Cybersecurity

Penetration Testers Tool Kit: A Transition from PowerShell to C#

Tom StewartCameron Byers
October 19, 2020
3 min read

Attackers are continuously evolving their tool sets to keep ahead of defenders. In this blog, we highlight and discuss one major transition occurring in the attack and penetration space: the move from PowerShell to C# as an attack framework.

The History

PowerShell has been an asset to penetration testers for years. Unrestricted access to PowerShell allows penetration testers — and threat actors — access to a powerful language built directly into most Microsoft Windows operating systems (OS). In particular, PowerShell gives direct access to the .NET framework, which allows access to a large suite of built-in functions, as well as integration with Microsoft’s C# platform. PowerShell’s integration with the Windows operating system also allows a threat actor access to an environment that does not require any information to be written to the disk (aka “in memory”).

PowerShell’s integration with the Windows operating system and its common use by system administrators has traditionally not been tightly controlled or audited.In the past, PowerShell actions did not create events in IDS/IPS platforms, nor would they be caught by common malware or antivirus products. Using PowerShell gave malicious attackers access to the underlying OS Win32 API which provides great flexibility to evade traditional detection as well as perform various attacks such as creating file-less malware and seeing which users are logged in across various systems. Since its rise in popularity, Microsoft and other Endpoint Detection and Response (EDR) products have been proactive in adding protections that help mitigate the use of PowerShell as an attack vector.

The Transition

As the security surrounding PowerShell has become more robust, attackers have adjusted to focus on new avenues for exploitation that may not be as tightly monitored. One of the most popular transitions from PowerShell has been to utilize C#, which contains all of the advantages of working in PowerShell but does not have the same amount of auditing and restrictions, and also does not include signatures from popular EDR products.

Specifically, C# leverages the .NET framework in the same way as PowerShell, however the defenses are not as robust. The move from PowerShell to C# also works well for attackers because it is compatible with all .NET frameworks regardless of system age. Additionally, C# is Microsoft’s built-in language that has full support on Windows and can be used to compile .NET applications locally.

Naturally, multiple exploitation frameworks have been developed to leverage many of the benefits to attackers listed above, with GhostPack and Covenant as some of most popular options. To combat this attack vector, high-performing organizations have been working to place constraints on the use of the C# throughout their environment by hardening endpoint execution policies and updating to modern solutions that have the latest detection capabilities. Specifically, organizations are enhancing logging regarding commonly leveraged methods used to execute malicious .NET assemblies such as “System.Reflection.Assembly.Load()”, “regsvr32.exe”, and “wmic.exe”. Additionally, organizations are logging abnormal activity surrounding the C# and F# scripting binaries “csi.exe” and “fsi.exe”. To counter this move, attackers are now obfuscating and compiling their own tools or even embedding them in other benign files.

Conclusion

In the continuous game of cat and mouse that is the offensive security field, security researchers and bad actors are always looking for ways to stay ahead of the curve. As we continue to move forward as an information security community, C# will likely fall victim to the path taken by PowerShell, but will be closely followed by another attack vector such as F#, IronPython, IronRuby or Boolang.

Blue teams, defenders and information security organizations should continuously work to stay current on the latest trends and technologies used by attackers to negate or reduce intrusion efforts.

How We Can Help

Protiviti assists organizations of all industries and sizes in identifying the exposures outlined in this post through cutting edge attack and penetration simulations.

To learn more about Protiviti’s attack and penetration capabilitiescontact us. 

Tom Stewart

Senior Director
Security and Privacy

View all posts

Cameron Byers

Senior Consultant
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More