 Hi, Northsack. My name is Dimitri Sneshkov and I work at X4 Shred at IBM. I do security work and this talk is something that we came up with for the past probably half a year is that we are gonna try to retool with .NET payloads on-site at the customer So the problem of a red team operator once you get on the host is that You have a first mover disadvantage, right? What does that mean? That means that you have to move first to be able to discover what the system is, how it operates Essentially, you need to do your recon first and You may be stopped by a lot of different things, right? It's your CMD instrumentation, your sandbox execution You may have monitoring agents on a quiet system And so Some companies also do white listing of binaries that you can run more so In a blacklist fashion where you basically say okay PowerShell.exe cannot run But more importantly Defense fingerprints your tools that you bring in on the host and so let's see how we can actually start solving this issue Being on the host how we can become less more detect less detectable and more agile in our Tooling right that we bring in and so before we go into retooling strategic disadvantage for the red team or on the host is That well we talked about you have to move first, right? You're in offense. You have to move first you need to collect the information and You may burn your presence. Your presence may get discovered right away So the way offensive operators move is a little bit more predictable, right? specific thing that you need to collect from the From the host to be able to continue Persistence on that host so a lot of unknowns The problem with bringing already existing tools on the host is just that right this detection And so how do we make sure we can retool what we have in the field right on the live host? so there was this idea that We may start doing building blocks of things right on the box instead of bringing static tools in and Maybe we can even start building tools that build tools that will be our Will be part of our offensive arsenal and also one of the other things that we need to keep in mind While we're doing it is utilization we have to operate within the realm of what's available on that host And it may not necessarily be what you want to be on the host So retooling in the field has advantages, right? You create custom stuff create custom code you You blend into the environment, but you also have disadvantages You have deaf time on the live host while being watched Many times and it's a live system, right? So you do not know how the system responds your operational security also has to be a Priority so in reality you've got bugs you have defensive mechanisms that watch over you and live offensive dev Right on the host is is fairly hard So if we agree with the premise that we actually need to do live retooling on the host, what do we need for this? Let's define some goals strategic goals of the recon. Let's say right the first First path in before we go further You need to stay under the radar for longer time survivability You need to better deliver your code or payloads to the existing ecosystem without changing it And you need to be able to retool for the unknown, right? You may not know what kind of defenses you have So from the tactical traits what does left to live tooling really mean? So you have to support the transfer of the payloads you have to support building of those payloads on site While you're evading operating system and sometimes network defenses So essentially stop being a kitchen and they I mean the elephant in the kitchen and you know breaking all the rules While you're doing your recon Once we agree to that we start building this right what are the properties that we need to accomplish our goals That we set out to to accomplish so from the technical standpoint You want to avoid logs right on the operating system facilities You may need to get to a reasonable interface with legacy or unmanaged layer right of Of the operating system You may have a different decent interrupt with with OS and API's that exist on that machine And obviously you always need to keep your operational security for your tools So there's this concept of slim payload delivery, right? So you've got a slim Cradle that doesn't pose it doesn't pose any threat to the operating system. It's not detectable. It doesn't carry payloads It doesn't have a malicious Feature it doesn't serve malicious goals So it is benign from the scanning perspective, right? But it can dynamically load other payloads that bring you bring in and you can actually be able you should be able to load assemblies if we're talking about that net and The concept of treating code as data that you bring in into the environment and then you start operating on The more important things we're gonna see down down in presentation would be You know, so we're gonna do compilation obviously and we but we also want to decouple the compilation from the actual Execution, right? So the cycle may confuse defense a little bit more So what are the current options that we have? Well, normally we default to PowerShell, right? It's available. It's installed It's it's used very heavily from both defensive and offensive perspectives We've got WMI and we also have a comma and Unmanaged code, right? You can code towards direct API on the Windows machine You also have direct managed code, which is dot net. Everybody loves and knows about right so Both all of these options have pros and cons So you're talking about availability of the compilers on the target system use of is of use and logging for example for PowerShell through automation API and Then if you want to drop into interop and actually talk to the operating system at the low level Then you have those interfaces and calm that you need to make sure that you actually cover so and it also You know comes down to how well you can actually develop an alive environment there Okay, so out of all these options I'm very interested in dot net right to manage code. What we can do with it so The issue of executing code through dot net is not new there are tons of tools Static tools that exist that should be able to do any kind of invocation of operating system commands to PowerShell from dot net But our goal here is how do we use dot net into? Retooling of our arsenal right on the box without having static tools in So the advantage of the dot net for using this is you obviously have breadth of interfaces to the operating system You know wealth of very well developed You know features that target anything from network communication to host communication you can reach deep into operating system with processing vocation or platform invoke and You have utilization properties to dot net meaning it is available on at least latest Windows machines it's fairly flexible and To solve our problem initially is that it's not logged at the API level at least for now Right if PowerShell is logged and that net is not logged right now But it does have disadvantages and those disadvantages are something that we have to deal with Well, first of all, it's a slower dev time, right? You have to go through the cycle of writing compiling writing writing compiling writing It's very little prototyping and that net inherent to the box, right? We're taking it as a carte blanche There is there's nothing installed on the on the Windows machine except for dot net and maybe a compiler And it is compilation, right? It is identifiable by digital forensics as well Okay, so we know that we can target advantages all the advantages are playing towards our favor But our decent veggies just have to be also recognized. So let's address them So let's let's start to start let's start to gradually design and build this sort of You know prototype the manage execution toolkit Behind those big words what that really means is that using dot net to be able to execute your code Execute your data that you bring in from the outside or or write directly on the on the box and so And so we begin with a module of the typhoon Which which is a name for managed execution kit proof of concept here is seesaw See saw meaning really just focusing on C sharp implementation of that so when we start thinking about this Compilation and running Cycle that you reins and repeat, right? We have a source code. We've got a compiler You've got the executable and then you go with it From the offensive perspective, what is dot net in a nutshell, right? You've got the apis You've got the common language runtime, which is the framework of dot net and you've got compilers That isn't here into to windows installation But you also have some distant relatives of that, right? You've got code Object model and you've got some other things that we're gonna talk about so we want to focus on things that build things for us so code dom is Essentially solving the issue of dynamic compilation and creation of code generation of code generation of code from code, right? You see this from esp.net xml a bunch of UI code wizards in the visual studio and It's a solve a problem, right? You you want to create your code from the code that you have and you essentially compile something that you know something from you you take a maybe a string of code, right and you turn it into an object and So you made the code right emission of the code is the goal here and The good thing about this code dom is that you can do dynamic compilation no longer You need to invoke cse that the xc for example, right because it may be blacklisted or maybe Logged somehow from the command shell so you can actually do it right in the in the cradle that slim cradle you can dynamically compile it So the first order of operation to solve our issues is a rappel, right? Some things that we're missing in that net. Let's do a little rappel so we can constantly, you know proof our code prototype our code you can use VB javascript or jscript rather or C sharp in code dom so we're gonna concentrate on C sharp So we want quick gains because if we want to see what this machine is about we need to go into the cycle really fast And we want to execute interactive commands maybe on it, right? So we're gonna take the code We're gonna compile it into some form of a digestible You know format and then we're gonna try to execute this so from the evasion perspective red teams gain You move away from cse that exe or ms build into the dynamic compilation right at the code level So what's needed? It's not really hard to compile it But you need to make sure you take care of certain things first of all you need to load your You need to understand how we want to compile it in a safe manner, right? Do you want to compile it in memory? Do you want to compile and drop the Executable on a disk where are your temp files are going to be stored? And what are the compiler parameters that you're gonna pass to the compiler to accomplish your goal specifically for Apple, right? and so Many things can go wrong here, and let's dive in and unpack what can't go wrong. How how we can actually do this so There there are certain things that can be evaded while you're compiling in code dom right the detection so for example if Blue team is detecting DLL drops on the file system Then you can just replace DLLs with TMP is because that net has a property of not requiring you to compile to a DLL name Right, they will happily take the TMP name. So that's your evasion point right there so What is the goal for our seesaw right beyond rappel is the dynamic combination of C sharp code is the Dynamic loading of assemblies into memory and removing those disk artifacts that we may potentially have here right if we decide to dump a temp file somewhere and then Possibly forcing dot-net to compile and run in separate the direction right for Even further confusion of the defense because of the if the sandbox looks at the compilation and invocation in one Stage then you may get to the point where they can actually trace it better and then You know other things that we we want to achieve from the operation security perspective and Features that we want them here. So let's go through this one by one So rappel is still on our list right so let's how do we do this? So we know we can generate code for code dom right We want to have some form of a contract without with our code that executes in the loop right for example We want to compile it We want to get results from it and we want to dispose the object that you've just run so you don't leak memory or Whatever the case may be here So for code dom it's just a string right so you you put a snippet directives like for example using system into one Object or part of the code then you have some form of an instrumentation from your cradle code To run the code through dynamic compile and then you dispose that right? So we marry code dom to the compilation also Evasion points here that you generate half of the code from the tool and the other code The other half of the code comes from the operator somebody who wants to to run the code in the rappel once you Compile you can reflectively load your name space for example It's called dynamic compile right and then you use activator reflection to create an instance of your code That you've just compiled through rappel then you get results and then you dispose so essentially this is how our rappel is going to work and so at the rappel at the you know Whatever interpreter shell that you have you specify a directive that goes into Preamble right and then you have the code and then you start compiling and you get the result because you've you've invoked that the contract So in this contrived example, we just get the number of you know What languages and compilers are available on the system, but your mileage may vary you can start querying the system through that net So CS rappel has a code cradle like we saw it uses code dom right and it has rudimentary reusable component Because of the contract, but it's also sequential. It's also there. There's no abstraction You can run functions off of it. You can create name spaces. You can't do any sort of You know object manipulation Beyond your direct branch so you can't reuse the code and so it's it's quick and dirty It works, but we can do better to the right side there is a There is a script that you can actually paste into the You know rappel right here, right? And so if you brought a script and you can just paste those things in and it will compile in and give you a result But so it's a crude way of doing the rappel and scripting together So we can do better as we said All right, let's fix the issue that we had with with the rappel of Reusability and just expansion. Let's create CSX extensions CSX is just a name. It's a C sharp extensions That's how I named it, right? So we create a better contract So we say a pre-la pre-launch run code and pause launch pretty simple, right? But it's also it also maintains that evasion Vector right so you can actually do you can split your code if somebody is looking in your memory for for a payload code Be it a shell code or whatever the case may be Then they don't see it in one buffer They see it and something that is split between the tool and you the operator So we want to create full branching and classes and we want to be want to do compilation As we did before and we can write extensions that can actually execute real code This is the example of the contract where we create a names namespace Let's say it's a file that you want to invoke a code, right a text file That you somehow introducing to typhoon And it has to follow some rules, right? It has to have a specific namespace It has to have a specific before after hook and it has to have some form of execution You know your logic and whatever the case may be So from the operator perspective They will see an executable which is a slim cradle that doesn't have much That is going to load just a code file, right clipboard manager.cs which is code file. It's not executable. It's not Assembly so it's Pretty much safer, right? It's we're talking about code as data you bring in code inside and you start compiling or write the code inside and start compiling So we know that csc or codom creates temporary files or can create temporary files So after this invocation of compilation You will have a temp file in your current directory, which is bad for your artifacts, right for hiding from Inciner response will address that problem later, but here's the example of What you would do to compile it in one iteration to a DLL and then you would execute that DLL by loading that DLL into the memory of the cradle and then you would call that namespace and the object to execute your Logic there, right? So we're decoupling compilation and execution goals in in two So talking about DFR again, right? So some things are good some things are not so we're not invoking csc.dxc which is good But it is still indirectly invoked right if you look at the sysmon or a process monitor You will see that exactly the same facilities are Are engaged just not directly from the command line Also, the other things that we need to we need to make sure we take care of is the temp files, right? They can be transient or permanent Permanent right so compilation in memory in .NET is a misnomer. It never compiles in memory It just compiles to a temporary space on disk, right and so Something from the forensic perspective You know people are aware and we should be aware of offer as offensive operators of that as well So we're gonna deal with this issues, you know Different iteration and we also want to make sure that we can actually Load and unload assemblies that we compile and create Dynamically for example if you brought in some code you've compiled it you load it up The assembly is locked right until the end of the iteration or execution of the of the code So you can't really in classic .NET you cannot remove that DLL from the disk and sometimes you want to do this because You want to stay in memory even if you drop the DLL temporarily for just a sub second, right? You want to be able to remove it Okay, so as we talked about the generation in memory is not really in memory It still drops it into a temp file. The question is where it drops it, right? It either drops it into a local temp Or it drops it into a local directory depending on how you compile. So selection of Parameters to your CSE and code DOM are very important This is the the example of process monitor that is looking at code DOM compilation and invocation. It's littered with Artifacts it's littered with temp files. It's littered with DLLs. They're Dropped on the box. We want to fix this So the the next goal for a seesaw is to remove artifacts right in order for for us to do this We need to understand limitations of the .NET. First of all, you can't load bytecode you can't load a stream of bytes or stream of You know generated assembly into the memory and execute it in a classic .NET without further instrumentation and so The way to do this is to say, okay, you know, I would like to remove a DLL from the disk, but I'm not able to do so because I'm locked Right, so we have to fix this issue right here and the way to do this is to bring in the concept of application domains Right you load your DLL. You load your artifact You load your executable payload into a completely different application domain from your cradle you do your job Then you remove it right and then you offload the application domain because now your cradle runs in one application domain And your payload runs in another you're able to break that Coupling right and deal with the artifacts Okay, so we fix this issue the other issue that we face as an operator on the box is .NET does not have everything right sometimes you need to run into things and invoke operating system facilities through the Windows API and Here's the interrupt right interrupt is a technique a set of APIs for .NET To be able to drop down to the operating system level to Windows API to come to come plus to C++ and to active X and So if CLR is managed code where we've been living for a very long time while we're creating this This prototype right Manage code and interrupt to the man unmanaged code and interrupt to the unmanaged code is outside of CLR The there is a specific namespace system that runtime that interrupt services that takes care of this and There's wealth of information on the internet. Here's the link where you can get more info but essentially and I have to say that that also carries evasion Mechanisms right because now you're Leaving .NET which might potentially get instrument at some point and you're actually dropping into operating system Level and so what happens is while you may still be flagged on a payload your analysis You know Mechanism or workflow is decoupled right you're you're going from .NET to completely unmanaged code Which breaks a lot of workflows and defense? so interrupt Essentially works on the DLL import attribute right to to your function you instrument it in such a way that says Okay, that's an external code somewhere over there after we compile will be able to manage it at the runtime and So for example in this case We will find a window and we will send them we set the windows title right and we're gonna involve a user 32 the DLL which is hopefully available everywhere and Drive our code from the from there. So that's that's a platform invoke right That's a shim and then we can start a process and we can say you know from our cradle We can say okay. Well, you know, I want to find window which will be found in user 32 that DLL And I want to set the window I sent a window title on it Again the shim and the evoking code is in different assemblies or can be in different assemblies and that place to our tours are in the evasion mechanism Now but we can do even better right we can do dynamic interrupt. What does dynamic interrupt mean? in .NET 4.0, I believe they introduced a concept of dynamic Object meaning that the object is type is not known at the compilation time. It's given it's given a marker that will be resolved Or a tag that will be resolved at the runtime and so you can Reflectively start loading any DLL that you have on the system Directly not knowing what type of the function you're going to be invoking what what returns it has or whatever the case may be You use some reflection and emit APIs like define type create type and get method Which is really helpful right and very powerful in our case So the example of that in our repl will be to load our system and then Load our namespace for dynamic load, which we already know how to do with code DOM and then we just say okay Well, let's load any win API right in this case is user 32 and let's call any function from that DLL or assembly For example in this case it's message box right and it's all dynamic So in this case you move away from knowing what you're going to do at the compile time to knowing what you're going to do at The runtime so you got yourself a scriptable net.net API bridge, which is really powerful for our purposes Okay So by now we pretty much took care of the seesaw goals Right. We are able to dynamically compile the C-sharp code in rappel. We can do this without you know Logging for the most part if we can Assume that typhoon that they see is can be lodged whatever right? We can load on a load as assemblies Intermemory we can take care of the artifacts on the system. We can remove DLLs once you load them and we can do interrupt with With code outside of the clr okay, but It's still net it's still compilable right so can we do something better? Can we do more flexible solution? Can we gain more script ability out of it? Can we even forgo app domains all together because they're hard to work with and can we actually? avoid compilation right and so Again, let's start building this Managed execution to look at them and further right so we we let's look at a component called delirium right so We want to bring in dynamic DLR into the mix and start working with this so what is DLR right in dot-net you've got CLR Common language runtime, but you also have a dynamic language runtime a dynamic language runtime It's a set of services to create dynamic languages in dot-net or using dot-net facilities and so The advantage of that is that you move away from statically type languages like C sharp right where you have to know the The type of the variable or whatever the case may be or object right or know the library that you're gonna invoke Into something that is completely dynamic right dynamic languages. We know it's JavaScript PHP Python and so It's gonna gain us a Lot of advantages Well from the developer perspective DLR is used for porting dynamic languages to dot-net So for example, if you want to have Ruby dot-net or if you want to have Python dot-net It's all achievable now with DLR right and so just like a Java virtual machine has you know Parrot or Jython or whatever the case may be the same thing happens in dot-net Ecosystems so you can actually work in your preferred language of choice just using dot-net facilities And so it says on top of the a CLR It's a it's a feature or you know part of the framework and then you start building your languages on top of it Essentially for us This is the game right we move from this completely Focused and managed Workflow of knowing your type to something that you're used to do in any dynamic language You just have an option object or a variable and just set some property on the variable directly without knowing what type it is So to get to delirium you have to use Three assemblies right you have to use Microsoft script in namespace you have to use Microsoft dynamic namespace and then you have to use a And namespace and in the library of the language that has already been created and ported to dot net dot net for example Iron Python right or Ruby in this case. We're gonna be talking just about iron Python, but you know the rules Stay either way right and so Pretty powerful thing because we can move away from strong type to dynamic and We can actually do more code reflection to us code reflection means evasion So in C in C sharp your static types Let's just give you an example Very common scenario where you need to get something from while you're in the box You need to get something from the internet from your point of presence like a payload or whatever this the case may be And so in this example, you're getting a content of google.com in C sharp right power shells Power shell is a little bit more dynamic and so it can create an object of that net And then it's not going to be strongly typed. It's gonna be dynamic and you can get exactly the same thing in you know With less pain no compilation and good things, but partial is locked. So python itself is It's good for offense because it has a lot of facilities that have been used over the years right has a lot of libraries And so we can accomplish exactly the same thing with python, but not having the C python executable on the box at all right so in the in the regular C python You use a library like url lip to you fetch the content and then off you go in DLR You're doing exactly what power shell does you're invoking or you're you're leveraging dot net Namespace to bring in an object and then you call a property or a method on that object to do something with it Right all that lives in the iron python that DLL So what really just happened here from a strategic standpoint? Once you run this code, right and let's say you have set up your iron python Environment through the cradles that we're gonna see how we're gonna do this we do compilation watch on the On the process monitor in its empty, right? No, csc.exe no artifacts no temporary files and no App domains right this fairly clean while we're still executing what we want to execute. It's pretty powerful stuff So all right we proved that So what do we want to do with this? Well, we want to solve exactly the same thing We want to solve with seesaw. We want to have the full average of DLR DLR to compensate for partial deficiencies while managing the dot net advantages we want to compile python to exe's or DLLs if you want to through the dynamical Language runtime without artifacts. We want to actually use The features of that net that were hidden through the regular C sharp invocation is to actually load DLLs and assemblies through the byte stream read network stream or maybe a Pipe right or a socket whatever the case may be and we want to maintain the interrupt to the native interface through through DLR Okay, so here comes delirium. It is specifically iron python. It does work with dynamic types it mixes and matches styles of programming for python and dot net so you can actually Have we'll see examples of that, but you can actually confuse the defense even more and you can actually Reflect code from one language to another for example You can invoke C sharp compilation from python or python invocation from C sharp So iron python lives in CLR namespace nothing more nothing less you import CLR into your delirium and Rappel right and and you're done with iron python comes a lot of a Lot of libraries are a lot of support actually inherent there right you've got socket even though you have a dot net the counter a counterparty for the second you also have a An overlay from a python perspective. You've got math libraries. You you have zip libraries you've got a lot of good stuff, but Please remember that you do not have standard library. You do not have all the other goodies like url lib That resides in that small little iron python that DLL you could potentially load it from a disk somewhere and here's another evasion point for example in order for you to load a Standard library for iron python. It just needs to find the file. It doesn't have to be dot DLL or dot zip It can be dot Dock X right so you can have you can bring in a Corrupted dock X into the environment and load it up as a standard library and and off you go So here's the example of how you would actually Load standard library if you want to you can do without it right because you have that net So DLR is nothing more than just a dot net technique. It's a heavily Reflected heavily dynamic loaded Introspective way of dealing with a dot net API You just add add reference to the let's say Windows forms and then you call that form right or for example If you want to import a message box from the form and then you invoke them You know a method in the message box or whatever the case may be plus on top of it You have the flexibility of the python and you can just go off to create a very powerful and fast code and so Other things that you can do with delirium for now is that if you have a python code remember We talk about code as data. We bring in data. It's plain text, right? Nobody knows what we're bringing. It's not executable It's not detectable And then you can actually compile python into DLL if you want to unload it by other tools So again, you break that the chain of analysis from compilation to invocation across highly reflective pipeline So you're you're compiling a module test that PY and to test that DLL, right? And then you then you invoke that and so you can give you can go in even further. Why not just create a delirium? Executable that will call dynamic python files. So for example, you have an extension We saw the extension that we we can create in C sharp But we can also create extensions in python now because it's still that net it can still go against that contract that we created the pre-launch execute post launch and then we can specify what executable we want what what platform we want and Whether it's a DLL or an executable things to keep in mind is that Compilation is not the runtime as far as dependencies are concerned. So if you can compile things Because everything is dynamic the compiler doesn't know or doesn't care what you compile It says okay. Well, they just throw it to the runtime, right? We're gonna compile give you a fully valid executable But then at the runtime you're gonna have to figure out a way to meet those dependencies and so Separation of things you can compile it on one machine bring it over and then supplement the runtime with Dynamic link libraries like iron python and Microsoft dynamic scripting. So when the defense looks at Payload DLL that was created or pilot a payload exes that is created that is devoid of iron python devoid of Microsoft dynamic DLL It doesn't have Microsoft scripting DLL. It's safe. It's only when they to meet Right the magic happens again, let's Let's do even easier Rappel, right? You don't have to compile anything. You can just start working with CLR namespace Pretty pretty easy, right? You just load it up and then Then you execute it into into Rappel Here's another example that you can actually do even go in further and instead of using the dot net You can use C types for types of things that you want to call on you know interop emulation but For that you do need the standard library But you can still call kernel 32 get Windows directory or whatever the case may be so this bridge Scripting bridge that you've just created gets even more powerful, right? Because now you can actually dump it dump into you can dump dependency on Platform invoke and you can work with C types if you want to So strategically what just happened, right? We're all of the all this time We're bringing code as payload to execute in an empty cradle, right? We do not bring Compiled code we do not bring executables. We bring code in plain text format and then we start running from it, you know Through through either compilation in the case of seesaw or delirium doesn't even have compilation, right? You just kind of run it so on the point of Delivery of code How do you get iron python that DLL into your system? Well Or for that matter, how do you get? Maybe there is a way to have an intermediate language Construct that you can bring in for example if you don't want to bring Code to compile you can split the DLL into two parts, right? call modules for example and the way modules work at that net is that it's The module the module is a DLL, but it doesn't have a manifest So when the defense looks at it, they look at a binary blob that is not executable that is not It's nothing it's just binary blob, but when you combine that with manifest that's when you get to the assembly So on that topic typhoon itself it brings in iron python that DLL in as an embedded resource in itself, right? So we basically hook assembly resolution when we're saying okay We'll load me up a python right runtime and then that that hook goes and resolves it to the embedded assembly inside of the Typhoon right it just says okay. Well, let's load it from the resource. So that's that's really good You don't need to go out and grab it from anywhere. It comes with the tool itself There are other evasion mechanisms that you can start thinking about like for example That net module that we talked about and we're gonna see an example of that you can also hide both assemblies and net modules into the Downloaded directory for assemblies that you fetch from code itself. It's kind of convoluted, but the way it kind of works is this Essentially every every executable can have executable dot exe dot config file and then you can specify dependencies where to fetch Additional DLLs from right and so you can hide iron python that DLL if you cannot bring it as an internal resource To fetch at the fetch it at the runtime So for net modules, this is the example of what a Microsoft intermediate language looks When you're compiling that modules, right? It's it's it's just a just an assembly without manifest and so This brings us to to a point of well, can we even compile dynamic net module from from C sharp in C sharp into Into an assembly through the DLR Yes, right we can say okay. Well, let's stage code into a string like for example, it's going to be a interruption in C sharp right you see the DLL import for a bunch of libraries on the operating system and Then what we're going to do we're going to generate library through python We're going to stuff it into a variable all in memory We're going to create a list of those libraries that we've generated and then we're going to be We're going to be reflectively loading them in memory again Compiling them together to create a third dynamic assembly right and then calling An API or or function within this created dynamic assembly to you know for the gain Pretty much so essentially you're looking at bits and pieces building blocks That you're bringing in into typhoon right and you're compiling them into memory to to invoke something that will gain you More visibility or run your code your payloads or queries Okay, so Things about hiding things into memory like for example You could potentially Bring in a zip file through the code right you can unwrap it into the memory you can Stuff it into a memory map file, which doesn't have counterpart on the disk and then invoke payload from that memory map file directly right that also You know speaks to the evasion and it it's really really hard to detect unless every memory map file is Inspected or just the fact that you're creating a memory map file is locked or detected and and stopped And so we can even do Create we can invoke iron python From iron python over that net assembly with variables right you can dynamically create You know the constructs like bring string and then you say okay Well that string is going to be hello war a world and then you can create a python engine Then you can have a script that you create from that String that you've just you know passed to it and then you can reflectively execute python code Morse more stealth and you know there are some examples here if you want to do a compilation and memory here You can load the file you can It just kind of shows you that you can actually go really deep in reflection and the more reflection you have the less chances of that workflow for Folks on the defense side who do not know what to look for they will just not be able to put two into together To be able to detect that right or at least part of it Okay, so We've done recon right you can do Wmi query and everything that net can do Can you do exploitation through that? Okay, so shellcode is a shellcode right is it can be a Binary blob or it can be a text blob and that payload follows exactly the same strategy right code is data you bring shellcode in in plain text form and Introduce that into the cradle that either compiles it and then runs it or just runs it directly through a reflection right you can create You know compilation with unsafe keyword, which means you're introduced you're You're lowering the guard for dot net to say I'm gonna check for Memory leaks or whatever the case may be and you say no I know what I'm doing I'm you know just give me direct access to the memory right so that's what that nut does and then you essentially say okay Well, again, you can say memory map file You can stuff your shellcode in the memory map file reach out to the memory map file and Map a pointer to the location of the memory map file where your shellcode is and Off you go right. I mean there are issues with virtual a lock and and some things may not work but in concept you Should be able to do that Okay, so from from the seesaw style you can create a C sharp style You know shellcode which may be dynamic as you're bringing stuff in right and that's how you would pair it up with let's say Metasploit where you would create a You know a listener to to a specific C sharp shellcode connection and then you create the thread and then you Do this right pretty standard But for delirium standpoint you can do it in Python too like the the buffer that contains the shellcode Maybe just like any battery buffer you're doing in regular C. Python, right? You just stuck in a buffer and then you have a socket and you can send to it, right? It's socket comes with iron python.dll. You do not need to have centered library while you're still using the dot net and not having a Single python executable that is a true windows executable on the system And then if you're missing something you can always drop to PowerShell, right? You can always start a process you can start a process with encoded commands and you know essentially the the path is known How to operate? PowerShell here So for development Python is is relatively easy, right? If you abstract from the fact that you're still working with dot net and you still work with the namespaces namespaces and some of them may not necessarily be exactly the same as in the regular Python, but Your lists are the same your innumerables are the same your lambdas even are the same so you can write pretty You know reflective code here and pretty concise code to accomplish your goals and everything again starts with Importing CLR and then importing your namespaces just like in the regular C sharp or VB script So delirium typhoons goals are met, right? We're able to leverage DLR to avoid PowerShell together while gaining script ability while defeating much of the artifacts that C sharp generates on the box or CSC.exe generates on the box and We can mix and match right we can drop to dot net from Python or we can use Python purely for our goals you know socket connections versus you know System.net whatever right and then we can do fully reflection reflected code and We can if not remediate Then at least force analysis into that stage where they need to work a lot harder to figure out The ins and outs of our code here So typhoon manage execution toolkit has two parts for now right is the seesaw that is able to Do the Rappel do the dynamic? Deletion of artifacts to do compilation of the DLL loading the DLL directly without executables in memory and calling You know functions in that DLL and you also have a delirium part, right which? Forgoes compilation altogether, but Brings in our in Python DLL and then works on a DLR to be able to execute Code directly without compilation and then compile code to exceeds DLL's load them up exactly as seesaw did and Also speed up the development maybe two to four times right right live on the host so essentially This brings us to the point where Our goal of live retooling can be actually realized and can be achieved right and so you do have a Disadvantage a first mover disadvantage because you need to be able to go and query the system but you can do this in the safer a little bit safer manner by using the .net facilities and by correctly invoking compilation correctly watching over your artifacts or bringing in your dependencies as in Python DLR and then that makes you Makes your operational security is an offensive operator much stronger And that makes you think what you're actually doing on the box and how that affects your your pet there So the code is is out there. It's it's released. It is really alpha, right? I mean, it's it's working, but it's definitely not at the point where it's you know, super uber Performance or whatnot right and and essentially If I can actually drop to I don't think I can To this guy so I can drop to my VM. I don't know but yeah, the code is there the the examples are there If you guys want to download play with it or contribute to it Obviously, you know, I'm very much open to that and if you have any questions, let me know Thank you