Rasta Mouse Brain Farts
Blog / January 2, 2023 / Rasta Mouse
tl;dr Since .NET Core 3, the dotnet runtime has provided a low-level hook that allows injecting managed code that will run before an application’s entry point. This hook makes it possible to effectively backdoor any .NET application on a host (Windows, Linux, and macOS). You may ask why such a feature exists. It’s used in
Blog / December 16, 2022 / Rasta Mouse
This post was inspired by a question posted by kevin in my Discord server, about how token impersonation can be applied to threads in C#. Before delving into that particular facet, let’s do a quick recap of token impersonation as a whole. What is Token Impersonation? This is a practice by which a calling thread
Blog / October 27, 2022 / Rasta Mouse
Many Active Directory enumeration and post-exploitation tools need to figure out which domain they’re in or which domain they need to target. For convenience, PowerShell and C# tools can use the .NET Domain class from the System.DirectoryService.ActiveDirectory namespace. This class has several methods that can return a relevant Domain object, including GetComputerDomain() and GetCurrentDomain(). This
Blog / March 28, 2022 / Rasta Mouse
Some time ago, I tweeted a teaser about implementing a SOCKS4 proxy in .NET. This post will finally provide a basic run-down of how I implemented it. There are some short-comings, which I’ll try and callout as they come up. We start off by creating a class that will bring a bind address and port
Blog / February 21, 2022 / Rasta Mouse
In Command & Control (C2) parlance, there are two main types of implant: egress and (peer-to-peer) P2P. An egress implant will talk directly to attacker-controlled infrastructure over a protocol such as HTTP. A P2P implant does not talk directly to an attacker, but has their communications (SMB, TCP, or whatever) relayed through one or more
Blog / December 27, 2021 / Rasta Mouse
In the previous blog post, we looked at how to enumerate and duplicate open process handles in C#. The use case that was outlined involved stealing a handle to LSASS, as this is potentially more OPSEC safe (from AV and EDRs) than obtaining a handle directly. This post will demonstrate how to use such a
Blog / November 27, 2021 / Rasta Mouse
Introduction Applications can open and maintain handles to Windows objects such as access tokens, processes, threads, files, named pipes and more. As a local admin (or with SeDebug privs), it’s possible to enumerate open handles across the entire OS and duplicate them for our own use. This is particularly useful when you want to obtain
Blog / November 12, 2021 / Rasta Mouse
Introduction This post will walk through how I created a library which implements Cobalt Strike’s External C2 Specification, introduces the ExternalC2.NET NuGet packages, and demonstrates how to use them in a custom third-party controller and client. External C2 Cobalt Strike has the ability to accept third-party command & control, allowing operators to go far beyond
Blog / October 4, 2021 / Rasta Mouse
Placing backdoors in legitimate applications is a good way to achieve persistence, data exfiltration, and if circumstances allow, privilege escalation. Backdooring .NET assemblies is surprisingly easy using an editor such as dnSpy. This post will run through a simplistic scenario where we backdoor a DLL used by a Blazor Server App. I thought this was
Blog / September 6, 2021 / Rasta Mouse
I’m sure the subject of combining D/Invoke with GadgetToJScript has been written about multiple times; but I wanted to throw my hat into the ring with this post. For those who don’t already know, D/Invoke provides (among other things) a means for dynamically invoking unmanaged APIs without using P/Invoke. GadgetToJScript is a spiritual successor to