https://github.com/sayan690/weaponised-dfe
Fetch a remote C# Assembly and execute it in memory using Assembly.Load
https://github.com/sayan690/weaponised-dfe
command-and-control csharp dotnet dotnet-assembly fileless-malware flask python3 ssl-certificates tls-certificate
Last synced: 14 days ago
JSON representation
Fetch a remote C# Assembly and execute it in memory using Assembly.Load
- Host: GitHub
- URL: https://github.com/sayan690/weaponised-dfe
- Owner: Sayan690
- License: mit
- Created: 2025-03-30T13:05:02.000Z (10 months ago)
- Default Branch: main
- Last Pushed: 2025-03-30T14:09:46.000Z (10 months ago)
- Last Synced: 2025-03-30T14:33:04.007Z (10 months ago)
- Topics: command-and-control, csharp, dotnet, dotnet-assembly, fileless-malware, flask, python3, ssl-certificates, tls-certificate
- Language: C#
- Homepage:
- Size: 8.79 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# DotnetFilelessExecution
## Overview
Weaponised DFE is the advanced implementation of DotnetFilelessExecution. It can fetch a remote .NET Assembly, and execute it filelessly (in memory), i.e., without having to save it on the disk, all while being more secure, and undetectable than the previous DotnetFilelessExecution.
## Watch the DEMO
[](https://www.youtube.com/watch?v=X9_8joF9UgA)
## Compilation
I have used direct command-line compilation using the `dotnet` command, but of course you can use Visual Studio.
Btw, before compiling make sure to change the attacker ip address.
For me, here are the compilation steps ...
```cmd
cd Weaponised-DFE
dotnet add package Microsoft.CodeAnalysis.CSharp.Scripting
dotnet run
```
or
```cmd
cd Weaponised-DFE
dotnet add package Microsoft.CodeAnalysis.CSharp.Scripting
dotnet publish -c Release -r win-x64 --self-contained true -o out
```
## Usage
- Create openssl keys and certs, as under the auth directory.
```bash
mkdir auth
openssl req -new -x509 -newkey rsa:4096 -nodes -keyout auth/key.pem -out auth/cert.pem -days 10000
```
- Rename the listening host, port, and the name of the .NET Assembly you want to execute in the `https.py`.
- Rename the connect back attacker ip address in the `toExec.cs`.
- Rename the connect back attacker ip address in the `Program.cs` inside the `Weaponised-DFE` directory before compilation.
- Start the https server on the attacker side
```bash
python3 https.py
```
- Run Weaponised-DFE on victim side.
```cmd
dotnet run
```
or
```cmd
.\Weaponised-DFE.exe
```
## Note
For demonstration purposes, the connect back address is hard coded inside the program, which can be changed as needed.
## Disclaimer
This project is intended for educational and security testing purposes only. The author is not responsible for any misuse of this tool.
## Author
Developed by **Sayan Ray** [@BareBones90](https://x.com/BareBones90)
## License
This project is licensed under the MIT License - see the LICENSE file for details.