 Hi, thank you for joining me today for Tradecraft Development in Adversary Simulations. My name is Faito Yezalju, also thanks Adversary Village and DEF CON for hosting me today. Today we will talk about Tradecraft Development and we will have different chapters that we will introduce how Tradecraft works as well as how the other implementations can be used. After that we will talk about how we can develop our own implementations. Chapter 1b will introduce the development environment to you and chapter 2 will help you to build your own C2 as well as implant. Chapter 3 will enrich your implant using Windows APIs and some other functionalities and chapter 4 will actually improve your implant for the vision perspective. So you can make your implant invisible as much as you like. Today the objective is developing an implant from basic to advanced skills. This is up to you how you can enrich them. My name is Faito Yezalju, I am Managing Security Consultant in the Missing Lake, Australia. Actually I love Adversary Simulations and Security Research, therefore I had several different tools developed for these purposes. I have also presented those tools and my research in Black Hat USA, Europe, DEF CON and other security conferences. I currently also study Master of Cyber Security in University of New Sanct Wales. So you will use some of those tools today as well. Let's talk about those tools. I have developed TA505 Plus Adversary Simulation Pack. That is a full simulation pack that comes with some repurpose tools, new tools as well as some additional evasions and bypasses. It has 4 plus hours of video to prepare each stage for you as well as an implementation guide. And in the end there is also a large report that explains how this tool and environment will work for you and it can be actually useful for you to build your own exercise. I also developed Patek C2 one and a half years ago and the reason behind it was I needed to automate some of the red team actions. Probably it is also the same for you. So you need your own C2, you need your own implant and you need to make things automated for the blue team exercises for this work. In addition I have also Tessat Malware Generator. I assume that some of the attendees and participants here are actually coming from the blue team. Sometimes even data analytics. That's why sometimes you need friendly tools to generate this type of traffic and Tessat Malware Generator is a response for this one. But it can be also used for your own tradecraft development because it comes with a laser UI, web interface and different types of protocols and services so you can enrich them and make them actually working with your implant and maybe it will be useful for you. It's up to you. Finally I have also weaponizing C-sharp training that is also available in Github repo stories. So you can just clone it and you can start working on it to understand how C-sharp can be weaponized for the purple team as well as red team exercises. I am not a developer. I developed those tools for fun as well as for simulations. So if you want to start exercises today you need to actually clone a Github repo story. That is the address of the Github repo story so you can use Gith clone to get this repo story, compile the tools and work on them. It comes with code examples also the presentation itself. In addition it has a C2 capabilities for example there is a text file there. There is actually a C-sharp file executable so you can actually use these functionalities while building your C2 implant and you can use them as a kind of instruction list. So feel free to participate where when necessary or you feel comfortable. I will talk about trace and simulations firstly. We have different levels, different colors of the adverse simulations. Red team is the most interesting one because we actually start with zero information. We need no collaboration and we try to infiltrate the organization just like a trade actor. In the purple team exercises we actually collaborate. In this case the color changes. The meaning is actually the blue team joins us. Blue team can be actually trade intelligence or security operations center or some actually interesting instant response teams or some other reverse engineering teams as well. And offensive teams will be also a red team or penetration testing or maybe more than that. There's also automated tools that can be used for breach and attack simulations and they are useful to actually ring some bells on the environments to understand that your coverage is correct or your network is in scope or your endpoints are in scope. So different types of colors actually come with different abilities so it's up to you how to colorize them based on your purposes. This is an example trade intelligence actually information extracted from Microsoft trade intelligence reports. It is about nobellion and how they operated their actually campaign. During this campaign they compromise SolarWinds and they compromise some of the vendors and after that some government organizations. So you can extract this type of information from the trade intelligence reports. This is a basic example so you can visit this link in Microsoft trade intelligence reports story and you can start working on it. This is important because we actually while we are building the adverse simulations we use this type of information. So if you look at them in a different way you can also reuse them. For example this one is a simple attack and C2 communication type of salary gate and you can see that it can target the organization if organization is in the target list it can start at second stage and then third stage and fourth and fifth whatever necessary. But it actually works on different C2 types. Sometimes it is DNS, sometimes it is web, sometimes social media. In this nobellion case it started with the DNS and then it also loaded a cobalt rack as well. So we can see this information in the trade intelligence report so we can actually customize our simulation based on this information. When we read it carefully we can also see that there can be some additional campaigns as well. This one is another example from nobellion but this time they have sent an email and after this email they started actually a JavaScript file and HTML smuggling feature. They actually downloaded an ISO and this ISO is mounted and then the code executed. Actually ISO has been actually decoded so simply it writes the ISO to disk. So it's up to you how you can implement this. You can use the JavaScript to download ISO or you can just encode base64, encode this ISO file and just decode this on the fly and you can make it an html file or html file or whatever you are comfortable with. So simply you need to make it working but the intelligence report already gives you some information for example the ISO content or how this lnk file link file works. So you can see the commands and parameters there. Moreover the script content and some additional information can be also used to develop this type of trade craft. Finally you are not alone there are other specialists actually working on this type of stuff. For example creating a kind of simulation like that and it needs some steps. First of all working on a JavaScript making it to be able to decode base64 file and start actually building an ISO file and encode this for base64 and then embed this to the JavaScript to make it running. The thing is it is slightly easier if you work on just one single exercise but if you try to automate this there will be some difficulties because of the compatibility requirements. For example Jorge Orchiles has provided actually example for this exercise on atomic rate team so feel free to visit this and it can be useful. Also Mehmet Argeny is actually a blue teamer so he also developed some of the content the adversity simulation initial payload part so it can be also useful for you. Finally Edim Chester also worked on some C sharp DL export types and how it can be exported. It can be useful because we developed our trade craft today using the C sharp and .NET environment but they are actually not unmanaged DLs so they have no exports. So if you want to export the functions and actually the content you use in the .NET assembly you need to actually make your executable supporting them in the export section. So you need to add them one by one to the exports. You can do this manually or you can use some additional tools. That's why this blog will help you to understand how this process works. Another one is actually TA505+, I actually will explain how this adversity simulation environment works for you because this is end-to-end example. The previous ones were only working on the initial payload preparation. The initial payload is there for example starting with an email the email content could be HTML and that HTML file or HTA file itself would have JavaScript that can get the code execution and the JavaScript content will actually put the file on this and we can make it running. Or sometimes we can use AOL beans for this initial payload as well. But after that things get complicated. We need a command and control server. We need some security bypasses. We need a UAC bypass. We need the MC bypass. We need sometimes ransomware examples as well. To do that we need to prepare an advisory simulation pack from beginning to end. TA505+, is a response for this because TA505 was a trade actor actually currently is a trade actor but during those days they were also targeting the Australia financial institutions. So I worked on them and I made it a kind of exercise. But I didn't use exactly what they had in the campaign reports. My assumption was TA505 could improve and upgrade their abilities. This simply says that yes they can upgrade and we don't know. Let's make it known. That's why I started working on Windows 10 up-to-date, Office 2019 up-to-date as well as Windows Defender and MC full up-to-date system. So I decided that what if the system, the target will be like that. How TA505 can improve their systems as well as the campaigns. That's why this advisory simulation pack is coming with a plus. And this advisory simulation pack has a full kill chain. That's why the kill chain has different stages coming with different tools for us to simulate them accurately. As there is no actually reconnaissance phase for this one I prepared trade intelligence information there so the video and the content is based on trade intelligence. But the rest of the phases pretty much like a trade actor. So you only work on the weaponization, you also work on the delivery and when you compromises you actually install the malware there for persistency. You also work on your own C2 and you try to complete some of the objectives that include also ransomware. So ransomware is a kind of known behavior of TA505 that's why I developed a simple tool to simulate those features. Those are the tools I developed or repurposed for the TA505 plus exercise. So it can be useful for you to build. For example, Patek dropper is the initial payload starter. When it believes that the environment is safe for it, it actually downloads the Patek MC bypass to patch MC make it way more clean and to work. And then it downloads the Patek implant and go on and go on. Patek service is the C2 service. And MC patcher is the MC actually bypass utility and it is coming from Daniel Duggan's actually example. But I repurposed it to avoid the actions. And also this dropper, the Patek dropper can start with an Excel file because the TA505 was actively using Excel file. I use Excel anti-donut for it. So there are some tools and there are some new tools in this bucket. So how they work is just like this. The Excel file and Patek dropper, Patek dropper gets the MC bypass tool when everything is clean, it lost the implant and establishes a C2 communications using the web circuits. Through this one, we have a real-time communication. All this patch was undirected those days. Now it is directed. Of course, the tools, techniques and the pack was very public. So there were some signatures generated for it. However, everything is open source. So you can just repurpose those tools to do the same thing. For example, I have repurposed Daniel Duggan's MC patcher MC bypass to make it running again. And there's a video for it. So that will be your starting point. And you can use another way to actually customize this and start using again. When the Excel file starts, we actually establish a ground between the implant and C2. However, we have objectives to work on. And those objectives are not always on the end point. There are some servers in the back, there will be some class services, and we need to connect those services, those systems to actually achieve our objectives. Through this patch, I need to implement some additional features for my implant. That's why Patek C2 comes with implant-inplant linking and some additional features for lateral movement as well. Through this way, I have demonstrated how we can compromise the servers using the lateral movement techniques as well as implant-inplant linking techniques. In addition, I safely executed Meta-operator in memory and actually used Meta-operator for remote exploitation in this case. And Meta-operator was also using Meta-sploit SC2. I haven't used Cobalt for AC2 in this picture, however, it is widely used by TA505. Patek C2, while mentioning like that, is a good C2 for me because I have actually implemented some of the essential features and it helped me to customize them. It avoided directions. It also comes with some abilities as well. Normally, it should be a kind of problem. More specifically, whenever you compromise a system, you try to understand who you are, what you do, and you use Windows commands. Instead, Patek actually accepts the C-sharp commands. So direct C-sharp commands would work. It compiles in memory and runs them. For example, consoleWriteLine, the user name, it writes the user name, and you don't need to use who am I, for example. That's why Patek comes with some additional abilities for me. And today I will talk about Patek and the other features, but in this time I will assist you to develop your own C2 and your own implant. And Patek is coming in MIT license. So simply you can repurpose anything and you can reuse anything. That means they are actually gadgets for you for today. And I actually supplied them in chapter two and three folders, so you can start enriching your implant using those abilities extracted from Patek. And Patek has lots of different gadgets like that that can be used, lateral movement, or implant-to-impact linking, different types of protocols, assembly, name, pipe, TCP, UDP, websockets, they are all there. What you need to do is only merging them, combining them and making yours. Patek supports all of these features as the baseline. For example, DATMT assembly features, or shellcode injection features, or some essential features such as upload, download, or linking another implant. So these type of things are implemented. And as mentioned, this is not a product, this was a proof of concept for me, and it can be a proof of concept as well. In this case, we have also some additional requirements. Sometimes it is a user interface, a graphical user interface. Patek runs on command console, which is not nice. This is why I also developed TASAT malware generator. TASAT helps us to actually simulate some of the malware traffic using the protocols HTTP, HTTP, websocket, TCP, UDP. Those are the current capabilities and the DNS, ICMP, and some additional features will be added soon as well. Actually, I mentioned it here for another reason. Probably you also need graphical user interface for your C2 to make it shinier and look like a kind of real, a good product. In this case, you can repurpose TASAT as well. It is also a MIT license and you can actually use the Blazor UI for the interface and you can still use your DATMT environment. So it comes as another free tool. These are actually real-life deals. We generally try to simulate our exercises on cloud or on-premise servers and points and actually some of the remote locations. That's why we need to support lots of different protocols and communications. If you want to simulate them with no hostile capability, TASAT will work for you. If you are looking for also some additional hostile capabilities such as code execution or command execution or shellcode injection, yes, you need to improve your implant. These are also screenshots of how TASAT works. Now, we talk about some development fundamentals as well. C-sharp is our preferred language for this workshop. We will talk about C-sharp and .NET. But also, .NET comes with different versions. We need to understand these basics first because .NET doesn't have one single version that works everywhere universally. We use C-sharp tools to develop custom abilities for us. This is quite helpful for the adversary simulations because we try to avoid deductions. We actually prefer deductions where they are necessary or where we need them. If they are not needed, we don't need to be detected. That's why our tools must be subtle as much as possible. C-sharp tools actually started developing after PowerShell because PowerShell got secured by Microsoft using a couple of different ways and that's why those restrictions moved all security researchers to C-sharp. However, C-sharp comes with additional problems. For example, different versions on Windows, Linux and Mac. Also .NET framework and .NET Core. There is no universal language. Also, Windows comes with different versions. For example, Windows 7 comes with .NET 3.5 and Windows 10 comes with .NET 4. We need to understand these parts. Moreover, there is a problem with C-sharp and .NET assembly. Just like with PowerShell and what happened to PowerShell, C-sharp also and .NET also gets their own security controls. After 4.8, .NET framework also has MC integration and Windows Defender can identify your malicious behaviors even though they are not running. While you are loading the tools or certain functionalities, they can be detected. So it's not only about static analysis evasion or some dynamic analysis evasion. It's more like someone is on your shoulder and watching what exactly you are doing. So these type of abilities and limitations must be known because we can still leverage those abilities. We can still work with implants. We can still work with tools if we are actually aware of the defender or MC or another EDR watching us. So we can just deal with them. .NET comes with CLR and we need this runtime to actually interpret our binaries, the assemblies. But they are .NET assemblies, not native assemblies. To do that, we need to understand what type of runtime environment we have. If you are running on Windows, you can go to actually see Windows, Microsoft.NET framework and after that, the version folder. Then you can see the versions, whatever they are. They may be .NET 2, .NET 3.5 or .NET 4. Some of the functionalities are missing in .NET 2 or .NET 3.5. That's why your implant must work on all of them actually universally. And another problem there is, it depends on how you compile them. Let's start with some basics before making things complicated. How you can compile these operations as well as C-sharp binaries are quite simple actually. You need mono and you can install mono using apt install mono complete on Linux. Or for Mac, you can just download this or use brute install mono. Mono would help you to compile all these binaries with no hassle. But there is also .NET and .NET is available for Windows, Linux and Mac as well. And you can also download .NET. .NET can build, run and work with Nuggets as well. And mono can do that. Mono can do this only for .NET framework while .NET can do this for .NET Core. That means our implant must be using .NET framework to work on Windows 7 and 10 without any issue. And our server site could be .NET Core, which is a cross-platform. And it comes with additional features, especially .NET 5, which is another type of core, the newer version. .NET 5 comes with additional actually functionalities that could really help us to automate some of the features and implement them easily. That's why we will try to develop our server side using .NET maybe 3.1 or .NET 5 and decline and implement an implementation based on .NET framework. Which is probably between 4 as well as 4.8. Now this is a simple hello. We need to use our namespace, we need to use a class, which is programmed in this case, and then we need to use a functionality here. Actually, this class and the function will turn to a type and method when we compile them on .NET assembly. So it is quite useful and it is quite easy to customize them. For example, the consoleWriteLine is there, and I can use, for example, system.console.writeLine. It is there, but if I have lots of consoleWriteLine lines and instructions, I prefer using system in top. So simply, system will help me to use console directly with no hassle. So it is making things easier for the namespace-wise. This is another example. This is for string operations. String operations of .NET is also quite familiar. If you previously developed some tools using scripting language such as Python, you can see some of the string operations are quite easy to understand. Adding strings to other strings and modifying them, getting indexes, getting them maybe replaced or split. They work well. However, if you are dealing with the .NET framework, not .NET core, you may have limitations. That's why we use, actually, system takes regular expressions. That's why we use regex.split and then the string and what could be split or how we can replace. Because if we use string.replace or string.split, it will not work on .NET framework because of the limitations. It depends on the version, of course, but most of the time it is not implemented. Thus, therefore, while you are developing your implant, please make sure that it works everywhere. This is another example of if condition. If you previously coded on another scripting language, this may help you to understand how this coding works and how the conditioning, the branching works. In this case, I simply used arguments and if there is no argument, the length is zero, it will say that what you want to do. But if there is an argument, it simply says that yes, these are my arguments, these are my parameters too. It may help you to build your implant for the console wise. But if it is not the only way to create branches, switch is also quite useful, especially for the managed generation. If you want to create a menu for your console application, switch will help you to create a kind of decision tree. It is same for the implant as well. Just imagine that the arguments coming are not coming from the arguments. They are coming from the web socket or a web page or a social meta text. So you can see that they are coming there so you can create your own branch. For example, the instruction is right, otherwise read. So you can actually create your own instructions there. Try to keep the switch simple as well as short because you will need also the functions to handle things. For example, the right here is using console right line. But read is using the test function. The test function is important because it gives you another opportunity to continue in that branch. If you will implement everything under the switch and case, this will be a problem for you and the structure will be unmanageable. Instead, all your operations should be standalone functions in the same class or another class. And you can refer them under the case, under this conditioning. If the condition matches such as the text is read, that function will be called. This type of structure would help you to build actually implant capabilities. For example, right, delete, read, run this, run that and maybe exit as well. Loops are pretty similar to the other languages as well. And they can be implemented using for or while or for each. For each is useful for the objects and it can actually get the objects, maybe the items of array or list or dictionary and start working on that. But while and for, they are looking for a condition. For example, increase this integer one by one until the condition arrives. Or while condition is true, do all of these in a loop. This type of loops are useful when we are waiting or processing the objects. If there is a kind of dictionary or a list to process, we can use this type of for each approach or for approach, whatever useful. Another thing is we also have issues. As a starter, we fail and fail is a good way to learn as well. But we need to also catch those failures. And they are called exceptions in the programming and that's why we use try and catch. And this is a simple try and catch example. And it may help us to understand how we can fail or how we can proceed. Now, I also mentioned that you can use MCS or CST to compile, right? But compiling them will make them executable, the PE binary. But there are other ways to run them. I will give you only the PowerShell starters now, but there are several. For example, the PowerShell can load a .NET assembly and can use system reflection assembly to load it and to run it. So it can actually get the types, get the method and invoke it. It can actually focus on entry point as well. So they can be used to actually load the implant from remote. Let's collect everything together. We have an implant that can actually accept some of the parameters. The parameters can be coming from, let's say console or a web page. And we can branch it using switch or if. When the condition arrives, when the instruction arrives, we can create our function and we can work on it. If implant works just like that, we need a starter. That's why we use PowerShell. It can be called as a dropper as well. And what we do is simply downloading the DLL from remote. And for example, using system reflection to run it. Or we can download the source code, the cs file, and we can use add type and required assemblies if there is. And then run it. Revealing your C sharp code will not be great. But if it is just only a dropper just like this. If it is sacrifisable, just sacrifice it and go on. Because it's a trade-off. You need to make it running. Then you can load your actually important code when things are safe. Now, it is exercise time. I will give you some hints to make it your own exercise time. As this is a pre-recorded workshop, I will only give you the hints. But meanwhile you will work on the exercises. So let's work on a couple of things. You need to set up an environment. You can use Mono or .NET. Installing .NET is simple download .NET from Microsoft web page for your operating system and install it. Or you can use APT install Mono complete. And Mono comes with actually MCS and CSC that can be used to compile .NET C sharp code. Compile the sample binary in your chapter 1. You can use Hello as an example as well. But there are also interactive menus. So try to make an interactive menu that can use a sample function for you. Which is also given. And make your implant running on the console first. Compile it using Mono or .NET and run it. I will provide just a kind of starter now. This is a simple starter. So chapter 1 comes with some examples. Condition, console parameters and Hello. The Hello is simple. As I actually previously shown. It is simply writing a text using console write line. You can use MCS to compile this. And slash out will give you the file name. And you can just name it whatever you want to do. It will be your output. And Mono can be used to run this executable. But remember one thing here. Mono is necessary. The executable won't work without a run time. In .NET it is slightly different. You can use .NET to compile things as well. But you need to use .NET new and then console application. And your directory actually the application name. And now I enter the application directory. And it comes with a CS approach file as well as program CS. Program CS is similar again. Hello world. It's the same. But this time .NET needs CS approach that gives .NET the instructions and the capabilities to run. So simply when you hit .NET run. It loads if the reasonable reference is necessary in the CS approach. And then runs it. Now it's your turn to enrich this using the other examples. For example using interactive menu and the case switches. So this is the end of our first chapter. And thank you and stay tuned. We will focus on the chapter 2, chapter 3 and chapter 4. And how we can actually start building our C2 implant. If you have any questions. I will be available on discord channel of advisory village. Thank you for listening this chapter 1. Hi. Welcome to the chapter 2. I hope you completed your exercises and your environment is ready to go. Now we will talk about how to develop an implant and a C2. So we have mitra attack techniques. And they are everywhere in the trade intelligence reports. The offensive tools, defensive tools. What we need to do is focusing on what we can do with them. Therefore we need to understand what ideas and what features to be simulated. And we can add them one by one to our implant. Is integrated or is it standalone binary or standalone feature that can run together. So let's start with how we should design our implant. Our implant may have some various features and they can be used for attack simulation. And those features could be built in or they can work from remote sources. We have some essentials such as upload download functionalities or maybe some certain commands to run. Whatever we need constantly. But there must be also some features capabilities focusing on the third party tools. They could be dotnet applications, power shell scripts, shell codes and some other features as well. We don't know. We will just develop our implant on demand whenever we need some mitra attack techniques. We will add those features using different capabilities. Even you can implement big object file, both process as well. If you want to add both process or both interpretation, you need to add some additional layers. Let's focus on these baselines and how we can develop our implant to support a dotnet assembly, dotnet source code, maybe our shell code and also shell code itself using different types of injections. Moreover, we need also lateral movement. This means we need to also focus on some of the networking facts as well. That's why lateral movement compromise and maybe implant-to-implant linking will be necessary. Our implant will need to get multiple stages and instructions from web. So there are some different types of CTUs. The first CTU type is just discovering things. It's more like non-interactive CTU and it will help you to identify the target, whether the target is in scope or not, such as the solar gate exercise. It may help you to get initial instructions such as register yourself or this is your CTU. And it can be everywhere. For example, the social media and maybe a Twitter tag as well. And nobody would see or identify what would happen until someone actually to be using that tag. Or it can follow up a general tag and it could seek for some certain instruction. And this has been done by two line of way. The other type of CTU is important because we need to now communicate. Not in real time maybe, but we need to push out some data for the implant. So implant would run it and would send some issues or maybe some tasks or maybe loot as well. In this case, it is important to understand what implant can do. But also to understand what we want to do through this protocol. Based on those requirements, we can use HTTP or HTTP WebSocket, DNS or similar protocols. And it is called Tasking and Task Management. Another type of CTU protocol is payload servers. And they are there to deploy additional stages. If you want to deploy your second, third stage malware or some dangerous binaries through your CTU, probably you will burn your CTU. Therefore, we use also payload servers. And the payload server serves some additional stages for the implant such as some DLs, some shellcode, etc. But they need to be also included. In some cases, we see all of them combined. And some advanced, actually, adversaries, we see them distributed to different Docker containers, different servers or maybe already compromised components or companies. Now, if we want to build any plant, we need to start with some gadgets. Something must be there already. And this can be actually a gadget list or pre-used code. MSDN is quite helpful and I use MSDN to build Windows API code or some simple actually instructions. But also there are really good researchers in the world and their repositories are quite impressive. If there are licensing laws and if you show your respect to those authors and researchers, you can use their samples in your implant to work out. And if you have improvements, please share with those researchers to improve their work as well. For this perspective, we generally focus on the gadgets. What we can use? Can we make it a function? Can we implement this in our implant, in our malware? So there are several examples out there in atomic-rate team repositories or individual researcher repositories. Now, registry. It is one common feature we need. Registry is important because we need to add some registry keys or remove some. For different purposes, persistency is one of those. But there are also privilege escalation, comb hijacking, lateral movement techniques. They are there and they involve some register operations. To do that, we need to understand how registry works. That's why registry basis, dictionary in this example, shows you what registry keys could be used in hierarchy and how we can create one or how we can work with that. And whenever we learn how to create, how to delete, how to work on the registry keys or the values, it will help us to build our implant's additional capabilities. So we need to make this a standalone class or an integrated class or maybe a third-party feature whenever necessarily we can load this from remote. But it is used for several different purposes. So we implement this part. Another one is also the process. It is important to understand how the process things work because we need to run some commands. As an implant, we can simply run some commands such as where my calc and etc are not that. And they can be used for, let's say, open-book exercises to generate some indicators of compromise. But if we need to go subtle, we need to use some additional features here, such as changing the startup parameters and working on the process components. But this really helps us to run some commands in this environment. We can make it a single liner or we can make it a bit custom. That helps us to give some parameters and commands as well. One another requirement is the encryption. As our implant will retrieve some data from the victim to our server, it is important to hide this data in the cloud environments and in secure networks. We don't want to reveal the data without any intention. Another problem there is we will need to use encryption to hide our malicious activities. Some of our malicious activities will be in the source code itself, for example, hiding a kind of shell code. Or some of those will be on the network, such as RCT communication. So encryption helps us to harness this layer and make it, let's say, non-readable not easy to decode or not easy to decrypt. The problem there is what encryption type we use. Because if we use symmetrical encryption, our implant will need a key hard-coded or during session we need to push it out. That will reveal the key and that will be actually leading to a full compromise and full decode of the implant. Instead of this, we can always use public key, private key encryption. It is a kind of choice for you and this is easier implementation of the symmetrical encryption. So you can use this with the keys and keys can be generated per session when the client arrives, when the client connects. So this will give you at least an option to keep the key in memory instead of hard-coded in the implant itself. Another one is also we need to retrieve this instruction list or the contact from remote. That's why we use some web client or web sockets or similar features. The problem there is we don't know what we would retrieve. That's why we need to handle this very carefully. We use socket.net features. In this case, socket.net will have web client for us. When we create a web client, it will give us some features such as proxy options such as cache credentials. So we can assume that the user already had credentials before us before we arrive and we can start using it. That means we don't need authentication. That would make things easier. But for this simple implementation, creating a new web client would suffice. And from that moment, you can just assume that just like your interactive menu, you can use web client to get a file from remote and use your own switch case to create a branch or maybe multiple branches it's up to you. In this case, web client may support multiple functions for you, multiple methods. One of those is download data and the second one is download string. We use those too often because download data gets everything in the byte array and download string will give everything in the string format. We use download data because it is less monitored or less understood as it is byte array. So we can get this byte array and we can process it. If you get the assembly as string and try to parse it and also run it, that will not work. Instead, this is a byte data and try to process this and then load this assembly. Of course, loading assembly will require another function for you that we will discuss shortly. If you want to enrich your web client, there is also an advanced feature for it. So we can always use web request instead of web client. Web request will give you multiple options. For example, communicate through the headers only. That is useful for the cloud environments. If you want to deploy your C2 as a serverless application to the cloud services, you will prefer to use some certain headers. For example, AWS Azure or Google headers in your communication to make it, let's say, not easy to understand or not easy to spot. And you can base 64 encode the content or maybe just encrypt the content for this purpose. Another type of requirement here is actually to understand the flow itself. That is why sometimes you need to use also the response and stream because download data and download string will give the data like this. But when you start dealing with the web request, you don't know how to deal with the data because data will be even a stream. So you need to make it a stream, you need to handle the data properly to not lose any content on the way. As I mentioned, you can get a kind of binary from mode, but you need to run it right. That's why you can use system reflection assembly. Just like in the PowerShell, because it is also a .NET feature, available on PowerShell as well as .NET as well as CCHOP. So you can still use system reflection class for this feature and you can use load method to load an assembly from remote or local, whatever you do. But I made this function for an easy access because whenever you give a byte array, it will load this and run with the parameters there. But you can make the parameters also a variable and you can put this in the function there as well, but this is a kind of homework for you. You can easily copy and paste it there and you can look for any parameters or any arguments given to run because you can pass it through. It's up to you. Also, there is another option here. In .NET Core there is Roslin and in .NET Framework we have actually CCHOP code provided for .NET Compile features. That means we can compile CCHOP code or simply .NET source code in memory with providing no artifacts, no files, no executables. Only in memory is a kind of variable or a kind of data for us. Roslin or CCHOP code provider will work for us but it really depends on what .NET version you use and on which platform because it is not good for all platforms and it doesn't work exactly as expected. In this case, the provided example is for .NET Framework so you can use this on Windows .NET Framework environment to compile the given CCHOP in memory and make it an assembly and load this and run it. The lines are explained in the comments anyway so that's a good one. So it is your exercise time. I will give you another hint here but this time hint will be extended because I don't know where you want to go but I have different options for you. The option one is you can download a simple text file and understand that there is a content here let's say C2 instructions given by a server how can I run it? Or you can actually go one step further and say that these are the instructions can I load anything else from remote any modules or something like that and one more. Let's make it for example download a text file discover C2, download stages and start beginning and run interactive in real time in .NET and C2. So the problem there is how we can fit everything in let's say 50 minutes. That's not always possible so I will assist you and show some code segments and gadgets I have put in your chapter 2 folder so let's start with that. Firstly, this is our environment and we see the chapter 2 here. The chapter 2 has multiple examples for us and some of those are highly important and let's start with the simple ones for example the process check is a class and it has a method there it has a function and it is process running so if you want to move this class to your code you can easily access this using process check that is process open and explorer and it will find explorer if there is a process like that so it will help you to understand what process is running another one is web client you will need to download something from remote right? that's your example it accepts some arguments but the arguments must be in an order the console write line help actually shows you the options for example URL, ASM source and file ASM file source so simply you need to create a web client if you want to deal with the remote instructions and the content will be coming from remote and you need to also create some variables for byte data which would be assembly or source code which could be string and you need to parse the instruction if instruction is URL that means you need web client and get this from remote if it matches with ASM you should expect a kind of assembly coming that's why you need to use byte array and download data the exact .NET assembly as I already shown you it is there to parse this if it is .NET source code you can use .NET actually download string for web client but it can be also a kind of byte array download data and you can convert this using encoding as well but that's an option file also shows you another option and reading a file or reading your content, writing your content so you now know that there is a kind of class for you for the file IO options so simply you have these options but you need also those functions in your code in the same name space so in this case compile .NET source the function I have shown you is here to compile and run the C sharp .NET source code of course references will be a kind of trouble so you need to adjust the references and you should make it a kind of array as well it is same for exact .NET assembly so it is up to you how to improve those but it will work for the simplest examples one more thing is important because our normal client will retrieve something and start working on it what if you want real-time communication actually that's our reason for web-circuit implant and this web-circuit implant is quite simple it creates a web-circuit client this time and it tries to connect a certain service given and if the web-circuit is open it receives the instruction it processes the instruction and after that it actually sends the data as a result that's actually a kind of pipe that means the server side needs a kind of menu to give this data implant needs to run this and send this back so we need a kind of communication like this the instruction process on the implant is the function we actually use it is the interactive menu you were looking for so you can put actually everything there and the instruction process will help you to do that the question is where can you find a kind of web-circuit server that is there actually in the same folder web-circuit C2 folder has program CS as well as the web-circuit service for you that means you can create a new web-circuit actually a kind of menu for the user and wait for the client arrive if any client arrives and you can start actually waiting for the input from the user whenever it arrives just pass this to the client the web-circuit service class is there for the general use but you need to customize this for SSI certificates and some other features as well so it is up to you so from this moment you have options and you can use that so let's compile them and see how would they work first things first RMCS which is the mono C-sharp compiler will help us to compile the web-collide in this case and now web-collide will be the web-collide is designed and it actually gives us some options for example running some additional features running some additional components in this case I'm showing you the C2 commands I have put in the repository so there is a kind of executable there.net binary so let's use web-collide to exit it simply says that URL ASM and after that the exact URI for the assembly so let's use that for example mono web-collide URL ASM and then that is the exact link of the executable I'm talking about the rolling by the way please don't get confused there when we get this it will load the assembly and it will run the output is coming from the assembly so we have something to start right so we can build something top of this it's up to us another one is also important because we have some multiple options as mentioned if you want to go to interactive patch web socket is a really good one to implement this and let's start using this example let's start working on the web socket implant the web socket implant as I actually demonstrated the code itself it is quite easy to understand if you understand the classes are coming from the .NET not you developed simply it will connect to the server but it will require a parameter this time it is using WS as the URI start what HTTP will work as well because that is how web socket class of .NET works we need to run the server in this time and the same folder has web socket C2 when you enter it and when you use .NET run it will actually start the web socket serves this means you can start listening to the port is hard coded you can change this as well port is localhost 50001 it's up to you and now we are looking for this part which is quite easy same URI and giving this as a parameter and of course use mono not like me and now we are connected to the C2 server the thing is C2 server will need to give commands and the implant needs to run them the commands are not implemented on the server side so the server says that yes there is a client arrived so I can give these commands on the client side we can also debug all these features so it is easy to understand this communication and echo a number it will be given by the client and run who am I it is coming from the client as well it is real time communication and whenever you hit exit the server as well as the client they will just stop working you can change the words and it can be good as well it's up to you so this is how it works this is how it works for different source types what you need to do is now enriching the switch cases and using branching your favor and you need some classes there and you need some code segments and they are in the chapter 2 folder so you can work on it and you can enrich it ok I will be on the discord of advisory village now so if you have any questions we can start working on it and how we can go further is in that folder as well as on discord thank you for your time and thank you for listening to the chapter 2 of this exercise and workshop hi I hope you enjoyed your chapter 2 exercises and I hope you already have a sort of implant working but this time chapter 3 will be a bit different because I don't know what type of implant you have and what type of features you are exactly working on that's why I will talk about some techniques or capabilities that you can add type of your implant so this will be more like a kind of instructive part but after that I will supply some code examples to you that you can utilize in your implant and some of those will be coming from the patak implant I have mentioned in my presentation so now let's start with the windows api and how we deal with that windows api in dotnet framework we use windows api through the platform invox which are also known as kimox platform invox are available on microsoft web page as well as the other web pages in a different way because microsoft web page actually defines how platform invox works and supplies some information but you need actually the platform actually the exports converted to that net environment simply it allows us to use exports of the unmanaged code but we need to understand what type of variables what type of content they expect what type of data is expected to do that we need to understand actually this as well as defining our code then we can use those functions as our internal functions such as this this one is a good example because it is using system runtime inter op services because this is how platform invox works and it is using actually user32dll which is an internal windows dll and it is used for windows api as well and it is simply using message box message box function so what we see here is the first one is the external simply defines that export for us simply we are looking for an export called message box in the dll named user32dll and those are the variables and data formats we expect so now we can add our own and we can make it working like that it is easy if it is only message box platform invox actually gives us more opportunities in different platforms for example if this could be a different platform such as mac we would use dynamic libraries just like the dll's so it is not so different we can still use private or public study external and we can just work on it the problem there is though if you start developing your tools apis, windows api or mac or linux simply start using unmanaged code in your environment it will change your code as well as programming perspective because it will be not a part of your code so it may not be present in the target environment in the victim environment so you need to make sure that the apis you need are available in the target operating system and they will be there and they will work on mac linux and windows when you start differing certain libraries things change it is same for linux as you already see it is this time libc share object 6 so simply you try to get getpid and it works just like this so things slightly gets complicated from this moment because we use one single dll actually export and if we want to go in different ways for example the process injection, shellcode injection, dll injection times then we need to use multiple exports, multiple windows apis using the right content if we use them improperly probably our application will crash and worst case the process or the target operating system will crash so we need to be very careful from this moment so where can we find this information though I mean how we can understand what data types are accepted by the targeted export, targeted unmanaged dll function in this case pmwork.net helps us to understand those apis and how we can use those dll's but we can also create all these using their tools as well this is another example this time it is going a bit complicated not so complicated but still you need to follow this up first things first this is a shellcode injection this is a good start let's focus on how we repair our initial part actually we need to prepare this part before using our functions so it is important to understand what apis we are planning to use in this case ritualLog will be used to create a memory space for us and we can create readWrite or readExecute or readWriteExecute permissions in this memory space createThread will allow us to create a new thread and therefore single object we will wait for single object will allow us to actually wait for it so let's start with that if we try to use ritualLog using page.readWriteExecute permissions it will create a memory space for us and it will return the function address so simply now we know that there is a memory space created for us and we have the address of the pointer of that part so we can start using it there are two options from this moment to pass data to that memory address one is the windows API I didn't use this in the example but it could be used for example writeProcessMemory the second one is the Marshall link Marshall copy that is an internal functionality in the Latinx the difference between those two is actually evasion we will discuss this in chapter 4 but this is a kind of simple evasion if the EDR or antivirus expects for example virtualLog then writeProcessMemory is a pattern we simply break this pattern we don't use writeProcessMemory in this example so this is one of the points that we can add for evasion but this is only for functionality and use for here and we use Marshall copy to push our shellcode the byte array to the given function pointer so simply we define that shellcode from the actually 0 and this function pointer and the length of the shellcode so simply our data is in the memory the problem there is we need to also create a thread pointing that part so the thread will start and it will execute our given shellcode in that memory space so create thread will help us to create a thread using that data that's why we use the functional address here and then we simply create a new thread in our own process and we wait for it and when it starts that's good, we have a new thread and the shellcode executed in the current running process if the process exists it dies, if the process has been killed it dies as well so this is really important to understand because it is still inline code execution if we go for remote process that will be different case this approach would be still called slightly safe because you are still in your current process you run code in your current process and it is a sort of normal application behavior when you start dealing with the remote processes things will change and EDRs and other things will identify you whenever you start using Kimbox and APIs like this EDRs will also catch you for the API perspective now there is another one but this time we are using Quser APC and as you imagine those functions the APIs also have their actually definitions before this function starts let's try to explain lines here it is important to understand the base64 content here normally most of the researchers or sample suppliers or proof of concept researchers they put the shell code in base64 format to the code or as a byte array and it is really easy to spot by the antivirus or maybe EDR tools we can change this approach because static analysis is also something and if you have the payload that's a bad thing simple evasion here is just placing a random string before the base64 content which will break the base64 and then replace it in the next line or maybe a few lines after simply you will decode this you will access the real data but under certain conditions you can make it conditional as well for example you can check the hostname you can check the cloud components you can check the device that will help you to understand what environment you are working in that is also chapter 4 evasion techniques when we deal with the other stuff it is similar as well for example in this case the process injection to a remote process works pretty much like this firstly we use another process but I'm not doing this to a remote process already running we create a new process that's the good part and that also helps us in a couple of different ways because we can groom it we can just use another process as its owner as well but that's another example in your folders anyway so you may actually spoof your current PID you can also change a couple of things while the process is suspended as well because you created this process it is suspended and it is ready for any manipulations so you know what state it is after that dealing with handler and creating a new memory space there using visual dialogue but this time using write process memory to push the data you can still use marshal copy but write process memory helps here again and get process ID and after that we have process ID we have threads PR using open thread for the thread itself and we recover the permissions of the memory space using virtual protect this time because initially we used read write using virtual alert but this time we make it read executable if we don't do that it will fail if we use read write execute that will be not good for the depth perspective so this is more accurate after that we use quser APC for this thread so simply the application will know that there is something waiting here and it will process it and it starts running then we resume the thread and it will work so this is how it will work in the code perspective so in this case you need some of those examples the good part here is the capabilities class is supplied in the chapter 3-4 folders so you can go to the attack capabilities to see those functionalities they are actually enriched they are actually changed for example they spoofed the parent PID and etc when you look at the code you will see some improvements there moreover as I mentioned some of the .NET features allow us to pass the parameters while running the assembly itself which is good and you can actually see that it is implemented in that code it is same for the source code component the exec gives you multiple options for the parameters so it is quite useful you can either way get this class itself as a part of you or you can copy that function but remember that you need the previous definitions because they are premocks and you can copy to your own code one by one because PATAC is in the MIT license so that is the point you can use it as a gadget so you can actually extract whatever functionality you need from that one in addition it can run the PowerShell but the PowerShell is running through the system automation system management automation data is deferred as well as necessary when you compile this and if you enabled or if you didn't remove this PowerShell automation class sorry, the function you need to compile with the difference of system management automation DLL which is a good example for you I put the DLL in the same directory so you can see it but if you target a specific framework version it may not work so you need to use nuggets to get the correct version of the system management automation DLL and then defer it if you want to use specifically that DLL to work with your implant then you can use actually some merging tools such as IL Merge so there will be one single binary with this DLL coming so simply it will be a part of your functionality and you don't need the system to have this management automation DLL so the exercises are slightly simple but also complex this time simple because you will add one or two functionalities I assume that you already have an implant and it can communicate with a web service using websockets or a web page using web client or a console application with the user and you already added some functionalities there when you looked at the chapter folders some of the functionalities now in this exercise you need to extract some of the functionalities from attack and use them as a gadget and you will understand what is missing when you try to extract that portion of code because the pinbox defined will be undefined in your coland the compiler will fail another thing is you can also add some additional functionalities that are not exactly available in the attack gadgets but they are available and also introduced to you is let's say encrypt and decrypt in the previous word actually chapters and you can make them a kind of ransomware for yourself for example encrypt a certain file, decrypt a certain file, use a key if you remember the encryption and how it can be used it can be dangerous as well for the ransomware operations right so let's start with that first things first let's work on our environment and walk through our source code sorry this is our source code environment so simply chapter 3 has examples of encryption as well as our capabilities and some pinbox the pinbox are here for you to copy and paste and to be used directly I also put the readme here in case of you need a kind of easy copy past for compile or to understand the functionalities one other thing is also the shellcode here and shellcode in bulk that will help you to actually inject a shellcode to the environment which will unlock, create thread wait for a single object these are the examples actually our examples previously mentioned and this can be actually utilized like normal console applications or any other example if you remember your hello example hello exe hello exe was actually running as an assembly from remote right if you understand that part you can also use this shellcode in bulk and it may accept the demo parameter as you see here it accepts parameters and if the argument the given parameter is demo it runs this functionality that means also if we send demo it will run this shellcode given using the exact shellcode 64 function and the shellcode is the shellcode of calc to run in your environment this would only work on the windows of course because process injection is not designed for Mac or actual Linux and it will require 64 bit so this will use the function that I will explain in a couple of minutes so if that is the case your implant can utilize this data this assembly from remote what I suggest is compile this make necessary modifications upload this to a remote location or use your python simple HTTP server or something like that and serve this data or you can use file IOR read as well read all bytes in the file will help you if that is the case the file will be loaded start using your own .NET code .NET assembly run code to run this assembly because this assembly will require parameter make sure that this parameter is passed through then you can observe for example will be loaded from remote to run as would inject the code now let's work on the code part as you see the base 64 content is there it is removed and replaced so the static binary may have less concerns I'm not saying zero deductions definitely the PE executable when you compile this will have already some indicators because we use pmbock here anyway the exec shellcode will actually accept the byte array to run this shellcode there is also raw demo I made it actually comments here you can uncomment this to see the deductions and the components because it is the same source actually same shellcode same bytes but this time it is not encoded it is the byte array itself so you can use it actually this will be also interesting for you so you can make it a kind of staged environment let's assume that you had already an implant and it was checking the CT command text on the github repository so you can download this dll from remote and given parameter would not be demo given parameter would be another raw dll pointing to the shellcode so simply you have multiple stages your first stage is the implant itself implant gets the second stage which is another .NET assembly given by the CT command text and this binary will also require the third one which is the shellcode in base 64 encoded or byte array format see multiple stages if you are making it also a purple team exercise place flags on them for example put some variables change variable names and make them a kind of flag for your blue team to identify the levels of the structure maybe they captured the first stage but not the second or maybe they have no idea about the payload coming you see what I mean you can flags and you can improve the decisions and you can help your blue teamers to understand this process and stage the approach because if you do not ship everything in one single monolithic file the detections will fail so it may help them to understand where they fail also this shellcode function is the function I have actually shown you so it is slightly simple attack capabilities on the other hand it is quite rich so you can exactly see how it will work and what actually variables it uses and what team works are already defined for what purpose when you scroll down you will start seeing the functionalities each function will have a different purpose in attacking plant in the repository you will understand the reasons as well as content but in this example this simply checks that the platform is win or not if it is not win-nose your implant will refuse to work or say that those functionalities are not available on win-nose please give me other functionalities so you can load another implant type specifically for Mac or Linux this time it is up to you exactly sharp assembly also now accepts arguments as well as thread support so you can actually give the arguments if it is not null it will work with the parameters and then it creates thread as well so it will work as a new thread it is similar for exact sharp code and this time sharp code will be slightly enriched but there is still room to improve this as you can see the references are hard-coded so you can actually create another array here or a list to add more references so if someone pushes sharp code a kind of C sharp code to be compiled they can also pass a list of references already required for this compile operation I am scrolling down and there is also exec here an exec is mentioned for execution for us so we can give some parameters to run this executable PowerShell automation is there to actually run this PowerShell through the system automation so it will use system automation if you give if you assign it, if you refer it and exec sharp code will run the to user APC sharp code injection so the content is here you can modify it or copy and paste whenever you deal with the Windows APIs though, like this you need to make sure that you also copy the definitions we already put before the code now, one more thing before leaving this fun there is also ransomware and ransomware is available here ransomware is a ransomware about goblin simply I have used this in the TA505 so it helps me to encrypt the file and decode it as well or decrypt it as well and it can help you to add some ransomware functionalities as you already see it has a menu that we already created normally using switch and if it says encrypt, it encrypts if it is decrypt, it decrypts that's it but it is using hard code keys to give the key or change the content so you can make it actually a good tool it is right here the key strings now, one more thing we have which is our repositories that we can actually improve things as mentioned, there are several different types of functionalities, codes and methods here so TA505 plus simulation pack also have all of those it has documentation and it has actually resources there as well the resources are developed for this exercise, there is a file and initial dropper and some other contents as well as some preparation commands shellcode you can use them but more important one is it comes with the videos if you concern that where we can find the videos for story exercise videos linked here and when you go you will see lots of different videos here and they will help you for each stage of this exercise design or replicating the exercise content the optimization phase is related to your development and after that delivery and lateral movement will be related to the other sections you are planning to run one final thing if you want to enrich your malware it is also MIT licensed so you can easily modify or copy code from there and go further now, chapter 3 is done and you can use those codes in your chapter 3 folder to add additional functionalities to your implant I don't know what you want to add so you have multiple options here feel free to copy and paste them based on your own requirements I hope this works for you and this is end of chapter 3 in chapter 4 we will discuss about evasion tactics and some of the advanced content but this time instead of exercises we will try to understand how researchers designed this and worked thank you for your time for the chapter 3 and see you in chapter 4 and I'm on discord by the way if you have any questions feel free to jump to discord and ask questions if I have any mistakes with the information or if I misinterpreted some of them please also remind me the correct information so everyone would fix this as well cheers welcome back this is chapter 4, the final version we will talk about evasion I hope now you have an implant working well with a c2 or a website with some functionalities it is our turn to make it evasive and we will talk about evasion now first things first we have simple security measures that can be implemented to avoid these type of detections as well as security control interception that's why we talk about a couple of basics first staging as I previously mentioned you can actually split things out the first thing is loader the second will be stage 1 and after that stage 2, stage 3 whenever you split things up that will help you to actually focus on different components moreover they will work together it will help you to implement flags and features for the blue timers and finally it will avoid the detections because most of the software and security controls they focus on everything in the same place but you can actually use a loader checking the environment if everything is alright it can move on, if it is not it can stop, this is not my target or you can implement another check for example I don't want to be actually a part of this environment can I escape or you can add another check for example is there any antivirus or certain process running if so or is there any mc for example if there is mc you can retrieve the mc bypass tool and it can bypass it then you can start loading things but if there is no mc you don't need to load anything from remote so you won't expose your code so simply staging helps you to split everything to different components and actually it is easier to maintain to the remote systems also deployment part would be a problem if you remember the chapter 2 and chapter 3 required you to download dls executables or some c-sharp source code from a remote web service the real life does not like this real life has some proxy controls the content filters as well as the network directions this means you need to change them base64 encoding xrxa encryption or whatever encryption you want to add they will help you to convert the content to a non-readable format you can add a garbage data before base64 to break it you can hide your content inside an image file you can do a lot of different things to hide your data because on the network it will not be visible if you don't implement any encryption or encoding feature this is same for the c2 communications so you need to add also similar things to your c2 communications instead of a direct communication channel you can implement actually encrypted channel you have encrypted and decrypt functions add them to your implant and send encrypted and decrypt data so the network interception will not work even though that will be an interception it will not work with your system either so it's a way another one is you may run in a restricted environment that could be a sandbox cloud or maybe an environment restriction so that will be because of reverse engineering or dynamic analysis or similar things so it's a kind of defensive security measure what you need to do is implement some security checks there for example check the device IDs check the device name and try to understand that the environment is virtual or real or fake then you can move on and sometimes you need to even actually define the target and try to detect the target there for example this IP is in scope or not this was used by also a nobelium sorry SolarWinds exercise campaign so bypassing MC will be in another phase because now you know that you escaped from the dynamic analysis environment you are in memory and you can still load some objects from remote that's a good part for you and you're at a good stage however the MC or as well as windows defender is on your shoulder so what you need to do is actually patch it and you can work on a couple of patches and this example is based on MC SCAM buffer MC SCAM buffer is actually discovered by cyberarc and also a good .NET example is supplied by Daniel Dargan also known as restaurants so his code is good actually if you are patching that memory space also it is necessary for us to say simple things to MC it is looking for the length of the memory space we simply say that 0 look at only the beginning not to me so the implementation here is actually slightly simple we actually load the MCDL it is already there we try to get the actually memory space actually the function pointer for the MC SCAM buffer and then we simply create a new one or work on the memory it depends on what we do MC has tampering protection so whenever you try to deal with the memory address directly it stops you but if you create a new memory space push your actually data there and then move the pointer that will work that's how it worked for Daniel Dargan's case as well so moon memory address was the solution for it however this patch is also detected because of the simple strings that's why the strings are also split up to different portions to avoid the detection but it is still detected so I have another example in your chapter 40 post-story and it worked for me in the TA505 plus I simply replaced the Marshall copy with the write process memory API and I also used handle to my own process and it's a different function so I used some obfuscation in your meaning and it worked so you may have a different point of view there and you can add more functionalities to make it work bypassing event tracing for windows is also important for .NET because event tracing for windows is developed for debugging performance monitoring for the applications however in .NET environment it gives a lot of information about our .NET assemblies to avoid this type of stuff we can actually take some precautions changing some environment variables pitching our binary and focusing on itw content that would really help us to change our detections even obfuscation would work for example some of the tools check out the name of the tool we use for example seedpelt or ghostpack tools they are identified very fast because of their names so you need to obfuscate them that we will discuss shortly silketw from Ruben it's a really good proof of concept tool developed for ETW and saying that ETW can be used to detect actually .NET binaries and applications and malicious code and tradecraft simply most of the EDRs started actually adding this feature to their products so it can be changed here so whatever you do for ETW you need to somehow evade this otherwise even proof of concept tools will understand you but now it is also EDRs monitoring you as well these are the blocks coming from different researchers they explain how they have solved this problem dynamic invoke is also important it is again coming from Ruben Boonen and Vova so simply we have some issues with platform invokes and this research is a solution for it whenever we use platform invoke we actually reveal our intent and the imports of the PE binary also includes those APIs we try to add that means even during the static analysis we reveal our intent and it simply says that these are the APIs this PE binary wants to use to solve this problem we can actually resolve them in memory this has been a solution for the C or assembly unmanaged binaries however in our C sharp world we don't have these type of functionalities on the other hand Ruben and the Vova have solved this problem partially and they focused on dynamic resolution so simply they are offering that why we are not resolving the same APIs in memory but it comes with the cost as well of course it focuses on delegation and the function pointers you can read the research try to understand this and its background or the other option if you don't like to understand everything you can use the nugget prepared by the Vova to implement this as well it is also a part of sharpsploit which is a lot of functionalities packed in a DLL all powersploit features as well as newly added features are a packed sharpsploit DLL so you can use this DLL as a part of your implant and you can start invoking all these APIs using this type of dynamic resolution so it relies on it relies on the delegate pointer now on the other hand .NET can also run some unsafe code for you that means you can run unmanaged code here but it will be highly sensitive as well as fragile so simply it can be broken and very platform specific you simply hard code things there so you need to be very careful about what exactly you are doing however that means supports this if you compile the application using the unsafe parameter it will allow you to run this type of stuff but again it depends on what you want to do there are examples here again so simply you can see how it works for you and if you want to add more assembly instructions there for example dynamic resolving of APEV for this environment block and then work on kernel 32 and finding it and then dynamic resolving the rest using get process 32 and then load library and move one and move one and move one running unmanaged coding .NET is also possible if you actually escape from this sandbox simply .NET is a managed environment and if you want to go unmanaged environment you need pointers and delegation simply you need to escape Adam Chester is a really good researcher and he found a couple of different ways that helps us to actually escape from the .NET managed code to unmanaged environment it is using actually method nescan pointers for the function pointers and it is very similar to dynamic invoke and get delegate for function pointer so simply the marshal get delegate for function pointer has been used to dynamically resolve the apis in the invoke research but this time we simply used other delegations in tachyline 2 call to escape from the managed environment unmanaged obfuscation is also required because whenever we use .NET we also know that this is bytecode and bytecode can be easily converted so it comes with a cost which means there is nothing to hide actually this is a good thing for us because it makes things easier but it is also a bad thing for our activities if we are developing advisory tradecraft for red team operations we need to go subtle and we should not reveal our intent and in that case we need to also change our point of view there are options for us to actually convert our code to non-readable format but also keeping because as is so code will work but also not easy to read we call this as obfuscation obfuscation can be implemented in different layers for example randomizing strings or adding some functionalities or maybe the performance optimizations can be rolled back simply the compiler performs some operations to actually simplify your code that's why the performance optimizations happen while compiling the binaries in this case you can actually use similar functions some unnecessary calculations or you can make the names as calculations as well this will help you if you don't want to do that manually which is understandable is the kind of long and accurate process there are some tools that help you to obfuscate your .NET applications Confuse or X to skater or similar tools such as for PowerWish that Chimeria would help you to add some obfuscation techniques for example offensive pipeline would be used to compile some open source .NET projects the tradecraft obfuscate them and then compile and push out so it would help you to actually automate some of your tool and tradecraft management if you implement this with your implant as well as C2 that would give you more flexibilities for example the implant would actually connect to the C2 start communicating whenever it is necessary the C2 will compile the public tool for example ghost pack tools by spectro ops and they can be supplied as a dynamic content so it's up to you and it's up to how complex your implant of course there are some general suggestions here as well because it is a kind of adversary environment we need to slide the simulate time so they need to be approximation or maybe one-to-one simulation so it is really up to us how we should follow this path getting a kind of signing certificate some of those already exposing the one stealing or reusing some of those in our binaries making it legitimate one is a kind of option or implementing a kind of driver that will be another case for us we can deliver some of the content using the webdav and we can actually deliver the content inside stages using webdav as well and there are some C2 webdav implementations that you can use if not you can still always use some other binaries or Python files that can be compiled for Windows legitimate binaries are also important because I can give you a lot of heads upstairs and actually exercise will get longer and longer and the workshop would not end but LOL means Living of the Land Binaries will help you to load your .NET applications so there are several different ways to side load your .NET application to legitimate binaries that includes MS build, install utility but there are also some other .NET binaries can be actually loading your binary using only the configs that you can add in the same folder so it's another research for you for as a kind of homework other things are also common for example common hijacking common hijacking actually common hijacking sorry common hijacking is also a kind of common vector for the persistency and lateral movement we discussed about this a bit actually during the registry manipulations so common hijacking would allow you to influence the other processes and other applications and their execution style simply you can create some registry keys in your current user environment as they will be available in the .HAK route the applications will find the .CLS ID you created and it will actually run the commands you have given those are quite useful tactics if you want to run your loader without a relationship to the starter for example the excel files MC is important you need to deal with MC as mentioned you can actually patch it or you can just unhook it or you can dynamically resolve your APIs it's really up to you I didn't talk about EDR unhooking techniques here but they can be still useful in .NET environment if you want to go to unhooking environment .NET is a good environment and it can provide some of those but not all of course there is no kernel driver in C-sharp as far as I know but it can also help you to create some other tools in this environment as well this means your trade craft will be enriched using .NET but if .NET is not your favorite please use the other language whatever you prefer to reach out this type of data I supplied some examples in your chapter 4 folder to actually work on all these so using this information now you can actually make your implant working with advanced features implement different types of injections in your implant and actually add some invasions for example your your APIs will be dynamically resolved or you can get the shellcode from remote with some encryption you can check some sandbox you can check your target those are good things and if you implement them and make them simple classes that will be really good for the environment or you can make them small assemblies called gadgets and you can call it from remote and your initial loader will not have those functionalities and it will try to get for example the remote gadget of check windows or check target assembly it's coming from remote if sandbox doesn't have any remote connection it will fail and you are safe anyway dynamic analysis will not work if you get this from remote for example an online sandbox that is also possible and you can check windows and your cloud check will be coming from cloud and internet as well this has a cost though if the client has no internet connection your implant will not work so it's a kind of trade off you can just work on this type of stuff conclusion so we had a large set of exercises today and you try to build your implant you try to enrich your capabilities you try to implement this using a C2 and try to get some invasion tactics here as well so there are good things but you need also a home block so you are looking for next steps these are my suggested next steps for you there are some C2s and implants developed in C sharp in the wild and they are developed by really great guys and I suggest to follow these guys on Twitter visit their github repositories and try to use their tools and understand their techniques such as Adam Chester, Dale Tiger and they are there and they generate a lot of different content for that net as well as advisory impairments so they can be useful and thank you for your time and joining me in this workshop the next phase for chapter 4 is your homework so feel free to take your time understand this rewatch the exercises as well as all this presentation try to understand how it works and what you missed and after that we can just make it better as well I will take actually questions through the discord of advisory village so simply please place your questions through the advisory village discord channel I will be online even though this recording will help you serve you for online purposes and thank you for your time thank you for joining me I will wait for your questions