The Invisibility Cloak: Obfuscate C# Tools to Evade Signature Based Detection | Brett Hawkins

Video description: The Invisibility Cloak: Obfuscate C# Tools to Evade Signature Based Detection | Brett Hawkins

Attend Wild West Hackin' Fest (WWHF) in Deadwood, In-Person and Virtual!
https://wildwesthackinfest.com/deadwood/

Attackers and offensive security professionals have been migrating from PowerShell to C# for post-exploitation toolkits, due to advances in security product configurations and features. One such improvement is AMSI for .NET, which allows the scanning of .NET assemblies in memory. Currently, the majority of detections for these C# tools rely on static signatures rather than on the behaviors of the tools themselves. This talk will review various static indicators within C# toolkits that can be used for detection, and how those static signatures can be bypassed through manual modifications and through automated modification using X-Force Red’s proof-of-concept C# obfuscation tool InvisibilityCloak. Additionally, defensive considerations will be discussed.

Brett has been in Information Security for several years, working for multiple Fortune 500 companies across different industries. He has focused on both offensive and defensive disciplines, and is currently on the Adversary Simulation team at X-Force Red. He holds several industry-recognized certifications, and has spoken at several conferences including DerbyCon, Hackers Teaching Hackers, and BSides Cleveland. Brett is also a member of the open-source community, as he has contributed to or authored various public tools, such as SharPersist, DueDLLigence and InvisibilityCloak. Brett’s extensive knowledge and experience in a breadth of different Information Security areas give him a unique and well-rounded perspective.
