Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why Attackers Are Using C# For Post-PowerShell Attacks (forcepoint.com)

Posted by EditorDavid on from the safety-.NET dept.

An anonymous Slashdot reader summarizes an article by a senior security researcher at Forecepoint Security Labs: Among cyber criminals, there has been a trend in recent years for using more so called 'fileless' attacks. The driver for this is to avoid detection by anti-virus. PowerShell is often used in these attacks. Part of the strategy behind fileless attacks is related to the concept of 'living off the land', meaning that to blend in and avoid detection, attackers strive for only using the tools that are natively available on the target system, and preferably avoiding dropping executable files on the file system.

Recently, C# has received some attention in the security community, since it has some features that may make it more appealing to criminals than PowerShell. [Both C# and Powershell use the .NET runtime.] A Forcepoint researcher has summarized the evolvement of attack techniques in recent years, particularly looking at a recent security issue related to C# in a .NET utility in terms of fileless attacks.
From the article: A recent example of C# being used for offensive purposes is the PowerShell/C# 'combo attack' noted by Xavier Mertens earlier this month in which a malware sample used PowerShell to compile C# code on the fly. Also, a collection of adversary tools implemented in C# was released. Further, an improved way was published for injecting shellcode (.NET assembly) into memory via a C# application.... Given recent trends it seems likely that we'll start to see an increased number of attacks that utilize C# -- or combinations of C# and PowerShell such as that featured in Xavier Mertens' SANS blog -- in the coming months.

7 of 92 comments (clear)

  1. Re:VB.net is much more secure than C# by mfearby · · Score: 2

    That's because nobody with any self respect uses VB.NET ;-)

  2. We're becoming more and more idiots by Anonymous Coward · · Score: 4, Insightful

    Fileless my ass. Fileless means the browser downloads the thing and puts it somewhere (RAM, possibly cache) and then executes it. This somehow becomes "magic" to the so-called "experts" -- "fileless". Wow.

    Ever more often, I find it difficult to be proud of my trade. I then tell people I'm "shepherd", or "cook" or "carpenter". Or perhaps "fisher".

    1. Re:We're becoming more and more idiots by Hognoxious · · Score: 2

      When you start claiming to be a realtor or a lawyer it's definitely time to quit.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    2. Re:We're becoming more and more idiots by Zontar+The+Mindless · · Score: 5, Funny

      Used to have a friend on here whose sig was, "Please don't tell Mama I'm a sysadmin—she thinks I play the piano in a whorehouse."

      --
      Il n'y a pas de Planet B.
    3. Re:We're becoming more and more idiots by blincoln · · Score: 2

      If malicious content isn't written to disk[1], it's much less likely to be picked up by AV/antimalware components, because most of those hook into file read/write operations within the OS for their real-time protection. Additionally, this technique can sometimes be used to bypass application-whitelisting tools, if it's a tool already on the whitelist which is injecting the malicious code into process memory. That's why it's treated as something special/"magic".

      Post-exploitation tools that avoid writing malicious code to disk are inherently different from more basic tools which *do* write the code to disk. If not "fileless", how would you suggest referring to them?

      [1] Doesn't matter if it's magnetic media, SSD, RAM disk, etc., but it needs to be something the OS considers a "disk", not just a random place in memory.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  3. Re: Wait what? by CustomSolvers2 · · Score: 3, Insightful

    In-memory compilation is part of the runtime, no compiler needed.

    It is logical to expect all the compilation to be performed by a compiler, regardless of it being included in the main runtime. But even though, you seem to assume that the .NET runtime (+ PowerShell) is installed by default everywhere, when this is only the case with Windows. For other OSs, there will have to be a specific installation and the resulting environment is likely to have lots of limitations with respect to the Windows one.

    --
    Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
  4. Re:Because they need a toy language? by OzPeter · · Score: 4, Insightful

    Shell, even the dumbed-down "Power"-shell seems to be to hard for them to code in....

    It sounds like you have never experienced the joys of powershell programming. Dumbed-down is not an adjective I'd be using so flippantly.

    --
    I am Slashdot. Are you Slashdot as well?