Manually confusing .NET Assemblies
An example set of commands to run ConfuserEx on the Apollo C2 agent
mkdir empty
cd empty
mv ~/Downloads/apollo_20220504.exe ./Apollo.exe
wget https://github.com/mkaring/ConfuserEx/releases/download/v1.6.0/ConfuserEx-CLI.zip
unzip ConfuserEx-CLI.zip
wget https://gist.github.com/stephenbradshaw/25fce028729d22b0f997cd3007a39748/raw/90a8c1041abc48d0f41a3f94b9b3ffa23f336f4b/extractor.cs
csc extractor.cs
mono extractor.exe Apollo.exe
mono Confuser.CLI.exe -n Apollo.crproj -o ./confused/
The extractor.exe tool can be used to extract Costura embedded resources before confusing.
A specific ConfuserEx project file (Apollo.crproj) to configure ConfuserEx operations
<project outputDir="./confused" baseDir="." xmlns="http://confuser.codeplex.com">
  <module path="Apollo/bin/Release/Apollo.exe">
    <rule pattern="true" preset="aggressive" inherit="false" />
  </module>
  <probePath>PlaintextCrypto/bin/Release</probePath>
  <probePath>Tasks/bin/Release</probePath>
  <probePath>DInvokeResolver/bin/Release</probePath>
  <probePath>Process/bin/Release</probePath>
  <probePath>TcpProfile/bin/Release</probePath>
  <probePath>ApolloInterop/bin/Release</probePath>
  <probePath>PSKCrypto/bin/Release</probePath>
  <probePath>SimpleResolver/bin/Release</probePath>
  <probePath>Injection/bin/Release</probePath>
  <probePath>EncryptedFileStore/bin/Release</probePath>
  <probePath>NamedPipeProfile/bin/Release</probePath>
  <probePath>HttpProfile/bin/Release</probePath>
</project>
A simpler ConfuserEx project file for simpler assemblies
<project outputDir="./confused" baseDir="." xmlns="http://confuser.codeplex.com">
  <module path="Assembly.exe">
    <rule pattern="true" preset="aggressive" inherit="false" />
  </module>
</project>
Running mono build operations using the C Sharp payload docker container from Mythic
docker run -it --rm --name MonoCompile --entrypoint "/bin/bash" -v "$(pwd)":/usr/src/code -w /usr/src/code itsafeaturemythic/csharp_payload:0.1.2 -c "mono Confuser/Confuser.CLI.exe -n Apollo.crproj -o ./confused/"
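
For defenders triaging a .NET binary, the two tools named above can leave recognisable strings in the file. The following is an added example, not part of the original notes or of either project: a byte-level check for Costura resource names and the ConfuserEx watermark type. The marker strings are assumptions based on the tools' default behaviour, and the sample bytes are constructed.

```python
import re
import sys

# Assumed default markers (not taken from the page): Costura.Fody names its
# embedded resources "costura.<name>.dll.compressed", and ConfuserEx's default
# watermark adds a type named ConfusedByAttribute.
COSTURA_RE = re.compile(
    rb"costura(?:32|64)?\.([A-Za-z0-9_.\-]+?)\.(dll|pdb)(?:\.compressed)?\x00"
)
CONFUSER_MARK = b"ConfusedByAttribute"

# Constructed sample bytes standing in for an assembly's metadata string heap.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"costura.helper.core.dll.compressed\x00"
    + b"costura.examplelib.dll.compressed\x00"
    + b"ConfusedByAttribute\x00"
)


def triage(data: bytes) -> dict:
    """Return packing and obfuscation indicators found in raw file bytes."""
    resources = {
        f"{m.group(1).decode('ascii')}.{m.group(2).decode('ascii')}"
        for m in COSTURA_RE.finditer(data)
    }
    return {
        "pe_header": data[:2] == b"MZ",
        "costura_resources": sorted(resources),
        "confuserex_watermark": CONFUSER_MARK in data,
    }


if __name__ == "__main__":
    # With no arguments, report on the constructed sample; otherwise on each file.
    if len(sys.argv) == 1:
        print("sample", triage(SAMPLE))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

A hit is a reason to look closer, while a miss proves nothing, because these strings are only present with default settings.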