Allows You To Download And Build C# Tools, Applying Certain Modifications In Order To Improve Their Evasion For Red Team Exercises

OfensivePipeline allows you to download and build C# tools, applying certain modifications in order to improve their evasion for Red Team exercises.
A common use of OffensivePipeline is to download a tool from a Git repository, randomise certain values in the project, build it, obfuscate the resulting binary and generate a shellcode.

• Almost complete code rewrite (new bugs?)
• Cloning from private repositories possible (authentication via GitHub authToken)
• Possibility to copy a local folder instead of cloning from a remote repository
• New module to generate shellcodes with Donut
• New module to randomize GUIDs of applications
• New module to randomize the AssemblyInfo of each application
• 60 new tools added

Examples

OffensivePipeline.exe list

OffensivePipeline.exe all

OffensivePipeline.exe t toolName

• Clean cloned and build tools

Output example

PS C:\OffensivePipeline> .\OffensivePipeline.exe t rubeus
ooo
.osooooM M
___   __  __                _           ____  _            _ _                      +y.     M M
/ _ \ / _|/ _| ___ _ __  ___(_)_   _____|  _ \(_)_ __   ___| (_)_ __   ___           :h  .yoooMoM
| | | | |_| |_ / _ \ '_ \/ __| \ \ / / _ \ |_) | | '_ \ / _ \ | | '_ \ / _ \          oo  oo
| |_| |  _|  _|  __/ | | \__ \ |\ V /  __/  __/| | |_) |  __/ | | | | |  __/          oo  oo
\___/|_| |_|  \___|_| |_|___/_| \_/ \___|_|   |_| .__/ \___|_|_|_| |_|\___|          oo  oo
|_|                            MoMoooy.  h:
M M     .y+
M Mooooso.
ooo
@aetsu
v2.0.0
[+] Loading tool: Rubeus
Clonnig repository: Rubeus into C:\OffensivePipeline\Git\Rubeus
Repository Rubeus cloned into C:\OffensivePipeline\Git\Rubeus
[+] Load RandomGuid module
Searching GUIDs...
> C:\OffensivePipeline\Git\Rubeus\Rubeus.sln
> C:\OffensivePipeline\Git\Rubeus\Rubeus\Rubeus.csproj
> C:\OffensivePipeline\Git\Rubeus\Rubeus\Properties\AssemblyInfo.cs
Replacing GUIDs...
File C:\OffensivePipeline\Git\Rubeus\Rubeus.sln:
> Replacing GUID 658C8B7F-3664-4A95-9572-A3E5871DFC06 with 3bd82351-ac9a-4403-b1e7-9660e698d286
> Replacing GUID FAE04EC0-301F-11D3-BF4B-00C04F79EFBC with 619876c2-5a8b-4c48-93c3-f87ca520ac5e
> Replacing GUID 658c8b7f-3664-4a95-9572-a3e5871dfc06 with 11e0084e-937f-46d7-83b5-38a496bf278a
[+] No errors!
File C:\OffensivePipeline\Git\Rubeus\Rubeus\Rubeus.csproj:
> Replacing GUID 658C8B7F-3664-4A95-9572-A3E5871DFC06 with 3bd82351-ac9a-4403-b1e7-9660e698d286
> Replacing GUID FAE04EC0-301F-11D3-BF4B-00C04F79EFBC with 619876c2-5a8b-4c48-93c3-f87ca520ac5e
> Replacing GUID 658c8b7f-3664-4a95-9572-a3e5871dfc06 with 11e0084e-937f-46d7-83b5-38a496bf278a
[+] No errors!
File C:\OffensivePipeline\Git\Rubeus\Rubeus\Properties\AssemblyInfo.cs:
> Replacing GUID 658C8B7F-3664-4A95-9572-A3E5871DFC06 with 3bd82351-ac9a-4403-b1e7-9660e698d286
> Replacing GUID FAE04EC0-301F-11D3-BF4B-00C04F79EFBC with 619876c2-5a8b-4c48-93c3-f87ca520ac5e
> Replacing GUID 658c8b7f-3664-4a95-9572-a3e5871dfc06 with 11e0084e-937f-46d7-83b5-38a496bf278a
[+] No errors!
[+] Load RandomAssemblyInfo module
Replacing strings in C:\OffensivePipeline\Git\Rubeus\Rubeus\Properties\AssemblyInfo.cs
[assembly: AssemblyTitle("Rubeus")] -> [assembly: AssemblyTitle("g4ef3fvphre")]
[assembly: AssemblyDescription("")] -> [assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")] -> [assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")] -> [assembly: AssemblyCompany("")]
[assembly: AssemblyProduc   t("Rubeus")] -> [assembly: AssemblyProduct("g4ef3fvphre")]
[assembly: AssemblyCopyright("Copyright ©  2018")] -> [assembly: AssemblyCopyright("Copyright ©  2018")]
[assembly: AssemblyTrademark("")] -> [assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")] -> [assembly: AssemblyCulture("")]
[+] Load BuildCsharp module
[+] Checking requirements...
[*] Downloading nuget.exe from https://dist.nuget.org/win-x86-commandline/latest/nuget.exe
[+] Download OK - nuget.exe
[+] Path found - C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\Common7\Tools\VsDevCmd.bat
Solving dependences with nuget...
Building solution...
[+] No errors!
[+] Output folder: C:\OffensivePipeline\Output\Rubeus_vh00nc50xud
[+] Load ConfuserEx module
[+] Checking requirements...
[+] Downloading ConfuserEx from https://github.com/mkaring/ConfuserEx/releases/download/v1.6.0/ConfuserEx-CLI.zip
[+] Download OK - ConfuserEx
Confusing...
[+] No errors!
[+] Load Donut module
Generating shellcode...
Payload options:
Domain: RMM6XFC3
Runtime:v4.0.30319
Raw Payload: C:\OffensivePipeline\Output\Rubeus_vh00nc50xud\ConfuserEx\Donut\Rubeus.bin
B64 Payload: C:\OffensivePipeline\Output\Rubeus_vh00nc50xud\ConfuserEx\Donut\Rubeus.bin.b64
[+] No errors!
[+] Generating Sha256 hashes
Output file: C:\OffensivePipeline\Output\Rubeus_vh00nc50xud
-----------------------------------------------------------------
SUMMARY
- Rubeus
- RandomGuid: OK
- RandomAssemblyInfo: OK
- BuildCsharp: OK
- ConfuserEx: OK
- Donut: OK
-----------------------------------------------------------------

Plugins

• RandomGuid: randomise the GUID in .sln, .csproj and AssemblyInfo.cs files
• RandomAssemblyInfo: randomise the values defined in AssemblyInfo.cs
• BuildCsharp: build c# project
• ConfuserEx: obfuscate c# tools
• Donut: use Donut to generate shellcodes. The shellcode generated is without parameters, in future releases this may be changed.

Add a tool from a remote git

The scripts for downloading the tools are in the Tools folder in yml format. New tools can be added by creating new yml files with the following format:

tool:
- name: Rubeus
description: Rubeus is a C# toolset for raw Kerberos interaction and abuses
gitLink: https://github.com/GhostPack/Rubeus
solutionPath: Rubeus\Rubeus.sln
language: c#
plugins: RandomGuid, RandomAssemblyInfo, BuildCsharp, ConfuserEx, Donut
authUser:
authToken: 

Where:

• Name: name of the tool
• Description: tool description
• GitLink: link from git to clone
• SolutionPath: solution (sln file) path
• Language: language used (currently only c# is supported)
• Plugins: plugins to use on this tool build process
• AuthUser: user name from github (not used for public repositories)
• AuthToken: auth token from github (not used for public repositories)

Add a tool from a private git

tool:
- name: SharpHound3-Custom
description: C# Rewrite of the BloodHound Ingestor
gitLink: https://github.com/aaaaaaa/SharpHound3-Custom
solutionPath: SharpHound3-Custom\SharpHound3.sln
language: c#
plugins: RandomGuid, RandomAssemblyInfo, BuildCsharp, ConfuserEx, Donut
authUser: aaaaaaa
authToken: abcdefghijklmnopqrsthtnf

Where:

• Name: name of the tool
• Description: tool description
• GitLink: link from git to clone
• SolutionPath: solution (sln file) path
• Language: language used (currently only c# is supported)
• Plugins: plugins to user on this tool build process
• AuthUser: user name from GitHub
• AuthToken: auth token from GitHub (documented at GitHub: creating a personal access token)

Add a tool from local git folder

tool:
- name: SeatbeltLocal
description: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
gitLink: C:\Users\alpha\Desktop\SeatbeltLocal
solutionPath: SeatbeltLocal\Seatbelt.sln
language: c#
plugins: RandomGuid, RandomAssemblyInfo, BuildCsharp, ConfuserEx, Donut
authUser:
authToken: 

Where:

• Name: name of the tool
• Description: tool description
• GitLink: path where the tool is located
• SolutionPath: solution (sln file) path
• Language: language used (currently only c# is supported)
• Plugins: plugins to user on this tool build process
• AuthUser: user name from github (not used for local repositories)
• AuthToken: auth token from github (not used for local repositories)

Requirements for the release version (Visual Studio 2019/2022 is not required)

In the OffensivePipeline.dll.config file it’s possible to change the version of the build tools used.

<add key="BuildCSharpTools" value="C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\Common7\Tools\VsDevCmd.bat"/>

<add key="BuildCSharpTools" value="C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\Common7\Tools\VsDevCmd.bat"/>

Requirements for build

Credits

Supported tools

• ADCollector:
• ADCSPwn:
  • Description: A tool to escalate privileges in an active directory network by coercing authenticate from machine accounts (Petitpotam) and relaying to the certificate service.
  • Link: https://github.com/bats3c/ADCSPwn
• ADFSDump:
• ADSearch:
• BetterSafetyKatz:
  • Description: This modified fork of SafetyKatz dynamically fetches the latest pre-compiled release of Mimikatz directly from the gentilkiwi GitHub repo, runtime patching on detected signatures and uses SharpSploit DInvoke to get it into memory.
  • Link: https://github.com/Flangvik/BetterSafetyKatz
• Certify:
• DeployPrinterNightmare:
• EDD:
  • Description: Enumerate Domain Data is designed to be similar to PowerView but in .NET. PowerView is essentially the ultimate domain enumeration tool, and we wanted a .NET implementation that we worked on ourselves. This tool was largely put together by viewing implementations of different functionality across a wide range of existing projects and combining them into EDD.
  • Link: https://github.com/FortyNorthSecurity/EDD
• ForgeCert:
• Group3r:
• KrbRelay:
• KrbRelayUp:
• LockLess:
• PassTheCert:
• PurpleSharp:
• Rubeus:
• SafetyKatz:
• SauronEye:
• SearchOutlook:
• Seatbelt:
  • Description: Seatbelt is a C# project that performs a number of security oriented host-survey “safety checks” relevant from both offensive and defensive security perspectives.
  • Link: https://github.com/GhostPack/Seatbelt
• Sharp-SMBExec:
• SharpAppLocker:
• SharpBypassUAC:
• SharpChisel:
• SharpChromium:
• SharpCloud:
• SharpCOM:
• SharpCookieMonster:
• SharpCrashEventLog:
• SharpDir:
  • Description: SharpDir is a simple code set to search both local and remote file systems for files using the same SMB process as dir.exe, which uses TCP port 445
  • Link: https://github.com/jnqpblc/SharpDir
• SharpDPAPI:
• SharpDump:
• SharpEDRChecker:
  • Description: Checks running processes, process metadata, Dlls loaded into your current process and each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV’s, EDR’s and logging tools.
  • Link: https://github.com/PwnDexter/SharpEDRChecker
• SharPersist:
• SharpExec:
• SharpGPOAbuse:
  • Description: SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user’s edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.
  • Link: https://github.com/FSecureLABS/SharpGPOAbuse
• SharpHandler:
  • Description: This project reuses open handles to lsass to parse or minidump lsass, therefore you don’t need to use your own lsass handle to interact with it. (Dinvoke-version)
  • Link: https://github.com/jfmaes/SharpHandler
• SharpHose:
• SharpHound3:
• SharpKatz:
• SharpLAPS:
  • Description: This executable is made to be executed within Cobalt Strike session using execute-assembly. It will retrieve the LAPS password from the Active Directory.
  • Link: https://github.com/swisskyrepo/SharpLAPS
• SharpMapExec:
• SharpMiniDump:
  • Description: Create a minidump of the LSASS process from memory (Windows 10 – Windows Server 2016). The entire process uses dynamic API calls, direct syscall and Native API unhooking to evade the AV / EDR detection.
  • Link: https://github.com/b4rtik/SharpMiniDump
• SharpMove:
• SharpNamedPipePTH:
• SharpNoPSExec:
• SharpPrinter:
• SharpRDP:
• SharpReg:
  • Description: SharpReg is a simple code set to interact with the Remote Registry service API using the same SMB process as reg.exe, which uses TCP port 445
  • Link: https://github.com/jnqpblc/SharpReg
• SharpSCCM:
  • Description: SharpSCCM is a post-exploitation tool designed to leverage Microsoft Endpoint Configuration Manager (a.k.a. ConfigMgr, formerly SCCM) for lateral movement and credential gathering without requiring access to the SCCM administration console GUI.
  • Link: https://github.com/Mayyhem/SharpSCCM
• SharpScribbles:
• SharpSearch:
• SharpSecDump:
• SharpShares:
• SharpSniper:
• SharpSphere:
• SharpSpray:
  • Description: SharpSpray a simple code set to perform a password spraying attack against all users of a domain using LDAP and is compatible with Cobalt Strike.
  • Link: https://github.com/jnqpblc/SharpSpray
• SharpSQLPwn:
• SharpStay:
• SharpSvc:
  • Description: SharpSvc is a simple code set to interact with the SC Manager API using the same DCERPC process as sc.exe, which open with TCP port 135 and is followed by the use of an ephemeral TCP port
  • Link: https://github.com/jnqpblc/SharpSvc
• SharpTask:
  • Description: SharpTask is a simple code set to interact with the Task Scheduler service API using the same DCERPC process as schtasks.exe, which open with TCP port 135 and is followed by the use of an ephemeral TCP port.
  • Link: https://github.com/jnqpblc/SharpTask
• SharpUp:
• SharpView:
• SharpWebServer:
• SharpWifiGrabber:
• SharpWMI:
• SharpZeroLogon:
  • Description: An exploit for CVE-2020-1472, a.k.a. Zerologon. This tool exploits a cryptographic vulnerability in Netlogon to achieve authentication bypass.
  • Link: https://github.com/nccgroup/nccfsas
• Shhmon:
  • Description: While Sysmon’s driver can be renamed at installation, it is always loaded at altitude 385201. The objective of this tool is to challenge the assumption that our defensive tools are always collecting events.
  • Link: https://github.com/matterpreter/Shhmon
• Snaffler:
  • Description: Snaffler is a tool for pentesters and red teamers to help find delicious candy needles (creds mostly, but it’s flexible) in a bunch of horrible boring haystacks (a massive Windows/AD environment).
  • Link: https://github.com/SnaffCon/Snaffler
• SqlClient:
• StandIn:
• SweetPotato:
• ThreatCheck:
• TokenStomp:
• TruffleSnout:
• Watson:
• Whisker:
  • Description: Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding “Shadow Credentials” to the target account.
  • Link: https://github.com/eladshamir/Whisker
• winPEAS:
• WMIReg:
  • Description: Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute.
  • Link: https://github.com/airzero24/WMIReg