GhostBuild
GhostBuild is a proof-of-concept (POC) collection of simple MSBuild launchers for various GhostPack projects (authored by @harmj0y). Other .NET projects have been added as well.
As with other GhostPack projects, GhostBuild is licensed under the BSD 3-Clause license.
Instructions
These launchers include compiled/compressed/encoded versions of GhostPack utilities. However, you should inspect and compile your own versions.
- Compile the target GhostPack project with the desired .NET Framework version.
- Compress the .NET assembly with Out-CompressedDll.
- Update and customize the GhostBuild XML CSharp (C#) project file:
  - Ensure the AssemblyFile represents the correct framework and path.
  - Assign GhostPack .NET assembly arguments to the args variable if required. This is a string array, so quote arguments and separate them by commas (e.g. "arg1", "arg2").
  - Copy the compressed .NET assembly from the Out-CompressedDll operation and assign it to the compressedBin variable.
  - Copy the byte length/size of the compressed .NET assembly from the Out-CompressedDll operation and assign it to the compressedBinSize variable.
- Build and run with the proper version of MSBuild.exe.
  - Example: C:\Windows\Microsoft.Net\Framework64\v4.0.30319\MSBuild.exe c:\path\to\project.xml
- OR: leverage the GhostBuilder.py tool to build your MSBuild payload after you compile your assembly executable.
Ethics
GhostBuild is designed to help security professionals perform ethical and legal security assessments and penetration tests. Do not use for nefarious purposes.
Defensive Considerations
- MSBuild is a signed binary that can be used to execute unsigned code for Application Control and EDR bypass.
- Disable MSBuild.exe (with an application control solution) if it does not serve a business purpose.
- Monitor MSBuild.exe execution events if it does serve a business purpose.
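One way to act on the "monitor MSBuild.exe execution events" point above, as an added example that is not part of the GhostBuild project: a small triage script that reads process-creation records (shaped like Sysmon Event ID 1 / EDR telemetry exported as JSON) and flags MSBuild launches that fall outside expected build activity. The field names, the host and parent-process allowlists, the "user-writable directory" heuristic and the sample events are all constructed assumptions to be tuned to your environment.

```python
"""Flag MSBuild.exe process-creation events that fall outside expected build activity.

Added example, not GhostBuild code. Event field names mimic a Sysmon Event ID 1
record exported as JSON (Computer, Image, ParentImage, CommandLine); the
allowlists, heuristics and sample events below are constructed assumptions.
"""
import ntpath
import re

# Hosts where MSBuild has a business purpose (assumed build servers / dev boxes).
EXPECTED_HOSTS = {"build01", "build02"}

# Parents that normally spawn MSBuild during legitimate development (assumed).
EXPECTED_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe"}

# Project files normally live under a source tree; user-writable locations are
# unusual for build input (assumed heuristic, tune per environment).
SUSPICIOUS_DIRS = re.compile(r"\\(temp|tmp|downloads|public|programdata)\\", re.IGNORECASE)

# First Windows path on the command line that ends in a project-style extension.
PROJECT_ARG = re.compile(
    r'"?([A-Za-z]:\\[^"\s]+\.(?:xml|csproj|proj|targets))"?', re.IGNORECASE
)


def is_msbuild(event):
    """True if the created process image is MSBuild.exe (any path, any case)."""
    return ntpath.basename(event.get("Image", "")).lower() == "msbuild.exe"


def project_file(cmdline):
    """Return the project file passed on the command line, or None."""
    m = PROJECT_ARG.search(cmdline)
    return m.group(1) if m else None


def classify(event):
    """Return the reasons an MSBuild launch deserves attention (empty list = benign)."""
    reasons = []
    if not is_msbuild(event):
        return reasons
    # Sysmon usually logs an FQDN; compare on the short host name.
    host = event.get("Computer", "").lower().split(".")[0]
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    proj = project_file(event.get("CommandLine", ""))
    if host not in EXPECTED_HOSTS:
        reasons.append(f"msbuild on host without build role: {host}")
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process: {parent or '<unknown>'}")
    if proj and SUSPICIOUS_DIRS.search(proj):
        reasons.append(f"project file in user-writable location: {proj}")
    if proj and proj.lower().endswith(".xml"):
        reasons.append("project passed as a bare .xml file rather than a .csproj")
    return reasons


def flag_events(events):
    """Return (event, reasons) pairs for every MSBuild launch that broke an expectation."""
    flagged = []
    for event in events:
        reasons = classify(event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


# Constructed sample telemetry: one routine Visual Studio build on a build host,
# one MSBuild launch from cmd.exe on a workstation with a project file in %TEMP%.
SAMPLE_EVENTS = [
    {
        "Computer": "build01.corp.example",
        "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
        "CommandLine": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build',
    },
    {
        "Computer": "ws-finance-07.corp.example",
        "Image": r"C:\Windows\Microsoft.Net\Framework64\v4.0.30319\MSBuild.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"C:\Windows\Microsoft.Net\Framework64\v4.0.30319\MSBuild.exe C:\Users\alice\AppData\Local\Temp\project.xml",
    },
]

if __name__ == "__main__":
    for event, reasons in flag_events(SAMPLE_EVENTS):
        print(event["Computer"], "->", "; ".join(reasons))
```

Each reason is reported separately so an analyst can see which expectation was broken; in practice the host allowlist is the strongest signal, since the page's own guidance is that MSBuild should be disabled wherever it has no business purpose and monitored wherever it does.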
Credits
- @harmj0y - security researcher and primary author of GhostPack
- @mattifestation - security researcher and author of the Out-CompressedDll utility
- @subTee - MSBuild (.Net) wizard and security researcher
- @gentilkiwi - Mimikatz author and security researcher
- @b4rtik - SharpKatz author and security researcher