Back in October 2018 (yes, 2018!), I approached (begged) xpn for a collaboration on an idea I had for a .NET C2 Framework. We worked on the project for about a month or so before real life got in the way and stalled development. In February 2019, cobbr released Covenant, which is also a .NET C2 Framework. I subsequently spent some time contributing to, and writing about, Covenant, but I’ve always wanted to get back to our original project.
I decided to revisit SharpC2 (a very creative name on my part) over the 2019 Christmas period to try and get it into a position where we could release a proof of concept. Yet somehow I’m not writing this until May 2020! We can blame my RTO course for that.
This post is intended to provide an overview of SharpC2’s design concepts and some showcase examples of how it can be used. Code can be found on GitHub.
Back in April 2017, James Forshaw (hail) released a tool called DotNetToJScript which was capable of generating JScript, VBA and VBScript that could run an arbitrary .NET assembly (mostly) from memory. Although not its intended purpose, it was quickly picked up by tool developers, pentesters, red teamers, bad guys, etc. and used to deliver .NET-based payloads via methods such as HTA.
Microsoft and other AV vendors started writing signatures for DN2JS, and we all know how that makes James feel (Exhibits A and B). Microsoft even went as far as to make some under-the-hood changes from Windows 10 / 2K16 to mitigate the use of DN2JS payloads, as evidenced by these notes in Covenant:
These factors seem to have resulted in a decline in the prevalence of these payloads, or at least, they’re not hyped so much.
Enter GadgetToJScript by Mohamed El Azaar. This tool generates .NET serialized gadgets that can trigger assembly load/execution when deserialized via BinaryFormatter from JScript, VBScript or VBA. So it once again allows for similar tradecraft to what was originally provided by DN2JS, and it works on Windows 10.
Covenant is a .NET Command and Control framework that boasts a number of exciting features for red teamers. The Covenant implants are called Grunts, which are capable of executing post-exploitation “tasks” on a compromised machine. Covenant v0.1 was released with a number of useful tasks, but the repository has really grown through contributions from the Covenant community.
Tasks can extend the functionality and versatility of a Grunt, such as providing new lateral movement, persistence or privilege escalation techniques and more. Contributing a Task to Covenant is an excellent way to support the project.
This post will provide an introduction for those wishing to create and contribute new Tasks.
TikiService is a new .NET Service Binary that allows you to run a TikiTorch payload via the Service Control Manager (à la PsExec). TikiTorch.cna has also been updated to create a new Cobalt Strike function: tikiexec, that automates its use. This blog post provides a brief overview and usage examples.
Covenant v0.1 was first released in February 2019 and has since received a lot of really good updates. v0.2 was released in May which added p2p comms over SMB named pipes, and v0.3 was released in August which added a brand new web interface. Even though it’s such a young project, it has really proven itself to be a capable tool for offensive operators. I’ve not taken a look at Covenant since v0.1.x but since providing some new additions to SharpSploit, it kinda got my geek going. One of my areas of interest is weaponising the Grunt stager.
FortyNorth Security recently posted an article detailing the process for leveraging MSBuild to execute unmanaged PowerShell, and automating it in Aggressor script for Cobalt Strike users. Being a native binary in the Windows OS, the use of MSBuild is a common AWL bypass technique, which is handy in relatively well locked down environments.
I’ve added a new experimental project to TikiTorch, called TikiVader. I originally thought of “vader” as a play on “evade”/“evader”, until I realised TikiVader was never meant to evade anything… but never mind 😒