Attackers are continuously evolving their tool sets to keep ahead of defenders. In this blog, we highlight and discuss one major transition occurring in the attack and penetration space: the move from PowerShell to C# as an attack framework.
PowerShell has been an asset to penetration testers for years. Unrestricted access to PowerShell allows penetration testers — and threat actors — access to a powerful language built directly into most Microsoft Windows operating systems (OS). In particular, PowerShell gives direct access to the .NET framework, which allows access to a large suite of built-in functions, as well as integration with Microsoft’s C# platform. PowerShell’s integration with the Windows operating system also allows a threat actor access to an environment that does not require any information to be written to the disk (aka “in memory”).
PowerShell’s integration with the Windows operating system and its common use by system administrators have traditionally not been tightly controlled or audited. In the past, PowerShell actions did not create events in IDS/IPS platforms, nor would they be caught by common malware or antivirus products. Using PowerShell gave malicious attackers access to the underlying OS Win32 API, which provides great flexibility to evade traditional detection as well as to perform various attacks such as creating file-less malware and seeing which users are logged in across various systems. Since PowerShell’s rise in popularity, Microsoft and other Endpoint Detection and Response (EDR) vendors have been proactive in adding protections that help mitigate the use of PowerShell as an attack vector.
As the security surrounding PowerShell has become more robust, attackers have adjusted to focus on new avenues for exploitation that may not be as tightly monitored. One of the most popular transitions from PowerShell has been to C#, which offers all of the advantages of working in PowerShell but is not subject to the same amount of auditing and restrictions, and is not covered by signatures from popular EDR products.
Specifically, C# leverages the .NET framework in the same way as PowerShell; however, the defenses are not as robust. The move from PowerShell to C# also works well for attackers because it is compatible with all .NET frameworks regardless of system age. Additionally, C# is Microsoft’s built-in language that has full support on Windows and can be used to compile .NET applications locally.
Naturally, multiple exploitation frameworks have been developed to leverage many of the benefits to attackers listed above, with GhostPack and Covenant among the most popular options. To combat this attack vector, high-performing organizations have been working to place constraints on the use of C# throughout their environment by hardening endpoint execution policies and updating to modern solutions that have the latest detection capabilities. Specifically, organizations are enhancing logging of the methods commonly used to execute malicious .NET assemblies, such as “System.Reflection.Assembly.Load()”, “regsvr32.exe”, and “wmic.exe”. Additionally, organizations are logging abnormal activity surrounding the C# and F# scripting binaries “csi.exe” and “fsi.exe”. To counter this move, attackers are now obfuscating and compiling their own tools or even embedding them in other benign files.
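As an added illustration of the logging focus described above (this is not Protiviti's code or any product's rule set), the following Python sketch triages exported log records for the binaries and the reflective load call named in this post. The record field names, the list of unusual parent processes, the user-writable path check and the scoring weights are all assumptions made for the example.

```python
import ntpath
import re

# Binaries the article names as worth extra logging.
WATCHED = {"csi.exe", "fsi.exe", "regsvr32.exe", "wmic.exe"}
# Assumption: parents that rarely have a legitimate reason to start them.
ODD_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe"}
# Assumption: a watched binary running from a user-writable path is abnormal.
USER_WRITABLE = re.compile(r"\\(users|programdata|windows\\temp)\\", re.I)
# Assembly.Load( as written in PowerShell ([...]::Load) or C# (.Load) text.
REFLECTIVE_LOAD = re.compile(r"Reflection\.Assembly\]?(?:::|\.)Load\s*\(", re.I)

def score_event(event):
    """Return (score, reasons) for one constructed log record."""
    if REFLECTIVE_LOAD.search(event.get("script_text", "")):
        return 2, ["reflective Assembly.Load in script text"]
    image = event.get("image", "")
    name = ntpath.basename(image).lower()
    if name not in WATCHED:
        return 0, []
    score, reasons = 1, [f"watched binary {name}"]
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    if parent in ODD_PARENTS:
        score, reasons = score + 2, reasons + [f"unusual parent {parent}"]
    if USER_WRITABLE.search(image):
        score, reasons = score + 2, reasons + ["runs from user-writable path"]
    return score, reasons

def triage(events, threshold=2):
    """Indexes and reasons of events at or above threshold, highest first."""
    hits = [(i, *score_event(e)) for i, e in enumerate(events)]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])

# Constructed sample records; the field names are assumptions, not a real schema.
SAMPLE = [
    {"image": r"C:\Program Files\Microsoft Visual Studio\Roslyn\csi.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\csi.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\EXCEL.EXE"},
    {"script_text": "[System.Reflection.Assembly]::Load($bytes) | Out-Null"},
]

if __name__ == "__main__":
    for idx, score, reasons in triage(SAMPLE):
        print(idx, score, "; ".join(reasons))
```

Records that merely involve a watched binary score 1 and stay below the default threshold, so routine developer or administrator use is still logged without being escalated.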
In the continuous game of cat and mouse that is the offensive security field, security researchers and bad actors are always looking for ways to stay ahead of the curve. As we continue to move forward as an information security community, C# will likely follow the path taken by PowerShell, and will be closely followed by another attack vector such as F#, IronPython, IronRuby or Boolang.
Blue teams, defenders and information security organizations should continuously work to stay current on the latest trends and technologies used by attackers to negate or reduce intrusion efforts.
How We Can Help
Protiviti assists organizations of all industries and sizes in identifying the exposures outlined in this post through cutting-edge attack and penetration simulations.
To learn more about Protiviti’s attack and penetration capabilities, contact us.