.NET injection PoC

Repository contains code samples weaponized for use with Covenant (https://github.com/cobbr/Covenant) and donut (https://github.com/TheWover/donut) and TikiTorch (https://github.com/rasta-mouse/TikiTorch).

Techniques are partially described under this writing: https://medium.com/@ditrizna/red-team-use-case-of-open-source-weaponization-5b22b0e287a5

Injection that does not relies on RWX right permissions is located under PAYLOAD_INJECT/inject_rw_rx.cs.
Delivery that uses mshta.exe instead of WebDav is located under download_compile_and_exec.hta.

Potential improvements:
* adding an execution methods to PAYLOAD_INJECT samples in order to launch using installutil.exe, regsvr.exe
* adding a persistence already in PAYLOAD EXEC stage

Name		Name	Last commit message	Last commit date
Latest commit History 39 Commits
PAYLOAD_CORE		PAYLOAD_CORE
PAYLOAD_EXEC		PAYLOAD_EXEC
PAYLOAD_INJECT		PAYLOAD_INJECT
Get-CompressedShellcode.ps1		Get-CompressedShellcode.ps1
README.md		README.md
generate_sc.py		generate_sc.py
obfuscate.py		obfuscate.py

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

.NET injection PoC

About

Uh oh!

Releases

Packages

Languages

dtrizna/DotNetInject

Folders and files

Latest commit

History

Repository files navigation

.NET injection PoC

About

Topics

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages