S3cur3Th1sSh1t/SharpImpersonation

Stars
391
Rank 105,985 (Top 3 %)
Language
C#
License
BSD 3-Clause "New...
Created almost 3 years ago
Updated almost 2 years ago

S3cur3Th1sSh1t/SharpImpersonation

S3cur3Th1sSh1t

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

A User Impersonation tool - via Token or Shellcode injection

SharpImpersonation

This was a learning by doing project from my side. Well known techniques are used to built just another impersonation tool with some improvements in comparison to other public tools. The code base was taken from:

https://github.com/0xbadjuju/Tokenvator

A blog post for the intruduction can be found here:

https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/

List user processes

PS > PS C:\temp> SharpImpersonation.exe list

List only elevated processes

PS > PS C:\temp> SharpImpersonation.exe list elevated

Impersonate the first process of the target user to start a new binary

PS > PS C:\temp> SharpImpersonation.exe user:<user> binary:<binary-Path>

Inject base64 encoded shellcode into the first process of the target user

PS > PS C:\temp> SharpImpersonation.exe user:<user> shellcode:<base64shellcode>

Inject shellcode loaded from a webserver into the first process of the target user

PS > PS C:\temp> SharpImpersonation.exe user:<user> shellcode:<URL>

Impersonate the target user via ImpersonateLoggedOnuser for the current session

PS > PS C:\temp> SharpImpersonation.exe user:<user> technique:ImpersonateLoggedOnuser

WinPwn

Automation for internal Windows Penetrationtest / AD-Security

Pentest-Tools

Amsi-Bypass-Powershell

This repo contains some Amsi Bypass methods i found on different Blog Posts.

PowerSharpPack

OffensiveVBA

This repo covers some code execution and AV Evasion methods for Macros in Office documents

Creds

Some usefull Scripts and Executables for Pentest & Forensics

MultiPotato

Invoke-SharpLoader

Caro-Kann

Encrypted shellcode Injection to avoid Kernel triggered memory scans

Ruy-Lopez

SharpNamedPipePTH

Pass the Hash to a named pipe for token Impersonation

Nim-RunPE

A Nim implementation of reflective PE-Loading from memory

NimGetSyscallStub

Get fresh Syscalls from a fresh ntdll.dll copy

SharpVeeamDecryptor

Decrypt Veeam database passwords

NamedPipePTH

Pass the Hash to a named pipe for token Impersonation

SyscallAmsiScanBufferBypass

AmsiScanBufferBypass using D/Invoke

Nim_DInvoke

D/Invoke implementation in Nim

Excel-Phish

Phish password protected Excel-Files

Sharp-HackBrowserData

C# binary with embeded golang hack-browser-data

Get-System-Techniques

NimShellcodeFluctuation

ShellcodeFluctuation PoC ported to Nim

RDPThiefInject

RDPThief donut shellcode inject into mstsc

Invoke-Sharpcradle

Load C# Code straight to memory

Nim_CBT_Shellcode

CallBack-Techniques for Shellcode execution ported to Nim

LDAP-Signing-Scanner

A little scanner to check the LDAP Signing state

BitwardenDecryptBrute

Wordlist attacks on Bitwarden data.json files

SharpOxidResolver

IOXIDResolver from AirBus Security/PingCastle

SharpPolarBear

Privesc through import of Sheduled tasks + Hardlinks - CVE-2019-1069

SharpByeBear

AppXSVC Service race condition - privilege escalation

S3cur3Th1sSh1t

TeamViewerDecrypt

SharpLigolo

C# wrapper for ligolo

Invoke-WMI-Information

Straight forward script for WMI information gathering (local or remote)

EmpEISDecrypt

Decrypt Matrix42 Empirum /EIS Passwords

NimWinstaEveryoneAccess

darkamour_clone

WinFor

Powershell script to execute different forensic Powershell functions / tools on a compromised host

ssdp-poisoning

MimiMisc

SSJI---JSGen

Just a copy from here: https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py

Hosts-File---AD-Tracking-Blocker

Hosts File for Blocking Advertising & Tracking Domains