Download as PDF, PPTX
![Reference
[0] 2019, IronPython… OMFG Introducing BYOI
Payloads (Bring Your Own Interpreter)
[1] 2019, Common Language Runtime Hook for
Persistence
[2] 2019, .NET Manifesto
[3] 2019, Executing C# Assemblies from Jscript and
wscript with DotNetToJscript
[4] 2017, .NET HIJACKING to DEFEND POWERSHELL
[5] 2014, .NET Framework Rootkits](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-2-320.jpg)
![[0]](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-4-320.jpg)
![[1]](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-6-320.jpg)
![[1]](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-7-320.jpg)
![[0]](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-9-320.jpg)
![[0]](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-10-320.jpg)
![[0]](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-11-320.jpg)
![Executing C# Assemblies from Jscript and
wscript with DotNetToJscript [3]
● WSH (Window Script Host)
● Embedded lanuage & binding, like .NET
● Jscript -> .NET
● File smuggling
● Jscript
– data (own assembly) -> save file -> load
file -> execution](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-13-320.jpg)
![Can it be used to reach file smuggling?
[2]](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-14-320.jpg)
![CLR Profiler Dynamic DLL Hook Injection
Specifying the CLR environment
Defining the CLR Profiler
[4]](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-16-320.jpg)
![ModuleLoadFinished CLR Profiler for
Hooking
[4]](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-17-320.jpg)
![Common Language Runtime Hook for
Persistence [1] – Step 0](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-18-320.jpg)
![Common Language Runtime Hook for
Persistence [1] – Step 1](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-19-320.jpg)
![Common Language Runtime Hook for
Persistence [1] – Step 2](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-20-320.jpg)
![Common Language Runtime Hook for
Persistence [1] – Step 3](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-21-320.jpg)
![Common Language Runtime Hook for
Persistence [1] – Step 4](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-22-320.jpg)
![Common Language Runtime Hook for
Persistence [1] – Result](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-23-320.jpg)
![How to Influence/Encourage Any .NET Application in System32
to Load Arbitrary Assembly [2]](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-24-320.jpg)
![[2]](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-25-320.jpg)
![[2]](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-26-320.jpg)
![.NET-Spolit [5]
[5]
[Microsoft Docs]](https://image.slidesharecdn.com/astudyon-191020154240/85/A-Study-on-NET-Framework-for-Red-Team-Part-I-27-320.jpg)
Uploaded byAj MaChInE
A Study on .NET Framework for Red Team - Part I
This document summarizes techniques for red teaming using the .NET framework in 3 parts. It discusses [1] executing custom assemblies using Windows Script Host file smuggling techniques, [2] achieving persistence by hooking the Common Language Runtime, and [3] influencing applications to load arbitrary assemblies. References are provided for further related research on .NET instrumentation, offensive retooling, and GadgetToJScript.
![[若渴] A preliminary study on attacks against consensus in bitcoin](https://cdn.slidesharecdn.com/ss_thumbnails/apreliminarystudyonattacksagainstconsensusinbitcoin-180422134755-thumbnail.jpg?width=640&height=640&fit=bounds)
![[RAT資安小聚] Study on Automatically Evading Malware Detection](https://cdn.slidesharecdn.com/ss_thumbnails/automaticallyevadingmalwaredetection-180325081451-thumbnail.jpg?width=640&height=640&fit=bounds)
![[若渴] Preliminary Study on Design and Exploitation of Trustzone](https://cdn.slidesharecdn.com/ss_thumbnails/preliminarystudyondesignandexploitationoftrustzone-180324121935-thumbnail.jpg?width=640&height=640&fit=bounds)
![[若渴]Study on Side Channel Attacks and Countermeasures](https://cdn.slidesharecdn.com/ss_thumbnails/studyonsidechannelattacksandcountermeasures-180120164619-thumbnail.jpg?width=640&height=640&fit=bounds)
![[若渴計畫] Challenges and Solutions of Window Remote Shellcode](https://cdn.slidesharecdn.com/ss_thumbnails/challengesandsolutionsofwindowremoteshellcode-171118141605-thumbnail.jpg?width=640&height=640&fit=bounds)
![[若渴計畫] Introduction: Formal Verification for Code](https://cdn.slidesharecdn.com/ss_thumbnails/backgroudformalverificationforsystemcode-170714081746-thumbnail.jpg?width=640&height=640&fit=bounds)
![[若渴計畫] Studying ASLR^cache](https://cdn.slidesharecdn.com/ss_thumbnails/studyingaslrcache-170416163739-thumbnail.jpg?width=640&height=640&fit=bounds)
![[若渴計畫] Black Hat 2017之過去閱讀相關整理](https://cdn.slidesharecdn.com/ss_thumbnails/blackhat2017-170416150012-thumbnail.jpg?width=640&height=640&fit=bounds)
![[若渴計畫] Studying Concurrency](https://cdn.slidesharecdn.com/ss_thumbnails/studyingconcurrency-170121175430-thumbnail.jpg?width=640&height=640&fit=bounds)
![[若渴計畫2015.8.18] SMACK](https://cdn.slidesharecdn.com/ss_thumbnails/smack-150723041910-lva1-app6892-thumbnail.jpg?width=640&height=640&fit=bounds)
![[SITCON2015] 自己的異質多核心平台自己幹](https://cdn.slidesharecdn.com/ss_thumbnails/random-150306082537-conversion-gate01-thumbnail.jpg?width=640&height=640&fit=bounds)
![[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU](https://cdn.slidesharecdn.com/ss_thumbnails/linuxrunsonsockitboardwiththegpgpu-150127112230-conversion-gate02-thumbnail.jpg?width=640&height=640&fit=bounds)
![[若渴計畫]由GPU硬體概念到coding CUDA](https://cdn.slidesharecdn.com/ss_thumbnails/mosutgpucodingcuda-140606072846-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
![[若渴計畫]64-bit Linux Return-Oriented Programming](https://cdn.slidesharecdn.com/ss_thumbnails/learnrop-140405071626-phpapp02-thumbnail.jpg?width=640&height=640&fit=bounds)
![[MOSUT] Format String Attacks](https://cdn.slidesharecdn.com/ss_thumbnails/aj-140116200425-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
A Study on .NET Framework for Red Team - Part I
- 1. A Study on.NET Framework for Red Team – Part I @ 若渴 2019.10.20 <ajblane0612@gmail.com> AjMaChInE
- 2. Reference [0] 2019, IronPython…OMFG Introducing BYOI Payloads (Bring Your Own Interpreter) [1] 2019, Common Language Runtime Hook for Persistence [2] 2019, .NET Manifesto [3] 2019, Executing C# Assemblies from Jscript and wscript with DotNetToJscript [4] 2017, .NET HIJACKING to DEFEND POWERSHELL [5] 2014, .NET Framework Rootkits
- 3. WSH – WindowScript Host DLR – Dynamic Language Runtime CLR – Common Language Runtime BYOI – Bring Your Own Interpreter ADM – Application Domain Manager MSIL – Microsoft Intermediate Language
- 4.
- 6.
- 7.
- 8. BYOI – BringYour Own Interpreter
- 9.
- 10.
- 11.
- 12.
- 13. Executing C# Assembliesfrom Jscript and wscript with DotNetToJscript [3] ● WSH (Window Script Host) ● Embedded lanuage & binding, like .NET ● Jscript -> .NET ● File smuggling ● Jscript – data (own assembly) -> save file -> load file -> execution
- 14. Can it beused to reach file smuggling? [2]
- 15.
- 16. CLR Profiler DynamicDLL Hook Injection Specifying the CLR environment Defining the CLR Profiler [4]
- 17. ModuleLoadFinished CLR Profilerfor Hooking [4]
- 18. Common Language RuntimeHook for Persistence [1] – Step 0
- 19. Common Language RuntimeHook for Persistence [1] – Step 1
- 20. Common Language RuntimeHook for Persistence [1] – Step 2
- 21. Common Language RuntimeHook for Persistence [1] – Step 3
- 22. Common Language RuntimeHook for Persistence [1] – Step 4
- 23. Common Language RuntimeHook for Persistence [1] – Result
- 24. How to Influence/EncourageAny .NET Application in System32 to Load Arbitrary Assembly [2]
- 25.
- 26.
- 27.
- 28. Futher Study ● 2018,.NET Instrumentation via MSIL bytecode injection ● 2018, Offensive Retooling in donet for Red Team ● med0x2e/GadgetToJScript