• Stars
    star
    912
  • Rank 50,097 (Top 1.0 %)
  • Language
    C#
  • Created over 5 years ago
  • Updated over 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Writing custom backdoor payloads with C# - Defcon 27 Workshop

Writing custom backdoor payloads with C#

This workshop aims to provide attendees hands-on experience on writing custom backdoor payloads using C# for the most common command and control frameworks including Metasploit, Powershell Empire and Cobalt Strike. The workshop consists in 8 lab exercises; each of the exercises goes over a different technique that leverages C# and .NET capabilities to obtain a reverse shell on a victim Windows host. The covered techniques include raw shellcode injection, process injection, process hollowing, runtime compilation, parent pid spoofing, antivirus bypassing, etc. At the end of this workshop attendees will have a clear understanding of these techniques both from an attack and defense perspective.

Skill Level: Intermediate

Prerequisites: Basic to intermediate programming/scripting skills. Prior experience with C# helps but not required.

Materials: Laptop with virtualization software. A Windows 10 virtual machine and a Kali Linux Virtual Machine.

The "Writing custom back payloads with C#" workshop was first presented at Defcon 27.

Authors

Labs

Lab 1 : Hello World

The goal of this lab is to implement the typical Hello World example with C#. The first exercise uses .NETs Console class to print “Hello World” while the second uses .NETs Platform Invocation Services feature to import and call the Win32 Api MessageBox.

Lab 2 : Custom Meterpreter Stager

The goal of this lab is to write a custom Meterpreter stager with C# by leveraging the WebClient class to download meterpreter’s second stage and Win32 API functions to copy the second stage in memory and execute it.

Lab 3 : Raw Shellcode Injection

The goal of this lab is to write a custom binary that injects a pre-defined shellcode into memory and executes it. Metasploit’s msfvenom will be used to generate the shellcode and the same Win32 API calls used in Lab 2 will be used to perform the execution.

Lab 4 : Shellcode Obfuscation

The goal of this lab is to reduce detection of the custom payloads by signature based anti-malware. We can achieve this by obfuscating the shellcode generated by msfvenom using two common techniques: XOR and AES

Lab 5 : PowerShell without PowerShell.exe

The goal of this lab is to execute a Powershell script and avoid to use the powershell.exe binary by leveraging the .NET framework and C#. Using this technique, we will get a Powershell Empire agent.

Lab 6 : DLL Injection

The goal of this lab is to implement the DLL Injection technique using C# and obtain a reverse shell from a victim host. Using 3 different exercises, we will understand and implement the different steps for a successful injection.

Lab 7 : Process Hollowing

The goal of this lab is to understand and implement the Process Hollowing technique using C# technique to obtain a reverse shell on a victim host.

Lab 8 : Parent Process Spoofing

The goal of the final lab is to leverage C# to spawn a new process spoofing its parent process and inject shellcode to it to obtain a reverse shell.

Acknowledgments

Most of the labs on this workshop started from a Github repository/gist, a Stack Overflow code snippet or a Google search. Thank you to everyone who shares code for others to learn from.

More Repositories

1

PurpleSharp

PurpleSharp is a C# adversary simulation tool that executes adversary techniques with the purpose of generating attack telemetry in monitored Windows environments
C#
716
star
2

BadZure

BadZure orchestrates the setup of Azure AD tenants, populating them with diverse entities while also introducing common security misconfigurations to create vulnerable tenants with multiple attack paths.
PowerShell
327
star
3

Oriana

Oriana is a threat hunting tool that leverages a subset of Windows events to build relationships, calculate totals and run analytics. The results are presented in a Web layer to help defenders identify outliers and suspicious behavior on corporate environments.
Python
175
star
4

attack2jira

attack2jira automates the process of standing up a Jira environment that can be used to track and measure ATT&CK coverage
Python
111
star
5

PurpleTeamPlaybook

Active Directory Purple Team Playbook
92
star
6

PurpleSpray

PurpleSpray is an adversary simulation tool that executes password spray behavior under different scenarios and conditions with the purpose of generating attack telemetry in properly monitored Windows enterprise environments
Python
47
star
7

Invoke-SMBLogin

Validates username & password combination(s) across a host or group of hosts using the SMB protocol.
PowerShell
13
star
8

SharpShareFinder

SharpShareFinder is a minimalistic network share discovery POC designed to enumerate shares in Windows Active Directory networks leveraging .NET parallelism.
C#
11
star
9

Talks-Presentations

Resource links (video, slides & code) for my conference talks | presentations | workshops
8
star
10

SharpSnake

SharpSnake
C#
3
star
11

mvelazc0

1
star