You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
GhostBuild is a (POC) collection of simple MSBuild launchers for various GhostPack projects (authored by @harmj0y). Other .Net project have been added as well.
As with other GhostPack projects, GhostBuild is licensed under the BSD 3-Clause license.
Instructions
These launchers include compiled/compressed/encoded versions of GhostPack utilities. However, you should inspect and compile your own versions.
Compile the target GhostPack project with the desired .NET Framework version.
Update and customize the GhostBuild XML CSharp (C#) project file -
Ensure the AssemblyFile represents the correct framework and path.
Assign GhostPack .Net assembly arguments to the args variable if required. This is a string array, so quote arguments and separate by commas (e.g. "arg1" , "arg2").
Copy the compressed .Net assembly from the Out-CompressedDll operation and assign it to the compressedBin variable.
Copy the byte length/size of the compressed .Net assembly from the Out-CompressedDll operation and assign it to the compressedBinSize variable.
Build and run with the proper version of MSBuild.exe.
*OR - Leverage the GhostBuilder.py tool to build your MSBuild payload after you compile your assembly executable.
Ethics
GhostBuild is designed to help security professionals perform ethical and legal security assessments and penetration tests. Do not use for nefarious purposes.
Defensive Considerations
MSBuild is a signed binary that can be used to execute unsigned code for Application Control and EDR bypass.
Disable MSBuild.exe (with Application Control solution) if it does not serve a business purpose.
Monitor MSBuild.exe execution events if it does serve a business purpose.
Credits
@harmj0y - security researcher and primary author of GhostPack
