A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


IronPython... omfg - Marcello Salvati Derbycon 2018 (Hacking Illustrated Series InfoSec Tutorial Videos)

IronPython... omfg
Marcello Salvati
Derbycon 2018

Over the course of the last few years, PowerShell has been the number one way of conducting essentially any type of offensive operation on Active Directory networks and Windows endpoints. It allows offensive personnel to execute implants completely in memory, stealthily conduct situational awareness, and dynamically leverage the underlying power of .NET. Due to recent protections put in place by Microsoft, PowerShell is becoming increasingly less viable to use offensively. These protections are "baked in" to the latest versions of the Windows operating systems and allow AV/EDR/Logging solutions to gain an overwhelming amount of insight into PowerShell execution, and even, in some cases, completely shut down any type of malicious PowerShell tooling/tradecraft. It’s been a good run, and PowerShell has served us well. However, the future is upon us, and it's our job to adapt; we have to go deeper! With that in mind, what if I told you that everything PowerShell does can also be done with Python--without dropping anything to disk and bypassing every protection that Microsoft has put in place for PowerShell? Welcome to the wonderful world of IronPython, where rainbows and unicorns *still* gallivant as if it were 2009! In this talk, we will be looking at my approach to solving the tradecraft problem of gaining complete, unrestricted, and dynamic access to the .NET runtime without going through PowerShell in any way. I'm going to be walking through the entire process of how I discovered this possibility existed, starting from "not knowing what I'm doing" and going to a "somewhat understanding of what I'm doing". The talk will cover the progression from creating an initial weaponization PoC all the way up to building an Implant/C2 framework around it and all the success/failures/roadblocks I encountered along the way. Finally, at the end of the talk, I will be releasing the implant/C2 framework which I named SILENTTRINITY to the infosec community.

Marcello Salvati (@byt3bl33d3r) is a security consultant at BlackHills Infosec by day and by night a tool developer who discovered a novel technique to turn tea, sushi and dank memes into somewhat functioning code. He's also really good at writing bios. I know, at this point you're probably asking yourself: " Wait, how good of a bio writer is this guy? I need a quantifiable metric in order to come to a conclusion! The suspense is killing me!". Well John Strand hired him so that he could continue to write them. Yeah... that's how good. Checkmate Atheists! *dab* *mic drop*


Back to Derbycon 2018 video list

Printable version of this article

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast