Advances in detections for offensive PowerShell set the stage for an epic tradecraft migration into C#. Now, with the inclusion of more advanced AMSI (Antimalware Scan Interface) functionality in .NET 4.8, offensive C# tactics look to migrate so as to not become obsolete. Offensive DLR (Dynamic Language Runtime) not only makes AMSI and ScriptBlock Logging detections a distant thought, but it also allows threat actors to access the power of .NET libraries with simple scripting languages like IronPython. Influential development clusters within the security community have already begun weaponizing offensive DLR, and it won’t be long before adversaries look to migrate their .NET narrative to match.
PowerShell, the Holy Grail
PowerShell is thought of by many red teamers as the holy grail of offensive .NET tradecraft. This is in part because it is a scripting language, installed on endpoints by default, that allows in-memory injection and can interact directly with .NET APIs. The problem is that offensive PowerShell has become highly detectable through security features like AMSI and ScriptBlock Logging, or is limited by constrained language mode. Even though bypass methods exist for PowerShell detections, the results are typically less than ideal. These advances in detection caused a migration of tradecraft which gave birth to offensive C# tools like Covenant C2. Many of these tool systems aimed to replicate functionality found in popular offensive PowerShell systems, just ported to C#. To compound this idea, many developers who originally authored those offensive PowerShell systems also authored the new C# tools.
What is .NET?
Maybe right now is a good time to step back and look at what .NET actually is. ".NET Framework (pronounced as "dot net") is a software framework developed by Microsoft that runs primarily on Microsoft Windows. It includes a large class library named as Framework Class Library (FCL) and provides language interoperability (each language can use code written in other languages) across several programming languages. Programs written for .NET Framework execute in a software environment (in contrast to a hardware environment) named the Common Language Runtime (CLR)."
Trouble in C# Paradise
One of the biggest problems for offensive C#, besides overhead, came with the release of .NET 4.8 and its increased anti-malware functionality. "In previous versions of .NET Framework, Windows Defender or third-party antimalware software would automatically scan all assemblies loaded from disk for malware. However, assemblies loaded from elsewhere, such as by using Assembly.Load(byte), would not be scanned and could potentially carry viruses undetected. .NET Framework 4.8 on Windows 10 triggers scans for those assemblies by Windows Defender and many other antimalware solutions that implement the Antimalware Scan Interface. We expect that this will make it harder for malware to disguise itself in .NET programs."
What is DLR?
"The purpose of the DLR (Dynamic Language Runtime) is to enable a system of dynamic languages to run on the .NET Framework and give them .NET interoperability." So that's the legitimate purpose, but what opportunities does this grant adversaries? DLR allows the embedding of compilers/engines within other .NET languages (e.g. PowerShell and C#) while still remaining Opsec safe and executing in memory. This vector also allows threat actors to access the power of .NET libraries with simple scripting languages like IronPython, IronRuby and Boo. Lastly, evasion benefits are greatly increased: "all your 'evil' can be coded in the language of your embedded engine/compiler. If you do this using PowerShell, ScriptBlock Logging sees nothing since all the magic happens in the DLR."
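Because the script content itself never reaches ScriptBlock Logging, one signal defenders still have is the DLR engine assembly being mapped into a host that has no business embedding one. The following is an added illustration (not code from the article or from SILENTTRINITY): a small rule over constructed Sysmon Event ID 7 (ImageLoaded) records. The assembly names are taken from the IronPython/IronRuby distributions and the list of expected hosts is a hypothetical per-estate allowlist; both are assumptions, not facts from the article.

```python
"""Flag DLR engine assemblies loaded into unexpected host processes.

Added example, not from the article. Works over constructed Sysmon
Event ID 7 (ImageLoaded) records; assembly names and the expected-host
allowlist are assumptions to be tuned for a real environment.
"""
from dataclasses import dataclass

# DLR runtime / engine assemblies shipped with IronPython and IronRuby (assumed names).
DLR_ASSEMBLIES = {
    "microsoft.scripting.dll", "microsoft.dynamic.dll",
    "ironpython.dll", "ironpython.modules.dll", "ironruby.dll",
}

# Hosts that legitimately embed a DLR engine in this hypothetical estate.
EXPECTED_HOSTS = {"ipy.exe", "ipy64.exe", "ir.exe"}


@dataclass(frozen=True)
class ImageLoad:
    image: str         # host process, Sysmon 'Image'
    image_loaded: str  # module that was mapped, Sysmon 'ImageLoaded'


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows (or mixed) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_dlr_load(ev: ImageLoad) -> bool:
    """True when a DLR engine assembly lands in a process not expected to host one."""
    return (basename(ev.image_loaded) in DLR_ASSEMBLIES
            and basename(ev.image) not in EXPECTED_HOSTS)


def triage(events):
    """Return only the events worth an analyst's attention."""
    return [ev for ev in events if is_suspicious_dlr_load(ev)]


# Constructed sample telemetry (not real events).
SAMPLE = [
    ImageLoad(r"C:\Program Files\IronPython 2.7\ipy.exe",
              r"C:\Program Files\IronPython 2.7\Microsoft.Scripting.dll"),
    ImageLoad(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\AppData\Local\Temp\Microsoft.Dynamic.dll"),
    ImageLoad(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\kernel32.dll"),
    ImageLoad(r"C:\Users\alice\Downloads\updater.exe",
              r"C:\Users\alice\Downloads\IronPython.dll"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(f"{basename(hit.image)} loaded {hit.image_loaded}")
```

Image-load telemetry only sees assemblies mapped from disk; an engine delivered as a byte array via Assembly.Load(byte[]) will not appear here, so pair this with CLR assembly-load tracing or the AMSI scans that .NET 4.8 adds for such loads.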
Just as advances in PowerShell detections pushed offensive PowerShell to migrate to offensive C#, C# detections are now continuing to push the evolution of .NET tradecraft. The weaponization of DLR is that advancement and is being leveraged in tools like SILENTTRINITY. SILENTTRINITY is a command and control, post-exploitation framework that is actively being developed by a brilliant developer cluster, connected to some of the most influential flavors of .NET tradecraft. We anticipate the weaponization of DLR and tools like SILENTTRINITY to become a staple in the advanced adversary toolkit for two reasons beyond those stated above. First, the authors of SILENTTRINITY and their development micro-cluster are contributing developers to some of the most authoritative tools that have shaped adversary tactics. This gives the developers an enormous amount of credibility as to whether or not their emerging tradecraft will be effective. Second, adversaries watch the security community, and specifically they watch community influencers and adopt their tactics accordingly. The more social reach a tool system has, the more likely adversary adoption is. Some key features of SILENTTRINITY are:
We are just getting our feet wet with this vector and plan to do many tests with various tools and techniques encompassing offensive DLR. In our opinion, this is a great evolution of .NET tradecraft: it is backed by influential developers and leverages systems with inherent complexity, which usually translates into an attack surface that is difficult for defenders to lock down.