Hijacking .NET to Defend PowerShell

by Amanda Rousseau

Released as an article.

2017  

Abstract

With the rise of attacks using PowerShell in recent months, no comprehensive solution for monitoring or prevention has emerged. Microsoft recently released the Antimalware Scan Interface (AMSI) for PowerShell v5; however, it too can be bypassed. This paper focuses on repurposing various stealthy runtime .NET hijacking techniques, originally implemented for PowerShell attacks, for defensive monitoring of PowerShell. It begins with a brief introduction to .NET and PowerShell, followed by a deeper explanation of several attacker techniques from the defender's perspective: assembly modification, class and method injection, compiler profiling, and C-based function hooking. Of the four attacker techniques repurposed for defensive real-time monitoring of PowerShell execution, intermediate language binary modification, JIT hooking, and machine code manipulation provide the best results as stealthy run-time interfaces for PowerShell script analysis.
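To make the "machine code manipulation" approach named in the abstract concrete, the following is an added example written for this catalog entry; it is not code from the paper. It patches the native entry of a jitted .NET method with an x64 absolute jump to a detour of identical signature, so that every call is logged before the original behaviour is reproduced. The target `ScriptRunner.Invoke` and the detour `Monitor.Invoke` are hypothetical stand-ins for the engine methods a defender would actually watch inside System.Management.Automation. Assumptions: a 64-bit process on .NET Framework (no tiered compilation or re-JIT), the target is not inlined, and `GetFunctionPointer` returns the jitted body after `PrepareMethod` rather than a precode stub; on other runtimes the address and the 12-byte overwrite need checking first.

```csharp
// Added example, not from the paper: x64 inline hook of a jitted .NET method.
// Assumes .NET Framework x64; ScriptRunner/Monitor are hypothetical stand-ins.
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

static class NativeHook
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualProtect(IntPtr addr, UIntPtr size, uint newProtect, out uint oldProtect);
    const uint PAGE_EXECUTE_READWRITE = 0x40;

    // Overwrites the first 12 bytes of `target`'s native code with
    // "mov rax, <detour>; jmp rax". Returns the saved bytes so the hook can be undone.
    public static byte[] Install(MethodInfo target, MethodInfo detour)
    {
        // Force both methods through the JIT so the function pointers refer to real code.
        RuntimeHelpers.PrepareMethod(target.MethodHandle);
        RuntimeHelpers.PrepareMethod(detour.MethodHandle);
        IntPtr targetCode = target.MethodHandle.GetFunctionPointer();
        IntPtr detourCode = detour.MethodHandle.GetFunctionPointer();

        byte[] jmp = new byte[12];
        jmp[0] = 0x48; jmp[1] = 0xB8;                              // mov rax, imm64
        BitConverter.GetBytes(detourCode.ToInt64()).CopyTo(jmp, 2);
        jmp[10] = 0xFF; jmp[11] = 0xE0;                            // jmp rax

        byte[] saved = new byte[jmp.Length];
        Marshal.Copy(targetCode, saved, 0, saved.Length);

        if (!VirtualProtect(targetCode, (UIntPtr)(uint)jmp.Length, PAGE_EXECUTE_READWRITE, out uint old))
            throw new InvalidOperationException("VirtualProtect failed: " + Marshal.GetLastWin32Error());
        Marshal.Copy(jmp, 0, targetCode, jmp.Length);
        VirtualProtect(targetCode, (UIntPtr)(uint)jmp.Length, old, out _);
        return saved;
    }

    public static void Remove(MethodInfo target, byte[] saved)
    {
        IntPtr targetCode = target.MethodHandle.GetFunctionPointer();
        VirtualProtect(targetCode, (UIntPtr)(uint)saved.Length, PAGE_EXECUTE_READWRITE, out uint old);
        Marshal.Copy(saved, 0, targetCode, saved.Length);
        VirtualProtect(targetCode, (UIntPtr)(uint)saved.Length, old, out _);
    }
}

// Hypothetical stand-in for a PowerShell engine entry point that receives script text.
static class ScriptRunner
{
    [MethodImpl(MethodImplOptions.NoInlining)]   // an inlined target has no entry to patch
    public static int Invoke(string script)
    {
        if (script == null) throw new ArgumentNullException(nameof(script));
        return script.Length;
    }
}

// Defensive detour: same signature as the target. The target's first bytes are gone,
// so the detour reproduces the original behaviour instead of calling it
// (a full solution would execute the saved bytes through a trampoline).
static class Monitor
{
    public static readonly List<string> Seen = new List<string>();

    [MethodImpl(MethodImplOptions.NoInlining)]
    public static int Invoke(string script)
    {
        if (script == null) throw new ArgumentNullException(nameof(script));
        Seen.Add(script);              // telemetry: record every script the engine is handed
        return script.Length;
    }
}

static class Demo
{
    static void Main()
    {
        MethodInfo target = typeof(ScriptRunner).GetMethod("Invoke");
        MethodInfo detour = typeof(Monitor).GetMethod("Invoke");

        byte[] saved = NativeHook.Install(target, detour);
        int n = ScriptRunner.Invoke("Invoke-Expression $payload");   // lands in Monitor.Invoke
        Console.WriteLine(Monitor.Seen.Count == 1 && n == 26 ? "hook fired" : "hook missed");

        NativeHook.Remove(target, saved);
        ScriptRunner.Invoke("Get-Process");                          // original code again
        Console.WriteLine(Monitor.Seen.Count == 1 ? "hook removed" : "hook still active");
    }
}
```

The value of this style of hook for the paper's purpose is that the monitoring logic runs in-process, at the point where script text is already decoded, so string obfuscation upstream of that call does not hide it. The same property cuts both ways: an attacker with code execution in the process can restore the saved bytes exactly as `Remove` does, which is why the paper pairs this with IL modification and JIT hooking rather than relying on any single interception point.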

Archived Files and Locations

application/pdf   2.3 MB
arxiv.org (repository)
web.archive.org (webarchive)

Type   article
Stage   submitted
Date   2017-09-21
Version   v1
Language   en
arXiv   1709.07508v1