Why Attackers Are Using C# For Post-PowerShell Attacks (forcepoint.com)
An anonymous Slashdot reader summarizes an article by a senior security researcher at Forcepoint Security Labs:
Among cyber criminals, there has been a trend in recent years for using more so called 'fileless' attacks. The driver for this is to avoid detection by anti-virus. PowerShell is often used in these attacks. Part of the strategy behind fileless attacks is related to the concept of 'living off the land', meaning that to blend in and avoid detection, attackers strive for only using the tools that are natively available on the target system, and preferably avoiding dropping executable files on the file system.
Recently, C# has received some attention in the security community, since it has some features that may make it more appealing to criminals than PowerShell. [Both C# and Powershell use the .NET runtime.] A Forcepoint researcher has summarized the evolvement of attack techniques in recent years, particularly looking at a recent security issue related to C# in a .NET utility in terms of fileless attacks.
From the article: A recent example of C# being used for offensive purposes is the PowerShell/C# 'combo attack' noted by Xavier Mertens earlier this month in which a malware sample used PowerShell to compile C# code on the fly. Also, a collection of adversary tools implemented in C# was released. Further, an improved way was published for injecting shellcode (.NET assembly) into memory via a C# application.... Given recent trends it seems likely that we'll start to see an increased number of attacks that utilize C# -- or combinations of C# and PowerShell such as that featured in Xavier Mertens' SANS blog -- in the coming months.
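As an added, defender-side example (not code from the Forcepoint article, the summary, or any commenter): a small Python detector that scans constructed, Sysmon-style process-creation records for the pattern the summary describes, PowerShell compiling C# on the fly. It assumes two signals: csc.exe launched with a PowerShell parent (which is what Add-Type does when handed inline C#), and Add-Type with -TypeDefinition or -MemberDefinition in a PowerShell command line. The key=value log layout, the file paths and the field names are constructed for this example, not taken from real telemetry.

```python
"""Flag PowerShell-driven on-the-fly C# compilation in process-creation logs.

Added example: the records below are constructed in a Sysmon-like
Image / ParentImage / CommandLine key=value layout (not real telemetry).
"""
import re
from dataclasses import dataclass

# Constructed sample: four process-creation records, one per line.
SAMPLE_LOG = r'''
Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="powershell.exe -NoProfile"
Image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" ParentImage="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="csc.exe /noconfig /fullpaths @C:\Users\user\AppData\Local\Temp\abcd.cmdline"
Image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" ParentImage="C:\Tools\MSBuild.exe" CommandLine="csc.exe /noconfig @C:\build\app.rsp"
Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\System32\cmd.exe" CommandLine="powershell.exe -c Add-Type -TypeDefinition $src"
'''

# PowerShell host binaries (Windows PowerShell, PowerShell Core, the ISE).
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Add-Type compiles inline C# when given -TypeDefinition or -MemberDefinition.
ADD_TYPE_RE = re.compile(r"add-type\b.*-(typedefinition|memberdefinition)\b", re.IGNORECASE)

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    line_no: int
    reason: str


def parse_record(line: str) -> dict:
    """Turn one key=value record into a dict, stripping the value quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(log_text: str) -> list:
    """Return a Finding for every record matching one of the two signals."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        rec = parse_record(line)
        image = basename(rec.get("Image", ""))
        parent = basename(rec.get("ParentImage", ""))
        cmd = rec.get("CommandLine", "")
        # Signal 1: the C# compiler started by a PowerShell parent.
        if image == "csc.exe" and parent in POWERSHELL_IMAGES:
            findings.append(Finding(n, "csc.exe spawned by PowerShell"))
        # Signal 2: inline C# handed to Add-Type on the PowerShell command line.
        elif image in POWERSHELL_IMAGES and ADD_TYPE_RE.search(cmd):
            findings.append(Finding(n, "Add-Type inline C# in PowerShell command line"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"record {f.line_no}: {f.reason}")
```

The third record, csc.exe under a build tool, is included deliberately: compiler launches are routine on developer machines, so the parent-process check is what separates the summary's "compile C# on the fly from PowerShell" case from normal builds, and a real deployment would carry an allow-list of expected parents rather than the single hard-coded set here.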
Is it true that Linux doesn't use either C# or Powershell?
On the other hand, is there a way to disable C# / Powershell in windoze?
Thanks !
so even you can do this. yes, you can. believe in yourself.
Well, don't any Windows programmers filter and validate their inputs?
There has never been a single attack using VB.net.
Powershell itself can curl anything and execute anything. Or run Node, most systems have it because most apps need it. Or just download python and hack the planet with __pythonicpower__
It has the same power as any basic Linux shell. So singling out C# is entirely moot, and I question the motivation behind doing so.
Shell, even the dumbed-down "Power"-shell seems to be too hard for them to code in....
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Installing powershell implies installing a ceehash compiler?
Next you're gonna tell me there's a complete IDE hidden in the dotnet runtime crapolade. Which of the runtimes adds a hidden mail client, and which a hidden html browser?
Both PowerShell and C# (or any other .NET language) are Microsoft environments allowing relatively easy access to any part of Windows. On the other hand, they seem to have a notable disadvantage with respect to other (compiled) languages to perform actions of this sort: you can get the source code either right away or after a quite straightforward decompilation process.
:)), it seems that relying on .NET/PowerShell isn't the most efficient/practical proceeding but the easiest one.
Even though I am not related to all the virus/vulnerability/invasion/damaging world at all (I just build, grow and share
Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
When in Rome, do as the Romans do.
It is advisable to follow the conventions of the area you are in lest you draw attention to yourself... like from an antivirus application. This is an infiltration game on the binary level so it's best to look the part of an innocuous application.
Anons need not reply. Questions end with a question mark.
Fileless my ass. Fileless means the browser downloads the thing and puts it somewhere (RAM, possibly cache) and then executes it. This somehow becomes "magic" to the so-called "experts" -- "fileless". Wow.
Ever more often, I find it difficult to be proud of my trade. I then tell people I'm "shepherd", or "cook" or "carpenter". Or perhaps "fisher".
The novelty is that this virus has garbage collection that cleans the unused shit.
the evolvement???
...is when they start blocking any compilers from ever running or generating anything executable without explicit interactive permission input from the user. Oh user convenience over system security, yeah about that.
See subject: To add to what you said (truth)? If they can't determine words or phrases from w/in the context in which they're used TROLLS have the problem (proving the SHOCKINGLY LIMITED INTELLIGENCE their "by-rote only" PUNY BRAINS they are afflicted with - including using "scriptkiddie" languages (limited also)).
* HOWEVER - in fairness - most every language out there is Object.Property Method so grasping most ANY of them is simple enough (know the question "I know how to do it in C++ or Object Pascal - how to do the same thing in (insertX language here)" really - but, what I don't get is WHY use tools that are limited to only certain things when "the bigboys" like C++ or Object Pascal pretty much DO IT ALL instead?).
APK
P.S.=> The rest is merely knowing the principles of solid software engineering & designwork (which you won't get minus @ least a course in datastructures educationally OR reading up on it & mastering those principles)... apk
This must literally be THE FIRST TIME EVER we realized admin privileges can allow the user to execute arbitrary scripts.
Oh noes!
All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
Who did it 1st: China or me? I did - dates are my proof http://theregister.co.uk/2017/... w/ the FACT China rampantly STEALS U.S. Intellectual properties & military secrets!
* IMITATION truly IS the SINCEREST FORM of FLATTERY!!!
(... & proves hosts work vs. DNS faults in tracking you via dns request logs (since you avoid it & resolve FASTER locally using hosts) + DNS being downed OR Kaminsky REDIRECT security flaw misdirected poisoned (or vs. DNSChanger))
APK
P.S.=> Let me tell you ALL 1 thing: It's NOT EASY being "World-Class" like me (lol - 100,000++ users prove it for me) - enjoy the fruits of my labors for FREE + going FASTER/SAFER/MORE RELIABLY online (w/ a bit more anonymity too via my program)... apk
I question your reading comprehension, as your question is answered right there in the summary.
They're 'living off the land' and not downloading big packages, and powerhell-into-Cflat doesn't require a big install process like, oh say, python for windows.
Illiterate moron. Fetch me some grits.
See subject: Via APK Hosts File Engine 2.0++ 64-bit for Linux/BSD h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p
Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less.
Vs. "Bolt on 'MoAr' illogic-logic" slowing you hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploitation!
* ONLY 1 of its kind in GUI 4 Linux/BSD!
(Better vs. Windows model in speed/efficiency/merge)
APK
P.S.=> Protects vs. script trackers/ads/DNS request tracking + redirect poisoned or downed DNS/botnets/malware downloads/malcript/email malicious payloads... apk
Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017
Your premise that hostfiles are a good way to deal with advertising and malvertising is quite valid - by JazzLad April 20, 2016
his hosts program is actually pretty good by xenotransplant August 10 2015
his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015
I like your host file system by Karmashock September 09 2015
that APK guy, I use his host file by rogoshen1 Tuesday March 03, 2015
I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017
* Linux model = faster/more efficient!
APK
P.S.=> APK Hosts File Engine 9.0++ SR-1 32/64-bit for Windows https://www.google.com/search?...
"It's working: Neville... it's working!" See subject & results from THIS past month alone https://it.slashdot.org/commen... & https://it.slashdot.org/commen... + https://it.slashdot.org/commen... + https://it.slashdot.org/commen... https://it.slashdot.org/commen... that's only recently while I've been on Linux (few months now only) & 100's of times vs. MANY other botnets/malwares etc. in the past circa 2006-early 2018 while I was on Windows: CONCRETE VISIBLE UNDENIABLE REALITY (see those links as proof).
P.S.=> ... & that's ONLY what /. reported on (there are FAR more)... apk
"classic Windows hosts trick to block the Coinhive or Crypto-Loot domains" - https://www.bleepingcomputer.com/news/security/a-new-player-joins-coinhive-on-the-browser-cryptojacking-scene/ - BLEEPING COMPUTER
ZD NET http://www.zdnet.com/article/how-to-use-a-hosts-file-to-improve-your-internet-experience/ "Hosts files really shine by letting you block ads, spyware sites, malware sites, & tracking sites"
SANS ("A related approach to the DNS issue is to create a hosts file on each system that sends requests for spyware to some place else. Both Ramu and an anonymous reader have suggested this" hosts by myself & RAMU right @ START of "malware explosion" mid 2005 on) https://isc.sans.edu/forums/di...
Aryeh Goretsky/ESET/NOD32: hosts = good security http://it.slashdot.org/comments.pl?sid=7442373&cid=49747129/
Oliver Day (SYMANTEC/SECURITYFOCUS) http://www.securityfocus.com/columnists/491/
APK
P.S.=> See subject: For BOTH added SPEED & SECURITY ... apk
Language agnostic here. If you have anything that lets me write code on your box I will fuck your shit up.
Found the python developer
I object to power without constructive purpose. --Spock
Never listen to lying retard Alexander Peter Kowalski
Like how he claims the Chinese copied him but can't produce any evidence.
How about when he states that hosts does port filtering but again can't backup his statement which was shown to be false.
There is also his list of "experts" who support him but it turns out they don't say what he is claiming.
This also ignores his out of context quotes he uses to lie by omission.
The problem with APK is that his entire reputation is built upon the lie he told years ago that hosts is an effective security solution. It has been exposed numerous times as being a lie and when exposed APK fails to argue logically and instead will try to deflect criticism, change the subject, move the goal posts, return to a previously disproven statement, demand you prove you did better than his file concatenator, or just call people names. Expect that he will use these tactics to try to deflect from these criticisms. He will continue to lie by stating that he won or "dusted" you while failing to refute anything you said, will never provide real evidence, and generally try to dodge the issue.
Face it APK is one of the most detested individuals here for good reason. Whenever his poor behavior, awful logic, over statements, and horrendous writing are called out he has a fit and has done so for years across the internet. He is a spammer, and is an abusive insecure little man who is washed up and never amounted to anything. Until he produces actual verifiable facts supporting his case nothing he says should be taken seriously.
See subject & 2 questions you won't answer: 1.) Do hosts stop threats served by hostname (the way threats are done most) by blocking them? Yes. 2.) Do hosts speed you up 2 ways in adblocking (preventing more infection/tracking/slowdown) & via hardcoded favorite sites resolving faster + protecting vs. dns down or redirect poisoned? Yes.
My hosts program's the only 1 that does the latter @ TOP of hosts cached in RAM (for best performance) & only 1 of its kind on Linux/BSD in easy to use flexible configuration GUI form.
(I also did that latter part LONG before the Chinese & 1st http://theregister.co.uk/2017/... )
APK
P.S.-> Have you done work that's that effective doing more for less faster in kernelmode speed (cpu priority) w/ less complexity for exploit + excess overheads vs. solutions KNOWN to be security-issue riddled (like addons (souled-out to NOT work by default OR easily detected & blocked that are BYPASSABLE & EXPLOITABLE), DNS & Antivirus)? No... apk
"classic Windows hosts trick to block the Coinhive or Crypto-Loot domains" - https://www.bleepingcomputer.com/news/security/a-new-player-joins-coinhive-on-the-browser-cryptojacking-scene/ - BLEEPING COMPUTER
ZD NET http://www.zdnet.com/article/how-to-use-a-hosts-file-to-improve-your-internet-experience/ "Hosts files really shine by letting you block ads, spyware sites, malware sites, & tracking sites"
SANS ("A related approach to the DNS issue is to create a hosts file on each system that sends requests for spyware to some place else. Both Ramu and an anonymous reader have suggested this" hosts by myself & RAMU right @ START of "malware explosion" mid 2005 on) https://isc.sans.edu/forums/di...
Aryeh Goretsky/ESET/NOD32: hosts = good security http://it.slashdot.org/comments.pl?sid=7442373&cid=49747129/
Oliver Day (SECURITYFOCUS) http://www.securityfocus.com/columnists/491/
APK
P.S.=> Anyone can read those & from their sources + decide for yourselves (you fail liar)... apk
Arstechnica = losers who stalked me (as you do now anonymously unidentifiably) to NTCompatible.com & Windows IT Pro magazine forums to their public dismay in Jeremy Reimer & Jay Little + Jarrett DeAngelis (who posts here on /. until I drove his ass off too) when their websites were REMOVED by their hosting providers in Shaw Canada & CrystalTech (for both email harassing me caught on a tracking ticket + stalking me & posting lies about me on them AFTER I destroyed them both PUBLICLY @ Windows IT Pro on Exchange Servers memory being freed UNHALTING them (which tells you Exchange is HEAVILY POINTER ORIENTED linked list driven, which leads to memory fragmentation that CAN halt a serverware)).
Jay Little the "self-proclaimed 'EXCHANGE EXPERT'" HAD TO CONCEDE IT from MICROSOFT'S OWN DOCUMENTATION proving it FOR me there (where they as usual stalked me AS YOU ARE NOW)
Peter Bright/Dr. Pizza (alias GOITERMAN, lol) can tell you what happened to his IRC server after that (lol).
"The great arseHOLEtechnica" (not) RUN OUT of their own server chatrooms hahaha (by "yours truly").
APK
P.S.=> In effete retaliation they edited my posts & impersonated me on their little playpen of UNDERACHIEVER losers... apk
Ask him WHY his false accusation of an old ware of mine was 1st taken down to NO threat & CA sold off the SHITTY antivir he sold (as a paid pawn of theirs) & they are GONE, done. dead... lol!
Lookup "CA Accounting Scandal" on Google - scumbags & THEIR BIRDS OF A FEATHER just go down vs. me every time!
APK
P.S.=> He's nothing but a BLOATED FAT pig of a lying LOSER from podunk idaho... apk
Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017
Your premise that hostfiles are a good way to deal with advertising and malvertising is quite valid - by JazzLad April 20, 2016
his hosts program is actually pretty good by xenotransplant August 10 2015
his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015
I like your host file system by Karmashock September 09 2015
that APK guy, I use his host file by rogoshen1 Tuesday March 03, 2015
I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017
* EAT YOUR WORDS liar!
APK
P.S.=> Tell us, how do they taste? Like your FOOT in your MOUTH?? apk
Apk has the answer for that - really... kill automatic updates by adding a hosts file entry setting updates.steam.com or whatever to 127.0.0.1. You have to find the right hostname for each software you want to block updates on by raymorris (2726007) on Friday July 06, 2018
APK your posts on this and the hosts file posts, and more, have never been in error and/or bad advice by BlueStrat (756137) on Wednesday June 21, 2017
I support APK's stand on the hosts file and can't see why it's not used more than it is. My hosts file is 144247 lines long (4,332 Kb) it & a firewall serves me very well - by Trax3001BBS (2368736)
ABP is insufficient as a solid hosts file does everything APK reminds us about fast turtle September 17 2013
You need APK's hosts file - by Teun (17872) on Wednesday August 06, 2014
APK
P.S.=> You EATING YOUR WORDS != GOOD NUTRITION... apk
APK solution STILL relevant Thud457 June 11 2015
Actually, APK is totally right on this count. Adblock Plus on Firefox mobile is a dog on older, or lower end, phones. A hostfile based adblocker makes for a much better experience in this context. Of course, your phone has to be rooted, which isn't the case with Firefox + adblock." - by chihowa on Saturday May 16, 2015
In a footnote, I would like to note that I find your hosts file admirable - by vel-ex-tech (4337079) on Tuesday November 24, 2015
APK's monolithic hosts file is looking pretty good at the moment - by Culture20 on Thursday November 17
you're right about hosts files - by drinkypoo (153816) on Thursday May 26
APK, I know people give you a lot of shit regarding hosts, but please don't ever stop - by nasredin (958927) on Friday June 12, 2015 @03:34PM
APK
P.S.=> More coming: Are you ENJOYING the taste of EATING YOUR WORDS yet?... apk
I say the following as a caring human being who agrees with how useful HOSTS files are: Your zeal is to be respected - by dave420 (699308) on Monday September 08, 2014
But I love APK!The power of the hostfile compels you! by ratboy666 (104074) on Friday January 29, 2016
APK was right all along! C:\WINDOWS\HOSTS is the solution ;) - by sabri (584428) on Friday October 21, 2016
No complaints from me, I like APK's spam. Reminds me to use a host file. Also, his stuff is free. - by aaaaaaargh! (1150173) on Tuesday November 17, 2015
I'm a fan of apk. Yes he trolls, but he only trolls where it's contextually appropriate. I respect that - by Noah Haders (3621429) on Wednesday July 29, 2015
APK
P.S.=> Those words of yours YOU'RE EATING: You choking on them yet? apk
the Host File Engine performs exactly as promised - by mmell (832646) on Thursday February 16, 2017
(APK) is still right a hosts file really does work. It even blocked some of the video ads that were inserted into a stream OrangeTide February 10 2016
I do use APK's host file on all my systems at home by OrangeTide December 01 2017
I've never tried to belittle (APK's work), I've flat out said it's good - by BronsCon (927697) on Thursday February 11, 2016 @06:48PM (#51491263)
APK
P.S.=> YOU'RE OUTNUMBERED DOZENS TO 1 - toss on 100,000++ users of my program worldwide too & SEE SUBJECT: JUST FOR "GOOD MEASURE"... apk
Notice how Alexander Peter Kowalski fails to actually refute any thing that was critical of him and instead only further proves he is a retard. He first attempts to deflect away by asking questions that have been answered previously, but he didn't like the answers, as he tries to construct a strawman argument. He also decides to repeat a lie over and over again because Alex thinks that might make it true. Then the mental midget reposts the same links to experts that have been shown to not support his claims, again hoping that this time it isn't a lie. Next there is the rage against people who had previously embarrassed him for being the asshole he is, yet they are successful and APK is stuck being the retarded spammer of slashdot. Finally he goes all in on reposting the out of context quotes from slashdot users some of whom have told him to not quote them. These quotes are used to lie by omission as was previously stated and Mr. Kowalski just can't accept that truth either.
Now everyone can see that the retard Alex Kowalski just can't stop lying. Whenever people tell the truth you will feel the rage and you will be stalked and harassed by him so it is best to post anonymously. APK goes to great lengths to track people down in real life just to continue to be an asshole to them because he got exposed as the fraudster he is. For a good laugh all one needs is to google AlecStaar and ArsTechnica and see his long history of making a total ass of himself. Maybe Alexander Peter Kowalski can blame his continued failure on Zontar The Mindless, Hillary Clinton, c6gunner, Arth1, George Soros, Whipslash, OlOsoc, Khyber, Mark Zuckerberg, JustAnotherOldDude, or any of the other people on his ever growing enemy list.
C# and Powershell originated in the Microsoft push to Enterprise/Government customers.
... there's a chance this could be reflecting that malicious code is being written by salaried employees, under a fluorescent light, in Cincinnati (or someplace like that) by departments of large organizations far removed from any awareness of any adverse effects they are making.
If malicious attacks involve C#/PS more frequently
You're the one STALKING me (by UNIDENTIFIABLE anonymous) & I can offer no BETTER proofs than 6 sets of registered /.ers good opinions of it who like & use it (w/ 100,000++ users worldwide) https://games.slashdot.org/com... https://games.slashdot.org/com... https://games.slashdot.org/com... https://games.slashdot.org/com... https://games.slashdot.org/com... https://games.slashdot.org/com...
+ RESULTS OF ITS EFFICACY FOR SECURITY recently (very partial list only vs. botnets & malware) https://tech.slashdot.org/comm...
& of course SECURITY PROS opinions on hosts being effective for more SECURITY + SPEED too https://tech.slashdot.org/comm...
PLUS even CHINA imitated PART of what my program does vs. DNS down or redirect poisoned & I did it 1st (only hosts program that does this part which also lets you RESOLVE FASTER from LOCAL system RAM + protects you vs. DNS requestlog tracking) https://tech.slashdot.org/comm...
APK
P.S.=> Let's see YOU do better ... apk
MOV is Turing complete dumbass.
Now retard Alexander Peter Kowalski finally admits he has nothing but out of context quotes, a list that shows hosts failing to prevent attacks, links to security researchers who don't say what he thinks, and some wild ass speculation on his part. He always fails to refute any criticism and can only repeat things that have been shown time and time again to be false. This is why APK is a loser who has never amounted to anything. It is hard to claim victory when one is such a failure and all of their evidence has been shot to pieces. The only thing that could make him a bigger failure would be if he counted having one of his shitty ideas rejected by some other project and tried to say that it was an example of his success. Wait Alexander Peter Kowalski did just that with the ultra defrag project because he is a total loser. Maybe he can now go over to 4chan and reddit and spam there instead. Maybe now APK can start posting unsigned in support of himself in a poor attempt to make it look like he has some support.
"I'll THINK about it..." https://www.youtube.com/watch?...
* Running BACKWARDS I outdistance you - by MILES...
APK
P.S.=> NEVER will happen... apk