Applying the Invisibility Cloak: Obfuscate C# Tools to Evade Signature-Based Detection

This is the first in a new series from our offensive security experts at X-Force Red sharing research, resources and recommendations to help you harden your defenses and protect your most important assets.


Attackers and offensive security professionals have been migrating from PowerShell to C# for post-exploitation toolkits due to advances in security product configurations and features. In response, security product vendors now focus on detecting C# post-exploitation toolkits. One example of these detection improvements is the Antimalware Scan Interface (AMSI) for .NET, which allows .NET assemblies to be scanned in memory. Currently, the majority of detections for these C# tools rely on static signatures rather than on the behaviors of the tools themselves.


This blog post reviews various static indicators within C# toolkits that can be used for detection, and how those static signatures can be bypassed, both through manual modifications and through automated modification with X-Force Red’s proof-of-concept C# obfuscation tool, InvisibilityCloak. Defensive considerations are also outlined.


Static Components of C# Tools


There are several components within a C# tool that are static. These static components provide opportunities for building signature-based detections. A few of the more important static components will be discussed below.


Tool Name


The name of the tool itself is one of the components that could be used as a part of an alert. This is not reliable as a standalone detection; an attacker can simply rename a tool to get around any type of tool name-based detection.


Project GUID


When you cr ..
