SharpAllTheThings
The idea is to collect all the C# projects named Sharp{Word} that can be run in Cobalt Strike with the execute-assembly command. Credit for the name goes to the amazing PayloadsAllTheThings GitHub repo (https://github.com/swisskyrepo/PayloadsAllTheThings)
Build locally (Credit to ZephrFish)
You can use ZephrFish's script to download the projects and build them locally by following these instructions: https://github.com/N7WEra/SharpAllTheThings/blob/master/BuildAllTheThings/README.md
Precompiled binaries
You can find nightly builds of most of the tools in this awesome repo by Flangvik:
https://github.com/Flangvik/SharpCollection
Execution
- SharpWMI - implementation of various WMI functionality. This includes local/remote WMI queries, remote WMI process creation through win32_process, and remote execution of arbitrary VBS through WMI event subscriptions. Alternate credentials are also supported for remote methods.
- Credit - https://twitter.com/harmj0y
- Link - https://github.com/GhostPack/SharpWMI
- SharpGPOAbuse - take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.
Persistence
- SharpPersist - Windows persistence toolkit written in C#.
- Credit - https://twitter.com/h4wkst3r
- Link - https://github.com/fireeye/SharPersist
- SharpStay - .NET project for installing Persistence
- SharpEventPersist - Persistence by writing/reading shellcode from Event Log.
Privilege Escalation
- SharpUp - port of various PowerUp functionality
- Credit - https://twitter.com/harmj0y
- Link - https://github.com/GhostPack/SharpUp
- Seatbelt - project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
- Credit - https://twitter.com/harmj0y
- Link - https://github.com/GhostPack/Seatbelt
- Watson - Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities
- UnquotedPath - Outputs a list of unquoted service paths that aren't in System32/SysWow64 to plant a PE into.
- SweetPotato - Local Service to SYSTEM privilege escalation from Windows 7 to Windows 10 / Server 2019
- Credit - https://twitter.com/_EthicalChaos_
- Link - https://github.com/CCob/SweetPotato
- AtYourService - Queries all services on a host and filters out services running as LocalSystem, NT Authority\LocalService, and NT Authority\NetworkService
Defense Evasion
- SharpCradle - download and execute .NET binaries into memory.
- Internal Monologue - Retrieving NTLM Hashes without Touching LSASS
- ATPMiniDump - Dumping LSASS memory with MiniDumpWriteDump on PssCaptureSnapShot to evade WinDefender ATP credential-theft.
- Credit - https://twitter.com/b4rtik
- Link - https://github.com/b4rtik/ATPMiniDump
- SharpeningCobaltStrike - real-time v35/40 dotnet compiler for your Linux Cobalt Strike C2. A freshly compiled and obfuscated binary for each use.
- BlockEtw - .Net Assembly to block ETW telemetry in current process
- Credit - https://twitter.com/Sol_Secure
- Link - https://github.com/Soledge/BlockEtw
- SharpEDRChecker - Checks running processes, process metadata, DLLs loaded into your current process and each DLL's metadata, common install directories, installed services, the registry and running drivers for the presence of known defensive products such as AVs, EDRs and logging tools.
- SharpBlock - SharpBlock can be used to load a child process and prevent any DLL from hooking into the child process.
- Credit - https://twitter.com/_EthicalChaos_
- Link - https://github.com/CCob/SharpBlock
Credential Access
- SharpLocker - helps get current user credentials by popping a fake Windows lock screen; all output is sent to the console, which works perfectly for Cobalt Strike.
- SharpDPAPI - port of some DPAPI functionality from @gentilkiwi's Mimikatz project.
- SharpDump - port of PowerSploit's Out-Minidump.ps1 functionality.
- Credit - https://twitter.com/harmj0y
- Link - https://github.com/GhostPack/SharpDump
- SharpWeb - Retrieve saved browser credentials from Google Chrome, Mozilla Firefox and Microsoft Internet Explorer/Edge.
- SharpCookieMonster - Extracts cookies from Chrome.
- Credit - https://twitter.com/m0rv4i , original work by @defaultnamehere
- Link - https://github.com/m0rv4i/SharpCookieMonster
- SafetyKatz - combination of slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader.
- Credit - https://twitter.com/harmj0y
- Link - https://github.com/GhostPack/SafetyKatz
- CredSniper - Prompts the current user for their credentials using the CredUIPromptForWindowsCredentials WinAPI function. Supports an argument to provide the message text that will be shown to the user.
- Rubeus - toolset for raw Kerberos interaction and abuses.
- Credit - https://twitter.com/harmj0y
- Link - https://github.com/GhostPack/Rubeus
- RdpThief - Extracting Clear Text Passwords from mstsc.exe using API Hooking.
- Credit - https://twitter.com/0x09AL
- Link - https://github.com/0x09AL/RdpThief
- SharpSecDump - port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py.
- SharpWifiGrabber - Sharp Wifi Password Grabber retrieves in clear-text the Wi-Fi Passwords from all WLAN Profiles saved on a workstation using native win32 API.
- SharpHandler - tool for stealing/duping handles to LSASS
- SharpLAPS - Retrieve the LAPS password from the Active Directory for accounts with ExtendedRight or Generic All Rights
- BetterSafetyKatz - modified fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from the gentilkiwi GitHub repo, applies runtime patching on detected signatures and uses SharpSploit DInvoke to get it into memory.
- SharpKatz - Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands
- Credit - https://twitter.com/b4rtik
- Link - https://github.com/b4rtik/SharpKatz
- SharpMiniDump - Create a minidump of the LSASS process from memory (Windows 10 - Windows Server 2016). The entire process uses: dynamic API calls, direct syscall and Native API unhooking to evade the AV / EDR detection.
- Credit - https://twitter.com/b4rtik
- Link - https://github.com/b4rtik/SharpMiniDump
Discovery
- SharpHound - Uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment, executes collection options necessary to populate the backend BloodHound database.
- Credit - The amazing crew of Bloodhound (https://www.twitter.com/_wald0, https://twitter.com/CptJesus, and https://twitter.com/CptJesus)
- Link - https://github.com/BloodHoundAD/SharpHound3
- SharpWitness - C# version of EyeWitness by Christopher Truncer. Take screenshots of websites, provide some server header info, and identify default credentials if possible.
- SharpDomainSpray - very simple password spraying tool written in .NET. It takes a password then finds users in the domain and attempts to authenticate to the domain with that given password.
- SharpSniper - Find specific users in Active Directory via their username and logon IP address
- SharpFruit - Port of Find-Fruit.ps1, aid Penetration Testers in finding juicy targets on internal networks without nmap scanning.
- Credit - https://twitter.com/424f424f
- Link - https://github.com/rvrsh3ll/SharpFruit
- SharpPrinter - tool to enumerate all visible network printers in local network
- Credit - https://twitter.com/424f424f
- Link - https://github.com/rvrsh3ll/SharpPrinter
- SharpView - C# implementation of harmj0y's PowerView
- Credit - https://twitter.com/tevora
- Link - https://github.com/tevora-threat/SharpView
- SharpSearch - Search files for extensions as well as text within.
- SharpClipHistory - Read the contents of a user's clipboard history in Windows 10 starting from the 1809 Build.
- SharpClipboard - Monitors the clipboard for any passwords
- SharpChromium - .NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins.
- ADFSDump - dump all sorts of goodies from AD FS.
- Credit - https://twitter.com/doughsec
- Link - https://github.com/fireeye/ADFSDump
- SessionSearcher - Searches all connected drives for PuTTY private keys and RDP connection files and parses them for relevant details. Based on SessionGopher by @arvanaghi.
- InveighZero - Windows C# LLMNR/mDNS/NBNS/DNS spoofer/man-in-the-middle tool
- EyeWitness - take screenshots of websites, provide some server header info, and identify default credentials if possible
- Spray-AD - audit Active Directory user accounts for weak, well-known or easily guessable passwords.
- Credit - https://twitter.com/Cneelis
- Link - https://github.com/outflanknl/Spray-AD
- Recon-AD - an AD recon tool based on ADSI and reflective DLLs
- Credit - https://twitter.com/Cneelis
- Link - https://github.com/outflanknl/Recon-AD
- Grouper2 - A tool for pentesters to help find security-related misconfigurations in Active Directory Group Policy.
- Credit - l0ss (@mikeloss) https://twitter.com/mikeloss
- Link - https://github.com/l0ss/Grouper2/blob/master/README.md
- SharpMapExec - A sharpened version of CrackMapExec.
- Credit - Cube0x0 https://twitter.com/cube0x0
- Link - https://github.com/cube0x0/SharpMapExec
- SharpSMBSpray - Spray a hash via smb to check for local administrator access.
- Credit - rvrsh3ll https://twitter.com/424f424f
- Link - https://github.com/rvrsh3ll/SharpSMBSpray
- SauronEye - Search tool to find specific files containing specific keywords (.doc, .docx, .xls, .xlsx)
- Credit - https://twitter.com/_vivami
- Link - https://github.com/vivami/SauronEye
- SharpShares - Multithreaded C# .NET Assembly to enumerate accessible network shares in a domain (Updated version)
- Credit - https://twitter.com/midi_v2
- Link - https://github.com/mitchmoser/SharpShares
- SharpLDAP - C# .NET Assembly to perform LDAP Queries
- ADCollector - a lightweight tool that enumerates the Active Directory environment to identify possible attack vectors.
- Credit - https://twitter.com/dev2nulI
- Link - https://github.com/dev-2null/ADCollector
- StandIn - small AD post-compromise toolkit
- Credit - https://twitter.com/FuzzySec
- Link - https://github.com/FuzzySecurity/StandIn
- TruffleSnout - iterative AD discovery toolkit for offensive operators
- ThunderFox - Retrieves data (contacts, emails, history, cookies and credentials) from Thunderbird and Firefox
- Credit - https://twitter.com/_theVIVI
- Link - https://github.com/V1V1/SharpScribbles
- SharpSQL - Quick and dirty .NET console app for querying MSSQL servers.
- LdapSignCheck - Beacon Object File to scan a Domain Controller to see if LdapEnforceChannelBinding or LdapServerIntegrity has been modified to mitigate against relaying attacks.
- Credit - https://twitter.com/cube0x0
- Link - https://github.com/cube0x0/LdapSignCheck
Lateral Movement
- SharpCOM - port of Invoke-DCOM, executes commands via various DCOM methods as demonstrated by @enigma0x3
- Credit - https://twitter.com/424f424f
- Link - https://github.com/rvrsh3ll/SharpCOM
- Sharpexcel4_dcom - Port of Invoke-Excel4DCOM, Lateral movement using Excel 4.0 / XLM macros via DCOM (direct shellcode injection in Excel.exe)
- SharpExec - C# tool designed to aid with lateral movement
- SharpRDP - Remote Desktop Protocol .NET Console Application for Authenticated Command Execution
- Credit - https://twitter.com/0xthirteen
- Link - https://github.com/0xthirteen/SharpRDP
- SharpMove - .NET Project for performing Authenticated Remote Execution
- SCShell - fileless lateral movement tool that relies on ChangeServiceConfigA to run commands.
- Credit - https://twitter.com/MrUn1k0d3r
- Link - https://github.com/Mr-Un1k0d3r/SCShell
- SharpSphere - gives red teamers the ability to easily interact with the guest operating systems of virtual machines managed by vCenter.
- Sharp-SMBExec - A native C# conversion of Kevin Robertson's Invoke-SMBExec PowerShell script
- SharpNoPSExec - Fileless command execution for lateral movement.
Exfiltration
- SharpBox - Tool for compressing, encrypting, and exfiltrating data to DropBox using the DropBox API.
- Credit - https://twitter.com/_P1CKLES_
- Link - https://github.com/P1CKLES/SharpBox
- EncryptedZIP - Compresses a directory or file and then encrypts the ZIP file with a supplied key using AES256 CFB. This assembly also clears the key out of memory using RtlZeroMemory. Use the included Decrypter program to decrypt the archive.
- Zipper - a CobaltStrike file and folder compression utility.
- Credit - Cornelis de Plaa (@Cneelis) / Outflank
- Link - https://github.com/outflanknl/Zipper
Other projects
- OffensiveCSharp - Collection of Offensive C# Tooling
- SharpAllowedToAct - implementation of a computer object takeover through Resource-Based Constrained Delegation (msDS-AllowedToActOnBehalfOfOtherIdentity)
- Credit - https://twitter.com/pkb1s