Hijacking .NET to Defend PowerShell
by Amanda Rousseau, 2017
Abstract
With the rise of attacks using PowerShell in recent months, there has not been a comprehensive solution for monitoring or prevention. Microsoft recently released the AMSI solution for PowerShell v5; however, it can also be bypassed. This paper focuses on repurposing various stealthy runtime .NET hijacking techniques, originally implemented for PowerShell attacks, for defensive monitoring of PowerShell. It begins with a brief introduction to .NET and PowerShell, followed by a deeper explanation of various attacker techniques, presented from the perspective of the defender: assembly modification, class and method injection, compiler profiling, and C-based function hooking. Of the four attacker techniques that are repurposed for defensive real-time monitoring of PowerShell execution, intermediate language binary modification, JIT hooking, and machine code manipulation provide the best results for stealthy runtime interfaces for PowerShell scripting analysis.
Archived Files and Locations
application/pdf, 2.3 MB: arxiv.org (repository) 1709.07508v1; web.archive.org (webarchive)