Specifically, getting code execution via insecure .NET methods in trusted code: Assembly.Load, BinaryFormatter, etc.
#PowerShell IMO is too noisy to remain a "living off the land" technique. The new hotness: .NET assembly loading via insecure methods.
-
-
-
The people innovating in this space are
@tiraniddo,@subTee, and@tifkin_.https://twitter.com/subTee/status/889448552723644416 …<msxsl:script>
https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script …
End of conversation
New conversation -
-
-
.NET logs as comprehensive as PS logs would be huge...
-
Yes! The equivalent of scriptblock autologging (only .NET method tracing) for suspicious .NET methods would be amazing!
-
@Lee_Holmes could work some magic again? -
Naw let's throw
@blowdart under the bus to help get some .NET optics.
-
Every .net method is suspect. That log would be huge. No no no.
-
You're misunderstanding, you just need to be shown to be doing something. Doesn't matter if it's impractical in the real world.
-
That's depressingly true.
End of conversation
New conversation -
-
-
Sounds like this one sir? https://labs.mwrinfosecurity.com/blog/securing-the-loading-of-dynamic-code/ …
-
-
yes sir. I like all of them. :D
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.