44CON 2019

Offensive PowerShell tradecraft is in “Zombie Mode”: it’s sorta dead, but not entirely. With all of the defenses Microsoft has implemented in the PowerShell runtime over the past few years Red Teamers / Pentesters & APT groups have started too shy away from using PowerShell based payloads/delivery mechanisms and migrate over to C#. However, C# is a compiled language, operationally this has a few major downsides: we can’t be as “flexible”, setting up a proper development environment has overhead and can be time consuming, you have to compile all the things all the time etc.. Bottom line is I’m lazy and creating your malwarez/custom payloads in C# is not as easy & straight forward as it would be in PowerShell or really any scripting language.

This raises the following quandary: can we somehow get our own scripting language interpreter on the target machine while still remaining opsec safe and use it to perform all of our post-exploitation activities?

Turns out by harnessing the sheer craziness of the .NET framework, you can embed entire interpreters inside of .NET languages allowing you to natively execute scripts written in third-party languages (like Python) on windows! Not only does this allow you to dynamically access all of the .NET API from a scripting language of your choosing, but it also allows you to still remain completely in memory and has a number of advantages over traditional C# payloads! Essentially, BYOI payloads allow you to have all the “power” of PowerShell, without going through PowerShell in anyway!

In this talk we will be covering some key .NET framework concepts in order to understand why this is possible, how to actually do the interpreter/engine/runtime embedding, the concept (that I coined) “engine inception”, differences between traditional C# payloads & BYOI payloads, demoing some examples of BYOI payloads and finally SILENTTRINITY: an open-source C2 framework that I’ve written that attempts to weaponize some of the BYOI concepts.