For years, we at Countercept have seen adversaries across the threat pyramid make use of PowerShell tool-kits for lateral movement, data exfiltration and persistence in different environments. As defenders, we have done a pretty good job: PowerShell is becoming a fading threat over time. Mimikatz execution through PowerShell? AMSI and PowerShell logging can handle that relatively well.
However, adversaries being adversaries don't just give up. They have migrated their tool-kits to areas where visibility is still limited, such as .NET. Favoured by adversaries for its wide range of functionality, ease of development and default presence on modern Windows platforms, .NET is now used by a significantly larger number of exploitation toolkits to perform the usual activities, but in an area where they remain relatively hidden.
4. IN THE NOT SO DISTANT PAST
PowerShell
VBScript
Office Macros
5. POWERSHELL, A HOT FAVOURITE
Load shellcode into memory
Call upon .NET API
Call upon native API
Powerful
6. DEFENCES ARE GETTING BETTER
EDR AGENTS
Command Line Arguments Logging
CommandLine: powershell write-host "This is an evil command"
Parent-Child Process Relationship
7. DEFENCES ARE GETTING BETTER
AMSI assisting Anti-Virus with script-based detection
PowerShell Script Block Logging to aid with detection
8. INDUSTRY AS A WHOLE
More opportunities to detect bad PowerShell
30. LET'S TRY TO DETECT MY ATTACK
Indicators for in-memory assembly load
Indicators for .NET API related to registry creation
Indicators for invoking of native API
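The three indicator classes listed on this slide, together with the command-line and parent-child telemetry from slide 6, can be turned into a small correlation routine. The following is an added illustration written for this page, not Countercept's tooling or the talk's own detection content. It assumes a constructed, Sysmon-style event stream (Event ID 1 process create, 7 image load, 13 registry value set) with assumed field names, an assumed allow-list of processes that legitimately host the CLR, and treats the CLR (clr.dll or mscoree.dll) being loaded into a process outside that list as the in-memory assembly load indicator; a run-key write by such a process is then reported as the .NET registry persistence indicator. Native API invocation is not visible in these log sources, so the example does not cover it.

```python
"""Correlate Sysmon-style events into the indicator classes from the slides.

Event fields and the sample log are constructed for this example; the
allow-list of expected CLR hosts is an assumption and would be tuned per
environment.  This is illustration code, not Countercept's detection logic.
"""
from __future__ import annotations

from typing import Iterable

# Processes expected to host the CLR (assumed list; tune per environment).
EXPECTED_CLR_HOSTS = {"powershell.exe", "msbuild.exe", "devenv.exe", "w3wp.exe"}
# Parents that should not normally spawn shells or script hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments typical of hidden or encoded PowerShell launches.
SUSPICIOUS_ARGS = ("-encodedcommand", " -enc ", "-nop ", "-w hidden",
                   "frombase64string", "downloadstring")
# Registry paths used for run-key persistence.
RUN_KEYS = ("\\currentversion\\run",)

# Constructed sample events (PIDs, SID and base64 payload are placeholders).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand AAAAAAAA"},
    {"EventID": 1, "ProcessId": 5532,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 7, "ProcessId": 5532,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 13, "ProcessId": 5532,
     "Image": r"C:\Windows\System32\notepad.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 13, "ProcessId": 1234,
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events: Iterable[dict]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) alerts for the indicator classes on the slide."""
    alerts: list[tuple[str, int, str]] = []
    unexpected_clr: set[int] = set()  # PIDs where the CLR appeared unexpectedly

    for ev in events:
        eid, pid, image = ev["EventID"], ev["ProcessId"], basename(ev["Image"])

        if eid == 1:  # process create: parent-child and command-line checks
            parent = basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "").lower()
            if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
                alerts.append(("parent_child", pid, f"{parent} spawned {image}"))
            hits = [a for a in SUSPICIOUS_ARGS if a in cmd]
            if hits:
                alerts.append(("command_line", pid, ", ".join(h.strip() for h in hits)))

        elif eid == 7:  # image load: CLR appearing in an unexpected host
            loaded = basename(ev["ImageLoaded"])
            if loaded in {"clr.dll", "mscoree.dll"} and image not in EXPECTED_CLR_HOSTS:
                unexpected_clr.add(pid)
                alerts.append(("clr_load", pid, f"{loaded} loaded into {image}"))

        elif eid == 13:  # registry value set: run-key write by a flagged process
            target = ev["TargetObject"].lower()
            if pid in unexpected_clr and any(k in target for k in RUN_KEYS):
                alerts.append(("registry_persistence", pid, ev["TargetObject"]))

    return alerts


if __name__ == "__main__":
    for rule, pid, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:22} pid={pid:<6} {detail}")
```

The run-key rule deliberately requires a prior CLR-load alert for the same process, so a benign shell writing its own Run value stays quiet while the same write from a process that should never host the CLR is raised; in a real deployment the allow-list and the event-ordering assumption would need validation against the environment's baseline.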
37. DETECTION SUMMARY
Indicators for in-memory assembly load
Indicators for .NET API related to registry creation
Indicators for invoking of native API
48. THIS IS REALLY USEFUL
Logging of keystrokes
Credential extraction from memory
Other malicious activities
50. REAL WORLD EXAMPLE, SILENTRINITY
Launch a .NET assembly
Launch SafetyKatz, a credential extraction tool