This is a collection of C# tooling and POCs I've created for use on operations. Each project is designed to use no external libraries. Open each project's .SLN in Visual Studio and compile as "Release".
| Project | Description | Minimum .NET Version |
|---|---|---|
| AbandonedCOMKeys | Enumerates abandoned COM keys (specifically InprocServer32). Useful for persistence as you can, in some cases, write to the missing location and call with rundll32.exe -sta {CLSID}. Technique referenced in this post by @bohops |
4.0 |
| COMHunter | Enumerates COM servers set in LocalServer32 and InProc32 keys on a system using WMI |
4.0 |
| CredPhisher | Prompts the current user for their credentials using the CredUIPromptForWindowsCredentials WinAPI function. Supports an argument to provide the message text that will be shown to the user. |
3.5 |
| DriverQuery | Collect details about drivers on the system and optionally filter to find only ones not signed by Microsoft | 3.5 |
| EncryptedZIP | Compresses a directory or file and then encrypts the ZIP file with a supplied key using AES256 CFB. This assembly also clears the key out of memory using RtlZeroMemory. Use the included Decrypter progam to decrypt the archive. |
3.5 |
| ETWEventSubscription | Similar to WMI event subscriptions but leverages Event Tracing for Windows. When the event on the system occurs, currently either when any user logs in or a specified process is started, the DoEvil() method is executed. |
4.6 |
| GPSCoordinates | Tracks the system's GPS coordinates (accurate within 1km currently) if Location Services are enabled. Works on Windows 10 currently, but hoping to cover all versions 7+. | 4.0 |
| HijackHunter | Parses a target's PE header in order to find lined DLLs vulnerable to hijacking. Provides reasoning and abuse techniques for each detected hijack opportunity | 4.0 |
| HookDetector | Detects hooked Native API functions in the current process, indicating the presence of EDR | 4.0 |
| ImplantSSP | Installs a user-supplied Security Support Provider (SSP) DLL on the system, which will be loaded by LSA on system start. The DLL must export SpLsaModeInitialize. Inspired by Install-SSP by @mattifestation. |
3.5 |
| InspectAssembly | Inspect's a target .NET assembly's CIL for calls to deserializers and .NET remoting usage to aid in triaging potential privilege escalations. | 4.0 |
| JunctionFolder | Creates a junction folder in the Windows Accessories Start Up folder as described in the Vault 7 leaks. On start or when a user browses the directory, the referenced DLL will be executed by verclsid.exe in medium integrity. |
3.5 |
| MockDirUACBypass | Creates a mock trusted directory, C:\Windows \System32\, and moves an auto-elevating Windows executable into the mock directory. A user-supplied DLL which exports the appropriate functions is dropped and when the executable is run, the DLL is loaded and run as high integrity. Technique discovered by @ce2wells and outlined in this post. |
3.5 |
| PhantomService | Searches for and removes non-ASCII services that can't be easily removed by built-in Windows tools. Reference | 4.0 |
| SessionSearcher | Searches all connected drives for PuTTY private keys and RDP connection files and parses them for relevant details. Based on SessionGopher by @arvanaghi. | 4.0 |
| UnquotedPath | Outputs a list of unquoted service paths that aren't in System32/SysWow64 to plant a PE into. ATT&CK Reference | 3.5 |