This is a collection of C# tooling and POCs I've created for use on operations. Each project is designed to use no external libraries. Open each project's .SLN in Visual Studio and compile as "Release".
Project | Description | Minimum .NET Version |
---|---|---|
AbandonedCOMKeys | Enumerates abandoned COM keys (specifically InprocServer32 ). Useful for persistence as you can, in some cases, write to the missing location and call with rundll32.exe -sta {CLSID} . Technique referenced in this post by @bohops |
4.0 |
COMHunter | Enumerates COM servers set in LocalServer32 and InProc32 keys on a system using WMI |
4.0 |
CredPhisher | Prompts the current user for their credentials using the CredUIPromptForWindowsCredentials WinAPI function. Supports an argument to provide the message text that will be shown to the user. |
3.5 |
DriverQuery | Collect details about drivers on the system and optionally filter to find only ones not signed by Microsoft | 3.5 |
EncryptedZIP | Compresses a directory or file and then encrypts the ZIP file with a supplied key using AES256 CFB. This assembly also clears the key out of memory using RtlZeroMemory . Use the included Decrypter progam to decrypt the archive. |
3.5 |
ETWEventSubscription | Similar to WMI event subscriptions but leverages Event Tracing for Windows. When the event on the system occurs, currently either when any user logs in or a specified process is started, the DoEvil() method is executed. |
4.6 |
GPSCoordinates | Tracks the system's GPS coordinates (accurate within 1km currently) if Location Services are enabled. Works on Windows 10 currently, but hoping to cover all versions 7+. | 4.0 |
HijackHunter | Parses a target's PE header in order to find lined DLLs vulnerable to hijacking. Provides reasoning and abuse techniques for each detected hijack opportunity | 4.0 |
HookDetector | Detects hooked Native API functions in the current process, indicating the presence of EDR | 4.0 |
ImplantSSP | Installs a user-supplied Security Support Provider (SSP) DLL on the system, which will be loaded by LSA on system start. The DLL must export SpLsaModeInitialize . Inspired by Install-SSP by @mattifestation. |
3.5 |
InspectAssembly | Inspect's a target .NET assembly's CIL for calls to deserializers and .NET remoting usage to aid in triaging potential privilege escalations. | 4.0 |
JunctionFolder | Creates a junction folder in the Windows Accessories Start Up folder as described in the Vault 7 leaks. On start or when a user browses the directory, the referenced DLL will be executed by verclsid.exe in medium integrity. |
3.5 |
MockDirUACBypass | Creates a mock trusted directory, C:\Windows \System32\ , and moves an auto-elevating Windows executable into the mock directory. A user-supplied DLL which exports the appropriate functions is dropped and when the executable is run, the DLL is loaded and run as high integrity. Technique discovered by @ce2wells and outlined in this post. |
3.5 |
PhantomService | Searches for and removes non-ASCII services that can't be easily removed by built-in Windows tools. Reference | 4.0 |
SessionSearcher | Searches all connected drives for PuTTY private keys and RDP connection files and parses them for relevant details. Based on SessionGopher by @arvanaghi. | 4.0 |
UnquotedPath | Outputs a list of unquoted service paths that aren't in System32/SysWow64 to plant a PE into. ATT&CK Reference | 3.5 |