Skip to content
/ RedCsharp Public

Collection of C# projects. Useful for pentesting and redteaming.

297 stars 49 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

boh/RedCsharp

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

92 Commits
.github/workflows
.github/workflows
 
 
CSExec @ b666638
CSExec @ b666638
 
 
CSharpCreateThreadExample @ 3d8c3d6
CSharpCreateThreadExample @ 3d8c3d6
 
 
CSharpScripts @ 51ba2a7
CSharpScripts @ 51ba2a7
 
 
CSharpSetThreadContext @ 18f1c69
CSharpSetThreadContext @ 18f1c69
 
 
CSharpWinRM @ 285e652
CSharpWinRM @ 285e652
 
 
CVE-2021-1675 @ d2e96c1
CVE-2021-1675 @ d2e96c1
 
 
CasperStager @ ecc66a3
CasperStager @ ecc66a3
 
 
DnsCache @ 5f0efdd
DnsCache @ 5f0efdd
 
 
EDD @ ce38301
EDD @ ce38301
 
 
Farmer @ d0827b9
Farmer @ d0827b9
 
 
FreshCookees @ 062e8c0
FreshCookees @ 062e8c0
 
 
GetInjectedThreads @ de713c0
GetInjectedThreads @ de713c0
 
 
GoldenTicket @ 9e2b23d
GoldenTicket @ 9e2b23d
 
 
Grouper2 @ 1fd8183
Grouper2 @ 1fd8183
 
 
HTTPS_CSharp_Server @ 4762d67
HTTPS_CSharp_Server @ 4762d67
 
 
Inception @ a75a483
Inception @ a75a483
 
 
InveighZero @ 436c2dc
InveighZero @ 436c2dc
 
 
KRBUACBypass @ 278c715
KRBUACBypass @ 278c715
 
 
KittyLitter @ 1dd6470
KittyLitter @ 1dd6470
 
 
LittleCorporal @ c93d570
LittleCorporal @ c93d570
 
 
Lockless @ 5e472ab
Lockless @ 5e472ab
 
 
MaliciousClickOnceMSBuild @ 9c8ab27
MaliciousClickOnceMSBuild @ 9c8ab27
 
 
Minidump @ cc4be10
Minidump @ cc4be10
 
 
MiscTools @ 1127f4e
MiscTools @ 1127f4e
 
 
NamedPipes @ c09c105
NamedPipes @ c09c105
 
 
OffensiveCSharp @ 9550a38
OffensiveCSharp @ 9550a38
 
 
Ps-Tools @ 81c83eb
Ps-Tools @ 81c83eb
 
 
PurpleSharp @ 90fc0a6
PurpleSharp @ 90fc0a6
 
 
Reg_Built @ 64c1eb9
Reg_Built @ 64c1eb9
 
 
RemoteProcessInjection @ 93cc9be
RemoteProcessInjection @ 93cc9be
 
 
Rubeus @ 1ff1306
Rubeus @ 1ff1306
 
 
RunSharp @ 054f918
RunSharp @ 054f918
 
 
RunasCs @ 5e8c074
RunasCs @ 5e8c074
 
 
SafetyDump @ d830633
SafetyDump @ d830633
 
 
SafetyKatz @ 715b311
SafetyKatz @ 715b311
 
 
Seatbelt @ fba4682
Seatbelt @ fba4682
 
 
SharPersist @ 8c35f25
SharPersist @ 8c35f25
 
 
SharPyShell @ 5a2a242
SharPyShell @ 5a2a242
 
 
Sharp-InvokeWMIExec @ 5aca85e
Sharp-InvokeWMIExec @ 5aca85e
 
 
Sharp-SMBExec @ 466ca40
Sharp-SMBExec @ 466ca40
 
 
Sharp-Suite @ 2ccf56d
Sharp-Suite @ 2ccf56d
 
 
SharpAdidnsdump @ 7c93106
SharpAdidnsdump @ 7c93106
 
 
SharpAppLocker @ 2084bec
SharpAppLocker @ 2084bec
 
 
SharpAttack @ 0efff0e
SharpAttack @ 0efff0e
 
 
SharpBlock @ 0d9ca94
SharpBlock @ 0d9ca94
 
 
SharpCOM @ b8c2bfa
SharpCOM @ b8c2bfa
 
 
SharpCat @ 9faa152
SharpCat @ 9faa152
 
 
SharpChisel @ ad6298a
SharpChisel @ ad6298a
 
 
SharpClipHistory @ 881cfd0
SharpClipHistory @ 881cfd0
 
 
SharpClipboard @ 8d74f08
SharpClipboard @ 8d74f08
 
 
SharpCloud @ 58a3e7a
SharpCloud @ 58a3e7a
 
 
SharpCompile @ 068d372
SharpCompile @ 068d372
 
 
SharpCradle @ 9243719
SharpCradle @ 9243719
 
 
SharpDPAPI @ dd34271
SharpDPAPI @ dd34271
 
 
SharpDXWebcam @ 6d70fb4
SharpDXWebcam @ 6d70fb4
 
 
SharpDomainSpray @ 87afceb
SharpDomainSpray @ 87afceb
 
 
SharpDoor @ b5a98dd
SharpDoor @ b5a98dd
 
 
SharpDump @ 41cfcf9
SharpDump @ 41cfcf9
 
 
SharpEdge @ a5c5ad6
SharpEdge @ a5c5ad6
 
 
SharpExcelibur @ 3d07c59
SharpExcelibur @ 3d07c59
 
 
SharpExec @ db8717c
SharpExec @ db8717c
 
 
SharpFiles @ 2861b5d
SharpFiles @ 2861b5d
 
 
SharpFinder @ e33caed
SharpFinder @ e33caed
 
 
SharpFruit @ 145b580
SharpFruit @ 145b580
 
 
SharpGPOAbuse @ 8ff1175
SharpGPOAbuse @ 8ff1175
 
 
SharpHide @ 9a4bca0
SharpHide @ 9a4bca0
 
 
SharpHook @ b4c697d
SharpHook @ b4c697d
 
 
SharpHound3 @ 2eac106
SharpHound3 @ 2eac106
 
 
SharpLoadImage @ ddc036a
SharpLoadImage @ ddc036a
 
 
SharpLocker @ 71779c7
SharpLocker @ 71779c7
 
 
SharpLogger @ 69f7400
SharpLogger @ 69f7400
 
 
SharpLoginPrompt @ ece52a8
SharpLoginPrompt @ ece52a8
 
 
SharpMapExec @ 089005a
SharpMapExec @ 089005a
 
 
SharpMove @ 0380615
SharpMove @ 0380615
 
 
SharpNeedle @ b0f7432
SharpNeedle @ b0f7432
 
 
SharpPack @ da27528
SharpPack @ da27528
 
 
SharpPrinter @ c524e44
SharpPrinter @ c524e44
 
 
SharpRelay @ a1f0d13
SharpRelay @ a1f0d13
 
 
SharpRoast @ 348ba15
SharpRoast @ 348ba15
 
 
SharpRoast-Parser @ d69002f
SharpRoast-Parser @ d69002f
 
 
SharpSC @ adbbc7f
SharpSC @ adbbc7f
 
 
SharpSCADA @ 68dd32f
SharpSCADA @ 68dd32f
 
 
SharpSQL @ e258136
SharpSQL @ e258136
 
 
SharpSSDP @ 045e3c4
SharpSSDP @ 045e3c4
 
 
SharpShares @ 21c883a
SharpShares @ 21c883a
 
 
SharpSniper @ 79aaf14
SharpSniper @ 79aaf14
 
 
SharpSocks @ 132d91e
SharpSocks @ 132d91e
 
 
SharpSphere @ b6be03e
SharpSphere @ b6be03e
 
 
SharpSploit @ adfef11
SharpSploit @ adfef11
 
 
SharpSpray @ d063049
SharpSpray @ d063049
 
 
SharpSword @ 09c2e8e
SharpSword @ 09c2e8e
 
 
SharpSystemTriggers @ 1c71a83
SharpSystemTriggers @ 1c71a83
 
 
SharpTask @ 35de5bb
SharpTask @ 35de5bb
 
 
SharpTerminator @ a1a83cc
SharpTerminator @ a1a83cc
 
 
SharpView @ b604562
SharpView @ b604562
 
 
SharpWMI @ 24fb114
SharpWMI @ 24fb114
 
 
SharpWeb @ 6d7a564
SharpWeb @ 6d7a564
 
 
SilkETW @ 6a2ad75
SilkETW @ 6a2ad75
 
 
SneakyService @ cf509ef
SneakyService @ cf509ef
 
 

Repository files navigation

RedCsharp

Build

Offensive C# tools

  • CasperStager
    • PoC for persisting .NET payloads in Windows Notification Facility (WNF) state names using low-level Windows Kernel API calls.
  • CSExec
    • An implementation of PSExec in C#
  • CSharpCreateThreadExample
    • C# code to run PIC using CreateThread
  • CSharpScripts
    • Collection of C# scripts
  • CSharpSetThreadContext
    • C# Shellcode Runner to execute shellcode via CreateRemoteThread and SetThread Context to evade Get-InjectedThread
  • CSharpWinRM
    • .NET 4.0 WinRM API Command Execution
  • PrintNightmare in CSharp
    • C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527
  • DnsCache
    • This is a reference example for how to call the Windows API to enumerate cached DNS records in the Windows resolver. Proof of concept or pattern only.
  • EDD
    • Enumerate Domain Data is designed to be similar to PowerView but in .NET.
  • Farmer
    • Farmer is a project for collecting NetNTLM hashes in a Windows domain. Farmer achieves this by creating a local WebDAV server that causes the WebDAV Mini Redirector to authenticate from any connecting clients.
  • FreshCookees
    • C# .NET 3.5 tool that keeps proxy auth cookies fresh by maintaining a hidden IE process that navs to your hosted auto refresh page. Uses WMI event listeners to monitor for InstanceDeletionEvents of the Internet Explorer process, and starts a hidden IE process via COM object if no other IE processes are running.
    • C# Implementation of Jared Atkinson's Get-InjectedThread.ps1
  • GoldenTicket
    • This .NET assembly is specifically designed for creating Golden Tickets. It has been built with a custom version of SharpSploit and an old 2.0 alpha (x64) version of Powerkatz.
  • Grouper2
    • Find vulnerabilities in AD Group Policy
  • HTTPS_CSharp_Server
    • Implementing a Multithreaded HTTP/HTTPS Debugging Proxy Server in C# xref.
  • Inception
    • Provides In-memory compilation and reflective loading of C# apps for AV evasion.
  • InveighZero
    • Windows C# LLMNR/mDNS/NBNS/DNS/DHCPv6 spoofer/man-in-the-middle tool
  • KittyLitter
    • Credential Dumper. It is comprised of two components, KittyLitter.exe and KittyScooper.exe. This will bind across TCP, SMB, and MailSlot channels to communicate credential material to lowest privilege attackers.
  • KRBUACBypass
    • UAC Bypass By Abusing Kerberos Tickets
  • LittleCorporal
    • LittleCorporal: A C# Automated Maldoc Generator
  • Lockless
    • Lockless allows for the copying of locked files.
  • MaliciousClickOnceMSBuild
    • Basic C# Project that will take an MSBuild payload and run it with MSBuild via ClickOnce.
  • Minidump
    • The program is designed to dump full memory of the process by specifing process name or process id.
  • MiscTools
    • Miscellaneous Tools
  • NamedPipes
    • A pattern for client/server communication via Named Pipes via C#
  • nopowershell
    • PowerShell rebuilt in C# for Red Teaming purposes
  • OffensiveCSharp
    • Collection of Offensive C# Tooling
  • PurpleSharp
    • PurpleSharp is a C# adversary simulation tool that executes adversary techniques with the purpose of generating attack telemetry in monitored Windows environments.
  • Reg_Built
    • C# Userland Registry RunKey persistence
  • RemoteProcessInjection
    • C# remote process injection utility for Cobalt Strike
  • Rubeus
    • Rubeus is a C# toolset for raw Kerberos interaction and abuses.
  • RunProcessAsTask
  • RunasCs
    • RunasCs - Csharp and open version of windows builtin runas.exe
  • RunSharp
    • Simple program that allows you to run commands as another user without being prompted for their password. This is useful in cases where you don't always get feedback from a prompt, such as the case with some remote shells.
  • SafetyDump
    • SafetyDump is an in-memory process memory dumper.
  • SafetyKatz
    • SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subTee's .NET PE Loader
  • Seatbelt
    • Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
  • self-morphing-csharp-binary
    • C# binary that mutates its own code, encrypts and obfuscates itself on runtime
  • Sharp-InvokeWMIExec
    • A native C# conversion of Kevin Robertsons Invoke-WMIExec powershell script
  • Sharp-Suite
    • fork of FuzzySecurity/Sharp-Suite
  • SharpAdidnsdump
    • c# implementation of Active Directory Integrated DNS dumping (authenticated user)
  • SharpAppLocker
    • C# port of the Get-AppLockerPolicy PS cmdlet
  • SharpAttack
    • SharpAttack is a console for certain things I use often during security assessments. It leverages .NET and the Windows API to perform its work. It contains commands for domain enumeration, code execution, and other fun things.
  • SharpBlock
    • A method of bypassing EDR's active projection DLL's by preventing entry point exection
  • SharpCat
    • C# alternative to the linux "cat" command... Prints file contents to console. For use with Cobalt Strike's Execute-Assembly
  • SharpClipboard
    • C# Clipboard Monitor
  • SharpClipHistory
    • SharpClipHistory is a .NET application written in C# that can be used to read the contents of a user's clipboard history in Windows 10 starting from the 1809 Build.
  • SharpCloud
    • Simple C# for checking for the existence of credential files related to AWS, Microsoft Azure, and Google Compute.
  • SharpCOM
    • CSHARP DCOM Fun
  • SharpCompile
    • SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in realtime. This is a more slick approach than manually compiling an .NET assembly and loading it into Cobalt Strike.
  • SharpCradle
    • SharpCradle is a tool designed to help penetration testers or red teams download and execute .NET binaries into memory.
  • SharpDomainSpray
    • Basic password spraying tool for internal tests and red teaming
  • SharpDoor
    • SharpDoor is alternative RDPWrap written in C# to allowed multiple RDP (Remote Desktop) sessions by patching termsrv.dll file.
  • SharpDPAPI
    • SharpDPAPI is a C# port of some Mimikatz DPAPI functionality.
  • SharpDump
    • SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality.
  • SharpDXWebcam
    • The DirectX and DShowNET assemblies to record video from the host's webcam
  • SharpEdge
    • C# Implementation of Get-VaultCredential
  • SharpHook
    • SharpHook is inspired by the SharpRDPThief project, It uses various API hooks in order to give us the desired credentials.
  • SharpChisel
  • SharPersist
    • Windows persistence toolkit written in C#.
  • SharpExcelibur
    • Read Excel Spreadsheets (XLS/XLSX) using Cobalt Strike's Execute-Assembly
  • SharpExec
    • SharpExec is an offensive security C# tool designed to aid with lateral movement. WMIExec. SMBExec. PSExec. WMI.
  • SharpFiles
    • C# program that takes in the file output from PowerView's Invoke-ShareFinder and will search through the network shares for files containing terms that you specify.
  • SharpFinder
    • Searches for files matching specific criteria on readable shares within the domain.
  • SharpFruit
    • A C# penetration testing tool to discover low-haning web fruit via web requests.
  • SharpGPOAbuse
    • application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.
  • SharpHide
    • Tool to create hidden registry keys.
  • SharpInvoke-SMBExec
    • SMBExec C# module
  • SharpLoadImage
    • Hide .Net assembly into png images
  • SharpLocker
    • SharpLocker helps get current user credentials by popping a fake Windows lock screen, all output is sent to Console which works perfect for Cobalt Strike.
  • SharpLoginPrompt
    • This Program creates a login prompt to gather username and password of the current user.
  • SharpLogger
    • Keylogger written in C#
  • SharpMapExec
    • A sharpen version of CrackMapExec. This tool is made to simplify penetration testing of networks and to create a swiss army knife that is made for running on Windows which is often a requirement during insider threat simulation engagements.
  • SharpNeedle
    • Inject C# code into a running process. Note: SharpNeedle currently only supports 32-bit processes.
  • SharpMove
    • .NET Project for performing Authenticated Remote Execution (WMI, SCM, DCOM, Task Scheduler, Service DLL Hijack, DCOM Server Hijack, Modify Scheduled Task, Modify Service binpath)
  • SharpPack
    • An Insider Threat Toolkit. SharpPack is a toolkit for insider threat assessments that lets you defeat application whitelisting to execute arbitrary DotNet and PowerShell tools.
  • sharppcap
    • Official repository - Fully managed, cross platform (Windows, Mac, Linux) .NET library for capturing packets
  • SharpPrinter
    • Discover Printers
  • SharpRelay
    • Relay hashes over CobaltStrike beacon and impacket ntlmrelayx.py.
  • SharpRoast
    • SharpRoast is a C# port of various PowerView's Kerberoasting functionality.
  • SharpShares
    • Enumerate all network shares in the current domain. Also, can resolve names to IP addresses.
  • SharpSC
    • Simple .NET assembly to interact with services.
  • SharpSniper
    • Find specific users in active directory via their username and logon IP address
  • SharpSocks
    • Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
  • SharpSphere
    • .NET Project for Attacking vCenter
  • SharpSploit
  • SharpSpray
    • SharpSpray a simple code set to perform a password spraying attack against all users of a domain using LDAP and is compatible with Cobalt Strike.
  • SharpSSDP
    • SSDP Service Discovery
  • SharpSQL
    • Simple C# implementation of PowerUpSQL.
  • SharpSystemTriggers
    • Collection of remote authentication triggers in C#
  • SharpSword
    • Read the contents of DOCX files using Cobalt Strike's Execute-Assembly
  • SharpTask
    • SharpTask is a simple code set to interact with the Task Scheduler service api and is compatible with Cobalt Strike.
  • SharpTerminator
    • Terminate AV/EDR Processes using kernel driver
  • SharpView
    • C# implementation of harmj0y's PowerView
  • SharpWeb
    • .NET 2.0 CLR project to retrieve saved browser credentials from Google Chrome, Mozilla Firefox and Microsoft Internet Explorer/Edge.
  • SharpWMI
    • SharpWMI is a C# implementation of various WMI functionality.
  • SharPyShell
    • SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications
  • SharpZeroLogon
    • This is an exploit for CVE-2020-1472, a.k.a. Zerologon.
  • SilkETW
    • SilkETW & SilkService are flexible C# wrappers for ETW, they are meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection. While both projects have obvious defensive (and offensive) applications they should primarily be considered as research tools.
  • SneakyService
    • A simple, minimal C# windows service implementation that can be used to demonstrate privilege escalation from misconfigured windows services.
  • SpaceRunner
    • This tool enables the compilation of a C# program that will execute arbitrary PowerShell code, without launching PowerShell processes through the use of runspace.
  • Stracciatella
    • OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI and Script Block Logging disabled at startup
  • taskkill
    • This is a reference example for how to call the Windows API to enumerate and kill a process similar to taskkill.exe. This is based on (incomplete) MSDN example code. Proof of concept or pattern only.
  • TCPRelayInjecter2
    • Tool for injecting a "TCP Relay" managed assembly into an unmanaged process.
  • TikiTorch
    • Process Injection. The basic concept of CACTUSTORCH is that it spawns a new process, allocates a region of memory, then uses CreateRemoteThread to run the desired shellcode within that target process. Both the process and shellcode are specified by the user.
  • TrustJack
  • Watson
    • Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities

About

Collection of C# projects. Useful for pentesting and redteaming.

Resources

Readme
Activity

Stars

297 stars

Watchers

8 watching

Forks

49 forks
Report repository

Releases

No releases published

Packages

No packages published