SharpCompile: compile and execute C# in realtime
SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in real-time. This is a more slick approach than manually compiling an .NET assembly and loading it into Cobalt Strike. The project aims to make it easier to move away from adhoc PowerShell execution instead creating a temporary assembly and executing using beacon’s ‘execute-assembly’ in seconds.
git clone https://github.com/SpiderLabs/SharpCompile.git
Run server component elevated on a Windows machine (Your builder box) to listen on 0.0.0.0. This web server is intended to only be visible to operator systems (running the Cobalt Strike client) so is unauthenticated. Firewall this off and take advantage of SSL by providing ‘cert.cer’ alongside the server binary.
Your Cobalt Strike client then tasks the server component to build an assembly when required. This simply requires ‘curl’ by default so should work out the box on OS X and Linux. You will likely need to tweak the .cna to make it work on Windows calling a ‘curl.exe’ etc.
Modify the config section at the top of ‘SharpCompile.cna’ and load into Cobalt Strike. This exposes SharpCompile in the following ways:
SharpCompile beacon menu:
Right hand click a beacon:Select the .cs you want to compile and execute:
In the below example we compile SharpUp and run it with an ‘audit’ argument:
Note: The version of .NET Framework csc.exe you specify for server component matters when compiling code that needs a specific version. This process does not give any feedback on a compilation, so if the code does not compile you will likely get an error in Cobalt Strike saying invalid assembly.
- David Middlehurst – Twitter- @dtmsecurity
Copyright (C) 2018 Trustwave Holdings, Inc.