Skip to content
Collection of Offensive C# Tooling
Branch: master
Clone or download
Latest commit 01dd57b Mar 5, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
AbandonedCOMKeys Minor bug fixes and enhancements Feb 25, 2019
CredPhisher Minor bug fixes and enhancements Feb 25, 2019
ImplantSSP Pre-release cleanup Feb 24, 2019
MockDirUACBypass Minor edit Feb 25, 2019
SearchSessions Pre-release cleanup Feb 24, 2019
UnqoutedPath Pre-release cleanup Feb 24, 2019


This is a collection of C# tooling and POCs I've created for use on operations. Each project is designed to use no external libraries. Open each project's .SLN in Visual Studio and compile as "Release".

Project Description .NET Version
AbandonedCOMKeys Enumerates abandoned COM keys (specifically InprocServer32). Useful for persistence as you can, in some cases, write to the missing location and call with rundll32.exe -sta {CLSID}. Technique referenced in this post by @bohops 4.0
CredPhisher Prompts the current user for their credentials using the CredUIPromptForWindowsCredentials WinAPI function. Supports an argument to provide the message text that will be shown to the user. 3.5
EncryptedZIP Compresses a directory or file and then encrypts the ZIP file with a supplied key using AES256 CFB. This assembly also clears the key out of memory using RtlZeroMemory. Use the included Decrypter progam to decrypt the archive. 3.5
GPSCoordinates Tracks the system's GPS coordinates (accurate within 1km currectly) if Location Services are enabled. Works on Windows 10 currently, but hoping to cover all versions 7+. 4.0
ImplantSSP Installs a user-supplied Security Support Provider (SSP) DLL on the system, which will be loaded by LSA on system start. The DLL must export SpLsaModeInitialize. Inspired by Install-SSP by @mattifestation. 3.5
JunctionFolder Creates a junction folder in the Windows Accessories Start Up folder as described in the Vault 7 leaks. On start or when a user browses the directory, the referenced DLL will be executed by verclsid.exe in medium integrity. 3.5
MockDirUACBypass Creates a mock trusted directory, C:\Windows \System32\, and moves an auto-elevating Windows executable into the mock directory. A user-supplied DLL which exports the appropriate functions is dropped and when the executable is run, the DLL is loaded and run as high integrity. Technique discovered by @ce2wells and outlined in this post. 3.5
SessionSearcher Searches all connected drives for PuTTY private keys and RDP connection files and parses them for relevant details. Based on SessionGopher by @arvanaghi. 4.0
UnquotedPath Outputs a list of unquoted service paths that aren't in System32/SysWow64 to plant a PE into. ATT&CK Reference 3.5
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.