Cybersecurity

Penetration Testers Tool Kit: A Transition from PowerShell to C#

Tom StewartCameron Byers
October 19, 2020
3 min read

Attackers are continuously evolving their tool sets to keep ahead of defenders. In this blog, we highlight and discuss one major transition occurring in the attack and penetration space: the move from PowerShell to C# as an attack framework.

The History

PowerShell has been an asset to penetration testers for years. Unrestricted access to PowerShell allows penetration testers — and threat actors — access to a powerful language built directly into most Microsoft Windows operating systems (OS). In particular, PowerShell gives direct access to the .NET framework, which allows access to a large suite of built-in functions, as well as integration with Microsoft’s C# platform. PowerShell’s integration with the Windows operating system also allows a threat actor access to an environment that does not require any information to be written to the disk (aka “in memory”).

PowerShell’s integration with the Windows operating system and its common use by system administrators has traditionally not been tightly controlled or audited.In the past, PowerShell actions did not create events in IDS/IPS platforms, nor would they be caught by common malware or antivirus products. Using PowerShell gave malicious attackers access to the underlying OS Win32 API which provides great flexibility to evade traditional detection as well as perform various attacks such as creating file-less malware and seeing which users are logged in across various systems. Since its rise in popularity, Microsoft and other Endpoint Detection and Response (EDR) products have been proactive in adding protections that help mitigate the use of PowerShell as an attack vector.

The Transition

As the security surrounding PowerShell has become more robust, attackers have adjusted to focus on new avenues for exploitation that may not be as tightly monitored. One of the most popular transitions from PowerShell has been to utilize C#, which contains all of the advantages of working in PowerShell but does not have the same amount of auditing and restrictions, and also does not include signatures from popular EDR products.

Specifically, C# leverages the .NET framework in the same way as PowerShell, however the defenses are not as robust. The move from PowerShell to C# also works well for attackers because it is compatible with all .NET frameworks regardless of system age. Additionally, C# is Microsoft’s built-in language that has full support on Windows and can be used to compile .NET applications locally.

Naturally, multiple exploitation frameworks have been developed to leverage many of the benefits to attackers listed above, with GhostPack and Covenant as some of most popular options. To combat this attack vector, high-performing organizations have been working to place constraints on the use of the C# throughout their environment by hardening endpoint execution policies and updating to modern solutions that have the latest detection capabilities. Specifically, organizations are enhancing logging regarding commonly leveraged methods used to execute malicious .NET assemblies such as “System.Reflection.Assembly.Load()”, “regsvr32.exe”, and “wmic.exe”. Additionally, organizations are logging abnormal activity surrounding the C# and F# scripting binaries “csi.exe” and “fsi.exe”. To counter this move, attackers are now obfuscating and compiling their own tools or even embedding them in other benign files.

Conclusion

In the continuous game of cat and mouse that is the offensive security field, security researchers and bad actors are always looking for ways to stay ahead of the curve. As we continue to move forward as an information security community, C# will likely fall victim to the path taken by PowerShell, but will be closely followed by another attack vector such as F#, IronPython, IronRuby or Boolang.

Blue teams, defenders and information security organizations should continuously work to stay current on the latest trends and technologies used by attackers to negate or reduce intrusion efforts.

How We Can Help

Protiviti assists organizations of all industries and sizes in identifying the exposures outlined in this post through cutting edge attack and penetration simulations.

To learn more about Protiviti’s attack and penetration capabilitiescontact us. 

Tom Stewart

Senior Director
Security and Privacy

View all posts

Cameron Byers

Senior Consultant
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
2 Nov

Many often overlook the potential impact—both positive and negative—a #TechnModernization project can have on operational #resilience. #ProtivitiTech's Kim Bozzella shares her thoughts with #Forbes Technology Council. https://ow.ly/1FLA50TYIaE

Reply on Twitter 1852806697112187072 Retweet on Twitter 1852806697112187072 Like on Twitter 1852806697112187072 Twitter 1852806697112187072
protivititech Protiviti Technology @protivititech ·
1 Nov

Establishing a scalable #AI #governance framework is crucial for balancing innovation with #risk and #compliance. Dive into our latest ebook, co-authored with #OneTrust, to explore key steps and technologies that will elevate your AI governance strategy. https://ow.ly/QqKy50TVUx3

Reply on Twitter 1852320075530809735 Retweet on Twitter 1852320075530809735 Like on Twitter 1852320075530809735 Twitter 1852320075530809735
protivititech Protiviti Technology @protivititech ·
31 Oct

News reports implied that China has managed to break "military grade" encryption using quantum computers. But the truth is more complicated than that. Protiviti's #quantum expert Konstantinos Karagiannis explains it all to #VISIONbyProtiviti. https://ow.ly/Zb9z50TWNuh

Reply on Twitter 1852018952433549469 Retweet on Twitter 1852018952433549469 Like on Twitter 1852018952433549469 Twitter 1852018952433549469
protivititech Protiviti Technology @protivititech ·
31 Oct

The #IIoT can help organizations collect and analyze data to optimize operations and maximize resources. #ProtivitiTech's Kim Bozzella details how IIoT can yield benefits for businesses and the people they serve with #Forbes #Technology Council. https://ow.ly/V5I250TVLAj

Reply on Twitter 1851988257015226688 Retweet on Twitter 1851988257015226688 Like on Twitter 1851988257015226688 Twitter 1851988257015226688
protivititech Protiviti Technology @protivititech ·
31 Oct

Protiviti has earned the AWS DevOps Competency, which complements our existing Migration and Security Competencies. These competencies reflect Protiviti's ability to deliver comprehensive AWS system integration services. https://ow.ly/Baj550TWR9I

#AWSDevOps #AWSCloud #AWS

Reply on Twitter 1851821523918528853 Retweet on Twitter 1851821523918528853 Like on Twitter 1851821523918528853 1 Twitter 1851821523918528853
Load More