BlueHatIL 2020: Staying # and Bringing Covert Injection Tradecraft to .NET
Authors
Ruben Boonen (@FuzzySec) - Ruben is a member of of IBM’s X-Force Red Team, providing public & private sector clients assurance around the security posture of their products and infrastructure. Before joining IBM, Ruben worked in defense, on FireEye’s Technical Operations & Reverse Engineering (TORE) team, and offence as a senior security consultant. While Ruben has previously led a wide variety of engagements, along the way he developed a special interest for all things Windows. His current areas of research include Windows internals, privilege escalation, C#/PowerShell trade-craft and memory manipulation.
The Wover (@TheRealWover) - The Wover is an adversary emulation engineer who researches adversary groups and TTPs and develops tools and methodologies for emulating them. In a previous life, he was a software developer for "normal" (i.e. not-malware) applications. Now he spends his spare time developing open-source software for non-"normal" applications (don't call it malware). He is the co-creator of the Donut shellcode generation framework, a collaborator for the SharpSploit post-exploitation library, and has contributed to or created several other open-source projects and techniques.
Abstract
As .NET has taken over as the preferred platform for development on Windows, many attackers have chosen to take advantage of its features for post-exploitation tradecraft. Legitimate APIs can be leveraged for nearly every imaginable task, managed code can be loaded and executed from memory with extraordinary ease, and scalable monitoring for suspicious usage of .NET APIs is a problem yet to be solved. However, offensive .NET tools are still hindered by a fundamental weakness: the inability to leverage unmanaged code (such as the Win32/NT APIs) safe from observation by EDR. Managed code must eventually invoke unmanaged code in order to interface with the operating system. It is here that the attacker may be caught in the hooks of any system keen on watching for fundamentally malicious behavior. To expose the depth of tradecraft still unexplored in .NET and highlight the fragility of many existing detections, we will detail the tools we have built for evading these hooks.
All of our efforts have been integrated into SharpSploit, a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers. Over the past few months we have added numerous new tools and techniques for loading and executing unmanaged code safely from .NET. Unmanaged APIs may be safely accessed and modules loaded either from memory or from disk in the new DInvoke API, a dynamic replacement for .NET's PInvoke API. It also includes manual mapping, a generic syscall wrapper, a new technique we call Module Overloading, and more. Additionally, we have added a modular process injection API that allows tool developers to build their own injection technique. Simply select an allocation and injection primitive, pass in any options, and execute the result with your preferred payload. This exposes all possible design decisions to the user, and allows for easy adaptation when existing tools fail.
In our talk we will focus on explaining the fundamental tradecraft behind these new developments, the challenges and requirements associated with them, and how they can be adapted to suit your needs. Additionally, we will discuss how SharpSploit can be combined with other open-source projects to be integrated into a red team's tooling. As much as possible, we will also discuss how to counter and detect the techniques that we have developed. Finally, we will explain the community-focused development of these projects and how you too can contribute to advance open-source .NET tradecraft.