Simulate CLR module stomping during an authorized penetration test or red team engagement.
Use the published detection indicators to build defensive alerts against this technique.
Study how the .NET Common Language Runtime loads libraries from the Windows GAC.
| nettitude/clr-stomp | mitchellh/tree-sitter-proto | freertos/freertos-smp-demos | |
|---|---|---|---|
| Stars | 72 | 75 | 68 |
| Language | C | C | C |
| Last pushed | — | 2024-06-21 | 2025-02-16 |
| Maintenance | — | Dormant | Stale |
| Setup difficulty | hard | moderate | moderate |
| Complexity | 5/5 | 2/5 | 3/5 |
| Audience | ops devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires a Cobalt Strike license and an authorized penetration testing engagement to use as intended.
This is a security testing tool intended for authorized penetration testing and red team exercises. It is designed to execute a custom software payload inside a Windows process while making the process appear to have loaded a legitimate Windows system library. The technique involved is called CLR module stomping, where CLR refers to the .NET Common Language Runtime, the part of Windows that runs .NET programs. The tool works as a plugin called a Beacon Object File for Cobalt Strike, a commercial penetration testing platform. To run a payload, the tool tells the .NET runtime to load a real library from a Windows system directory called the GAC. Before the runtime has a chance to read the library's contents from memory, the tool quietly overwrites that memory region with the actual payload. From the operating system's point of view, the recorded library path still points to the legitimate file. This matters in security testing because some monitoring tools judge whether a loaded library is suspicious based on the file path it reports. The repository includes the source code for the plugin, a Cobalt Strike script for loading it, and a detailed table of detection indicators: environment variables the tool sets, named pipe patterns it uses, strings that appear in operator output, and the default library names it substitutes. Including this information is described as responsible disclosure, since defenders benefit from knowing exactly what signatures to look for. The README notes that the project builds on ideas from two earlier open-source projects that explored related approaches to hosting the .NET runtime from within a Beacon Object File. Development involved collaboration between human researchers and AI-assisted tooling. The project is published by Nettitude, a security consultancy.
A Cobalt Strike plugin for authorized red team testing that loads a payload while disguising it as a legitimate Windows .NET library, with documented detection indicators.
Mainly C. The stack also includes C, .NET CLR, Cobalt Strike.
The README does not state a license, so usage rights are unclear.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.