Paul Spicer, MCTTP

Paul Spicer

Senior Red Team Consultant Mandiant/Google


Paul Spicer is a Senior Red Team Consultant based in Mandiant's UK office. As part of Mandiant's APT66, Paul primarily works on adversary simulations and red and purple team assessments. Paul has experience delivering a variety of red team scenarios, including external attack, assumed compromise and phishing.


Paul has led and participated in multiple red and purple team style engagements with a variety of high-profile clients in the public sector, private sector and financial services, including multiple threat intelligence-led CBESTs. Paul's red team experience has covered various attack surfaces, from traditional Active Directory environments to clients with a cloud-first approach.


Outside of red teaming, Paul spent time working in a security hardware testing and research laboratory. During this time Paul conducted physical attacks on electronic devices, identifying initial access points via hidden debug interfaces, hardware teardowns and signal and RF analysis. Paul has combined this experience with his red team skills to provide initial access to encrypted devices.

Talks & Q&A

Conference | Sep 18

Bring Your Own AppDomain: Finding and (ab)using trusted .NET binaries for initial access and more

Launch malicious implants without EDR alerts. Or protect yourself against it.

Description

AppDomainManager injection can be used to force any .NET binary to load a malicious library. This is a highly useful technique when launching an implant that must evade modern Endpoint Detection and Response (EDR). Red Team operators and threat actors (ab)use this technique, often combined with a ClickOnce deployment, to gain initial access to a target organisation.


Both techniques are powerful methods for any Red Team operator looking to launch their implant. However, they require identifying a .NET application or ClickOnce deployment that is signed, trustworthy and relevant to the target environment. VirusTotal (and other similar multiscanners) absorb thousands of files from endpoints worldwide. Learn how to leverage these massive data sets to find the perfect .NET binary to integrate into your campaigns.


Blue Teams and organisations will also benefit from this talk: learn about the underlying injection and ClickOnce techniques in order to create detection logic and monitor your environments.


Join Dave & Paul, two senior red team operators at Mandiant/Google, as they discuss how trusted .NET binaries are hijacked and how to find the perfect binary for your Red Team engagement.


Specifically, this talk will cover the background on:

  • How to build your own .NET hijacking tool to launch malicious DLLs on Windows systems.
  • Leveraging VirusTotal to identify the perfect trusted .NET binary for your target environment.
  • Tips for organisations on how they can detect and alert on techniques discussed.
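For the detection side of the talk, an added example (not code from the talk or its speakers): a small hunting check that flags the two .NET Framework artefacts a custom AppDomainManager is selected through, the `appDomainManagerAssembly`/`appDomainManagerType` elements in an application's `.exe.config` and the `APPDOMAIN_MANAGER_ASM`/`APPDOMAIN_MANAGER_TYPE` environment variables. The sample config and assembly name are constructed.

```python
# Added example, not from the talk: hunt for AppDomainManager overrides.
# Assumption: the config elements and environment variables named below are
# the .NET Framework mechanisms that select a custom AppDomainManager.
import xml.etree.ElementTree as ET

# Constructed sample: a trusted app's .exe.config redirected to a foreign assembly.
SUSPICIOUS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Updater.Manager" />
  </runtime>
</configuration>"""

# Constructed sample: an ordinary config with no runtime override.
BENIGN_CONFIG = """<?xml version="1.0"?>
<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""

MANAGER_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
MANAGER_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def config_findings(config_xml: str) -> list[str]:
    """Return 'element=value' for each AppDomainManager override under <runtime>."""
    findings = []
    runtime = ET.fromstring(config_xml).find("runtime")
    if runtime is None:
        return findings
    for elem in runtime:
        if elem.tag in MANAGER_ELEMENTS:
            findings.append(f"{elem.tag}={elem.get('value', '')}")
    return findings


def env_findings(env: dict[str, str]) -> list[str]:
    """Return any AppDomainManager override set through process environment variables."""
    return [f"{name}={env[name]}" for name in MANAGER_ENV_VARS if name in env]


if __name__ == "__main__":
    # A clean host should report nothing for both checks; each hit names the
    # assembly or type that a signed .NET host would load on startup.
    print(config_findings(SUSPICIOUS_CONFIG))
    print(config_findings(BENIGN_CONFIG))
    print(env_findings({"APPDOMAIN_MANAGER_ASM": "Updater", "PATH": "C:\\Windows"}))
```

In practice the config check is run over every `*.exe.config` beside a signed .NET executable in user-writable locations, and the environment check over the environment of newly created .NET processes, since either override makes a trusted binary load a foreign assembly before its own code runs.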


Why the committee chose this talk

Abusing trust in software is a growing concern for all defenders.