You are not hiding from me .NET

Presented at DEF CON China 1.0 (2019), May 31, 2019, 4 p.m. (45 minutes)

For years, we at Countercept have seen adversaries across the threat pyramid make use of PowerShell tool-kits for lateral movement, data exfiltration and persistence across different environments. As defenders, we have done a pretty good job, and PowerShell is becoming a fading threat. Mimikatz execution through PowerShell? AMSI and PowerShell logging can handle that relatively well.

However, adversaries being adversaries don't just give up. They have migrated their tool-kits to areas where visibility is still limited, such as .NET. Favoured by adversaries for its wide range of functionality, ease of development and default presence on modern Windows platforms, .NET is now the basis of a significantly growing number of exploitation toolkits that perform the usual activities - but in an area where they remain relatively hidden.

First, we'll take a look at these tools - what they do, and how they work. Techniques such as DCOM object abuse, run-time code compilation and in-memory assembly loading (as performed by the DotNetToJscript project) will be examined in detail. These techniques are used by exploitation tool-kits such as GhostPack, SharpShooter and SilentTrinity, and are therefore very relevant to defenders. We'll then focus on detection. We'll examine the indicators such toolkits and techniques leave behind, and how we can detect them using various sources of telemetry collected via open-source tooling, such as process logging, DLL imports and ETW tracing of JIT compilation or Interop events.
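As an added illustration of the "DLL imports" telemetry mentioned above (this is example code written for this page, not tooling from the talk or from Countercept), the script below inventories running processes that have a .NET runtime module loaded and flags those whose host executable is not on an assumed baseline of expected CLR hosts. The baseline list and the module names are assumptions to adapt to your environment; in-memory assembly loading into a scripting host still has to map the CLR into that process, which is what this check looks for.

```powershell
# Added example, not part of the original talk: find processes hosting the .NET runtime
# and flag hosts where that is unusual. Run from an elevated, 64-bit PowerShell so that
# module lists of other processes can be read.

# Runtime DLLs for .NET Framework 4.x, .NET Framework 2.0/3.5 and .NET Core/5+ (assumed list).
$ClrModules = @('clr.dll', 'mscorwks.dll', 'coreclr.dll')

# Assumed baseline of processes that legitimately host the CLR; tune to your estate.
$ExpectedHosts = @('powershell.exe', 'pwsh.exe', 'devenv.exe', 'MSBuild.exe', 'w3wp.exe')

$findings = foreach ($proc in Get-Process) {
    try {
        # Module enumeration fails for protected processes or mismatched bitness; skip those.
        $loaded = @($proc.Modules | Where-Object { $_.ModuleName -in $ClrModules })
    } catch {
        continue
    }
    if ($loaded.Count -eq 0) { continue }

    $name = "$($proc.ProcessName).exe"
    [pscustomobject]@{
        PID        = $proc.Id
        Process    = $name
        Runtime    = ($loaded.ModuleName -join ',')
        # Scripting hosts such as wscript.exe, cscript.exe or mshta.exe with the CLR
        # loaded are the cases worth triaging first.
        Suspicious = ($name -notin $ExpectedHosts)
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A point-in-time module snapshot like this is a hunting aid rather than a detection control: it misses short-lived processes and trusts the process name, which an operator can choose freely. For continuous coverage, the same condition (CLR image loaded into an unexpected host) is better captured from image-load telemetry such as Sysmon Event ID 7 or from the Microsoft-Windows-DotNETRuntime ETW provider, which the talk lists among its detection sources.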

At the end of the day, attendees will walk away with an understanding of the inner workings of various .NET techniques, as well as how they can be used to compromise a Windows machine stealthily. Additionally, attendees will learn how a defender can leverage open-source tooling to detect and hunt for .NET attacks.
