RogueAssemblyHunter – Rogue Assembly Hunter Is A Utility For Discovering 'Interesting' .NET CLR Modules In Running Processes

Rogue Assembly Hunter is a utility for discovering ‘interesting’ .NET CLR modules in running processes.


.NET is a very powerful and capable development platform and runtime framework for building and running .NET managed applications. Over the last several years, .NET has been adopted by Red Teams (and the like) for instrumenting tradecraft to support offensive operations. In particular, the shift from offensive PowerShell to .NET was a logical leap (for many) due to the increased optics and opportunistic visibility present in PowerShell v5+. As such, .NET offensive tooling and tradecraft have been successfully used to evade host-based defensive capabilities, bypass application control, and build, stage, deliver, and execute malicious code (similar to PowerShell).

From a prevention perspective, Microsoft is doing more to combat .NET instrumented threats and to minimize the overall .NET attack surface. For example, Microsoft has added AMSI inspection capabilities in .NET Framework 4.8, and WDAC/WLDP mechanisms are quite effective. From a detection/response perspective, further visibility and introspection into the .NET ecosystem is always advantageous for discovering new ways to combat .NET-focused threats.

In 2017, Joe Desimone (@dez_) wrote a fantastic article called Hunting For In-Memory .NET Attacks. Still relevant today, the article outlines modern .NET attack vectors as well as on-demand and event-based techniques for detection. Accompanying the article, Joe released a tool (Get-ClrReflection) to proactively detect (and retrieve) in-memory .NET CLR modules that lack a proper disk reference. Inspired by Joe’s work and taking advantage of the introspection capabilities of the CLRMD
