Penetration Testers Tool Kit: A Transition from PowerShell to C#

Attackers are continuously evolving their tool sets to keep ahead of defenders. In this blog, we highlight and discuss one major transition occurring in the attack and penetration space: the move from PowerShell to C# as an attack framework.

The History

PowerShell has been an asset to penetration testers for years. Unrestricted access to PowerShell allows penetration testers — and threat actors — access to a powerful language built directly into most Microsoft Windows operating systems (OS). In particular, PowerShell gives direct access to the .NET framework, which allows access to a large suite of built-in functions, as well as integration with Microsoft’s C# platform. PowerShell’s integration with the Windows operating system also allows a threat actor access to an environment that does not require any information to be written to the disk (aka “in memory”).

PowerShell’s integration with the Windows operating system and its common use by system administrators meant that, traditionally, it was not tightly controlled or audited. In the past, PowerShell actions did not create events in IDS/IPS platforms, nor were they caught by common malware or antivirus products. Using PowerShell gave attackers access to the underlying Win32 API, which provides great flexibility to evade traditional detection and to perform actions such as running file-less malware and enumerating which users are logged in across systems. Since PowerShell’s rise in popularity as an attack tool, Microsoft and Endpoint Detection and Response (EDR) vendors have proactively added protections that help mitigate its use as an attack vector.

The Transition

As the security surrounding PowerShell has become more robust, attackers have shifted their focus to avenues that may not be as tightly monitored. One of the most popular transitions from PowerShell has been to C#, which offers the same advantages as working in PowerShell but is not subject to the same degree of auditing and restriction, and is not as well covered by the signatures of popular EDR products.

Specifically, C# leverages the .NET framework in the same way as PowerShell, but the defenses around it are not as robust. The move from PowerShell to C# also works well for attackers because C# code is compatible with every version of the .NET framework, regardless of how old the target system is. Additionally, C# is Microsoft’s own language, fully supported on Windows, and can be used to compile .NET applications locally on the target.

Naturally, multiple exploitation frameworks have been developed to leverage the benefits to attackers listed above, with GhostPack and Covenant among the most popular options. To combat this attack vector, high-performing organizations have been working to constrain the use of C# throughout their environment by hardening endpoint execution policies and updating to modern solutions with the latest detection capabilities. Specifically, organizations are enhancing logging around commonly leveraged methods of executing malicious .NET assemblies such as “System.Reflection.Assembly.Load()”, “regsvr32.exe”, and “wmic.exe”. Additionally, organizations are logging abnormal activity surrounding the C# and F# scripting binaries “csi.exe” and “fsi.exe”. To counter these measures, attackers are now obfuscating and compiling their own tools, or even embedding them in otherwise benign files.
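As an added illustration (not Protiviti’s tooling and not part of the original post), the following Python triage shows how the logging described above can be turned into alerts: it flags executions of csi.exe and fsi.exe, logs regsvr32.exe and wmic.exe for review, and flags CLR DLLs loaded into processes that are not expected to run managed code, which is one observable side effect of in-memory Assembly.Load()-style execution. The Sysmon-style field names, the sample events and the allowlist of expected CLR hosts are assumptions constructed for the example.

```python
import ntpath  # handles Windows-style paths on any platform

# Binaries the post singles out (assumed lists, tune per estate).
SCRIPT_HOSTS = {"csi.exe", "fsi.exe"}            # C#/F# interactive scripting hosts
REVIEW_BINARIES = {"regsvr32.exe", "wmic.exe"}   # common assembly-execution proxies
# DLLs that appear whenever the .NET runtime is loaded into a process.
CLR_DLLS = {"clr.dll", "mscoree.dll", "clrjit.dll"}
# Processes expected to host the CLR (assumption: baseline from the environment).
EXPECTED_CLR_HOSTS = {"powershell.exe", "msbuild.exe", "devenv.exe", "w3wp.exe"}

def _name(path):
    """Lower-cased file name from a Windows path."""
    return ntpath.basename(path).lower()

def triage_event(ev):
    """Return (severity, reason) for one Sysmon-style event, or None if benign."""
    image = _name(ev.get("Image", ""))
    if ev["EventID"] == 1:  # process creation
        if image in SCRIPT_HOSTS:
            return ("high", f"{image} started by {_name(ev.get('ParentImage', ''))}")
        if image in REVIEW_BINARIES:
            return ("medium", f"{image} executed: {ev.get('CommandLine', '')}")
    elif ev["EventID"] == 7:  # image (DLL) load
        dll = _name(ev.get("ImageLoaded", ""))
        if dll in CLR_DLLS and image not in EXPECTED_CLR_HOSTS:
            return ("high", f"CLR ({dll}) loaded into {image}")
    return None

def triage(events):
    """Run triage_event over a list of events and collect the findings in order."""
    findings = []
    for ev in events:
        hit = triage_event(ev)
        if hit:
            findings.append({"Severity": hit[0], "Reason": hit[1], "Image": ev["Image"]})
    return findings

# Constructed sample events (not real telemetry): one benign, three noteworthy,
# one CLR load into a process that is expected to host .NET.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\MSBuild\14.0\Bin\csi.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "csi.exe script.csx"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wmic.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "wmic os get caption"},
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['Severity']}] {f['Reason']}")
```

The CLR-load rule is the one that catches the in-memory case: a compiled C# assembly reflectively loaded into an unrelated process never touches csi.exe, regsvr32.exe or wmic.exe, but it cannot run without the runtime DLLs being mapped.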

Conclusion

In the continuous game of cat and mouse that is the offensive security field, security researchers and bad actors are always looking for ways to stay ahead of the curve. As the information security community continues to move forward, C# will likely follow the path taken by PowerShell, only to be succeeded by another attack vector such as F#, IronPython, IronRuby or Boolang.

Blue teams, defenders and information security organizations should continuously work to stay current on the latest trends and technologies used by attackers to negate or reduce intrusion efforts.

How We Can Help

Protiviti assists organizations of all industries and sizes in identifying the exposures outlined in this post through cutting edge attack and penetration simulations.

To learn more about Protiviti’s attack and penetration capabilities, contact us.

Tom Stewart

Senior Director
Security and Privacy

Cameron Byers

Senior Consultant
Security and Privacy
