IronNetInjector: Weaponizing.NET Dynamic Language Runtime Engines

As adversaries evolve their Tactics, Techniques, and Procedures (TTPs) to stay ahead of defenders, Microsoft’s.NET Framework emerges as a common component found in the tradecraft many contemporary Advanced Persistent Threats (APTs), whether through PowerShell or C#. Because of.NET’s ease use availability on every recent Windows system, it is at forefront modern TTPs primary means exploitation. This paper considers the.NET Dynamic Language Runtime (DLR) an attack vector, how APTs have utilized for offensive purposes. The technique under scrutiny Bring Your Own Interpreter (BYOI), which ability developers embed dynamic languages into.NET using engine. focus this analysis adversarial case APT Turla BYOI evasion technique, IronPython.NET Injector named IronNetInjector. research analyzes IronNetInjector was used reflectively load.NET assemblies. It also evaluates role Antimalware Scan Interface (AMSI) defending Windows. Due AMSI being core malware mitigation, further memory patching bypass by demonstrating novel method IronPython Platform Invoke (P/Invoke).