Offensive .NET
Bypassing Signatures
DefenderCheck.exe SharpKatz.exe
String Manipulation
Open the project in Visual Studio and make the following adjustments:
Press "CTRL + H"
Find and replace the string "Credentials" with "Credents". Any other string can be used as the replacement (make sure that string is not already present in the code).
Select the scope as "Entire Solution"
Press the "Replace All" button.
Build and recheck the binary with DefenderCheck.
Repeat the above steps if there is still a detection.
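From the detection side, the steps above show why a signature keyed on a single literal is brittle. The following is an added example (not part of the original page or of any tool named here) that contrasts an exact literal match with a near-match triage check; the watchlist, the threshold and the sample bytes are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

WATCHLIST = ["Credentials"]   # the literal the page renames; assumed signature term
NEAR_THRESHOLD = 0.8          # assumed similarity cut-off for a "near miss"

def extract_strings(blob, min_len=5):
    """Printable ASCII runs (identifier names) plus UTF-16LE runs (.NET string literals)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    return ([r.decode("ascii") for r in ascii_runs] +
            [r.decode("utf-16le") for r in utf16_runs])

def exact_hits(blob):
    """What a literal-string signature sees: the term, byte for byte."""
    return [t for t in WATCHLIST
            if t.encode("ascii") in blob or t.encode("utf-16le") in blob]

def near_hits(blob):
    """Identifier tokens that closely resemble a watchlist term but are not equal to it."""
    found = set()
    for s in extract_strings(blob):
        # Split camelCase / PascalCase identifiers into word tokens.
        for token in re.findall(r"[A-Z][a-z]+|[a-z]+|[A-Z]+", s):
            for term in WATCHLIST:
                if token.lower() == term.lower():
                    continue  # exact matches are reported by exact_hits()
                ratio = SequenceMatcher(None, token.lower(), term.lower()).ratio()
                if ratio >= NEAR_THRESHOLD:
                    found.add((term, token))
    return sorted(found)

def sample(word):
    """Constructed sample bytes (not a real executable): one UTF-16LE and one ASCII string."""
    return (("Dump" + word).encode("utf-16le") + b"\x00\x01" +
            ("Get" + word).encode("ascii") + b"\x00")

ORIGINAL = sample("Credentials")
RENAMED = sample("Credents")

if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("renamed", RENAMED)):
        print(name, "exact:", exact_hits(blob), "near:", near_hits(blob))
```

A near-miss on an otherwise unknown binary is a triage signal to combine with behavioural telemetry, not a verdict on its own.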
Obfuscation
For a tool like Rubeus, NimCrypt2 can be used to obfuscate the code. However, the obfuscated tool version must be compatible with the obfuscated loader used with it.
./nimcrypt -f Rubeus-original.exe -e -n -s --no-ppid-spoof -o Rubeus.exe -t csharp
-e: Encrypt strings using the strenc module
-n: Disable syscall name randomization
-s: Disable sandbox checks
--no-ppid-spoof: Disable PPID Spoofing
-t: Type of file
-o: Output filename