Skip to content
/ SharpAwareness Public

Light and more OPSEC friendly way for red teamers to gain quick situational awareness of both the host and the user.

9 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

CodeXTF2/SharpAwareness

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
.gitignore
.gitignore
 
 
README.md
README.md
 
 
sharpawareness.cs
sharpawareness.cs
 
 
sharpawareness.exe
sharpawareness.exe
 
 

Repository files navigation

SharpAwareness

In Development

This project is still in development. Feel free to send pull requeests or report issues. Development roadmap (in order):

  1. Add user awareness
    • Foreground window
    • Logon logoff times
    • Screenshot of desktop
  2. Host enum
    • RDP check
    • Network shares
    • EDRs installed
    • Local admins and groups
    • Remake process list - add parent child relationships
  3. Add basic active directory recon - very minimal to avoid noise
    • Domain name
    • Domain Admins
    • Domain controller name

Overview

This is intended to be a light and more opsec friendly way for red teamers to gain quick situational awareness of both the host and the user. This is more oriented towards red team engagements than privilege escalation challenges, as it has a focus on the user and situational aspects of the system.
The goals of executing this tool are to understand:

  • What is this host used for?
  • What is the current user doing on this host?
  • What kind of user is the current user?
  • What kind of environment is this? (in general)

This .NET assembly is intended to be compatible with Beacon's execute-assembly builtin command as well as other .NET execution BOFs, such as inlineExecute-Assembly. I try to handle as much errors as I can, to avoid killing your beacons :)

Things to note

  • This is NOT a privesc/enum tool, it just lets you get a rough idea of what goes on in the host.
  • There is NO built in evasion/obfuscation techniques. I believe that evasion should be left to the operator, as it changes on a per-target basis. You are advised to be aware of things like AMSI, ETW, API hooks etc.
  • This avoids things that require the use of commands, for OPSEC reasons. Everything here should be done via C# builtins or kernel32 API.

Known visible events produced

  • Registry queries
  • Directory listing

I try not to be too noisy, but consider patching ETW.

Information checked for

What is this host used for?

- Installed programs
- Drives

What is the current user doing on this host?

- Open windows
- Foreground window
- Logon logoff times

What kind of user is the current user?

- Privileges (TBA)
- Network resources they have access to (TBA)

What kind of environment is this? (in general)

- Active Directory info (TBA)
- Running processes
- Services (TBA)
- Autoruns (TBA)
- Proxy settings
- Security products installed

Credits

This was made as a quick utility while learning endpoint recon tradecraft.

About

Light and more OPSEC friendly way for red teamers to gain quick situational awareness of both the host and the user.

Topics

dotnet enum enumeration recon cobalt-strike reconnaissance redteam cobaltstrike redteam-tools

Resources

Readme
Activity

Stars

9 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages