Hijacking .NET to Defend PowerShell
Abstract
With the rise of attacks using PowerShell in recent months, there has not been a comprehensive solution for monitoring or prevention. Microsoft recently released the AMSI solution for PowerShell v5; however, this can also be bypassed. This paper focuses on repurposing various stealthy runtime .NET hijacking techniques, originally implemented for PowerShell attacks, for defensive monitoring of PowerShell. It begins with a brief introduction to .NET and PowerShell, followed by a deeper explanation of various attacker techniques from the perspective of the defender, including assembly modification, class and method injection, compiler profiling, and C-based function hooking. Of the four attacker techniques that are repurposed for defensive real-time monitoring of PowerShell execution, intermediate language binary modification, JIT hooking, and machine code manipulation provide the best results for stealthy run-time interfaces for PowerShell scripting analysis. Keywords: PowerShell; .NET; Blue Team
Similar sources
Route Reliability Ranking Algorithm for Prefix Hijacking Attacks in Border Gateway Protocol
Prefix-hijacking attack offers malicious parties to gain access to untraceable IP addresses in Internet. Border gateway protocol (BGP) is the dominant inter domain routing protocol used in Internet. In this paper, to defend against Prefix Hijacking Attack on border gateway protocol (BGP), we propose to design a route reliability ranking (RRR) algorithm. The algorithm is used to authenticate the ...
A Scheme for Securing Traffic Transport among Autonomous Systems
By using existing mechanisms, especially for SBGP, IP prefix hijacking and AS-PATH tampering can be prevented despite some unsatisfied inherent factors. However, except IP prefix hijacking and AS-PATH tampering, there are some other traffic attraction attacks, which are currently not considered and prevented in existing mechanisms. Attracting more by announcing long paths, which is typical one ...
VMware vCloud® Director™ Infrastructure Resiliency Case Study: Automation with Microsoft Windows PowerShell and VMware vSphere® PowerCLI™
Intervention of Phytohormone Pathways by Pathogen Effectors
The constant struggle between plants and microbes has driven the evolution of multiple defense strategies in the host as well as offense strategies in the pathogen. To defend themselves from pathogen attack, plants often rely on elaborate signaling networks regulated by phytohormones. In turn, pathogens have adopted innovative strategies to manipulate phytohormone-regulated defenses. Tactics fre...
Assessing the Attack Surface Reduction in Executables for an Advanced Code Reuse Attack
Nowadays control-flow hijacking attacks represent the highest software-based security threat [16]. For this reason we want to develop a tool that can assess the attack surface reduction (Q: Which useful code parts for an attack are still available after a hardening policy was applied to an executable?) w.r.t. the attack dubbed Counterfeit Object-Oriented Programming (COOP) [8]. This attack is ...
Journal: CoRR
Volume: abs/1709.07508
Publication date: 2017