Presented at ShellCon 2021 Virtual, Oct. 9, 2021, 10 a.m. (55 minutes).
With the advent of detections for PowerShell and script-based attacks, threat actors have shifted to .NET as a preferred method for performing post-exploitation tradecraft. Because the .NET Framework is available by default on all Windows-based environments, the success rate of executing .NET assemblies is very high. .NET allows interaction with the Win32 APIs, which attackers abuse in various ways, such as loading assemblies directly into memory and injecting into processes using any of a large number of process injection techniques. However, EDR vendors have upped their game to monitor, or hook into, how unmanaged code is invoked from managed code, so an attacker may get caught upon execution of suspicious Win32 APIs. In this talk, we will explore tradecraft that would help evade detections that depend on such mechanisms.
Presenters:
- Suraj Khetani: An Offensive Security Specialist currently focusing on performing Adversary Simulations and Purple Team assessments. He has previously spoken at HITB Abu Dhabi in 2019 and is an active presenter at NullDubai. He has also discovered multiple vulnerabilities in products from Oracle, Netgear, EdgeCore, and Pulse Secure.
- Abhineeti Singh: A security researcher working with one of the leading security companies in the UAE. Her expertise lies in application security, software development, and source code review. She has been acknowledged by Oracle, Microsoft, Intel, Honeywell, Shopclues, Netherlands CERT, and others for reporting security vulnerabilities in their applications.