you are not hiding from me .net! - def con con china 1/def con... · office macros. powershell, a...
TRANSCRIPT
YOU ARE NOT HIDING
FROM ME .NET!
FOUR THINGS ABOUT MYSELF
Netflix addict
Attack detection blogger Threat Hunter @ Countercept
Code junkie
THE AGENDA
Detect
Why .NET ?
IN THE NOT SO DISTANT PAST
PowerShell
VBScript
Office Macros
POWERSHELL, A HOT FAVOURITE
Load shellcode
into memory
Call upon
.NET API
Call upon
native API
Powerful
DEFENCES ARE GETTING BETTER
EDR AGENTS
Command Line Arguments Logging
CommandLine powershell write host “This is an evil command”
Parent-Child Process Relationship
DEFENCES ARE GETTING BETTER
AMSI assisting Anti-Virus with script-based detection
PowerShell Script Block Logging to aid with detection
INDUSTRY AS A WHOLE
More opportunities to
detect bad PowerShell
ADVERSARIES JUST DON’T GIVE UP
Invoke .NET directly
instead of via PowerShell
WHY .NET THOUGH?
Powerful
functions
Installed by
default
Lack of
telemetry
10
LET’S COMPARE POWERSHELL AND .NET
Write a registry key
through a .NET API
Pop a Message box
with a native API
11
POWERSHELL VS .NET DEMO
POWERSHELL VS .NET
HOW DID I EXECUTE MY .NET PAYLOAD?
In-memory
assembly loading
IN MEMORY .NET ASSEMBLY LOADING
Compile
Serialize
Load into memory
De-serialize
Instantiate
A FUN FACT
This does exactly the same thing
WHAT CAN THE LOADED OBJECT DO?
Load shellcode
into memory
Call upon .NET API
Call upon native API
Similar to
PowerShell
MID-POINT CHECK
Challenge: Can we detect this?
Similar to PowerShell
Lack of telemetry
THE AGENDA
Detect
Why .NET ?
…… WITH PROCESS HACKER
Process Hacker
Mshta.exe
Analyze
DETECTING .NET LOADED DLLS
Loading of .NET runtime DLLs can be observed
DEFINITELY DODGY
MSHTA typically
only runs HTML or
JavaScript code!
HOLDS TRUE FOR OTHER BINARIES
WHAT IF A BINARY RELATED TO .NET WAS USED
Msbuild.exe
3rd Party Application
Not uncommon to have .NET
runtime DLL
WE NEED SOMETHING BETTER
And the answer lies deep
within Process Hacker
.NET ASSEMBLIES
Events of assembly loads
.NET ASSEMBLIES
Lack of a path indicates potential in-memory
assembly loads
.NET ASSEMBLIES
How did Process
Hacker achieve this?
DEEP WITHIN PROCESS HACKER
A set of .NET ETW providers
Microsoft-Windows-DotNETRuntime
Microsoft-Windows-DotNETRuntimeRundown
PROOF-OF-CONCEPT
.NET ETWConsumes
LET’S TRY TO DETECT MY ATTACK
Indicators for in-memory
assembly load
Indicators for .NET API
related to registry creation
Indicators for invoking of native API
IN-MEMORY ASSEMBLY LOAD
Events
related to
in-memory
assembly
load
Loading of .NET
assemblies
Just In Time
compilation
.NET CODE COMPILATION ARCHITECTURE
CompileCLR
Compile Native code
Upon
executionJIT
Compiler
Compilation time Runtime
JIT COMPILATION
Events generated
whenever a .NET
method is first utilized
IN-MEMORY ASSEMBLY LOAD INDICATORS
Loading of .NET
assemblies
Just In Time
compilation
IN-MEMORY ASSEMBLY LOAD INDICATORS
Detect execution of the MyAssembly
constructor
REMEMBER THIS?
In-memory loading of assembly attempts
to replicate the above behavior
DETECTION SUMMARY
Indicators for in-memory
assembly load
Indicators for .NET API
related to registry creation
Indicators for invoking
of native API
JIT ETW
Just In Time compilation
Can we use this?
UNFORTUNATELY….
JIT compilation
doesn’t occur for
native .NET assemblies
NATIVE .NET ASSEMBLIES?
System.text
Console.writeLine()
WHY THOUGH?
Compile
Native Image Generator (NGEN)
compiles .NET assemblies to native
images, and caches them
Cache
WHY THOUGH?
Compile
JIT compilation would not occur
Cache
DETECTION SUMMARY
Indicators for in-memory
assembly load
Indicators for .NET API
related to registry creation
Indicators for invoking
of native API
.NET ETW EVENTS
Interop events
INTEROP EVENTS
Events generated
during calls made to
Window’s native API
NATIVE CODE
Native function imported from User32.dll
INTEROP EVENTS
Detected a call towards MessageBox
THIS IS REALLY USEFUL
Logging of
keystrokes
Credential
extraction from
memory
Other malicious
activities
DETECTION SUMMARY
Indicators for in-memory
assembly load
Indicators for .NET API
related to registry creation
Indicators for invoking
of native API
REAL WORLD EXAMPLE, SILENTRINITY
51
Launch a .NET
assembly
Launch SafetyKatz,
a credential
extraction tool
52
SILENTRINITY DEMO
53
.NET TELEMETRIES
.NET runtime
DLLS
.NET ETW
events
HOW ABOUT OTHER TELEMETRY?
ObjectiveLateral
Movement
Control
Persistence
Execution
Delivery
Recon
Attacker
TO WRAP IT UP
1.NET isn’t that invisible
2
PowerShell, still
deadly but…..
3
Try it yourself!