Infosec In the City (IIC)

You Are Not Hiding From Me .NET! — by Aden Chung

#IICSG2019 Conference Deep-Tech Track


Day 2 (20 Jun 2019)

10.30am—11.15am

@ Breakout Room 1



Abstract

For years, we have seen adversaries across the threat pyramid make use of PowerShell toolkits for lateral movement, data exfiltration and persistence over different environments. As defenders, we have done a pretty good job – PowerShell is a fading threat in time. Mimikatz execution through PowerShell? AMSI and PowerShell logging can handle that relatively well.

However, adversaries being adversaries don’t just give up. They have migrated their toolkits to areas where visibility is still limited, such as .NET. Favoured by adversaries for its wide range of functionality, ease of development, and default presence on modern Windows platforms, .NET is now the basis of a significant and growing number of exploitation toolkits that perform the usual post-exploitation activities in an area where they remain relatively hidden.

First, we’ll take a look at these tools: what they do, and how they work. Techniques such as DCOM object abuse, run-time code compilation and in-memory assembly loading (as performed by the DotNetToJscript project) will be examined in detail. These techniques are used by exploitation toolkits such as GhostPack, SharpShooter, and SilentTrinity, and are therefore very relevant to defenders. We’ll then focus on detection. We’ll examine the indicators such toolkits and techniques leave behind, and how we can detect them using various sources of telemetry collected via open source tooling, such as process logging, DLL imports and ETW tracing of JIT compilation or Interop events.

At the end of the day, attendees will walk away with an understanding of the inner workings of various .NET techniques as well as how they can be used to compromise a Windows machine stealthily. Additionally, attendees will learn how a defender can leverage open source tooling to detect and hunt for .NET attacks.

