Hunting .NET Malware (Lab 2)

The document discusses the use of 'Living off the Land' (LotL) techniques by attackers and introduces the 'Bring Your Own Land' (BYOL) method, which involves executing custom .NET assemblies in memory to evade detection. It outlines a lab scenario where participants learn to proactively detect .NET-based threats using a tool called ClrGuard, including hands-on tasks to familiarize themselves with the tool and emulate attack behaviors. The lab emphasizes the importance of hooking critical functions to enhance detection capabilities against such attacks.

Uploaded by

Rayen Salem

LAB 14.

Scenario
According to https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html, one of the most significant recent developments in sophisticated offensive operations is the use of "Living off the Land" (LotL) techniques by attackers. These techniques leverage legitimate tools already present on the system, such as the PowerShell scripting language, to execute attacks. In response, defenders have developed detections for the malicious use of legitimate applications: suspicious parent/child process relationships, suspicious process command-line arguments, and even deobfuscation of malicious PowerShell scripts through Script Block Logging.

For this reason, attackers came up with an alternative to LotL techniques. Attackers (and penetration testers) are now executing .NET assemblies entirely within memory. By developing custom C#-based assemblies, attackers no longer need to rely on the tools present on the target system; they can instead write and deliver their own tools, a technique FireEye calls Bring Your Own Land (BYOL).

A great example of BYOL is the execute-assembly command of Cobalt Strike (https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/).

In this lab we will emulate such behavior and show you how you can proactively hook all .NET processes on a system and also perform an in-line hook of the LoadImage function (which is used under the hood to load the provided assembly).

For more information please refer to https://www.elastic.co/blog/hunting-memory-net-attacks.

Goals
The learning objective of this lab is to increase familiarity with .NET attacks through hands-on analysis.

What you will learn


You will learn how to hook critical functions to proactively detect certain .NET-based threats on a host.

Recommended tools
 https://github.com/endgameinc/ClrGuard

Tasks
Task 1. Get familiar with ClrGuard
ClrGuard comes with some testing .bat files. One is benign and one is malicious. Try them out.

ClrGuard.exe is located at: C:\Users\admin\Desktop\ClrGuard\dist

Testing scripts are located at: C:\Users\admin\Desktop\ClrGuard\Testing\scripts

First, execute ClrGuard.exe and then run fp.bat. Notice what ClrGuard mentions.

Then, run run.bat. Notice what ClrGuard mentions.

Task 2. Emulate execute-assembly activity and use ClrGuard to proactively detect it


The easiest way to cause the LoadImage() function to be called so that a custom assembly is loaded is through PowerShell.

PowerShell can load .NET assemblies from a specified location on disk or even from a byte array (which is what attackers prefer, since no file touches disk). See the example below.

https://powershell.one/tricks/assemblies/load-from-memory

Under the hood, the above capability calls the native LoadImage() function to load the specified assembly, essentially emulating the execute-assembly command of Cobalt Strike.

Try to write such code and see whether ClrGuard detects it.

Hint: If you can't create your own PowerShell code, a script named LoadNETAssembly.ps1 that performs what we have described above can be found in the Downloads directory of the machine.
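The following script is an added example for this task; it is not the lab's LoadNETAssembly.ps1 and not part of ClrGuard. It builds a harmless test assembly with Add-Type, reads it back as a byte array and loads it with [System.Reflection.Assembly]::Load([byte[]]), which is the in-memory load path the lab says ClrGuard hooks. It then lists the assemblies in the session that have no file location, which is the property a defender uses to tell a memory-loaded assembly from one loaded from disk. Assumptions: Windows PowerShell 5.1 (for Add-Type -OutputAssembly), a writable %TEMP%, and ClrGuard.exe already running; the namespace ClrGuardLab, the class Probe and the file name ClrGuardLabProbe.dll are placeholders chosen for this example.

```powershell
# Added example (not from the lab or from ClrGuard): exercise the CLR's
# load-from-bytes path with a benign assembly so ClrGuard's hook can be observed.
# ASSUMPTIONS: Windows PowerShell 5.1, ClrGuard.exe already running,
# $env:TEMP writable. Names below (ClrGuardLab, Probe, ClrGuardLabProbe.dll)
# are placeholders invented for this example.

# Benign C# source: the only thing the assembly does is return a string.
$source = @'
namespace ClrGuardLab {
    public static class Probe {
        public static string Run() {
            return "probe assembly executed from memory";
        }
    }
}
'@

# Step 1: compile the source to a DLL on disk (placeholder path).
$dllPath = Join-Path $env:TEMP 'ClrGuardLabProbe.dll'
Add-Type -TypeDefinition $source -OutputAssembly $dllPath

# Step 2: read the DLL as a byte array. In a real execute-assembly scenario
# these bytes would arrive over the network; here they come from the file we
# just built, so nothing foreign is executed.
$bytes = [System.IO.File]::ReadAllBytes($dllPath)

# Step 3: reflective load from the byte array. Unlike LoadFrom(path), this
# gives the runtime an image with no backing file, which is the case the
# LoadImage hook in ClrGuard is meant to surface.
$asm = [System.Reflection.Assembly]::Load($bytes)

# Step 4: invoke the entry method through reflection, as execute-assembly
# style loaders do, and print the result.
$result = $asm.GetType('ClrGuardLab.Probe').GetMethod('Run').Invoke($null, $null)
Write-Host "Probe returned: $result"

# Step 5 (defender's view): a byte-loaded assembly reports an empty Location.
# Dynamic (AssemblyBuilder) assemblies are skipped because reading their
# Location throws NotSupportedException.
Write-Host "Assemblies in this session with no file backing:"
[AppDomain]::CurrentDomain.GetAssemblies() |
    Where-Object { -not $_.IsDynamic -and [string]::IsNullOrEmpty($_.Location) } |
    ForEach-Object { Write-Host ("  " + $_.FullName) }

# Step 6: switch to the ClrGuard window. The new entry should name this
# PowerShell process and carry no "whitelisted" marker.
```

Run it from the same elevated `powershell -ep bypass` session the solutions use, with ClrGuard.exe already started, so the load is reported. The Location check in step 5 is worth keeping in mind independently of ClrGuard: a file-based allowlist or a disk scan never sees an assembly whose Location is empty, which is exactly why the lab hooks the load path instead.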
SOLUTIONS
Below, you can find solutions for each task. Remember, though, that you can follow your own strategy, which may differ from the one explained below.

Task 1. Get familiar with ClrGuard


Execute ClrGuard.exe as administrator.

ClrGuard.exe is located at: C:\Users\admin\Desktop\ClrGuard\dist

You should see the below.

Now, double-click fp.bat.

fp.bat is located at: C:\Users\admin\Desktop\ClrGuard\Testing\scripts

You should see the below.

The module being loaded is whitelisted by ClrGuard. Assembly loading can also be performed for legitimate purposes!

Now, click the PowerShell icon pinned on the taskbar and execute the following.

powershell -ep bypass


cd C:\Users\admin\Desktop\ClrGuard\Testing\scripts
.\AddTypeRaceCondition.ps1

Note: If you receive the above error, please re-run all the commands.

fp.bat is located at: C:\Users\admin\Desktop\ClrGuard\Testing\scripts

You should see the below.

Inside ClrGuard, you should see something similar to the below.

The specific .NET assembly load was blocked by ClrGuard. Notice that there is no "whitelisted" string in the second entry.

Task 2. Emulate execute-assembly activity and use ClrGuard to proactively detect it


Let's now better emulate the execute-assembly command/functionality of Cobalt Strike.

In the scripts directory, there is a PowerShell script called LoadNETAssembly.ps1.

To execute it, perform the following.

Click the PowerShell icon that is pinned on the taskbar and execute:

powershell -ep bypass


cd C:\Users\admin\Desktop\ClrGuard\Testing\scripts
.\LoadNETAssembly.ps1

You should see the below.


Inside ClrGuard you should see something similar to the below.

Notice that there is no "whitelisted" string in the last entry.

Note that execute-assembly variations are included in multiple attack frameworks; the detection method covered here is not specific to Cobalt Strike.
