Technology Insights HOME | Perspectives from Our Experts on Technology Trends and Risks


Penetration Testers Tool Kit: A Transition from PowerShell to C#

Cameron Byers

Manager - Security and Privacy


Attackers continuously evolve their tool sets to keep ahead of defenders. In this blog, we highlight and discuss one major transition occurring in the attack and penetration space: the move from PowerShell to C# as an attack framework.

The History

PowerShell has been an asset to penetration testers for years. Unrestricted access to PowerShell gives penetration testers, and threat actors, a powerful language built directly into most Microsoft Windows operating systems (OS). In particular, PowerShell gives direct access to the .NET framework, which exposes a large suite of built-in functions as well as integration with Microsoft’s C# platform. PowerShell’s integration with the Windows operating system also lets a threat actor operate without writing anything to disk (that is, “in memory”).

Because PowerShell is integrated into the Windows operating system and used routinely by system administrators, its use has traditionally not been tightly controlled or audited. In the past, PowerShell actions did not create events in IDS/IPS platforms, nor were they caught by common malware or antivirus products. PowerShell gave attackers access to the underlying Win32 API of the OS, which provides great flexibility to evade traditional detection and to perform various attacks, such as creating file-less malware and seeing which users are logged in across various systems. Since PowerShell’s rise in popularity, Microsoft and other Endpoint Detection and Response (EDR) vendors have been proactive in adding protections that help mitigate its use as an attack vector.

The Transition

As the security surrounding PowerShell has become more robust, attackers have adjusted to focus on new avenues for exploitation that may not be as tightly monitored. One of the most popular transitions from PowerShell has been to C#, which offers all of the advantages of working in PowerShell but is not subject to the same degree of auditing and restriction, and is not yet covered by signatures from popular EDR products to the same extent.

Specifically, C# leverages the .NET framework in the same way as PowerShell, but the defenses around it are not as robust. The move from PowerShell to C# also works well for attackers because C# is compatible with all .NET frameworks regardless of system age. Additionally, C# is Microsoft’s built-in language, has full support on Windows, and can be used to compile .NET applications locally.

Naturally, multiple exploitation frameworks have been developed to leverage the benefits to attackers listed above, with GhostPack and Covenant among the most popular options. To combat this attack vector, high-performing organizations have been working to constrain the use of C# throughout their environment by hardening endpoint execution policies and updating to modern solutions that have the latest detection capabilities. Specifically, organizations are enhancing logging around the methods commonly used to execute malicious .NET assemblies, such as “System.Reflection.Assembly.Load()”, “regsvr32.exe”, and “wmic.exe”. Additionally, organizations are logging abnormal activity surrounding the C# and F# scripting binaries “csi.exe” and “fsi.exe”. To counter this move, attackers are now obfuscating and compiling their own tools or even embedding them in other benign files.
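The logging described above only pays off if someone reviews the events. The following script is an added example, not code from Protiviti or from this post, showing how a defender might triage process-creation events for the binaries the post names (csi.exe, fsi.exe, regsvr32.exe, wmic.exe). It assumes the events have been flattened by a SIEM into one line of key="value" pairs (Sysmon Event ID 1 or Security Event 4688 style); the field names, the sample log lines, and the severity heuristics are all constructed for the example. Reflective loads via Assembly.Load() happen inside an already-running process and do not appear as process-creation events, so they need .NET runtime or AMSI telemetry rather than this kind of check.

```python
import re
from dataclasses import dataclass

# Binaries the post names as commonly abused to run .NET assemblies or C#/F# scripts.
WATCHED_IMAGES = {"csi.exe", "fsi.exe", "regsvr32.exe", "wmic.exe"}

# Assumption: process-creation events arrive as one line of key="value" pairs,
# the way a SIEM typically flattens Sysmon Event ID 1 or Security Event 4688.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
REMOTE_RE = re.compile(r"https?://|\\\\[a-z0-9.-]+\\")          # URL or UNC path in arguments
USER_WRITABLE_RE = re.compile(r"\\appdata\\local\\temp\\|\\users\\public\\|\\programdata\\")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


@dataclass
class Finding:
    image: str
    parent: str
    severity: str      # "low": watched host seen; "high": watched host plus a suspicious trait
    reasons: list
    commandline: str


def parse_event(line: str) -> dict:
    """Return the event's fields with lower-cased keys."""
    return {k.lower(): v for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, so Image paths compare by executable name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return a Finding if the event's image is a watched .NET host, else None."""
    image = basename(event.get("image", ""))
    if image not in WATCHED_IMAGES:
        return None
    parent = basename(event.get("parentimage", ""))
    cmd = event.get("commandline", "")
    cmd_l = cmd.lower()
    reasons = [f"{image} is a watched .NET/script host"]
    if REMOTE_RE.search(cmd_l):
        reasons.append("command line references a URL or UNC path")
    if USER_WRITABLE_RE.search(cmd_l):
        reasons.append("argument points into a user-writable directory")
    if image == "wmic.exe" and "/node:" in cmd_l:
        reasons.append("wmic targets a remote host")
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office application {parent}")
    severity = "high" if len(reasons) > 1 else "low"
    return Finding(image, parent, severity, reasons, cmd)


def scan(lines):
    """Run classify() over raw log lines and keep only the findings."""
    findings = []
    for line in lines:
        finding = classify(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (hosts, users and paths are invented for this example).
SAMPLE_EVENTS = [
    'Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Windows\\explorer.exe" '
    'CommandLine="cmd.exe /c dir"',
    'Image="C:\\Windows\\System32\\regsvr32.exe" ParentImage="C:\\Windows\\explorer.exe" '
    'CommandLine="regsvr32.exe /s C:\\Program Files\\Vendor\\vendor.dll"',
    'Image="C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\Roslyn\\csi.exe" '
    'ParentImage="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="csi.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.csx"',
    'Image="C:\\Windows\\System32\\wbem\\wmic.exe" ParentImage="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="wmic.exe /node:fileserver01 computersystem get username"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.image} (parent {f.parent}): {'; '.join(f.reasons)}")
```

The regsvr32 event is reported at low severity because registering a vendor DLL from Program Files is routine; the csi.exe run of a script from a Temp directory and the wmic query against a remote host each pick up an extra reason and are escalated. In practice the allow-list of benign parents and paths is what keeps this from drowning the analyst, and it has to be tuned per environment.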

Conclusion

In the continuous game of cat and mouse that is the offensive security field, security researchers and bad actors are always looking for ways to stay ahead of the curve. As the information security community continues to move forward, C# will likely follow the path taken by PowerShell, only to be succeeded by another attack vector such as F#, IronPython, IronRuby or Boolang.

Blue teams, defenders and information security organizations should continuously work to stay current on the latest trends and technologies used by attackers to negate or reduce intrusion efforts.

How We Can Help

Protiviti assists organizations of all industries and sizes in identifying the exposures outlined in this post through cutting edge attack and penetration simulations.

To learn more about Protiviti’s attack and penetration capabilities, contact us.


Authors: Tom Stewart and Cameron Byers, Protiviti
