Hijacking .NET to Defend PowerShell

Explore defensive strategies against PowerShell attacks in this 32-minute conference talk from BSidesSF 2017. Delve into the mind of a hacker to understand effective defense mechanisms. Begin with a brief introduction to .NET and PowerShell before diving deep into various attacker techniques from a blue team perspective. Learn about assembly modification, class and method injection, compiler profiling, and C-based function hooking. Discover how to utilize stealthy runtime .NET hijacking techniques for PowerShell attack prevention and monitoring. Examine the limitations of Microsoft's AMSI solution for PowerShell v5 and explore alternative approaches. Gain insights into phishing campaigns, malware obfuscation, offensive frameworks, and the foundations of .NET, including Common Language Runtime (CLR) and Just-in-Time Compiler (JIT). Compare solution results and take away valuable knowledge to enhance your cybersecurity defenses against PowerShell-based threats.

Intro
GOALS
CONTENT OVERVIEW FOUNDATIONS
TIMELINE
PHISHING CAMPAIGNS
BAD MALWARE PICKUP LINES
OBFUSCATION
OFFENSIVE FRAMEWORKS
FOUNDATIONS of .NET
COMMON LANGUAGE RUNTIME (CLR)
JUST-IN-TIME COMPILER (JIT) METADATA LOOKUPS
STRONG NAMED ASSEMBLIES
NGEN ASSEMBLIES
POWERSHELL
AMSI BYPASSES
C# DLL INJECTION
NET ROOTKITS BINARY MODIFICATION
CLR PROFILING
SETTING IL HOOK
JIT COMPILER HOOKING
C-BASED METHOD HOOKING
SOLUTION RESULTS COMPARISON
TAKE AWAYS