OffensivePipeline: Download and Build C# Tools, Improving Their Evasion for Red Team Exercises
OffensivePipeline allows you to download and build C# tools, applying certain modifications in order to improve their evasion for Red Team exercises. A common use of OffensivePipeline is to download a tool from a Git repository, randomise certain values in the project, build it, obfuscate the resulting binary and generate a shellcode.
Features
Currently only supports C# (.Net Framework) projects
Allows cloning public and private (you will need credentials :D) git repositories
Allows working with local folders
Randomizes project GUIDs
Randomizes application information contained in AssemblyInfo
Builds C# projects
Obfuscates generated binaries
Generates shellcodes from binaries
There are 79 tools parameterised in YML templates (not all of them may work :D)
New tools can be added using YML templates
It should be easy to add new plugins…
What’s new in version 2.0
Almost complete code rewrite (new bugs?)
Cloning from private repositories possible (authentication via GitHub authToken)
Possibility to copy a local folder instead of cloning from a remote repository
RandomGuid: randomise the GUID in .sln, .csproj and AssemblyInfo.cs files
RandomAssemblyInfo: randomise the values defined in AssemblyInfo.cs
BuildCsharp: build the C# project
ConfuserEx: obfuscate the built C# binaries
Donut: use Donut to generate shellcodes. The generated shellcode takes no parameters; this may change in future releases.
Add a tool from a remote git
The scripts for downloading the tools are in the Tools folder in yml format. New tools can be added by creating new yml files with the following format:
Rubeus.yml file:
tool:
  - name: Rubeus
    description: Rubeus is a C# toolset for raw Kerberos interaction and abuses
    gitLink: https://github.com/GhostPack/Rubeus
    solutionPath: Rubeus\Rubeus.sln
    language: c#
    plugins: RandomGuid, RandomAssemblyInfo, BuildCsharp, ConfuserEx, Donut
    authUser:
    authToken:
Where:
Name: name of the tool
Description: tool description
GitLink: URL of the git repository to clone
SolutionPath: path to the solution (.sln) file inside the repository
Language: language used (currently only c# is supported)
Plugins: plugins to use on this tool build process
AuthUser: user name from github (not used for public repositories)
AuthToken: auth token from github (not used for public repositories)
Add a tool from a local folder
To build from a local folder instead of cloning a remote repository, set gitLink to the folder path:
tool:
  - name: SeatbeltLocal
    description: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
    gitLink: C:\Users\alpha\Desktop\SeatbeltLocal
    solutionPath: SeatbeltLocal\Seatbelt.sln
    language: c#
    plugins: RandomGuid, RandomAssemblyInfo, BuildCsharp, ConfuserEx, Donut
    authUser:
    authToken:
Where:
Name: name of the tool
Description: tool description
GitLink: path of the local folder that contains the tool
SolutionPath: path to the solution (.sln) file inside that folder
Language: language used (currently only c# is supported)
Plugins: plugins to use on this tool build process
AuthUser: user name from github (not used for local repositories)
AuthToken: auth token from github (not used for local repositories)
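As an added example (not code from the OffensivePipeline project), the following Python script parses the template format shown above and reports the problems a reviewer would want to catch before a build runs: missing or unknown keys, a language other than c#, plugin names the page does not list, a gitLink that is neither a URL nor a local path, credentials given for a local folder, and a GitHub token stored in the template file itself. It handles only the flat two-level layout of these templates, not general YAML. The sample template is constructed from the Rubeus.yml shown above, and the rule that ConfuserEx and Donut must come after BuildCsharp assumes plugins run in the listed order, which the page does not state.

```python
"""Parse and sanity-check OffensivePipeline-style YAML tool templates.

Added example: this is not code from the OffensivePipeline project. It handles
only the flat 'tool: / - name: ...' layout shown in the README, not general YAML.
"""
import re
from urllib.parse import urlparse

# Plugin names exactly as the README lists them; anything else is flagged.
KNOWN_PLUGINS = {"RandomGuid", "RandomAssemblyInfo", "BuildCsharp", "ConfuserEx", "Donut"}
REQUIRED_KEYS = ("name", "description", "gitLink", "solutionPath", "language", "plugins")
OPTIONAL_KEYS = ("authUser", "authToken")

# Constructed sample in the template format (mirrors the README's Rubeus.yml).
SAMPLE_TEMPLATE = """\
tool:
  - name: Rubeus
    description: Rubeus is a C# toolset for raw Kerberos interaction and abuses
    gitLink: https://github.com/GhostPack/Rubeus
    solutionPath: Rubeus\\Rubeus.sln
    language: c#
    plugins: RandomGuid, RandomAssemblyInfo, BuildCsharp, ConfuserEx, Donut
    authUser:
    authToken:
"""


def parse_template(text):
    """Return a list of {key: value} dicts, one per '- ' item under 'tool:'."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    if not lines or lines[0].strip() != "tool:":
        raise ValueError("template must start with a 'tool:' line")
    tools, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if line.startswith("- "):          # start of a new tool entry
            current = {}
            tools.append(current)
            line = line[2:].strip()
        if current is None:
            raise ValueError("key outside a '- ' list item: %r" % raw)
        key, sep, value = line.partition(":")  # split on the first ':' only, so URLs survive
        if not sep or not key.strip():
            raise ValueError("malformed line: %r" % raw)
        current[key.strip()] = value.strip()
    return tools


def classify_source(git_link):
    """'remote' for a URL, 'local' for a filesystem path, else 'unknown'."""
    parsed = urlparse(git_link)
    if parsed.scheme in ("http", "https", "git", "ssh") and parsed.netloc:
        return "remote"
    # Drive-letter paths (C:\...), UNC paths (\\server\share), absolute or relative POSIX paths.
    if re.match(r"^[A-Za-z]:[\\/]", git_link) or git_link.startswith(("/", "\\\\", ".")):
        return "local"
    return "unknown"


def validate_tool(tool):
    """Return a list of findings for one entry; an empty list means it looks sane."""
    findings = []
    for key in REQUIRED_KEYS:
        if not tool.get(key):
            findings.append("missing or empty required key: %s" % key)
    for key in tool:
        if key not in REQUIRED_KEYS + OPTIONAL_KEYS:
            findings.append("unknown key: %s" % key)
    lang = tool.get("language", "")
    if lang and lang.lower() != "c#":
        findings.append("unsupported language: %s (only c# is supported)" % lang)
    plugins = [p.strip() for p in tool.get("plugins", "").split(",") if p.strip()]
    for p in plugins:
        if p not in KNOWN_PLUGINS:
            findings.append("unknown plugin: %s" % p)
    # Assumption (not stated on the page): plugins run in the listed order, so the
    # obfuscation and shellcode steps must come after the build step.
    if "BuildCsharp" in plugins:
        for dep in ("ConfuserEx", "Donut"):
            if dep in plugins and plugins.index(dep) < plugins.index("BuildCsharp"):
                findings.append("%s listed before BuildCsharp; it needs the built binary" % dep)
    sol = tool.get("solutionPath", "")
    if sol and not sol.lower().endswith(".sln"):
        findings.append("solutionPath is not a .sln file: %s" % sol)
    link = tool.get("gitLink", "")
    source = classify_source(link) if link else "unknown"
    if link and source == "unknown":
        findings.append("gitLink is neither a URL nor a local path: %s" % link)
    if source == "local" and (tool.get("authUser") or tool.get("authToken")):
        findings.append("authUser/authToken set for a local folder; they are not used")
    if tool.get("authToken"):
        findings.append("warning: authToken stored in the template; keep tokens out of shared files")
    return findings


def validate_template(text):
    """Map each tool name to its findings, for a whole template file."""
    return {t.get("name", "<unnamed>"): validate_tool(t) for t in parse_template(text)}


if __name__ == "__main__":
    for name, findings in validate_template(SAMPLE_TEMPLATE).items():
        print(name, "OK" if not findings else findings)
```

Run it against a Tools folder by reading each .yml file and passing its text to validate_template; an entry with an empty findings list matches the shape the page documents, and the token warning is the one finding worth keeping even for entries that are otherwise fine.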
Requirements for the release version (Visual Studio 2019/2022 is not required)
Tool descriptions from the bundled YML templates:
Description: A tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts (PetitPotam) and relaying to the certificate service.
Description: This modified fork of SafetyKatz dynamically fetches the latest pre-compiled release of Mimikatz directly from the gentilkiwi GitHub repo, runtime patching on detected signatures and uses SharpSploit DInvoke to get it into memory.
Description: Enumerate Domain Data is designed to be similar to PowerView but in .NET. PowerView is essentially the ultimate domain enumeration tool, and we wanted a .NET implementation that we worked on ourselves. This tool was largely put together by viewing implementations of different functionality across a wide range of existing projects and combining them into EDD.
Description: PurpleSharp is an open source adversary simulation tool written in C# that executes adversary techniques within Windows Active Directory environments
Description: Seatbelt is a C# project that performs a number of security oriented host-survey “safety checks” relevant from both offensive and defensive security perspectives.
Description: SharpChromium is a .NET 4.0+ CLR project to retrieve data from Google Chrome, Microsoft Edge, and Microsoft Edge Beta. Currently, it can extract
Description: SharpCloud is a simple C# utility for checking for the existence of credential files related to Amazon Web Services, Microsoft Azure, and Google Compute.
Description: SharpDir is a simple code set to search both local and remote file systems for files using the same SMB process as dir.exe, which uses TCP port 445
Description: Checks running processes, process metadata, Dlls loaded into your current process and each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV’s, EDR’s and logging tools.
Description: SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user’s edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.
Description: This project reuses open handles to lsass to parse or minidump lsass, therefore you don’t need to use your own lsass handle to interact with it. (Dinvoke-version)
Description: This executable is made to be executed within Cobalt Strike session using execute-assembly. It will retrieve the LAPS password from the Active Directory.
Description: Create a minidump of the LSASS process from memory (Windows 10 – Windows Server 2016). The entire process uses dynamic API calls, direct syscall and Native API unhooking to evade the AV / EDR detection.
Description: This project is a C# tool to use Pass-the-Hash for authentication on a local Named Pipe for user Impersonation. You need a local administrator or SEImpersonate rights to use this.
Description: SharpReg is a simple code set to interact with the Remote Registry service API using the same SMB process as reg.exe, which uses TCP port 445
Description: SharpSCCM is a post-exploitation tool designed to leverage Microsoft Endpoint Configuration Manager (a.k.a. ConfigMgr, formerly SCCM) for lateral movement and credential gathering without requiring access to the SCCM administration console GUI.
Description: SharpSpray is a simple code set to perform a password spraying attack against all users of a domain using LDAP and is compatible with Cobalt Strike.
Description: SharpSvc is a simple code set to interact with the SC Manager API using the same DCERPC process as sc.exe, which opens with TCP port 135 and is followed by the use of an ephemeral TCP port.
Description: SharpTask is a simple code set to interact with the Task Scheduler service API using the same DCERPC process as schtasks.exe, which opens with TCP port 135 and is followed by the use of an ephemeral TCP port.
Description: An exploit for CVE-2020-1472, a.k.a. Zerologon. This tool exploits a cryptographic vulnerability in Netlogon to achieve authentication bypass.
Description: While Sysmon’s driver can be renamed at installation, it is always loaded at altitude 385201. The objective of this tool is to challenge the assumption that our defensive tools are always collecting events.
Description: Snaffler is a tool for pentesters and red teamers to help find delicious candy needles (creds mostly, but it’s flexible) in a bunch of horrible boring haystacks (a massive Windows/AD environment).
Description: Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding “Shadow Credentials” to the target account.