Explore advanced techniques for developing flexible and secure .NET-based offensive toolkits in this conference talk from NorthSec. Learn how to maintain operational agility and overcome static defensive mechanisms through dynamic code compilation, reflective .NET DLR, and on-the-fly access to native Windows API. Discover methods for hiding sensitive execution aspects in managed code memory using the DLRium Managed Execution toolkit. Gain insights into OpSec lessons, slim payload delivery, and evasion mechanisms. Dive deep into topics such as CodeDom, reflective loading, application domains, dynamic interrupts, and memory mapping. Understand the strategic and technical goals of retooling in the field, and how to leverage various programming languages like C#, Python, and PowerShell for effective red team operations.
Overview
Syllabus
Introduction
Retooling in the Field
Strategic Goals
Technical Goals
Slim payload delivery
Current options
NET Managed Code
Managed Execution Toolkit
What is NET
CodeDom
Whats Needed
Goal
Reflective Load
Invoke Contract
Code Cradle
CSX Extensions
Create Namespace
Code as Data
cfir
Process Manager
Limitations
Application Domains
Interrupt
Evasion
Interop
Start a process
Dynamic interrupt
Dynamic load
Dynamic compile
Flexible solution
Dynamic DLR
What is Dynamic DLR
What is Dynamic DLR used for
Code Reflection
PowerShell
Python
IronPython
DLR
DLL
Dynamic Python Files
CLR
CTypes
Delivery of Code
Typhoon
Other evasion mechanisms
How it works
Net Modules
Dynamic Net Modules
Hiding things into memory
Invoke Python
Shellcode
Memory Map
C Shellcode
C Python
C PowerShell
Python for Development
Alpha
Outro
Taught by
NorthSec
