GhostPack was recently released by Will Schroeder. It is a great package of C# offensive tools. C# is a relatively untapped part of the offensive toolkit, with some unique opportunities and challenges: it is great because the framework gives you a rich API to live off of, but it can be a challenge because different versions of the framework aren’t consistently installed across organizations. In this post we are going to apply a concept I developed to one of these tools to reduce its detection surface as much as possible. The tool we are going to look at is SafetyKatz, which wraps normal mimikatz in C#, which in turn wraps some unmanaged code using a PELoader technique created by Casey Smith. Essentially, this post boils down to shrinking the on-disk footprint of SafetyKatz from about 700KB to about 5KB and loading the rest over http or https, using a technique I call .Net over .net.
TL;DR: If you aren’t interested in the details and you have always wanted to run Python on top of .Net in 5 lines of PowerShell or less, skip to the bottom for the code snippets. If you want to find out how that is possible, read on…
I have been digging into .Net recently, trying to stretch the bounds of the .Net Framework, and I have a very cool discovery to share. Anyone interested in the offensive side of security is always looking to limit the amount of attack surface that is exposed to various security controls when trying to get shells on boxes. This article will hopefully teach you a bit about the .Net Framework, as well as how to pull and load .Net assemblies over the Internet into a C# application or, even more interestingly… PowerShell. The resulting C# applications are around 6KB. The resulting PowerShell applications are just a handful of lines of code. Imagine having all the power, benefits and extensibility of managed .Net code without the footprint. As an example, we are going to run (Iron)Python on top of .Net, over the Internet. Here is how.
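The artifact that this approach leaves behind on the defensive side is a process whose managed code has no backing file: an assembly loaded from a downloaded byte array reports an empty `Assembly.Location`. The following is an added example, not code from the original post or from GhostPack, that audits the assemblies in the current AppDomain and flags the ones with no on-disk image. It assumes only the standard `System.Reflection` API and is the kind of check a blue-team script or a test harness can use to confirm that an assembly was loaded from memory rather than from a file.

```csharp
using System;
using System.Reflection;

// Added example (not part of the original post): list every assembly in the
// current AppDomain and flag those with no file on disk. Assemblies loaded via
// Assembly.Load(byte[]) from a network download fall into this category; so do
// purely dynamic (Reflection.Emit) assemblies, which are reported separately.
static class MemoryAssemblyAudit
{
    // Returns a short classification for one assembly.
    static string Classify(Assembly asm)
    {
        if (asm.IsDynamic)
        {
            return "dynamic (Reflection.Emit)";
        }

        string location;
        try
        {
            location = asm.Location;
        }
        catch (NotSupportedException)
        {
            // Older runtimes throw here instead of reporting IsDynamic.
            return "dynamic (Reflection.Emit)";
        }

        return string.IsNullOrEmpty(location)
            ? "MEMORY-ONLY (no on-disk image)"
            : "file: " + location;
    }

    static void Main()
    {
        int memoryOnly = 0;

        foreach (Assembly asm in AppDomain.CurrentDomain.GetAssemblies())
        {
            string kind = Classify(asm);
            if (kind.StartsWith("MEMORY-ONLY"))
            {
                memoryOnly++;
                Console.WriteLine("[!] {0} -> {1}", asm.GetName().Name, kind);
            }
            else
            {
                Console.WriteLine("[ ] {0} -> {1}", asm.GetName().Name, kind);
            }
        }

        Console.WriteLine("{0} memory-only assembl{1} found",
            memoryOnly, memoryOnly == 1 ? "y" : "ies");
    }
}
```

Run inside a process that has pulled an assembly over the network and the byte-loaded module shows up with an empty location, while the framework assemblies resolve to paths under the GAC or the application directory. Outside the process, the same fact is visible through CLR load events, so an empty-location assembly is a reasonable starting signal for triage even though it does not by itself prove malicious intent.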