When additional logging capabilities were introduced to PowerShell, attackers and offensive security professionals began looking for a new way to execute easy-to-write code on Windows endpoints. The obvious next step was C#: a language whose runtime ships with Windows, that uses the same underlying .NET class library as PowerShell, and that can load and execute a compiled assembly at runtime through reflection, without the assembly ever touching disk.
Fast forward to today – hundreds of tools have been written in C#, making the language extremely useful for offensive operations and almost completely replacing the need for PowerShell. Many modern C2 frameworks offer a simple way to execute these tools in memory, but endpoint security products often detect these techniques in their default configuration.
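The following is an added example, not code from the workshop or its labs. It shows the .NET capability the paragraph above refers to: a compiled C# assembly is read into a byte array, loaded into the current process with Assembly.Load, and its entry point is invoked through reflection, so the tool runs without a file-backed module. The assembly path is an assumption (in real tooling the bytes arrive over the C2 channel); any managed console assembly built for the same runtime works as input.

```csharp
// Added example (not the workshop's code): in-memory execution of a compiled
// .NET assembly. The path passed on the command line is an assumption; in
// tooling the byte buffer typically arrives over the network instead.
using System;
using System.IO;
using System.Reflection;

static class InMemoryRunner
{
    // Load the assembly from a byte array and run its Main method.
    // No file is written, so the module has no backing path on disk.
    public static object Run(byte[] assemblyBytes, string[] toolArgs)
    {
        Assembly asm = Assembly.Load(assemblyBytes);

        MethodInfo entry = asm.EntryPoint
            ?? throw new InvalidOperationException("assembly has no entry point (not a console/exe assembly?)");

        // Main may be declared as Main() or Main(string[] args); pass args only if expected.
        object[] invokeArgs = entry.GetParameters().Length == 0
            ? null
            : new object[] { toolArgs };

        try
        {
            // Returns null for void Main, or the int/Task for other signatures.
            return entry.Invoke(null, invokeArgs);
        }
        catch (TargetInvocationException ex)
        {
            // Reflection wraps exceptions thrown inside the tool; surface the real one.
            throw ex.InnerException ?? ex;
        }
    }

    static void Main(string[] args)
    {
        if (args.Length == 0)
        {
            Console.Error.WriteLine("usage: InMemoryRunner <assembly.exe> [tool args...]");
            return;
        }

        byte[] bytes = File.ReadAllBytes(args[0]);   // assumed path; constructed for this example

        string[] toolArgs = new string[args.Length - 1];
        Array.Copy(args, 1, toolArgs, 0, toolArgs.Length);

        Run(bytes, toolArgs);
    }
}
```

This is the default form of the technique, and it is exactly what the default configurations of C2 "execute-assembly" style features do. Two properties of it are worth knowing before the labs: the loaded module has no file path behind it, and the runtime emits an assembly-load event through the Microsoft-Windows-DotNETRuntime ETW provider, both of which endpoint products can observe.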
This workshop will introduce you to several methods to improve your .NET execution OPSEC. Each lab will cover a different component of the process by which an attacker executes compiled C# code in memory on a target endpoint. You will work through the labs locally and then test your techniques in a fully patched Active Directory environment running Defender AV and Elastic EDR.
The workshop will include the following four labs:
Bring your own laptop capable of running one Windows virtual machine.
Registration will be required; seating is limited.