Presented at
44CON 2019,
Sept. 12, 2019, 11 a.m.
(59 minutes)
Offensive PowerShell tradecraft is in “Zombie Mode”: it’s sorta dead, but not entirely. With all of the defenses Microsoft has implemented in the PowerShell runtime over the past few years Red Teamers / Pentesters & APT groups have started too shy away from using PowerShell based payloads/delivery mechanisms and migrate over to C#. However, C# is a compiled language, operationally this has a few major downsides: we can’t be as “flexible”, setting up a proper development environment has overhead and can be time consuming, you have to compile all the things all the time etc.. Bottom line is I’m lazy and creating your malwarez/custom payloads in C# is not as easy & straight forward as it would be in PowerShell or really any scripting language.
This raises the following quandary: can we somehow get our own scripting language interpreter on the target machine while still remaining opsec safe and use it to perform all of our post-exploitation activities?
Turns out by harnessing the sheer craziness of the .NET framework, you can embed entire interpreters inside of .NET languages allowing you to natively execute scripts written in third-party languages (like Python) on windows! Not only does this allow you to dynamically access all of the .NET API from a scripting language of your choosing, but it also allows you to still remain completely in memory and has a number of advantages over traditional C# payloads! Essentially, BYOI payloads allow you to have all the “power” of PowerShell, without going through PowerShell in anyway!
In this talk we will be covering some key .NET framework concepts in order to understand why this is possible, how to actually do the interpreter/engine/runtime embedding, the concept (that I coined) “engine inception”, differences between traditional C# payloads & BYOI payloads, demoing some examples of BYOI payloads and finally SILENTTRINITY: an open-source C2 framework that I’ve written that attempts to weaponize some of the BYOI concepts.
Presenters:
-
Marcello Salvati / byt3bl33d3r
- BlackHills Information Security
as Marcello Salvati
“Marcello Salvati (@byt3bl33d3r) is a Security Analyst at BlackHills Information Security by day and by night a tool developer who discovered a novel technique to turn tea, sushi, alcohol and dank memes into somewhat functioning code. His passions include anything Active Directory related, trolling people on GitHub and developing open-source tools for the security community at large which he’s been doing for the past several years, some of his projects include SilentTrinity, CrackMapExec, DeathStar, RedBaron and many more.
He’s also really good at writing bios. I know, at this point you’re probably asking yourself: ” Wait, how good of a bio writer is this guy? I need a quantifiable metric in order to come to a conclusion! The suspense is killing me!”. Well John Strand hired him so that he could continue to write them. Yeah… that’s how good. Checkmate Atheists! *dab* *mic drop*”
Links:
Similar Presentations: