whatisgithub

What is clr-stomp?

nettitude/clr-stomp — explained in plain English

Analysis updated 2026-05-18

72CAudience · ops devopsComplexity · 5/5Setup · hard

In one sentence

A Cobalt Strike plugin for authorized red team testing that loads a payload while disguising it as a legitimate Windows .NET library, with documented detection indicators.

Mindmap

mindmap
  root((CLR-Stomp))
    What it does
      CLR module stomping
      Payload disguised as library
      Cobalt Strike plugin
    Tech stack
      C
      dotNET CLR
      Cobalt Strike
    Use cases
      Authorized red team testing
      Build detection rules
      Study CLR loading
    Notes
      Detection indicators published
      Published by Nettitude

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Simulate CLR module stomping during an authorized penetration test or red team engagement.

USE CASE 2

Use the published detection indicators to build defensive alerts against this technique.

USE CASE 3

Study how the .NET Common Language Runtime loads libraries from the Windows GAC.

What is it built with?

C.NET CLRCobalt Strike

How does it compare?

nettitude/clr-stompmitchellh/tree-sitter-protofreertos/freertos-smp-demos
Stars727568
LanguageCCC
Last pushed2024-06-212025-02-16
MaintenanceDormantStale
Setup difficultyhardmoderatemoderate
Complexity5/52/53/5
Audienceops devopsdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

Requires a Cobalt Strike license and an authorized penetration testing engagement to use as intended.

The README does not state a license, so usage rights are unclear.

So what is it?

This is a security testing tool intended for authorized penetration testing and red team exercises. It is designed to execute a custom software payload inside a Windows process while making the process appear to have loaded a legitimate Windows system library. The technique involved is called CLR module stomping, where CLR refers to the .NET Common Language Runtime, the part of Windows that runs .NET programs. The tool works as a plugin called a Beacon Object File for Cobalt Strike, a commercial penetration testing platform. To run a payload, the tool tells the .NET runtime to load a real library from a Windows system directory called the GAC. Before the runtime has a chance to read the library's contents from memory, the tool quietly overwrites that memory region with the actual payload. From the operating system's point of view, the recorded library path still points to the legitimate file. This matters in security testing because some monitoring tools judge whether a loaded library is suspicious based on the file path it reports. The repository includes the source code for the plugin, a Cobalt Strike script for loading it, and a detailed table of detection indicators: environment variables the tool sets, named pipe patterns it uses, strings that appear in operator output, and the default library names it substitutes. Including this information is described as responsible disclosure, since defenders benefit from knowing exactly what signatures to look for. The README notes that the project builds on ideas from two earlier open-source projects that explored related approaches to hosting the .NET runtime from within a Beacon Object File. Development involved collaboration between human researchers and AI-assisted tooling. The project is published by Nettitude, a security consultancy.

Copy-paste prompts

Prompt 1
Explain what CLR module stomping is and why it can evade file-path-based security monitoring.
Prompt 2
What defensive detections could a blue team build from the indicators listed in this project's README?
Prompt 3
How does a Beacon Object File plug into Cobalt Strike, and what is it used for in red team testing?
Prompt 4
Summarize the responsible disclosure approach this project takes toward publishing an offensive security technique.

Frequently asked questions

What is clr-stomp?

A Cobalt Strike plugin for authorized red team testing that loads a payload while disguising it as a legitimate Windows .NET library, with documented detection indicators.

What language is clr-stomp written in?

Mainly C. The stack also includes C, .NET CLR, Cobalt Strike.

What license does clr-stomp use?

The README does not state a license, so usage rights are unclear.

How hard is clr-stomp to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is clr-stomp for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.