- Joined
- May 15, 2017
- Messages
- 982
- Likes
- 760
- Points
- 1,045
RedPeanut is a small RAT developed in .Net Core 2 and its agent in .Net 3.5 / 4.0. RedPeanut code execution is based on shellcode generated with DonutCS. It is therefore a hybrid, although developed in .Net it does not rely solely on the Assembly.Load. This increases the detection surface, but allows us to practice and experiment with various evasion techniques related to the dotnet environment, process management and injection. This behavior can be changed at rutime with the "managed" and "unmanaged" commands. If you are interested in a .Net C2 Framework that is consistent and can be used in an enagement, I suggest Covenant.
RedPeanut is weaponized with:
- GhostPack
- SharpGPOAbuse
- SharpCOM
- EvilClippy
- DotNetToJS
- SharpWeb
- Modified version of PsExec
- SharpSploit
- TikiTorch
The RedPeanut agent can be compiled in .Net 3.5 and 4.0 and has pivoting capabilities via NamedPipe. The agent, when executed in an unmanaged mode, performs its own critical tasks in a separate process to prevent the AV response to detection or error during execution make you lose the whole agent.
The execution flow is as follow:
- Process creation
- Inject static shellcode generated with DonutCS
- The loader loads and executes the stager or module
Download RedPeanut