Chisel-Strike
A .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities.
Why write this?
In my experience I found socks4/socks4a proxies quite slow in comparison to its socks5 counterparts and a lack of implementation of socks5 in most C2 frameworks. There is a C# wrapper around the go version of chisel called SharpChisel. This wrapper has a few issues and isn't maintained to the latest version of chisel. It didn’t allow using shellcode with donut, reflection methods or execute-assembly
. I found a fix for this using the SharpChisel-NG project.
Since the SharpChisel assembly is around 16.7 MB
, execute-assembly
(has a hidden size limitation of 1 MB
) and similar in memory methods wouldn’t work. To maintain most of the execution in memory I incorporated the NetLoader project by Flangvik which is executed via execute-assembly
to reflectively host and load a XOR encrypted version of SharpChisel
with base64 arguments in memory.
As an alternative, it is also possible to implement similar C# proxies like SharpSocks by replacing the appropriate chisel binaries in the project.
Setup
Note: If using a Windows teamserver skip steps 2 and 3.
-
Clone/download the repository:
git clone https://github.com/m3rcer/Chisel-Strike.git
-
Make all binaries executable:
-
cd Chisel-Strike
-
chmod +x -R chisel-modules
-
chmod +x -R tools
- Install
Mingw-w64
andmono
:
-
sudo apt-get install mingw-w64
-
sudo apt install mono-complete
- Import
ChiselStrike.cna
in cobalt strike using theScript Manager
Recompile binaries from the src
folder if needed.
Usage
chisel can be executed on both the CS teamserver client (windows/linux) and the beacon. With either acting as the server/client. A normal execution flow would be to setup a chisel server on the CS teamserver client and create a client on the beacon connecting back to the CS teamserver client.
Commands
-
chisel <client/server> <command>
: Run Chisel on a beacon -
chisel-tms <client/server> <command>
: Run Chisel on your CS teamserver client -
chisel-enc
: XOR EncryptSharpChisel.exe
with a password of choice -
chisel-jobs
: List active chisel jobs on the CS teamserver client and beacon -
chisel-kill
: Kill active chisel jobs on a beacon -
chisel-tms-kill
: Kill active chisel jobs on your CS teamserver client
Example
OPSEC
NetLoader can easily be obfuscated and used to bypass defender using projects like NimCrypt2 and the like.
Yet SharpChisel.exe
drops a dll
on disk due to the use of Costura/Fody
packages at a location similar to: C:\Users\m3rcer\AppData\Local\Temp\Costura\CB9433C24E75EC539BF34CD1AA12B236\64\main.dll
which is detected by defender. It is advised to obfuscate chisel dll's using projects like gobfuscate in the SharpChisel-NG project and re-build new SharpChisel-NG binaries as shown here.
TODO
-
Figure a way to avoid
SharpChisel
droppingmain.dll
on disk / Create a new C# wrapper for chisel. -
Create a method to parse command output for the
chisel-tms
command.
Credits
-
shantanu561993 for the C# wrapper implementation of chisel: SharpChisel
-
latortuga71 for the
load-assembly
fix: SharpChisel-NG