CVSS3: 5.5 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS: 0.451 Medium
Percentile: 97.4%
OffensivePipeline allows you to download and build C# tools, applying certain modifications in order to improve their evasion for Red Team exercises.
A common use of OffensivePipeline is to download a tool from a Git repository, randomise certain values in the project, build it, obfuscate the resulting binary and generate shellcode.
List all tools:
OffensivePipeline.exe list
Build all tools:
OffensivePipeline.exe all
Build a tool:
OffensivePipeline.exe t toolName
Clean cloned and built tools:
OffensivePipeline.exe
PS C:\OffensivePipeline> .\OffensivePipeline.exe t rubeus
@aetsu
v2.0.0
[+] Loading tool: Rubeus
Clonnig repository: Rubeus into C:\OffensivePipeline\Git\Rubeus
Repository Rubeus cloned into C:\OffensivePipeline\Git\Rubeus
[+] Load RandomGuid module
Searching GUIDs...
> C:\OffensivePipeline\Git\Rubeus\Rubeus.sln
> C:\OffensivePipeline\Git\Rubeus\Rubeus\Rubeus.csproj
> C:\OffensivePipeline\Git\Rubeus\Rubeus\Properties\AssemblyInfo.cs
Replacing GUIDs...
File C:\OffensivePipeline\Git\Rubeus\Rubeus.sln:
> Replacing GUID 658C8B7F-3664-4A95-9572-A3E5871DFC06 with 3bd82351-ac9a-4403-b1e7-9660e698d286
> Replacing GUID FAE04EC0-301F-11D3-BF4B-00C04F79EFBC with 619876c2-5a8b-4c48-93c3-f87ca520ac5e
> Replacing GUID 658c8b7f-3664-4a95-9572-a3e5871dfc06 with 11e0084e-937f-46d7-83b5-38a496bf278a
[+] No errors!
File C:\OffensivePipeline\Git\Rubeus\Rubeus\Rubeus.csproj:
> Replacing GUID 658C8B7F-3664-4A95-9572-A3E5871DFC06 with 3bd82351-ac9a-4403-b1e7-9660e698d286
> Replacing GUID FAE04EC0-301F-11D3-BF4B-00C04F79EFBC with 619876c2-5a8b-4c48-93c3-f87ca520ac5e
> Replacing GUID 658c8b7f-3664-4a95-9572-a3e5871dfc06 with 11e0084e-937f-46d7-83b5-38a496bf278a
[+] No errors!
File C:\OffensivePipeline\Git\Rubeus\Rubeus\Properties\AssemblyInfo.cs:
> Replacing GUID 658C8B7F-3664-4A95-9572-A3E5871DFC06 with 3bd82351-ac9a-4403-b1e7-9660e698d286
> Replacing GUID FAE04EC0-301F-11D3-BF4B-00C04F79EFBC with 619876c2-5a8b-4c48-93c3-f87ca520ac5e
> Replacing GUID 658c8b7f-3664-4a95-9572-a3e5871dfc06 with 11e0084e-937f-46d7-83b5-38a496bf278a
[+] No errors!
[+] Load RandomAssemblyInfo module
Replacing strings in C:\OffensivePipeline\Git\Rubeus\Rubeus\Properties\AssemblyInfo.cs
[assembly: AssemblyTitle("Rubeus")] -> [assembly: AssemblyTitle("g4ef3fvphre")]
[assembly: AssemblyDescription("")] -> [assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")] -> [assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")] -> [assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("Rubeus")] -> [assembly: AssemblyProduct("g4ef3fvphre")]
[assembly: AssemblyCopyright("Copyright © 2018")] -> [assembly: AssemblyCopyright("Copyright © 2018")]
[assembly: AssemblyTrademark("")] -> [assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")] -> [assembly: AssemblyCulture("")]
[+] Load BuildCsharp module
[+] Checking requirements...
[*] Downloading nuget.exe from https://dist.nuget.org/win-x86-commandline/latest/nuget.exe
[+] Download OK - nuget.exe
[+] Path found - C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\Common7\Tools\VsDevCmd.bat
Solving dependences with nuget...
Building solution...
[+] No errors!
[+] Output folder: C:\OffensivePipeline\Output\Rubeus_vh00nc50xud
[+] Load ConfuserEx module
[+] Checking requirements...
[+] Downloading ConfuserEx from https://github.com/mkaring/ConfuserEx/releases/download/v1.6.0/ConfuserEx-CLI.zip
[+] Download OK - ConfuserEx
Confusing...
[+] No errors!
[+] Load Donut module
Generating shellcode...
Payload options:
Domain: RMM6XFC3
Runtime:v4.0.30319
Raw Payload: C:\OffensivePipeline\Output\Rubeus_vh00nc50xud\ConfuserEx\Donut\Rubeus.bin
B64 Payload: C:\OffensivePipeline\Output\Rubeus_vh00nc50xud\ConfuserEx\Donut\Rubeus.bin.b64
[+] No errors!
[+] Generating Sha256 hashes
Output file: C:\OffensivePipeline\Output\Rubeus_vh00nc50xud
-----------------------------------------------------------------
SUMMARY
- Rubeus
- RandomGuid: OK
- RandomAssemblyInfo: OK
- BuildCsharp: OK
- ConfuserEx: OK
- Donut: OK
-----------------------------------------------------------------
The scripts for downloading the tools are in the Tools folder in yml format. New tools can be added by creating new yml files with the following format:
Rubeus.yml file:
tool:
Where:
tool:
  - name: SharpHound3-Custom
    description: C# Rewrite of the BloodHound Ingestor
    gitLink: https://github.com/aaaaaaa/SharpHound3-Custom
    solutionPath: SharpHound3-Custom\SharpHound3.sln
    language: c#
    plugins: RandomGuid, RandomAssemblyInfo, BuildCsharp, ConfuserEx, Donut
    authUser: aaaaaaa
    authToken: abcdefghijklmnopqrsthtnf
Where:
tool:
  - name: SeatbeltLocal
    description: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
    gitLink: C:\Users\alpha\Desktop\SeatbeltLocal
    solutionPath: SeatbeltLocal\Seatbelt.sln
    language: c#
    plugins: RandomGuid, RandomAssemblyInfo, BuildCsharp, ConfuserEx, Donut
    authUser:
    authToken:
Where:
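The tool definitions above can carry a Git access token in plaintext (authToken), so it is worth linting them before they are shared or committed. The check below is an added example, not part of OffensivePipeline: the field and plugin names come from this page, while the function names, the finding messages and the assumption that the five plugins shown are the full set are hypothetical.

```python
import re

# Field names taken from the tool definitions shown on this page.
REQUIRED = ("name", "description", "gitLink", "solutionPath",
            "language", "plugins", "authUser", "authToken")
# Plugins seen in the sample run; assumed here to be the complete set.
KNOWN_PLUGINS = {"RandomGuid", "RandomAssemblyInfo", "BuildCsharp",
                 "ConfuserEx", "Donut"}

def parse_tool(text):
    """Parse one flat 'tool:' entry into a dict (not a general YAML parser)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(?:-\s+)?(\w+):\s*(.*)$", line)
        if m and m.group(1) != "tool":
            fields[m.group(1)] = m.group(2).strip()
    return fields

def lint_tool(text):
    """Return a list of findings for one tool definition."""
    f = parse_tool(text)
    findings = [f"missing field: {k}" for k in REQUIRED if k not in f]
    plugins = {p.strip() for p in f.get("plugins", "").split(",") if p.strip()}
    findings += [f"unknown plugin: {p}" for p in sorted(plugins - KNOWN_PLUGINS)]
    if f.get("authToken"):
        # A token in the file is readable by anyone who gets the Tools folder.
        findings.append("plaintext authToken in file")
        if not f.get("gitLink", "").lower().startswith("https://"):
            findings.append("authToken set but gitLink is not an https:// URL")
    return findings

# Constructed sample mirroring the private-repository entry on this page.
SAMPLE = r"""tool:
  - name: SharpHound3-Custom
    description: C# Rewrite of the BloodHound Ingestor
    gitLink: https://github.com/aaaaaaa/SharpHound3-Custom
    solutionPath: SharpHound3-Custom\SharpHound3.sln
    language: c#
    plugins: RandomGuid, RandomAssemblyInfo, BuildCsharp, ConfuserEx, Donut
    authUser: aaaaaaa
    authToken: abcdefghijklmnopqrsthtnf
"""

if __name__ == "__main__":
    for finding in lint_tool(SAMPLE):
        print(finding)
```
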
In the OffensivePipeline.dll.config file it’s possible to change the version of the build tools used.
Build Tools 2019:
<add key="BuildCSharpTools" value="C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\Common7\Tools\VsDevCmd.bat"/>
Build Tools 2022:
<add key="BuildCSharpTools" value="C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\Common7\Tools\VsDevCmd.bat"/>