GhostPack was recently released by Will Shroeder. This is a great package of C# offensive tools. C# is a relatively untapped part of the offensive toolkit with some unique opportunities and challenges. It is great because it gives you a great API that you can live off of, it is sometimes a challenge as different versions aren’t always consistently installed across different organizations. In this post we are going to talk about applying a concept that I developed to one of these tools to reduce detection surface as much as possible. The tool we are going to look at is SafetyKatz which wraps normal mimikatz in C# which in turn wraps some unmanaged code using a PELoader technique created by Casey Smith. Essentially what this post boils down to is shrinking the on-disk footprint of SafetyKatz from about ~700KB to about 5KB and loading the rest over http or https using a technique I call .Net over .net.