Ruben Boonen(BlueHat IL 2020)
        • As .NET has taken over as the preferred platform for development on Windows, many attackers have chosen to take advantage of its features for post-exploitation tradecraft. Legitimate APIs can be leveraged for nearly every imaginable task, managed code can be loaded and executed from memory with extraordinary ease, and scalable monitoring for suspicious usage of .NET APIs is a problem yet to be solved. However, offensive .NET tools are still hindered by a fundamental weakness: the inability to leverage unmanaged code (such as the Win32/NT APIs) safe from observation by EDR. Managed code must eventually invoke unmanaged code in order to interface with the operating system. It is here that the attacker may be caught in the hooks of any system keen on watching for fundamentally malicious behavior. To expose the depth of tradecraft still unexplored in .NET and highlight the fragility of many existing detections, we will detail the tools we have built for evading these hooks. All of our efforts have been integrated into SharpSploit, a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers. Over the past few months we have added numerous new tools and techniques for loading and executing unmanaged code safely from .NET. Unmanaged APIs may be safely accessed and modules loaded either from memory or from disk in the new DInvoke API, a dynamic replacement for .NET's PInvoke API. It also includes manual mapping, a generic syscall wrapper, a new technique we call Module Overloading, and more. Additionally, we have added a modular process injection API that allows tool developers to build their own injection technique. Simply select an allocation and injection primitive, pass in any options, and execute the result with your preferred payload. This exposes all possible design decisions to the user, and allows for easy adaptation when existing tools fail. In our talk we will focus on explaining the fundamental tradecraft behind these new developments, the challenges and requirements associated with them, and how they can be adapted to suit your needs. Additionally, we will discuss how SharpSploit can be combined with other open-source projects to be integrated into a red team's tooling. As much as possible, we will also discuss how to counter and detect the techniques that we have developed. Finally, we will explain the community-focused development of these projects and how you too can contribute to advance open-source .NET tradecraft
    • Papers
    • Tools
      • SharpCollection - Flangvik
        • Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines.
      • SharpGen
        • SharpGen is a .NET Core console application that utilizes the Rosyln C# compiler to quickly cross-compile .NET Framework console applications or libraries.
      • SharpCompile
        • SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in realtime. This is a more slick approach than manually compiling an .NET assembly and loading it into Cobalt Strike. The project aims to make it easier to move away from adhoc PowerShell execution instead creating a temporary assembly and executing using beacon's 'execute-assembly' in seconds.
      • NetLoader
        • Loads any C# binary from filepath or url, patching AMSI and bypassing Windows Defender on runtime
      • AppDomainExample
        • A .NET tool that uses AppDomain's to enable dynamic execution and escape detection.
      • SharpAttack
        • SharpAttack is a console for certain things I use often during security assessments. It leverages .NET and the Windows API to perform its work. It contains commands for domain enumeration, code execution, and other fun things.
      • PowerSharpPack
        • Many usefull offensive CSharp Projects wraped into Powershell for easy usage.
      • peloader.cs
        • This scripts loads a base64 encoded x64 PE file (eg: Mimikatz or a Meterpreter) into memory and reflectively executes it.
      • RunSharp
        • Simple program that allows you to run commands as another user without being prompted for their password. This is useful in cases where you don't always get feedback from a prompt, such as the case with some remote shells.
      • GrayFrost
        • GrayFrost is a C++ DLL delivery system for C# payloads. Once compiled, GrayFrost can be injected into .NET applications using any DLL injection technique you wish!
      • RunPE
        • C# Reflective loader for unmanaged binaries.
      • RunasCs
        • RunasCs is an utility to run specific processes with different permissions than the user's current logon provides using explicit credentials.
      • RunDLL.Net
        • Execute .Net assemblies using Rundll32.exe
      • Fork-n-Run
        • Experimenting with reusable components for fork n' run operations.
      • ExecuteAssembly
        • ExecuteAssembly is an alternative of CS execute-assembly, built with C/C++ and it can be used to Load/Inject .NET assemblies by; reusing the host (spawnto) process loaded CLR Modules/AppDomainManager, Stomping Loader/.NET assembly PE DOS headers, Unlinking .NET related modules, bypassing ETW+AMSI, avoiding EDR hooks via NT static syscalls (x64) and hiding imports by dynamically resolving APIs via superfasthash hashing algorithm.
      • SharpZipRunner
        • Executes position independent shellcode from an encrypted zip. Get PIC code from your assembly either by using donut or metasploit or cobaltstrike RAW format.
      • DllExport
        • .NET DllExport with .NET Core support (aka 3F/DllExport)
      • RunDllMShim
        • A bridge DLL to make calling a managed assembly/type/method from an unmanaged dll invoker rundll32.exe easier)
      • Marauders Map
        • The internal attacker toolkit heavily inspired by the folks of MDSec and their SharpPack, highly recommend checking that post out. The Marauders Map is meant to be used on assessments where you have gained GUI access to an enviornment. The Marauders Map is a DLL written in C#, enriched by the DllExport project to export functions that can serve as an entrypoint of invocation for unmanaged code such as rundll32.
      • CSharpExec
        • This project can use both the current context and credentials to connect to a remote host, copy the payload, and then create and start a service. Once the service is running, it will then remove it.
      • CSharpRunAs
        • Run As... In C#...
      • DInvoke
        • Dynamically invoke arbitrary unmanaged code from managed code without PInvoke.
      • InMemoryNET
        • Exploring in-memory execution of .NET
      • CoreSploit
        • A Post-Exploitation Framework written for .NET 5.0 (Previously known as .NET Core)
      • SharpMapExec
        • A sharpen version of CrackMapExec. This tool is made to simplify penetration testing of networks and to create a swiss army knife that is made for running on Windows which is often a requirement during insider threat simulation engagements.
      • ExecutionTesting.cs
        • Execute process under a different PID and retrieve the output.
      • metasploit-execute-assembly
        • Custom Metasploit post module to executing a .NET Assembly from Meterpreter session
      • Vanara
        • A set of .NET libraries for Windows implementing PInvoke calls to many native Windows APIs with supporting wrappers.
      • AggressiveGadgetToJScript
        • A Cobalt Strike Aggressor script to generate GadgetToJScript payloads
      • Emulating Covert Operations - Dynamic Invocation (Avoiding PInvoke & API Hooks) - TheWover
      • go-dotnet
        • Go wrapper for the .NET Core Runtime.
      • go-execute-assembly
        • Allow a Go process to dynamically load .NET assemblies
      • SharpDllProxy
        • Retrieves exported functions from a legitimate DLL and generates a proxy DLL source code/template for DLL proxy loading or sideloading
      • Massaging your CLR: Preventing Environment.Exit in In-Process .NET Assemblies - Peter Winter-Smith(2020
      • Ceramic
        • A simple dotNET 5.0 application I built to do common Red Teaming things for me. This way no dotnet core and will run on Linux and windows. Think of this like a multi tool om for educational red teaming.
      • AppLocker-Bypass
        • Bypassing AppLocker with C#
    • Adversary Simulation
      • PurpleSharp
        • PurpleSharp is a C# adversary simulation tool that executes adversary techniques with the purpose of generating attack telemetry in monitored Windows environments
    • Assemblies & AppDomains
    • DInvoke
    • MSBuild-related
    • MS-SQL-related
      • Attacking SQL Server CLR Assemblies - Scott Sutherland
        • During this webinar we’ll review how to create, import, export, and modify CLR assemblies in SQL Server with the goal of privilege escalation, OS command execution, and persistence. Scott will also share a few PowerUpSQL functions that can be used to execute the CLR attacks on a larger scale in Active Directory environments.
    • Payloads
      • SharPyShell
        • tiny and obfuscated ASP.NET webshell for C# web applications
      • TCPRelayInjecter2
        • Tool for injecting a "TCP Relay" managed assembly into an unmanaged process
      • Salsa Tools
        • Salsa Tools is a collection of three different tools that combined, allows you to get a reverse shell on steroids in any Windows environment without even needing PowerShell for it's execution. In order to avoid the latest detection techniques (AMSI), most of the components were initially written on C#. Salsa Tools was publicly released by Luis Vacas during his Talk “Inmersión en la explotación tiene rima” which took place during h-c0n in 9th February 2019.
      • CasperStager
        • PoC for persisting .NET payloads in Windows Notification Facility (WNF) state names using low-level Windows Kernel API calls.
  • Exfiltration
  • Privilege Escalation
    • SharpUp
      • SharpUp is a C# port of various PowerUp functionality. Currently, only the most common checks have been ported; no weaponization functions have yet been implemented.
    • Net-GPPPassword
      • .NET/C# implementation of Get-GPPPassword. Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
    • Active Directory
      • Grouper2
        • Find vulnerabilities in AD Group Policy
      • SharpExchangePriv
        • A C# implementation of PrivExchange by @_dirkjan. Kudos to @g0ldenGunSec, as I relied on his code.
    • Patches
      • Watson
        • Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities
    • Registry
      • Reg1c1de: Windows Registry Privesc Scanner
        • Reg1c1de is a tool that scans specified registry hives and reports on any keys where the user has write permissions In addition, if any registry values are found that contain file paths with certain file extensions and they are writeable, these will be reported as well.
      • Blogpost
    • Services
      • SneakyService
        • A simple C# windows service implementation that can be used to demonstrate privilege escalation from misconfigured windows services.
  • Collection
    • Sharp-Profit
      • "Sharp-Profit is a C# version of my Profit script. This version can be utilized with Cobalt Strike's execute-assembly function."
    • Browser
      • FirePwd.Net
        • FirePwd.Net is an open source tool wrote in C# to decrypt Mozilla stored password.
      • SharpWeb
        • SharpWeb is a .NET 2.0 CLR compliant project that can retrieve saved logins from Google Chrome, Firefox, Internet Explorer and Microsoft Edge. In the future, this project will be expanded upon to retrieve Cookies and History items from these browsers.
    • File-Hunting
      • SharpSearch
        • Search files for extensions as well as text within.
    • Monitoring
      • WireTap
        • .NET 4.0 Project to interact with video, audio and keyboard hardware.
      • SharpLogger
        • Keylogger written in C#
  • Persistence
    • Scheduled Tasks
    • General
      • SharpStay
        • .NET project for installing Persistence
      • SharpHide
        • Technique Whitepaper
        • Just a nice persistence trick to confuse DFIR investigation. Uses NtSetValueKey native API to create a hidden (null terminated) registry key. This works by adding a null byte in front of the UNICODE_STRING key valuename.
    • Golden Tickets
      • GoldenTicket
        • This .NET assembly is specifically designed for creating Golden Tickets. It has been built with a custom version of SharpSploit and an old 2.0 alpha (x64) version of Powerkatz.
    • Registry-related
      • Reg_Built
        • C# Userland Registry RunKey persistence
    • Scheduled Tasks
    • Services
      • Unstoppable Service
        • A pattern for a self-installing Windows service in C# with the unstoppable attributes in C#.
  • Credential Attacks * * SharpCGHunter * SharpHook * SharpHook is inspired by the SharpRDPThief project, It uses various API hooks in order to give us the desired credentials. In the background it uses the EasyHook project, Once the desired process is up and running SharpHook will automatically inject its dependencies into the target process and then, It will send us the credentials through EasyHook's IPC server. * SharpHandler * This project reuses open handles to lsass to parse or minidump lsass, therefore you don't need to use your own lsass handle to interact with it. * CloneVault * CloneVault allows a red team operator to export and import entries including attributes from Windows Credential Manager. This allows for more complex stored credentials to be exfiltrated and used on an operator system. It is aimed at making it possible to port credentials that store credential material in binary blobs or those applications that store data in custom attributes. There are many use cases, please see our demonstration of cloning access to Microsoft OneDrive on the MDSec Blog
    • Process Memory
    • Clipboard
      • SharpClipboard
      • SharpClipHistory
        • SharpClipHistory is a .NET application written in C# that can be used to read the contents of a user's clipboard history in Windows 10 starting from the 1809 Build.
    • Credentials on Disk/Stored in files
      • SharpCloud
        • SharpCloud is a simple C# utility for checking for the existence of credential files related to Amazon Web Services, Microsoft Azure, and Google Compute.
    • DPAPI
    • Fake UI Prompt
      • Tools
        • SharpLocker
          • SharpLocker helps get current user credentials by popping a fake Windows lock screen, all output is sent to Console which works perfect for Cobalt Strike. It is written in C# to allow for direct execution via memory injection using techniques such as execute-assembly found in Cobalt Strike or others, this method prevents the executable from ever touching disk. It is NOT intended to be compilled and run locally on a device.
        • SharpLoginPrompt
          • This Program creates a login prompt to gather username and password of the current user. This project allows red team to phish username and password of the current user without touching lsass and having adminitrator credentials on the system.
        • ICU
          • Cred Prompt Phishing
    • Kerberos
      • Rubeus
        • Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy's Kekeo project (CC BY-NC-SA 4.0 license) and Vincent LE TOUX's MakeMeEnterpriseAdmin project (GPL v3.0 license). Full credit goes to Benjamin and Vincent for working out the hard components of weaponization- without their prior work this project would not exist.https://www.slideshare.net/aj0612/a-study-on-net-framework-for-red-team-part-i
    • LLMNR/NBNS Spoofing
      • InveighZero
        • Windows C# LLMNR/mDNS/NBNS/DNS spoofer/man-in-the-middle tool
    • Multi-Tools
      • SafetyKatz
        • SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader.
    • Password Spray
      • SharpSpray
        • SharpSpray a simple code set to perform a password spraying attack against all users of a domain using LDAP and is compatible with Cobalt Strike.
    • Proxy
      • FreshCookies
        • C# .NET 3.5 tool that keeps proxy auth cookies fresh by maintaining a hidden IE process that navs to your hosted auto refresh page. Uses WMI event listeners to monitor for InstanceDeletionEvents of the Internet Explorer process, and starts a hidden IE process via COM object if no other IE processes are running.
    • Password Spraying
      • SharpDomainSpray
        • SharpDomainSpray is a very simple password spraying tool written in .NET. It takes a password then finds users in the domain and attempts to authenticate to the domain with that given password.
    • RDP
      • RdpThief
        • RdpThief by itself is a standalone DLL that when injected in the mstsc.exe process, will perform API hooking, extract the clear-text credentials and save them to a file.
        • Blogpost
      • HookedRDP
      • SharpRDPCheck
        • Use to check the valid account of the Remote Desktop Protocol(Support plaintext and ntlmhash)
    • Vault Credentials
      • SharpEdge
        • C# Implementation of Get-VaultCredential - Get-VaultCredential enumerates and displays all credentials stored in the Windows vault. Web credentials, specifically are displayed in cleartext. This script was inspired by the following C implementation: http://www.oxid.it/downloads/vaultdump.txt
    • ActiveDirectory-related
      • ADFSpoof
        • A python tool to forge AD FS security tokens. - Meant to be used with ADFSDump
      • ADFSDump
        • ADFSDump is a tool that will read information from Active Directory and from the AD FS Configuration Database that is needed to generate forged security tokens. This information can then be fed into ADFSpoof to generate those tokens. - Meant to be used with ADFSpoof
      • SharpAdidnsdump
        • c# implementation of Active Directory Integrated DNS dumping (authenticated user)
      • SprayAD
        • This tool can help Red and Blue teams to audit Active Directory useraccounts for weak, well known or easy guessable passwords and can help Blue teams to assess whether these events are properly logged and acted upon. When this tool is executed, it generates event IDs 4771 (Kerberos pre-authentication failed) instead of 4625 (logon failure). This event is not audited by default on domain controllers and therefore this tool might help evading detection while password spraying.
  • Lateral Movement
    • Multiple
    • .NET Remoting
    • DCOM
    • MSSQL
    • NTLM
    • RDP
      • Articles/Blogposts/Writeups
      • Tools
        • SharpRPD
          • Remote Desktop Protocol .NET Console Application for Authenticated Command Execution
        • SharpDoor
          • SharpDoor is alternative RDPWrap written in C# to allowed multiple RDP (Remote Desktop) sessions by patching termsrv.dll file, for opsec considerations SharpDoor still using cmd.exe to run sc services to impersonating as trustedinstaller in the future will be avoiding cmd.exe usage, currently only support for Windows 10.
        • SharpRDP
          • Blogpost
          • Remote Desktop Protocol .NET Console Application for Authenticated Command Execution
    • Registry
      • SCShell
        • Fileless lateral movement tool that relies on ChangeServiceConfigA to run command
    • SMB
      • CSExec
        • This is an example for how to implement psexec (from SysInternals Suite) functionality, but in open source C#. This does not implement all of the psexec functionality, but it does implement the equivalent functionality to running: psexec -s \target-host cmd.exe
      • SharpInvoke-SMBExec
        • A native C# conversion of Kevin Robertsons Invoke-SMBExec powershell script.
      • SharpSMBSpray
        • Spray a hash via smb to check for local administrator access
    • WinRM
    • WMI
      • SharpWMI
        • SharpWMI is a C# implementation of various WMI functionality. This includes local/remote WMI queries, remote WMI process creation through win32_process, and remote execution of arbitrary VBS through WMI event subscriptions. Alternate credentials are also supported for remote methods.
      • SharpInvoke-WMIExec
        • A native C# conversion of Kevin Robertsons Invoke-SMBExec powershell script
  • Evasion
    • Articles/Blogposts/Writeups
    • Talks/Presentations/Videos
      • Simple Windows Application Whitelisting Evasion - Casey Smith(ShmooCon 2015)
      • Quick Retooling in .Net for Red Teams - Dimitry Snezhkov(CircleCityCon2018
        • Quick Retooling in .Net for Red Teams PowerShell gave us a super-highway of convenient building blocks for offensive toolkits and operational automation. However, use of standalone .Net implants may be a desirable option in cases where PowerShell is heavily inspected and logged. While there are great toolkits to invoke unmanaged PowerShell or directly interface with .Net CLR - they are also statically compiled, and therefore easier identified by the defense. Red Teams are faced with specific challenges when they need to retool quickly in the field with .Net payloads. Can .Net toolkits accomplish their goals while maintaining flexibility, quick in-field retooling and operational security in the face of current detection mechanisms? We think so. This talk walks through some of the options present to the operators for .Net code compilation and presents ideas for extensibility of .Net tools at runtime, with the help of Dynamic Language Runtime (DLR). We will dive deeper into operational security lessons learned from dynamic code compilation. We will attempt to move beyond static nature of .Net assemblies into reflective DLR, achieving on-the-fly access to native Windows API. We will also discuss some methods of hiding sensitive aspects of execution in managed code memory. We will also touch on ways to help Defense fingerprint the attacks involving dynamic compilation of .Net assemblies, use of DLR and building blocks of offensive tooling involved in the process. A concept tool built on these ideas will be presented and released. It will be used as basis for our discussion.
    • Tools
      • tvasion
        • Anti virus evasion based on file signature change via AES encryption with Powershell and C# AV evasion templates which support executable and Powershell payloads with Windows executable, Powershell or batch output. Developed with Powershell on Linux for Windows targets :)
      • AVIator
        • Antivirus evasion project
      • PEunion
        • PEunion bundles multiple executables (or any other file type) into a single file. Each file can be configured individually to be compressed, encrypted, etc. In addition, an URL can be provided for a download to be executed. The resulting binary is compiled from dynamically generated C# code. No resources are exposed that can be harvested using tools like Resource Hacker. PEunion does not use managed resources either. Files are stored in byte[] code definitions and when encryption and compression is applied, files become as obscure as they can get.
      • Self-Morphing C# Binary
        • C# binary that mutates its own code, encrypts and obfuscates itself on runtime
      • Inception-Framework
        • Inception provides In-memory compilation and reflective loading of C# apps for AV evasion. Payloads are AES encrypted before transmission and are decrypted in memory. The payload server ensures that payloads can only be fetched a pre-determined number of times. Once decrypted, Roslyn is used to build the C# payload in memory, which is then executed using reflection.
      • SharpLoadImage
        • Hide .Net assembly into png images
      • BlockETW
        • .Net Assembly to block ETW telemetry in current process
      • SharpPack
        • Blogpost
        • SharpPack is a toolkit for insider threat assessments that lets you defeat application whitelisting to execute arbitrary DotNet and PowerShell tools.
  • Script Repos/Good Stuff
    • GhostPack
    • SharpSploit
      • SharpSploit is a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers.
    • Sharp-Suite
      • FuzzySecurity: 'My musings with C#'
    • OffensiveCSharp-matterpreter
      • This is a collection of C# tooling and POCs I've created for use on operations. Each project is designed to use no external libraries. Open each project's .SLN in Visual Studio and compile as "Release".
    • bytecode-api
      • C# library with common classes, extensions and additional features in addition to the .NET Framework. BytecodeApi implements lots of extensions and classes for general purpose use. In addition, specific classes implement more complex logic for both general app development as well as for WPF apps. Especially, boilerplate code that is known to be part of any Core DLL in a C# project is likely to be already here. In fact, I use this library in many of my own projects. For this reason, each class and method has been reviewed numerous times. BytecodeApi is highly consistent, particularly in terms of structure, naming conventions, patterns, etc. The entire code style resembles the patterns used in the .NET Framework itself. You will find it intuitive to understand.
    • OutlookToolbox
      • OutlookToolbox is a C# DLL that uses COM to do stuff with Outlook. Also included is a Cobalt Strike aggressor script that uses Outlooktoolbox.dll to give it a graphical and control interface.
      • Blogpost
    • OffensiveDLR
      • Toolbox containing research notes & PoC code for weaponizing .NET's DLR
    • RedTeamCSharpScripts - Mr-Un1k0d3r
    • CSharpScripts - Arno0x
    • Named Pipes
      • This is a proof of concept / pattern concept for creating a client/server communication model with named pipes in C#. In this example, a client passes a message to the server over a named pipe which is then executed as a command on the server. The standard out and standard error are redirected back to the client over the named pipe and printed to the terminal screen.
  • Utiltiies
    • Compression
      • MiddleOut
        • This tool was created to compress files through the command line and will work with Cobalt Strike's execute-assembly.
    • Files
      • FileWriter
        • .NET project for writing files to local or remote hosts
      • LockLess
        • LockLess is a C# tool that allows for the enumeration of open file handles and the copying of locked files.
    • Scheduled Tasks
    • Unsorted
      • SharpWebServer
        • A Red Team oriented simple HTTP & WebDAV server written in C# with functionality to capture Net-NTLM hashes. To be used for serving payloads on compromised machines for lateral movement purposes.
      • C# CmdLineHelper.cs Command line Parser
      • Cecil
        • Mono.Cecil is a library to generate and inspect programs and libraries in the ECMA CIL form.


Powershell Things



Windows Code Injection Techniques