Home

Awesome

OffensiveCSharp

This is a collection of C# tooling and POCs I've created for use on operations. Each project is designed to use no external libraries. Open each project's .SLN in Visual Studio and compile as "Release".

ProjectDescriptionMinimum .NET Version
AbandonedCOMKeysEnumerates abandoned COM keys (specifically InprocServer32). Useful for persistence as you can, in some cases, write to the missing location and call with rundll32.exe -sta {CLSID}. Technique referenced in this post by @bohops4.0
COMHunterEnumerates COM servers set in LocalServer32 and InProc32 keys on a system using WMI4.0
CredPhisherPrompts the current user for their credentials using the CredUIPromptForWindowsCredentials WinAPI function. Supports an argument to provide the message text that will be shown to the user.3.5
DriverQueryCollect details about drivers on the system and optionally filter to find only ones not signed by Microsoft3.5
EncryptedZIPCompresses a directory or file and then encrypts the ZIP file with a supplied key using AES256 CFB. This assembly also clears the key out of memory using RtlZeroMemory. Use the included Decrypter progam to decrypt the archive.3.5
ETWEventSubscriptionSimilar to WMI event subscriptions but leverages Event Tracing for Windows. When the event on the system occurs, currently either when any user logs in or a specified process is started, the DoEvil() method is executed.4.6
GPSCoordinatesTracks the system's GPS coordinates (accurate within 1km currently) if Location Services are enabled. Works on Windows 10 currently, but hoping to cover all versions 7+.4.0
HijackHunterParses a target's PE header in order to find lined DLLs vulnerable to hijacking. Provides reasoning and abuse techniques for each detected hijack opportunity4.0
HookDetectorDetects hooked Native API functions in the current process, indicating the presence of EDR4.0
ImplantSSPInstalls a user-supplied Security Support Provider (SSP) DLL on the system, which will be loaded by LSA on system start. The DLL must export SpLsaModeInitialize. Inspired by Install-SSP by @mattifestation.3.5
InspectAssemblyInspect's a target .NET assembly's CIL for calls to deserializers and .NET remoting usage to aid in triaging potential privilege escalations.4.0
JunctionFolderCreates a junction folder in the Windows Accessories Start Up folder as described in the Vault 7 leaks. On start or when a user browses the directory, the referenced DLL will be executed by verclsid.exe in medium integrity.3.5
MockDirUACBypassCreates a mock trusted directory, C:\Windows \System32\, and moves an auto-elevating Windows executable into the mock directory. A user-supplied DLL which exports the appropriate functions is dropped and when the executable is run, the DLL is loaded and run as high integrity. Technique discovered by @ce2wells and outlined in this post.3.5
PhantomServiceSearches for and removes non-ASCII services that can't be easily removed by built-in Windows tools. Reference4.0
SessionSearcherSearches all connected drives for PuTTY private keys and RDP connection files and parses them for relevant details. Based on SessionGopher by @arvanaghi.4.0
UnquotedPathOutputs a list of unquoted service paths that aren't in System32/SysWow64 to plant a PE into. ATT&CK Reference3.5