A place for me to store some C# tooling for red team/pentesting efforts.
Execute process under a different PID and retrieve the output.
Usage: ExecutionTesting.exe <pid>
I've been using this for a while now within a C2 framework with some minor changes and has been pretty stable. This PoC will execute a command under a specified PID. You will need proper permissions on the process to launch a child under it. Sound familiar? Cobalt Strike introduced this feature here which also referenced Didier Stevens' blog who found this back in 2009!
I believe this is the first public example of actually retrieving output from a process executed with another PID (Cobalt Strike can do it also). To achieve this I had to create a pipe with CreatePipe(), then use DuplicateHandle() to send a handle to the selected parent PID, then the new process should inherit that handle (due to STARTF_USESTDHANDLES) for the pipe and send stdout to the pipe. Our original process will then poll and read from that pipe. Would love to hear of any alternatives or better ways to achieve!
Update 11-14-2019: Added mitigation policy to block non-Microsoft signed DLLs. This is similar to Cobalt Strike's blockdlls feature and was ported in from referencing @xpn's great work which can be found here.
Usage: LogonSessionEnum.exe
Wanted to pull similar logon data, including LUIDs, to relate with @harmj0y's Rubeus project. I noticed afterwards that a lot of similar code is in the Rubeus project. This code will also tell you which logon session your current process belongs to, useful when you're trying to understand which logon session you need to inject tickets into.