Slashdot Mirror


Why Attackers Are Using C# For Post-PowerShell Attacks (forcepoint.com)

An anonymous Slashdot reader summarizes an article by a senior security researcher at Forcepoint Security Labs: Among cyber criminals, there has been a trend in recent years for using more so-called 'fileless' attacks. The driver for this is to avoid detection by anti-virus. PowerShell is often used in these attacks. Part of the strategy behind fileless attacks is related to the concept of 'living off the land', meaning that to blend in and avoid detection, attackers strive for only using the tools that are natively available on the target system, and preferably avoiding dropping executable files on the file system.

Recently, C# has received some attention in the security community, since it has some features that may make it more appealing to criminals than PowerShell. [Both C# and PowerShell use the .NET runtime.] A Forcepoint researcher has summarized the evolvement of attack techniques in recent years, particularly looking at a recent security issue related to C# in a .NET utility in terms of fileless attacks.

From the article: A recent example of C# being used for offensive purposes is the PowerShell/C# 'combo attack' noted by Xavier Mertens earlier this month in which a malware sample used PowerShell to compile C# code on the fly. Also, a collection of adversary tools implemented in C# was released. Further, an improved way was published for injecting shellcode (.NET assembly) into memory via a C# application.... Given recent trends it seems likely that we'll start to see an increased number of attacks that utilize C# -- or combinations of C# and PowerShell such as that featured in Xavier Mertens' SANS blog -- in the coming months.


  1. Disabling C# / Powershell by Anonymous Coward · · Score: 1

    Is it true that Linux doesn't use either C# nor Powershell?

    On the other hand, is there a way to disable C# / Powershell in windoze?

    Thanks !

    1. Re: Disabling C# / Powershell by datavirtue · · Score: 1

      C# is ubiquitous. Before long .NET Core will be everywhere. You still need the user to execute the code and provide permissions. This is stupid.

      --
      I object to power without constructive purpose. --Spock
  2. VB.net is much more secure than C# by aberglas · · Score: 1

    There has never been a single attack using VB.net.

    1. Re:VB.net is much more secure than C# by mfearby · · Score: 2

      That's because nobody with any self respect uses VB.NET ;-)

    2. Re:VB.net is much more secure than C# by Anonymous Coward · · Score: 1

      Ayup - All attacks depend on programmer stupidity, not computer language - PEBKAC is the mother of all issues.

    3. Re:VB.net is much more secure than C# by antdude · · Score: 1

      Nah. Original VB & C R more secured. [grin]

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    4. Re:VB.net is much more secure than C# by OzPeter · · Score: 1

      Ayup - All attacks depend on programmer stupidity, not computer language - PEBKAC is the mother of all issues.

      Whoosh

      --
      I am Slashdot. Are you Slashdot as well?
    5. Re: VB.net is much more secure than C# by datavirtue · · Score: 1

      Yeah. You lose that much respect for yourself and before you know it you are writing apps in VB.NET's bitchy toothless cousin, Python.

      --
      I object to power without constructive purpose. --Spock
  3. If you have access to Powershell the rest is moot by Anonymous Coward · · Score: 1

    Powershell itself can curl anything and execute anything. Or run Node, most systems have it because most apps need it. Or just download python and hack the planet with __pythonicpower__

    It has the same power as any basic Linux shell. So singling out C# is entirely moot, and I question the motivation behind doing so.

  4. Re:Filtered inputs by gweihir · · Score: 1

    They probably will discover this as a "new" idea in 10 to 20 years or so. MS and its community are always far, far behind.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  5. Wait what? by Anonymous Coward · · Score: 1

    Installing powershell implies installing a ceehash compiler?

    Next you're gonna tell me there's a complete IDE hidden in the dotnet runtime crapolade. Which of the runtimes adds a hidden mail client, and which a hidden html browser?

    1. Re: Wait what? by Anonymous Coward · · Score: 1

      In-memory compilation is part of the runtime, no compiler needed.

    2. Re: Wait what? by CustomSolvers2 · · Score: 3, Insightful

      In-memory compilation is part of the runtime, no compiler needed.

      It is logical to expect all the compilation to be performed by a compiler, regardless of it being included in the main runtime. But even though, you seem to assume that the .NET runtime (+ PowerShell) is installed by default everywhere, when this is only the case with Windows. For other OSs, there will have to be a specific installation and the resulting environment is likely to have lots of limitations with respect to the Windows one.

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
  6. Logical but impractical by CustomSolvers2 · · Score: 1

    Both PowerShell and C# (or any other .NET language) are Microsoft environments allowing to have a relatively easy access to any part of Windows. On the other hand, they seem to have a notable disadvantage with respect to other (compiled) languages to perform actions of this sort: you can get the source code either right away or after a quite straightforward decompilation process.

    Even though I am not related to all the virus/vulnerability/invasion/damaging world at all (I just build, grow and share :)), it seems that relying on .NET/PowerShell isn't the most efficient/practical proceeding but the easiest one.

    --
    Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    1. Re: Logical but impractical by CustomSolvers2 · · Score: 1

      Powershell and .net are now cross platform and have been for a while.

      In which part of my post have I said otherwise? My point wasn't about where you can use them, but what is their advantage with respect to other alternatives. And as per my impression, their only advantage is being able to easily access anything in Windows. They work on other OSs (although their compatibility isn't immediate, some software has to be installed; not a requirement in Windows as far as .NET/PowerShell are installed by default), but what would be the point of using them there?

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
  7. Seems pretty obvious. by Gravis+Zero · · Score: 1

    When in Rome, do as the Romans do.

    It is advisable to follow the conventions of the area you are in lest you draw attention to yourself... like from an antivirus application. This is an infiltration game on the binary level so it's best to look the part of an innocuous application.

    --
    Anons need not reply. Questions end with a question mark.
  8. We're becoming more and more idiots by Anonymous Coward · · Score: 4, Insightful

    Fileless my ass. Fileless means the browser downloads the thing and puts it somewhere (RAM, possibly cache) and then executes it. This somehow becomes "magic" to the so-called "experts" -- "fileless". Wow.

    Ever more often, I find it difficult to be proud of my trade. I then tell people I'm "shepherd", or "cook" or "carpenter". Or perhaps "fisher".

    1. Re:We're becoming more and more idiots by Hognoxious · · Score: 2

      When you start claiming to be a realtor or a lawyer it's definitely time to quit.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    2. Re:We're becoming more and more idiots by Zontar+The+Mindless · · Score: 5, Funny

      Used to have a friend on here whose sig was, "Please don't tell Mama I'm a sysadmin—she thinks I play the piano in a whorehouse."

      --
      Il n'y a pas de Planet B.
    3. Re:We're becoming more and more idiots by Anonymous Coward · · Score: 1

      Fileless my ass. Fileless means the browser downloads the thing and puts it somewhere (RAM, possibly cache) and then executes it. This somehow becomes "magic" to the so-called "experts" -- "fileless". Wow.

      Technically, you're right, it's not "fileless" -- there's always a file of some sort, somewhere.

      In this particular context, fileless means "not dropping executable files on the victim's system", e.g., pulling in some source code from somewhere (the Internet, a network share, etc.) and then compiling it and executing it.

    4. Re:We're becoming more and more idiots by Tablizer · · Score: 1

      sig was, "Please don't tell Mama I'm a sysadmin—she thinks I play the piano in a whorehouse."

      It's not necessarily mutually exclusive. During an econ slump, I almost took an IT job at a Web porn outfit.

    5. Re: We're becoming more and more idiots by zachriggle · · Score: 1

      Are you saying fileless / in-memory only exploitation, post-exploitation don't exist?

      Welcome to 2002, go read about any exploit kit from the past decade.

    6. Re:We're becoming more and more idiots by blincoln · · Score: 2

      If malicious content isn't written to disk[1], it's much less likely to be picked up by AV/antimalware components, because most of those hook into file read/write operations within the OS for their real-time protection. Additionally, this technique can sometimes be used to bypass application-whitelisting tools, if it's a tool already on the whitelist which is injecting the malicious code into process memory. That's why it's treated as something special/"magic".

      Post-exploitation tools that avoid writing malicious code to disk are inherently different from more basic tools which *do* write the code to disk. If not "fileless", how would you suggest referring to them?

      [1] Doesn't matter if it's magnetic media, SSD, RAM disk, etc., but it needs to be something the OS considers a "disk", not just a random place in memory.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  9. Re:Because they need a toy language? by gweihir · · Score: 1

    And if that were a grammar error, you would be right. It is a typo. Makes you a dumb spelling Nazi though, with obviously nothing worthwhile to contribute.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  10. Re:Because they need a toy language? by OzPeter · · Score: 4, Insightful

    Shell, even the dumbed-down "Power"-shell seems to be too hard for them to code in....

    It sounds like you have never experienced the joys of powershell programming. Dumbed-down is not an adjective I'd be using so flippantly.

    --
    I am Slashdot. Are you Slashdot as well?
  11. Re: Because they need a toy language? by 50000BTU_barbecue · · Score: 1

    When a narcissist is caught, that's when.

    --
    Mostly random stuff.
  12. Re:Because they need a toy language? by 50000BTU_barbecue · · Score: 1

    Just face it, you're nowhere near as smart as your auto-fart-smelling over the last few years makes you think.

    --
    Mostly random stuff.
  13. Re: Because they need a toy language? by gweihir · · Score: 1

    To soft key-press on the second o. What else? Happens to me all the time.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  14. Re:Because they need a toy language? by gweihir · · Score: 1

    You wish. And you should stop deducing from yourself what others may do...

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  15. Whoa.... by bondsbw · · Score: 1

    This must literally be THE FIRST TIME EVER we realized admin privileges can allow the user to execute arbitrary scripts.

    Oh noes!

    --
    All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  16. Re: If you have access to Powershell the rest is m by datavirtue · · Score: 1

    Found the python developer

    --
    I object to power without constructive purpose. --Spock
  17. Re: Because they need a toy language? by datavirtue · · Score: 1

    You can actually avoid the brain dead powershell syntax and leverage the entire .NET namespace directly. In fact, given the sloppy nature of Windows system admins I recommend it since you never know what fucking powershell version is going to be on a particular server.

    --
    I object to power without constructive purpose. --Spock