{"id":13841003,"url":"https://github.com/klezVirus/CheeseTools","last_synced_at":"2025-07-11T10:30:43.973Z","repository":{"id":40312268,"uuid":"289798526","full_name":"klezVirus/CheeseTools","owner":"klezVirus","description":"Self-developed tools for Lateral Movement/Code Execution","archived":false,"fork":false,"pushed_at":"2021-08-17T20:22:56.000Z","size":958,"stargazers_count":692,"open_issues_count":0,"forks_count":141,"subscribers_count":23,"default_branch":"master","last_synced_at":"2024-11-20T06:36:47.255Z","etag":null,"topics":["active-directory-exploitation","lateral-movement","mssql","powershell","powershell-remoting","redteaming"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/klezVirus.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-08-24T01:28:12.000Z","updated_at":"2024-11-18T20:26:05.000Z","dependencies_parsed_at":"2022-06-29T10:29:16.428Z","dependency_job_id":null,"html_url":"https://github.com/klezVirus/CheeseTools","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klezVirus%2FCheeseTools","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klezVirus%2FCheeseTools/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klezVirus%2FCheeseTools/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/klezVirus%2FCheeseTools/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/klezVirus","download_url":"https://codeload.github.com/klezVirus/CheeseTools/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225712994,"owners_count":17512529,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["active-directory-exploitation","lateral-movement","mssql","powershell","powershell-remoting","redteaming"],"created_at":"2024-08-04T17:01:01.270Z","updated_at":"2024-11-21T10:31:15.496Z","avatar_url":"https://github.com/klezVirus.png","language":"C#","readme":"# CheeseTools\n\nThis repository has been made basing onto the already existing [MiscTool][1], so big shout-out to [rasta-mouse](https://twitter.com/rasta_mouse) for releasing them and for giving me the right motivation to work on them.\n\n## CheeseExec\nCommand Exec / Lateral movement via PsExec-like functionality. Must be running in the context of a privileged user.\nThe tool is based on [rasta-mouse](https://twitter.com/rasta_mouse) CsExec, but is designed to allow additional control over the service creation, specifically:\n- Create (Search if the service exists, if not, tries to create it)\n- Start (Search if the service exists and is stopped, if that's the case attempts to start it; if not, tries to create it and start it)\n- Stop (Search if the service exists and is running, if that's the case attempts to stop it)\n- Delete (Search if the service exists and is running, if that's the case attempts to stop it than delete it, otherwise it deletes it)\n```\nCheeseExec.exe \u003ctargetMachine\u003e \u003cserviceName\u003e \u003cbinPath\u003e \u003caction\u003e\n```\nAlso see [TikiService][2].\n\n\n## CheesePS\nCheese PS is Command Exec / Lateral Movement framework. It relies on `System.Management.Automation.PowerShell` to load and run arbitrary code via PowerShell. \nThe tool is natively capable of bypassing common restrictions creating and using PowerShell runspaces on local or remote targets.\nMust be running in the context of a privileged user (if using PowerShell Remoting).\n\nThe tool has been originally made as an enhancement of [rasta_mouse](https://twitter.com/rasta_mouse) CsPosh, but grew enough to become a framework on its own, and can now be used as a general PowerShell injector.\n\nThe idea behind this tool has been summarised in the following article:\n\n* [CheesePS: Abusing the PowerShell Remoting for lateral Movement][5]\n\nThe main functionalities implemented are:\n- BuiltIn CLM Bypass using REGINI\n- BuiltIn AmsiBypass that patches Amsi before executing any other command\n + Permits to specify an alternate PowerShell script for AMSI bypass\n- BuiltIn WldpBypass that patches WLDP before executing assemblies\n + Permits to specify an alternate PowerShell script for WLDP bypass\n- Import modules and script before execution\n + Against a local target: modules are imported via filesystem, smb, or http[s]\n + Against a remote target: modules are loaded directly from the local machine using WS-Management\n- Download binary and execute\n + Standard: Transfer -\u003e Write to disk -\u003e Execute\n + Reflective: Transfer -\u003e Execute from memory\n- Supports AES Encryption of PS modules, C# assemblies and other executables to evade detection\n + All imported Modules/Assemblies can be encrypted in transit or at rest, and are decrypted just before usage\n\nThe following screenshot is a decently accurate schema to describe the tool's workflow:\n\n![CheesePS Workflow](./assets/CheesePS.png)\n\n```\nUsage:\n -t, --target=VALUE Target machine\n -c, --code=VALUE Code to execute\n -e, --encoded Indicates that provided code is base64 encoded\n -a, --am-si-bypass=VALUE Uses the given PowerShell script to bypass A-M-S-\n I (fs, smb o http[s])\n --aX, --encrypted-am-si\n Indicates that provided A.M.S.I. bypass is\n encrypted\n -i, --import=VALUE Imports additional PowerShell modules (fs, smb o\n http[s])\n --iX, --encrypted-imports\n Indicates that provided PowerShell modules are\n encrypted\n -o, --outstring Append Out-String to code\n -r, --redirect Redirect stderr to stdout\n -d, --domain=VALUE Domain for alternate credentials\n -u, --username=VALUE Username for alternate credentials\n -p, --password=VALUE Password for alternate credentials\n -X, --encrypt=VALUE Encrypt a script with an hardcoded key\n -D, --decrypt=VALUE Test decryption of a script with an hardcoded key\n -n, --skip-bypass=VALUE Skip A.M.S.I (A), WLDP (W) or ALL (*) Bypass\n techniques\n -l, --lockdown-escape Try to enable PowerShell FullLanguage mode using\n REGINI\n -w, --wldp-bypass=VALUE Uses the given PowerShell script to bypass WLDP\n (fs, smb o http[s])\n --wX, --encrypted-wldp Indicates that provided WLDP bypass is encrypted\n -x, --executable=VALUE [Download and] Execute given executable\n --xX, --encrypted-executable\n Indicates that provided Exe/DLL is encrypted\n --xCS, --executable-csharp\n Indicates that the executable provided is C# -\n (.NET)\n -R, --reflective-injection Uses Invoke-ReflectivePEInjection to load the\n assmebly from memory (requires Invoke-\n ReflectivePEInjection to be imported!)\n -P, --powershell-decrypt Force use of PowerShell-based decryption\n -k, --encryption-key=VALUE Uses the provided key for encryption/decryption\n --ssl Force use of SSL\n -h, -?, --help Show Help\n```\n\n_Note: If executed without a target, the script will execute against the local machine_\n\n#### Advantages of using the tool against raw PowerShell:\n\n* Cleaner, more intuitive command line\n* Automatic bypasses (CLM, AMSI, WLDP)\n* Avoids to perform outbound connections from the remote target (everything is transfered through WS-Management)\n* Supports full encryption in transit\n\nAlso see [AmsiBypass][3].\n\n## CheeseDCOM\nCommand Exec / Lateral Movement via DCOM. Must be running in the context of a privileged user. \nThis tool is based on [rasta-mouse](https://twitter.com/rasta_mouse) CsDCOM, but it's been improved to add additional methods, adapting to the new research made by Philip Tsukerman. \nThere is also an experimental method to \"fix\" eventual attempts to disable affected DCOM objects via dcomcfg, but it requires some preconditions in order to work properly.\n\nThe idea behind this tool has been summarised in the following article:\n\n* [CheeseDCOM: Abusing DCOM for lateral Movement][4]\n\n\nCurrent Methods: `MMC20.Application`, `ShellWindows`, `ShellBrowserWindow`, `ExcelDDE`, `VisioAddonEx`,\n `OutlookShellEx`, `ExcelXLL`, `VisioExecLine`, `OfficeMacro`.\n\n```\nUsage:\n -t, --target=VALUE Target Machine\n -b, --binary=VALUE Binary: powershell.exe\n -a, --args=VALUE Arguments: -enc \u003cblah\u003e\n -m, --method=VALUE Methods: MMC20Application, ShellWindows,\n ShellBrowserWindow, ExcelDDE, VisioAddonEx,\n OutlookShellEx, ExcelXLL, VisioExecLine, \n OfficeMacro\n -r, --reg, --registry Enable registry manipulation\n -h, -?, --help Show Help\n```\n\n_Note: If executed with `-t .`, the script will execute against the local machine_\n\nAlso see [Lateral Movement Using DCOM Objects and C#][4]\n\n## CheeseRDP\nRDP credentials stealer via RDI (reflective DLL injection). Must be running in the context of a privileged user, or a user with SeImpersonatePrivilege. \nThis tool is built on top of RdpThief by MDSec, but it's been fully wrapped in a single C# to enable it to be run via .NET Reflection (`Assembly.Load` and similar). In this way, it's \npossible to run it via Covenant, without the struggle of uploading a DLL on the target system. \n\n```\nUsage:\n CheeseRDP [actions]\nActions:\n wait: keep listening for any new mstsc.exe process indefinitely (stop with ctrl-C)\n clean: delete the credentials dump file if present\n dump: dump the content of the file if present, parsing the credentials in a compact format\n```\n\n_Note: If executed without options, the program will try to inject in an active mstsc.exe process (the default wait time is 10 seconds)_\n\n## CheeseSQL\nCommand Exec / Lateral Movement via MSSQL Trust. \nThis tool has been developed to overcome some of the limitations given by already existing tools like [esc](https://github.com/NetSPI/ESC), mostly regarding MSSQL impersonation.\nMoreover, CheeseSQL has been specifically modified to run from Covenant (via reflective loading), and to automate the most important phases of MSSQL trust abuse.\nParticuarly funny is the implementation of the CLR abuse, which allow a user to compile and upload a MSSQL extension on the fly with Roslyn to achieve command execution.\nA very little demo is shown below, the command executed is an encoded PowerShell Covenant downloader):\n\n![CheeseSQL CLR Attack](./assets/cheesesql-clr.gif)\n\nFollowing my rule of \"always give credit when credit is due\", this tool has been developed starting from an already existing project \nby [Jb05s](https://github.com/Jb05s), called [SharpSQL](https://github.com/Jb05s/SharpCollection/tree/master/SharpSQL), so big shout out to Jeremy for his work.\n\nAlso, I really recommend to see all the tools from [NetSPI](https://twitter.com/netspi) regarding MSSQL auditing and exploitation, as they are really amazing:\n\n- [esc](https://github.com/NetSPI/ESC): interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features\n- [DAFT](https://github.com/NetSPI/DAFT): database auditing and assessment toolkit written in C#\n- [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL): PowerSHell module for SQL Server discovery, auditing, and exploitation\n\n```\n[*] List of available commands:\n - findspn : Find MSSQL Instances, using Domain SPNs\n - listdb : List available Databases on the server\n - gethash : Send Service Account Net-NTLM Hash to an Arbitrary IP\n - getlogin : Retrieve SQL Logins Available for Impersonation\n - getdbuser : Retrieve Information on the SQL Login, Currently Mapped User, and Available User Roles\n - getlinked : Retrieve Information about Linked Servers\n - getserverinfo : Retrieve current values of 'xp_cmdshell', 'ole automation procedures' and 'clr enabled'\n - xp : Execute Encoded PowerShell Command via 'xp_cmdshell'\n - ole : Execute Encoded PowerShell Command via 'sp_OACreate' and 'sp_OAMethod'\n - clr : Execute Encoded PowerShell Command via custom .NET assemblies\n - rpc : Configure Linked SQL Server to Allow RPC connections\n - linkedquery : Execute Encoded PowerShell Command on Linked SQL Server via 'OPENQUERY'\n - openquery : Execute an arbitrary query using 'OPENQUERY'\n\n[*] For detailed usage, type:\n - CheeseSQL \u003ccommand\u003e /help\n```\n\n## Credits\n- [MiscTool][1] by [rasta-mouse](https://github.com/rasta-mouse)\n- [AmsiBypass][6] by [0xB455](https://github.com/0xB455)\n- [RdpThief][8] by [0x90AL](https://github.com/0x09AL)\n- [SharpRDPThief][9] by [passthehashbrowns](https://github.com/passthehashbrowns)\n- [SharpSQL](https://github.com/Jb05s/SharpCollection/tree/master/SharpSQL) by [Jb05s](https://github.com/Jb05s)\n\n[1]: https://github.com/rasta-mouse/MiscTools\n[2]: https://rastamouse.me/2018/10/amsiscanbuffer-bypass---part-1/\n[3]: https://rastamouse.me/2019/08/tikiservice/\n[4]: https://klezvirus.github.io/RedTeaming/LateralMovement/LateralMovementDCOM/\n[5]: https://klezvirus.github.io/RedTeaming/LateralMovement/LateralMovementPSRemoting/\n[6]: https://github.com/0xB455/AmsiBypass\n[7]: https://klezvirus.github.io/RedTeaming/LateralMovement/LateralMovementRDPThief/\n[8]: https://github.com/0x09AL/RdpThief\n[9]: https://github.com/passthehashbrowns/SharpRDPThief","funding_links":[],"categories":["Operating Systems","C# #"],"sub_categories":["Windows"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FklezVirus%2FCheeseTools","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FklezVirus%2FCheeseTools","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FklezVirus%2FCheeseTools/lists"}