LAB 14.
Scenario
According to [Link], one of the
most significant recent developments in sophisticated offensive operations is the use of "Living off the Land" (LotL) techniques by
attackers. These techniques leverage legitimate tools present on the system, such as the PowerShell scripting language, in order to
execute attacks. In response, defenders have developed detections for the malicious use of legitimate applications. These detections
include suspicious parent/child process relationships, suspicious process command line arguments, and even deobfuscation of malicious
PowerShell scripts through the use of Script Block Logging.
For this reason, attackers came up with an alternative to LotL techniques. Attackers (and penetration testers) are now executing .NET
assemblies entirely within memory. By developing custom C#-based assemblies, attackers no longer need to rely on the tools present on
the target system; they can instead write and deliver their own tools, a technique FireEye calls Bring Your Own Land (BYOL).
A great example of BYOL is the execute-assembly command of CobaltStrike ([Link]
11-the-snake-that-eats-its-tail/)
In this lab we will emulate such behavior and show you how you can proactively hook all .NET processes on a system and also perform
an in-line hook of the LoadImage function (which is used under the hood to load the supplied assembly).
For more information please refer to [Link]
Goals
The learning objective of this lab is to increase familiarity with .NET attacks by doing a hands-on analysis.
What you will learn
You will learn how to hook critical functions to proactively detect certain .NET-based threats on a host.
Recommended tools
[Link]
Tasks
Task 1. Get familiar with ClrGuard
ClrGuard comes with some testing .bat files. One is benign and one is malicious. Try them out.
[Link] is located at: C:\Users\admin\Desktop\ClrGuard\dist
Testing scripts are located at: C:\Users\admin\Desktop\ClrGuard\Testing\scripts
First, execute [Link] and then run [Link]. Notice what ClrGuard mentions.
Then, run [Link]. Notice what ClrGuard mentions.
Task 2. Emulate execute-assembly activity and use ClrGuard to proactively detect it
The easiest way to cause the LoadImage() function to be called, so that a custom assembly gets loaded, is through PowerShell.
PowerShell has the ability to load .NET assemblies from a specified location or even from a byte array (as attackers prefer). See an
example below.
[Link]
The above capability calls the native LoadImage() function under the hood to load the specified assembly, essentially emulating the
execute-assembly command of Cobalt Strike.
Try to write such code and see whether ClrGuard detects it.
Hint: If you can't write your own PowerShell code, a script named LoadNETAssembly.ps1 that performs what we have described above
can be found in the Downloads directory of the machine.
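The following is an added example, not the lab's LoadNETAssembly.ps1 and not part of ClrGuard: it builds a harmless assembly, then loads it from a byte array exactly as described above, so you can exercise ClrGuard's LoadImage hook against a known-benign probe. The class name, the method name and the temporary file path are assumptions of this example.

```powershell
# Added example (not the lab's script): a benign byte-array assembly load that
# should show up in ClrGuard as a non-whitelisted load when run from PowerShell.
$src = @"
namespace ClrGuardLab {
    public static class Probe {
        public static string Ping() { return "probe loaded from byte[]"; }
    }
}
"@

# Step 1: compile the probe to a temporary DLL (constructed path; any temp path works).
$dll = Join-Path $env:TEMP 'ClrGuardProbe.dll'
Add-Type -TypeDefinition $src -OutputAssembly $dll -OutputType Library

# Step 2: read the DLL into memory and remove the file, so the only copy is the byte array.
$bytes = [System.IO.File]::ReadAllBytes($dll)
Remove-Item $dll

# Step 3: load the assembly from the byte array. This is the call path that reaches
# the CLR's LoadImage function, which ClrGuard hooks.
$asm = [System.Reflection.Assembly]::Load($bytes)

# Step 4: confirm the in-memory assembly is live by calling into it. A byte-array
# load has an empty Location, which is one reason it stands out from file-backed loads.
$result = $asm.GetType('ClrGuardLab.Probe').GetMethod('Ping').Invoke($null, $null)
Write-Output $result
Write-Output ("Loaded '{0}'; Location is '{1}'" -f $asm.FullName, $asm.Location)
```

Run it in a `powershell -ep bypass` session while ClrGuard is active and compare the resulting entry with the whitelisted one from Task 1.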
SOLUTIONS
Below, you can find solutions for each task. Remember, though, that you can follow your own strategy, which may differ from the
one explained in the following lab.
Task 1. Get familiar with ClrGuard
Execute [Link] as administrator.
[Link] is located at: C:\Users\admin\Desktop\ClrGuard\dist
You should see the below.
Now, double-click [Link].
[Link] is located at: C:\Users\admin\Desktop\ClrGuard\Testing\scripts
You should see the below.
The module being loaded is whitelisted by ClrGuard. Assembly loading can also be performed for legitimate purposes!
Now, execute the below.
Click the PowerShell icon that is pinned on the taskbar and execute the below.
powershell -ep bypass
cd C:\Users\admin\Desktop\ClrGuard\Testing\scripts
.\AddTypeRaceCondition.ps1
Note: If you receive the above error, please re-run all the commands.
[Link] is located at: C:\Users\admin\Desktop\ClrGuard\Testing\scripts
You should see the below.
Inside ClrGuard, you should see something similar to the below.
The specific .NET assembly load was blocked by ClrGuard. Notice that there is no "whitelisted" string in the second entry.
Task 2. Emulate execute-assembly activity and use ClrGuard to proactively detect it
Let's now better emulate the execute-assembly command/functionality of Cobalt Strike.
In the scripts directory, there is a PowerShell script called LoadNETAssembly.ps1.
To execute it, perform the following.
Click the PowerShell icon that is pinned on the taskbar and execute:
powershell -ep bypass
cd C:\Users\admin\Desktop\ClrGuard\Testing\scripts
.\LoadNETAssembly.ps1
You should see the below.
Inside ClrGuard you should see something similar to the below.
Notice that there is no "whitelisted" string in the last entry.
Note that execute-assembly variations are included in multiple attack frameworks. The detection method covered here is not
specific to Cobalt Strike.