Black Hills Information Security - Technical Segment

• SilentTrinity: Advanced Windows Backdoor Techniques by Marcello Salvati

  Over the course of the last few years, PowerShell has been the number one way of conducting essentially any type of offensive operation on Active Directory networks and Windows endpoints. It allows offensive personnel to execute implants completely in memory, stealthily conduct situational awareness, and dynamically leverage the underlying power of .NET. Due to recent protections put in place by Microsoft, PowerShell is becoming increasingly less viable to use offensively. These protections are “baked in” to the latest versions of the Windows operating systems and allow AV/EDR/Logging solutions to gain an overwhelming amount of insight into PowerShell execution, and even, in some cases, completely shut down any type of malicious PowerShell tooling/tradecraft. It’s been a good run, and PowerShell has served us well. However, the future is upon us, and it’s our job to adapt; we have to go deeper! With that in mind, what if I told you that everything PowerShell does can also be done with Python–without dropping anything to disk and bypassing every protection that Microsoft has put in place for PowerShell? Welcome to the wonderful world of IronPython, where rainbows and unicorns *still* gallivant as if it were 2009! In this talk, we will be looking at my approach to solving the tradecraft problem of gaining complete, unrestricted, and dynamic access to the .NET runtime without going through PowerShell in any way.