Quick Retooling with .NET Payloads

PowerShell gave us a super-highway of convenient building blocks for offensive toolkits and operational automation. Now that offensive PowerShell is widely detected, a move toward .NET implants may be a desirable option in some cases.

However, red teams face challenges when moving automation down into managed code. Can .NET-based toolkits maintain flexibility, quick in-field retooling and operational security in the face of current detection mechanisms?

We think the answer is yes.

In this talk, we will focus on quick in-field retooling and the dynamic-execution aspects of .NET implants as the crucial traits for overcoming static defensive mechanisms.

We will dive deeper into OpSec lessons learned from dynamic code compilation, and we will attempt to move beyond the static nature of .NET assemblies into the reflective .NET Dynamic Language Runtime (DLR).

We will showcase on-the-fly access to native Windows APIs and discuss methods of hiding sensitive aspects of execution in managed-code memory.

All of this, with the help of the DLRium Managed Execution toolkit we have in development.

Dimitry Snezhkov, Security Consultant, IBM

Dimitry Snezhkov does not like to refer to himself in the third person :) but when he does, he is a Sr. Security Consultant for X-Force Red at IBM, performing penetration testing, occasional Red Teaming, and application security assessments.