
Dave Sully
Senior Red Team Consultant Mandiant/Google
Dave is a Senior Red Team Consultant in the Advanced Capability Red Team within Mandiant’s Proactive function. Based out of the UK, Dave primarily works on adversary simulations and red and purple team assessments.
With over 25 years of experience in the IT sector, Dave has an extensive background in information technology across a wide range of roles prior to specialising in Cyber Security in 2016. He has performed a wide range of security consulting services for many prestigious clients over numerous industry sectors.
Talks & Q&A
Conference | Sep 18

Bring Your Own AppDomain: Finding and (ab)using trusted .NET binaries for initial access and more
Launch malicious implants without EDR alerts. Or protect yourself against it.
Description
AppDomainManager injection can be used to force any .NET binary to load a malicious library. This is a highly useful technique when trying to launch an implant that can evade modern Endpoint Detection and Response (EDR). Red Team operators and threat actors (ab)use this technique, often combined with a ClickOnce deployment, to gain initial access to a target organisation.
Both techniques are powerful methods for any Red Team operator looking to launch their implant. However, they require identifying a .NET application or ClickOnce deployment that is signed, trustworthy, and relevant to the target environment. VirusTotal (and other similar multiscanners) absorb thousands of files from endpoints worldwide. Learn how to leverage these massive data sets to find the perfect .NET binary to integrate into your campaigns.
Blue Teams and organisations will also benefit from this talk: learn about the underlying injection and ClickOnce techniques in order to create detection logic, and monitor your environments.
Join Dave & Paul, two senior red team operators at Mandiant/Google, as they discuss how to hijack trusted .NET binaries to find the perfect binary for your Red Team engagement.
Specifically, this talk will cover the background on:
- How to build your own .NET hijacking tool to launch malicious DLLs on Windows systems.
- Leveraging VirusTotal to identify the perfect trusted .NET binary for your target environment.
- Tips for organisations on how they can detect and alert on techniques discussed.
Why the committee chose this talk
Abusing trust in software is a growing concern for all defenders.