Why Attackers Are Using C# For Post-PowerShell Attacks (forcepoint.com)

An anonymous Slashdot reader summarizes an article by a senior security researcher at Forcepoint Security Labs: Among cyber criminals, there has been a trend in recent years for using more so-called 'fileless' attacks. The driver for this is to avoid detection by anti-virus. PowerShell is often used in these attacks. Part of the strategy behind fileless attacks is related to the concept of 'living off the land', meaning that to blend in and avoid detection, attackers strive for only using the tools that are natively available on the target system, and preferably avoiding dropping executable files on the file system.

Recently, C# has received some attention in the security community, since it has some features that may make it more appealing to criminals than PowerShell. [Both C# and PowerShell use the .NET runtime.] A Forcepoint researcher has summarized the evolvement of attack techniques in recent years, particularly looking at a recent security issue related to C# in a .NET utility in terms of fileless attacks.

From the article: A recent example of C# being used for offensive purposes is the PowerShell/C# 'combo attack' noted by Xavier Mertens earlier this month in which a malware sample used PowerShell to compile C# code on the fly. Also, a collection of adversary tools implemented in C# was released. Further, an improved way was published for injecting shellcode (.NET assembly) into memory via a C# application.... Given recent trends it seems likely that we'll start to see an increased number of attacks that utilize C# -- or combinations of C# and PowerShell such as that featured in Xavier Mertens' SANS blog -- in the coming months.
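The summary's central point for defenders is that the PowerShell/C# combination leaves no new executable on disk, so file-scanning anti-virus sees nothing; what it does leave is script text in PowerShell's script block log. The following is an added example, not code from the Forcepoint article or the Slashdot summary: a small Python detector that scans constructed script-block text (in the shape of what Event ID 4104 records) for the .NET identifiers involved in compiling or loading C# in memory, and flags records that combine more than one of them. The indicator names are real PowerShell and .NET identifiers; the sample records, the `scan_log` and `scan_script_block` functions and the threshold are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Identifiers that appear when C# is compiled or loaded inside a PowerShell
# session. All are real PowerShell / .NET names; the descriptions are ours.
INDICATORS = {
    "Add-Type": "cmdlet that compiles C# source into the running process",
    "CSharpCodeProvider": "System.CodeDom compiler class for on-the-fly compilation",
    "CompileAssemblyFromSource": "compiles a source string straight to an assembly",
    "GenerateInMemory": "CompilerParameters flag that keeps the output off disk",
    "[System.Reflection.Assembly]::Load(": "loads an assembly from bytes, not a path",
}


@dataclass
class Finding:
    record_id: int
    matched: list      # indicator names found in this record
    score: int         # number of distinct indicators


def scan_script_block(record_id, text):
    """Match every indicator (case-insensitively) against one script block."""
    lowered = text.lower()
    matched = [name for name in INDICATORS if name.lower() in lowered]
    return Finding(record_id, matched, len(matched))


def scan_log(records, threshold=2):
    """Return findings whose score reaches the threshold.

    A single Add-Type is routine administrator behaviour; a block that also
    sets GenerateInMemory or calls CompileAssemblyFromSource is the pattern
    the summary describes, so the default threshold is two indicators.
    """
    findings = []
    for record_id, text in records:
        finding = scan_script_block(record_id, text)
        if finding.score >= threshold:
            findings.append(finding)
    return findings


# Constructed sample records (id, script block text). These are not real
# captured logs; $src and $bytes are placeholders for content we do not supply.
SAMPLE_RECORDS = [
    (1, "Get-ChildItem C:\\Users | Sort-Object LastWriteTime"),
    (2, "Add-Type -TypeDefinition $src -Language CSharp"),
    (3, "$p = New-Object Microsoft.CSharp.CSharpCodeProvider; "
        "$cp = New-Object System.CodeDom.Compiler.CompilerParameters; "
        "$cp.GenerateInMemory = $true; "
        "$r = $p.CompileAssemblyFromSource($cp, $src)"),
    (4, "[System.Reflection.Assembly]::Load($bytes)"),
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_RECORDS):
        print(f"record {f.record_id}: score {f.score}, matched {f.matched}")
    # record 3: score 3, matched ['CSharpCodeProvider',
    #           'CompileAssemblyFromSource', 'GenerateInMemory']
```

Script block logging has to be enabled for any of this to exist (it is off by default on Windows PowerShell 5.1), and the string matching is deliberately naive: it illustrates which identifiers matter, not a production rule. A complementary signal that does not depend on the script text is process creation: on Windows PowerShell 5.1, `Add-Type` still hands the source to `csc.exe`, so a `csc.exe` child of `powershell.exe` in process-creation or Sysmon logs points at the same activity.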
  • by Anonymous Coward

    Is it true that Linux doesn't use either C# nor Powershell?

    On the other hand, is there a way to disable C# / Powershell in windoze?

    Thanks !

  • There has never been a single attack using VB.net.

  • Powershell itself can curl anything and execute anything. Or run Node, most systems have it because most apps need it. Or just download python and hack the planet with __pythonicpower__

    It has the same power as any basic Linux shell. So singling out C# is entirely moot, and I question the motivation behind doing so.

  • Shell, even the dumbed-down "Power"-shell seems to be to hard for them to code in....

  • by Anonymous Coward

    Installing powershell implies installing a ceehash compiler?

    Next you're gonna tell me there's a complete IDE hidden in the dotnet runtime crapolade. Which of the runtimes adds a hidden mail client, and which a hidden html browser?

  • When in Rome, do as the Romans do.

    It is advisable to follow the conventions of the area you are in lest you draw attention to yourself... like from an antivirus application. This is an infiltration game on the binary level so it's best to look the part of an innocuous application.

  • by Anonymous Coward on Sunday September 23, 2018 @04:02AM (#57363180)

    Fileless my ass. Fileless means the browser downloads the thing and puts it somewhere (RAM, possibly cache) and then executes it. This somehow becomes "magic" to the so-called "experts" -- "fileless". Wow.

    Ever more often, I find it difficult to be proud of my trade. I then tell people I'm "shepherd", or "cook" or "carpenter". Or perhaps "fisher".

    • When you start claiming to be a realtor or a lawyer it's definitely time to quit.

    • by Anonymous Coward

      Fileless my ass. Fileless means the browser downloads the thing and puts it somewhere (RAM, possibly cache) and then executes it. This somehow becomes "magic" to the so-called "experts" -- "fileless". Wow.

      Technically, you're right, it's not "fileless" -- there's always a file of some sort, somewhere.

      In this particular context, fileless means "not dropping executable files on the victim's system", e.g., pulling in some source code from somewhere (the Internet, a network share, etc.) and then compiling it and executing it.

    • Are you saying fileless / in-memory only exploitation, post-exploitation don't exist?

      Welcome to 2002, go read about any exploit kit from the past decade.

    • If malicious content isn't written to disk[1], it's much less likely to be picked up by AV/antimalware components, because most of those hook into file read/write operations within the OS for their real-time protection. Additionally, this technique can sometimes be used to bypass application-whitelisting tools, if it's a tool already on the whitelist which is injecting the malicious code into process memory. That's why it's treated as something special/"magic".

      Post-exploitation tools that avoid writing mali

  • This must literally be THE FIRST TIME EVER we realized admin privileges can allow the user to execute arbitrary scripts.

    Oh noes!
