Offensive Development: Post-Exploitation Tradecraft in an EDR World
• Dominic Chell
  • Based in the UK
  • Tweets at @domchell
https://www.fireeye.com/blog/threat-research/2019/03/silketw-because-free-telemetry-is-free.html
• Open source obfuscators such as ConfuserEx can assist here
https://www.mdsec.co.uk/2020/03/hiding-your-net-etw/
• clrjit.dll
• mscoree.dll
• clr.dll
• PE headers in RWX or RX pages become an IoC for memory scanning
• Engine: a .NET Core web API that receives requests for projects, consumes the project source code, bootstraps, compiles and protects it, then returns the compiled and encrypted project to the loader
• Using the loader is optional; the obfuscated exe can be run directly from a CLR harness if required. However, the loader introduces keying and/or bootstrapped code
• Rename resources