
excellent so yeah this is next-gen AV versus my shitty code and in true form a deaf fashion I stole all of this code from getup and various blog posts like I say my code it's amalgamation of other people's code so Who am I my name's James I'm a pen tester with a comma new pen testing red teaming not sort of stuff I'm also a Berk of erinc net developer so I did that for about 10 years before moving into info suck so what's coming up we're gonna run through an explanation and theory of this sort of a be bypass technique I've got a load of demos a few bad memes and then I've got the tool release on github to send you
all the way with so you can all have a play with this stuff later on so it's probably helps if I run a demo first so you can sort of see what's gonna happen later on in the talk so if any of you saw the lightning talk version there's a steel comp this is what the video is from that but this is silence mom's going to there's a reason it's 32-bit which I'll cover later on so from the video so the window on the right is an RDP session into a Windows 10 machine running silence this is silence in full block mode with PowerShell allowed it's fully patched Windows 10 Windows Defender is on if you can see what's
going on the tool I'm running in the command window is my stage for this product so I'm pressing in a crypto key and a URL to a payload server which will be covered shortly the terminal sessions behind the RDP is just terminal in my host machine that's the sex you can see there is the sort of old version of the payload gen and then this is chopping the shellcode into memory so we've got the multi handler running there when the on the command and we get a bit of a session open so that's the tip for stop with session 32-bit silence the window on the side it says inspecting because this was a fresh install we still do the
background scanning but the active protection is running so yeah but pull the hostname out to see you can see there's no trickery going on there but it is Cylons being Microsoft 32-bit so that's what we're looking at here so what just happened the stage which I've won I'm calling update service dog exe just a little bit of OPSEC right I've fetched an Aes encrypted payload it built it in memory using muslin then executed it using reflection a payload contain meterpreter shell code which was injected into memory the stage checked it wasn't in a sandbox before it did any of this so if you're in a sandbox you can just exit out the process and do nothing
if that's difficult to understand I drew you a nice pink diagram so yeah you can probably tell I'm not any sort of artist this is the best I could do here so the payload server on the attacker machine these can be two boxes in all the demos there one box but you can paint loads from any way you want and you can send shells anywhere you want so the victim machine over on the right it fetches the payload over the network after it's checked it's not in some box it says decode on here it does decode it also decrypt so this isn't me mixing terms of it's a base64 encoded AES and so it does that it
builds a payload it executes it using Rozlyn it then does the reflective loading shellcodes injected into memory then you have the sort of normal MSF stagings of the back and forth between the the shellcode and Metasploit and then you get shells sent off to the attacker machine so the real basics of this it's written in c-sharp mostly because it's what I know but you also get the benefits of the flexion and stuff like that which if people don't know reflection is a way of launching something in memory in dotnet the payloads are fetched over the network they go over HTTP there's no reason why you can't use HTTP for this I've just not bothered to set it up for us
they Ras encrypted so it's a one-time key which we'll see in the payload generation stuff shortly so even if you grab this off the wire without the keys on the victim machine it's basically useless the stage has to touch disk this is a completely benign payload it has nothing in there which should trigger any sort of baby product if you ever get signatures you can just change the code got garbage in there anything you want to change the signature binary all that does is the fetch build and execute that all the malicious stuff happens in what's fetches over the network the cool thing with s whilst the stage has to touch disk the payload does not so you can
serve literally anything that is valid c-sharp and having built-in memory and executed so once you've dropped this stage on there I'm going to show you this in one of the later videos you can keep using this tool to do new things so you can spin up a metalloid session which gives you shell access you can then use this tools a load of a c-sharp code into memory so you first mean for the day using c-sharp debility sharp like this is the inception meme people don't know so this is where the name of the tool come from so this is how we build c-sharp in memory and I'm going to stand here and wave the laser pointer
around so off the screen where you can't see there's a bit of code that fetches the payload and does the AES decrypt I'm not going to show the coves or a yes decryption it's pretty standard stuff you're sending the IV along with the encrypted string and all the rest of it if you google how you do a yes to work with Python and C sharp you'll find the same blog post I stole this chunk of code on so the code variable at the top here this is the plain text code so first of all we Chapman are in some box which I'll cover shortly then we fetch the payload we decrypt it if any of
those steps fail we just exit and return nothing so we grab this code variable we pass it into the C shop syntax tree this is the Gosling way of sort of building code in memory we need a random file name so when you build stuff you have to give it an assembly name so we can just get a random name it doesn't matter what that's called and then this is the references block so in the version I'm releasing there is another couple of lines in here so if you want to bring in using statements in your payload which aren't part of the standard dotnet like also reference libraries you can reference them here if you don't do this
your payload won't build you have to reference them through muslins to be able to say okay so I'm building this with this using statement C you reference it here I don't have the line in the slides that tells you how to do this but it's in the code so you can go and just chop in whatever libraries you need to bring in down here is where we do the completion so we use this stock create and we possibly sembly name the syntax tree the reference is and a couple of options basically just saying spit out my dynamic link library because that's what we're going to use it reflection and then we emit the result of the build into a memory
stream so for those of you that don't know a memory stream is basically a byte array in memory in c-sharp it's slightly more complicated than that that's all you really need to know to understand this so once we've built this again slightly off the screen there's a if statement that says if the bill failed return do nothing just drop everything out the memory caveat as you were in this else statement this is where we do the reflective loading so we grab the name we say person where we move to the beginning and a memory stream just as I'll make sure we're building from the start of the app otherwise things go terribly wrong so this bit here
inception program is the namespace on the class that we're trying to build so I'm going to show you the template for this shortly but this first bit on the run method these are the only bits that have to match when you build your own payloads so the namespaces inception the class is called program and your entry point into your payload is called run that's just a public static method any other codes you want can be put in there but it will call run and your class has to implement this namespace this is just a reflection way of loading stuff in memory so it's pretty standard c-sharp and binding flags invoke method and if we fail we basically do nothing this
console white is in there for when I was building this and trying to do debugging this should probably be taken out before it's sort of used in the wild but there you go it doesn't actually do anything so that's it some box detection this happens right at the start so I'm using the check please scripts these were released I think a couple years ago steel comm the github link is there any almost to have a look at those because I'm running this basically for debugging testing I'm only doing su checks at the moment so minimum number of USB drives install browsers nobody has ever used Windows 10 with just edged like nobody does that so check with our install the
way if you're doing that you're probably safe in this tool at the minute so William view there are other checks you can do so you can check you on a domain joined machine you can the domain name that you'll join - so if you're in a red team gig and your domain in scope is Acme comm you can make sure there's only execute on a technique on dooming that's you know that's quite cool it's really easy to add new ones in you literally grab the code from the github copy and paste the check should want stick them in my code and just make sure they call it's really simple to add new chucks in there's about 15 or 20 of
these I think so loads of stuff you can play with so the payloads this is where it gets reasonably interesting so this essentially execute arbitrary c-sharp code in memory without touching disk so anything you can do in c-sharp and C sharps kind of flavor of the month or the minute my team guys like you can use this tool to work that into memory and bypass anything so at the minute I'm releasing along with this shell code loader for 32 and 64-bit shell code again completely stolen code this is not my code modified version sharp dump so I've got a slide on this in a minute but this is a set of tools where we spice
backdrops it basically does a memory dump of alsace and then you can extract trance using memory capsule offline which is kind of cool but there are no real limitations on this one I did this a steel core I said there may be some issues of bringing in references to sort of use extra stuff in using statements that's been sold by a few Google searches so this is ghost park where sharp dump comes from if you guys don't know about this check out the length it's an awesome set of tools so it's basically a c-sharp port of Thomas point a mini dump but I've sort of modified it slightly to work with this this tool and
I will show you the way I've modified that later on if we have time it's not interesting to be fair okay so the payload builder this is a Python it's completely menu driven I have to make a choice between command-line switch is on menus and I'm still not sure I made the right choice when you start getting into shell code versions and template files the command-line switches are just getting a little bit unmanageable we have a nice sort of GUI menu that wants you fur to make selections and data in and it spits out stuff here so this currently supports meterpreter HTTP shellcode only it is trivial to modify this to use any of the other
outputs a phantom literally all it does is call out on the shelter myself Bentham if some values you pass in it gives you she'll go back and you tidy it up to work in c-sharp it does find in a place essentially so your templates for shellcode have a tag in them so angle bracket shell co-angler bucket and it does find that template take the shell go stick it in there and then pass it on to be built and encrypted we also support custom payloads so these are arbitrary c-sharp whatever you want it will just encrypt it and make it ready to be ruled by this tool so the one I'm sort of releasing with this is the port
sort of sharp dump there's other stuff that I want to pour into this but if you can vice it in c-sharp you can load it this way so this is just a quick video showing you the the payload builder in action I've recorded all my demos we've got a lot like demos are just a recipe for disaster so yeah you got a video that I know is going to work so this is building shell code you've got to have asked your inner exploit kit so that it prompts you to pick an options a shell code custom help you pick shell code it punch you if you want 32-bit 64-bit then it will ask you for some variables for msfn ml host help
or the template file these are just text files that you do find and play stuff on and then it calls out on the shelter missus venom does the build and encrypt and it spits out the crypto key up here this becomes part of the URL that you pass into the into the stage each off on disk and then the sort of generic one for custom templates it doesn't know find in a place it doesn't know building shell code or anything like it literally just encrypts it and gives you a key sticks it in a format where you can use it later on so yeah this is that in slightly more words so shell Co palos it is using the
Tirpitz shell code there's no reason why you can't put your own shell code in these I don't currently support that it would be a very trivial effort to add a new menu to allow you to do that or you can just make the custom payload with the shell code in there really easy so if you want to pop calc on all your compromised machines you can do that it then writes the shell code into a payload template just using basic finder the place is encrypt a randomly generated key and then it writes to files so in your home directory when you set this up it creates a dot inception folder within there is a Palos directory and a
payloads war directory payloads contains the AES encrypted payload this is used later on by the payload server payloads wall is there so if you want to do any debugging all the stuff that comes out of this you can access the template that it generated before it encrypted it for you we use the crypto key as part of the UML so in the silence video I was passing in the key in the URL separately you no longer need to do that it's the URL slash that okay custom payloads is a little bit more straightforward so we just do a yes encrypt on the template that you give it it writes the encrypted payload only there's no reason so we
write the war payload in this case because there's no modification and again we use the key for the the URL and the payload server so if you want to build your own templates this is how you do it so this is just a really simple sort of empty class that you can fill any of your own data so this is the bit I was saying is important namespace inception class program public site voivod so when you launch this on the code is built and executed on the on the compromised machine this is the method that will get called you can put any other methods in there you want as long as it's policy sharp and it bells you
can mystic as many classes in there as you need to this is the entry point so call them from there and then everything else was just sort of magically happen for you so we also have a payload server this handles the download requests from the stage in the sort of previous version of this talk it was just running on Python simple server I've no built upon the flask app which allows you to do some other stuff so at the minute you can tell this tool the maximum number of times a payload can be read it's defaulting to wall at the minute and again there's not an option to set that the code is all where to do it it's just
a case of building a new menu and it supports redirects if the payload is fetched more than 10 times so let's say you're whenever Red Team engagement the client has a pretty good blue team and you're worried they might be able to sort of fetch your UAS encrypted payload if they're monitoring command line they have the URL and they have the crypto key and they can pull the page off the wire again maybe putting the request so they have everything they need to be equipped up and find out what you rub on there come from my system unless you just send them to something else so you can send them to a legitimate looking update or you can
send them a completely benign file or you can issue them a redirect to something else which I have a video with this coming up so this is a flask app it's got a sink wall like DB back-end so the payload builder just drops crypto keys and links to files on disk into sequel Lite with a number of counts that are allowed this reads that database and says hop this has this been accessed more than ten times no okay send the encrypted file yes send a redirect so if the sound works apologies with a slightly potato quality on the sound I don't I don't have a way of recording screens so this is the first request and
then the second request and you can probably guess where this is going there we go sorry I had a chance to bicker all you all and I went for it so you can send these beaten like you can send this to wherever you like then you can be directed to a different server or a YouTube video whatever this that the minute is hard-coded in the server as a URL but it's a trivial effort to sort of make that customizable so for theory that is essentially it so I'm going to start running through the demos I've got four or five different AV products with various videos so again I have recorded all these demos because the four were
doing live demos and this room terrifies me beyond belief so the first one is Symantec endpoint 14 and this is their marketing blurb it says it is the world's most advanced single agent endpoint security with prevention detection and response deception and adaptation it's a lot of words so that's that source this yeah see what happens when we run this so again same sort of setup Windows 10 RDP did so on the right this is the new way of learning the tool just one command you'll notice it says no check in there I've disabled some box checks just to sort of run this in be am because plugging in flash drives and installing stuff is a bit of a pain so
we can run yeah straight away you've got Michelle back this is sixty four-bit now full 64-bit fully establishment service session yeah it it saw nothing it did nothing it has some fancy words but just don't go so the next one saw force intercept X I should probably say that all these products they get more and more next-gen as we go they all claim to be next-gen except ISA ISA have a blog post where they say we don't believe in next-gen we've been doing this a long time we do the same stuff right so this is software since a subtext there strapline being seeing the future is the future of cybersecurity so you can probably guess what's going to
happen at this one by now right but so this again for perhaps Windows 10 defend there is our latest definitions and all the rest of it in in so forth from the same thing and again it's a session it says 25 in here I did a lot of testing when I recorded this video so yeah so yeah for 64-bit meterpreter session so that's that one so this I want to just sort of show you you can do thing to this session it doesn't signature on stuff once you have the session so the window the terminal window on the left is me running maybe counts fire meterpreter so you have meterpreter you can still use all the cool tools that
you can run emitter because he you can do creds or you can load mini cups you can dump hashes there's no how she's in there because i've not turned on the reg key and windows tends to say store then plane tax but it still execute doesn't signature and anything it has so this is interesting with so fast other if you could read this but it warns the fact that i've run an unsigned binary on this host it didn't block me running it but it has sort of logged it that I've executed in unsigned binary so I guess this is not really done a great deal apart from like saying I've done it by the point that done is too late so II
set um yeah I've not got the blurb from the blog if you go and have a google around ye certain next-gen they have a very wordy blog post saying we've been in this industry from day one and we do all this stuff that people are now calling next-gen like you don't really we don't believe in it all this kind getting a trial for their business offerings is actually kind of difficult so you only you can only really get trials of the home user offerings but they do basically the same stuff if you look at the tick list of what they offer they all offer the same thing that the home version just doesn't have the sort
of management interface and all that kind of stuff so the demo is going to be revista internet security because of this line here which says it blocks attacks specifically designed to evade empty virus detection yeah so that's a butterball claim but I am pretty much taking this as a challenge yeah like the more I read in the marketing with the boy yeah but yeah there's so this just again does not care that you've just launched shell weight loss over the shell code the reason I chose meterpreter shell code for this is because I kind of wanted these things to signature on it I wanted to give them every chance of flagging this tool so if
you try and run meterpreter just like spam and XE from MSS venom and drop it many of these hosts they flag instantly you can't get it on desk it's instantly detected there's so this is using the XOR yeah whatever the 'flag x author shell code in the message burnham is the 32 bit is using shy e Naga encoding but they're still signature you can still drop these files on disk and they'll get detected straightaway so ESET allows you to run the turbo if you try and drop into shell summative on ESET it has a little bit of a moment about that so this is a fully established 64-bit meterpreter session everyone this is admin so we can get system we can
automate the system using name type in memory drop it the shell and it doesn't work this is unusual but try it again and then it Flags the fact that you've dropped into command shell from the tip so what the [ __ ] so it's a recap what we've done here we've run an unsigned binary doesn't care we've downloaded some randoms from the internet doesn't care bill executes it launched no like bad shellcode in memory established a fork meterpreter session it doesn't care about any of that you can go on and you can mini carts you can dump ashes you can do all the cool stuff and server that can do but you can't have access to
the system shell because that's gonna stop the bad guys right I have no idea why it Flags on this it seems completely bizarre but there we go so McAfee yeah this is a this is another one I maneuver attacks who advanced consolidated endpoint defense the interesting bit in here in the blurb is this near real-time detection mmm detects a road a threats in near real-time I don't know what the definition of near is but I can you can probably guess what's going to happen so this is an old video by run this a steel calm so this is when you install silence it actually kills VirtualBox because it does DLL injection and VirtualBox doesn't like that so this was before I
install silence on this winter machine so this is running it it's the latest updates older version of the tool but still the same technique this is just rather than sending a shell from a p.m. so at like from RDP into those machine this is just sending it into a virtual machine it does the same thing this one doesn't mind if you go into the shell yes I just it most of these I'm dumping out the hostname to see if the sort of see there's no trick are we going on but if you can't read it trust me there is no trickery in these videos so that is McAfee and then we come to the good one so all the other products
here sort of home user business user offerings and they all claim to be next-gen but they're all they're all long established companies alright they've kind of moved in the next-gen market because that's where things are going with AV central one is a reasonably new company they don't offer anything over the next-gen as far as I can tell they have old claims in there their marketing talk lines asked as everyone else so yeah this claims to diff and every end points against every type of attack as every stage in the threat lifecycle if I were on the video the trial for this you can't get one from someone directly I managed to get one through a
slightly shady looking South African company who sells this on their behalf interestingly I'm fairly sure that company has an XSS or now login page for the management wall speaks for play or any of you to tell you about that uh so when you first install this it didn't fly anything around the tool didn't catch anything this is brilliant like this is gonna be an awesome video well then I started thinking perhaps this is slightly too easy so I don't have an X see from MSS venom dropped it on desktop didn't detect it execute it instant shells didn't detect it so there's something not right about that so I left this running on the VM for a couple of days thinking maybe
needs to sync with the server download some sort of definition files and fill my lap and then up to two days it did actually detect him at this point it was an acci so if you install this and expected Zapotec juice from day one it won't do that i don't know why but it took at least two days of sitting there it did not say nearly a ton I'm like maybe it should have been so this is certainly one same sort of thing I've got a couple of videos for this one because I expect better from the product with this sort of reputation so this is the you can probably tell what's gonna happen by this point in that's alright
no first detected its monitoring ninety eight processors ninety one services we still got a session out of it so yeah we can full 64-bit shell code we can interactive it we can do all that kind of stuff we can drop it the shell it doesn't care about that and like saw force or be sure whichever was yeah so yeah called the host name out for you yeah it is running on this host so what if I told you this gets worse so this is a next-gen product that claims to prevent every kind of attack right so getting a shell on a box we've seen this as silence which I'm gonna cover a little bit in a minute just because they
have a shell of this box doesn't mean I can actually do anything useful with it apothem user as a pivot point if you're sort of blocking other stuff so this is the video of the full sort of end to end of this tool so where we're going to start off getting it up meterpreter session as we have done in all the others so you generate it using the nice little menu structure here the template path is the path to the text file you want to replace shellcode with call out and generate that for you apologies this is at the two minute long video because I don't know how to speed these up when you record them well yeah
do the same thing with the URL so this is if you can read that this is how you call this tool you just let you get a URL session come in okay so now we've got a an established meterpreter session what we probably want to do at this point is start trying to dump creds from this host there's like let's let's assume missus dominga host that would like domain admins logged in on or something like that we can run this tool again from our shell session launch of a c-sharp code so this is where you're going to see the port of sharp dump so go back in the payload server tailor builder and just build the sharp dump
payload so this is a custom payload it's yeah it doesn't do a great deal of often encrypting it so we need the crypto key then we can just move on this directly at a sports session
we get to watch me type in real-time which isn't sure you all want it's a sitting see ah there we go so this now is gonna go it's made the request to go and crop the payload it's gonna start dumping memory from L sauce this takes a little bit of time to run this system isn't it's a brand new VM basically that there's only one user on there there's not a whole lot going on the interesting thing with this is it does kind of hang the shell a little bit I've got no idea why it's in a new process it shouldn't have any sort of impact on the whole session but like when you when you and di are in a minute
it sort of lags a little bit while it waits for it to finish dumping memory which is this so what this is doing in the background is doing a memory dump of Alsace and then it's turning it into a gzip file renaming it with a dot peen extension and you can exfiltrate that to your local system you can look mini caps on that memory dump as long as it's the same version in architecture with Windows 10 you can just run mini cavity against him in a memory dump rather than doing it sort of on the compromised machine it's finished so if we run da I saw in the first one is me testing this so the debug state64 the ah-64 is the
process ID of alsace in this instance so the second one is the one that we've just run so we can go and download that file this is me failing remembering where I am in the filesystem so what I'm not going to show you is actually dumping the credentials as once you've got the the memory dump it's it's reasonably straightforward to just won't let me cut so it doesn't really have much value to this but so we can go and download this memory dump so to summarize what's just happened we've run unsigned binary we've shellcode we've established as possession we've dropped into shell we've done this on so inviting me again we've been lost a process that is
dumping the LSASS process memory. So LSASS is a privileged process, right, you have to be SYSTEM to read this memory, so we've moved up to SYSTEM, we start dumping memory, it's succeeded, it's created a whopping big file on your disk, and then we've downloaded a whopping big file. SentinelOne doesn't care about any of these actions. "Absolutely prevents every type of threat", I mean, you can draw your own conclusions from that, but it's not prevented this one.

So, Cylance. So when I did this at SteelCon I'd only actually built the 32-bit version of the shellcode launcher. That works perfectly well, we saw the video at the start, you can get a shell with [unclear] it on Cylance, it doesn't care that you're doing all this stuff. But it's not quite as simple as that. So when I built the 64-bit version of this tool, Cylance straight away blocks everything, instantly. So it turns out it actually flags on marking memory as executable. So when you run 32-bit shellcode it's slightly different to running 64-bit: to run 64-bit you allocate memory and you mark it as executable, and marking it as executable causes Cylance to flag that process and kill it. It doesn't kill the exe that you've uploaded, because this happens in a separate process, but it does kill that process, so you can't get a 64-bit shell via shellcode. It also flags on LSASS reads, so you can still run the SharpDump directly, you don't need a shell to do that, and it will start running and it will generate an output file, but the content is absolute garbage because Cylance stops it from reading LSASS. All this 64-bit stuff that is nice to do, Cylance will flag on all of it as far as I can tell, but it completely ignores 32-bit; like, 32-bit just doesn't exist to Cylance. So it does prevent you getting a nice Meterpreter session and it prevents you dumping credentials and all the rest of it, but I can still use that host as a pivot point, I can still have shells on that box, and you can kill Cylance if you have shell access to the box. Why it's not part of this talk, but there are techniques to kill Cylance once you have sort of SYSTEM access on that box. In the 32-bit shell you can elevate to SYSTEM using in-memory whatever else you want to do; Cylance doesn't care. So if you try and run this in 64-bit it's not going to work, but if you happen to have a way of killing Cylance then you can still get shells: you can kill Cylance, you can migrate into a 64-bit process for a full 64-bit session, and you're still winning. So that is it for the demos.

Further work on this: I've done a lot of the stuff that I was talking about at SteelCon. The next thing I want to do is add POST-back support to that payload server. So at the minute it's GET only; we could allow it to receive files or some commands. That opens up a whole new world of payloads that we can do, so dumping a file on disk, for example, we could just exfiltrate that straight back to C2, just push it. So, far more templates. I've said a few times sky is the limit with this: if you can write it in C#, you can run it using this tool and it will bypass AV. So Cylance is flagging on shellcode execution, but you can build a bit of shell in C#, there's no reason why you can't do that. Test it on more AV engines: the ones I've tested on are the ones I found that have the biggest sort of market name, that claim to be next-gen, or justify why they're not next-gen. Carbon Black, CrowdStrike, those sorts of things, trying to get trials for those is basically impossible. I've sent a couple of requests off and been ignored, or had a sales guy asking me how many, like, hosts I want to install this on and trying to sell me a, like, 500-user licence. I'm not buying a licence to test one tool for five minutes. And porting this to other languages: so I said at SteelCon this would be awesome to do in Java. Java can do the same sort of thing of building itself in memory, so one of our guys did this, the Java implementation. Ritchie, who's our sort of head of all things Scotland, he presented this at a DEF CON in Glasgow. If you want to play with it, it doesn't do shellcode, but it does all the sort of building Java in memory. So that's his GitHub; it's an awesome tool.

So how do we protect against this? Well, this is a post-exploitation tool, right, so avoid the initial compromise,
probably easier said than done. So what I'm not releasing here is, like, 0-days in AV; it doesn't target AV in any way, it's just a way of bypassing it. There will always be AV bypasses, this is not a new thing, it's not going to be the last of them. So don't rely on AV. Like, AV's brilliant for stopping stuff like CryptoLocker or, like, known malware samples, but there will always be, like, patient zero: you always have to have somebody who's got wrecked by something before there are signatures for it. So do your defence in depth, alerting on stuff. Everything I've shown you, if you have decent alerting you should have at least detected that host being compromised: like suspicious network traffic, unsigned binaries being run, huge files being exfiltrated across the network. Alert on all of it and send the blue team guy out to figure out what the hell's going on there, that server was smoking, out of it. So yeah, there's no real way... So I've not disclosed this to any of the AV vendors, by the way. It's not an exploit for AV; if I told one I'd have to tell them all, and there's nothing really there that needs to be disclosed. This is just a technique that, whilst some, like, they should be flagging on suspicious actions. Like Cylance for example, in 64-bit it does quite a good job, it prevents you doing things that, like, attackers will do; the others don't. So yeah, this isn't gonna get fixed by AV, you're gonna have to put the defence in depth stuff in place.

So, the moment you've all been waiting for, I'm sure: the tool is live on GitHub, it has been there for a couple of weeks, it's stable, it's been used in the wild on some of our engagements, so it's, yeah, field-tested. The slides will be stuck on GitHub later on this week, probably tomorrow when I get home; I'll drop some of the videos on there as well if you want to watch them again. You've got the 32-bit shellcode launcher, 64-bit shellcode launcher, the port of SharpDump; the readme has got the template in to build your own payloads, enough info to get you going with it, it's all there. You need a couple of dependencies just to make the font colours nice and stuff like that in the payload builder, but that's it, you can go away and start using this now if you want to. That's it. If you've got any questions shout them out or come find me on our stand outside, grab me on Twitter, yeah, shout at my feed on it.

Give it up for James, thank you.
Has anyone got any questions? If you do I've got the mic. If not... yep.

Yeah, just a quick question: have you ever actually checked or verified that the compilation happens purely in memory? Yeah, so like, in the ones I've used, like CodeDOM for example, there's certain, like, compiler parameters that you set, like GenerateInMemory equals true, but they actually lie. So they usually drop the C# source code to the temp directory, then call out to csc, load the DLL, then import the DLL into memory.

So I've not monitored every action that's going on with this, so that's how, like, the other, like, C# ones work? Like in .NET, yeah, I know the sort of .NET way, so there's a few different ways of building .NET, right: you've got MSBuild and the other one that Visual Studio uses; those definitely touch disk. OK, well, I'll take a look; it's one thing I've not looked at, but I guess it kind of doesn't matter at this point.

[inaudible audience follow-up, mentioning a link to a blog]

Yeah, I was under the impression it didn't; I've not seen any evidence that it does, but if you're saying, like, it's calling out to something I didn't know about, then... well, do. Awesome, so I'm gonna change the slides and say it may touch disk. Excellent.

Anyone got any more questions? If not, we've got the tweet king of the Internet, Chris Boyd, in here next; there's a coffee break at 11 o'clock, so yep, see you guys in a bit. Thanks a lot.