cs_generic_dotnet_stager

Description

Downloads and reflectively executes a .NET executable hosted at the specified URL.

Overview

This pipeline bypasses the installed AV and establishes a foothold on the target system, then downloads the specified .NET executable, reflectively loads it into memory, and executes it. This allows any .NET executable to be run without obfuscating the binary itself; the stager takes care of loading it securely.

Parameters

| Parameter Name | Type | Description |
| --- | --- | --- |
| URL | string | The URL from which the .NET module is loaded. Default: ‘https://www.foo.com/payload.exe’. |
| AmsiBypassTechnique | CSharpAmsiBypassTechnique | The specific AMSI bypass technique to use. Default: ‘AmsiScanBufferStringReplace’. |
| OutputType | CSharpCompilerTarget | The output type. Default: ‘Console’. |
| FrameworkVersion | CSharpCompilerFrameworkVersion | The .NET Framework version to target. Default: ‘Dotnet2’. |