Sep 21, 2017

Hijacking .NET to Defend PowerShell

arXiv:1709.07508v1 (11 citations)
AI Analysis

This paper addresses the problem of monitoring and preventing PowerShell attacks, aimed at system administrators and security professionals. Its defensive approach is novel but incremental: it adapts techniques attackers already use against .NET.

The paper repurposes stealthy .NET runtime hijacking techniques, which attackers use to subvert PowerShell, as mechanisms for defensive real-time monitoring. Of the approaches evaluated, intermediate language binary modification, JIT hooking, and machine code manipulation give the most effective results.

With the rise of attacks using PowerShell in recent months, there has not been a comprehensive solution for monitoring or prevention. Microsoft recently released the AMSI solution for PowerShell v5; however, this can also be bypassed. This paper focuses on repurposing various stealthy runtime .NET hijacking techniques, originally implemented for PowerShell attacks, for defensive monitoring of PowerShell. It begins with a brief introduction to .NET and PowerShell, followed by a deeper explanation of various attacker techniques, each explained from the perspective of the defender, including assembly modification, class and method injection, compiler profiling, and C-based function hooking. Of the four attacker techniques that are repurposed for defensive real-time monitoring of PowerShell execution, intermediate language binary modification, JIT hooking, and machine code manipulation provide the best results for stealthy run-time interfaces for PowerShell scripting analysis.
