My first research and tool are finally out. If you want to deep dive into some CLR internals and understand how we can abuse it to blend-in within its own logic go check it out. Hope you'll enjoy the read.
https://t.co/FegHkegEE9
@Defte_ Stumble on this on an engagement a while back. IIRC using Shadow Copy allows you to retrieve the files despite the opened handle. Not the most opsec way of doing it but it's doable. Duplicating the process handle might be another suitable way of doing it, never tried it tho.
@SBousseaden Amazing and very neat work guys! I'm not super happy on seeing TAs using my own DirtyCLR but I suppose that's the drawback of publishing new research/techniques. Sooner or later I'll have to figure out some possible detection against it 🙃
@AndrewOliveau@Mandiant Great read and technique, it's super nice to see AppDomainManager Injection be used in so many different flavors. It's an old technique yet it's still so easily overlooked and with so much potential for further abuses that is mind-boggling if you ask me.
6 months before @porchetta_ind's events unfolded, I paused updating my FOSS tools, questioning their value. To rediscover this and shape future developments, I've opened a private server for ppl to share ideas or even just connect.
Interested? Join! https://t.co/muWpPJ0HPd
Also, biggest shoutout of all to @ShielderSec whose sponsored this research and made all of this a reality! Not every company allows you to do that, so if you want to uncover new stuff with us please reach out 🔥
My first research and tool are finally out. If you want to deep dive into some CLR internals and understand how we can abuse it to blend-in within its own logic go check it out. Hope you'll enjoy the read.
https://t.co/FegHkegEE9
Thanks everyone for the amazing replies, I'm flabbergasted by them.
I wanted to thanks my friends @Her0_IT, @Void_Sec, @KlezVirus and @naksyn for their support and peer-review on this blogpost.
🎁 GIVEAWAY TIME! 🎁 - I'm giving away 2 seats for my brand new "Hands-On Kusto Query Language (KQL) for Security Analysts" course!
Please follow @BluRavenSec , Comment, and Repost to participate.
👉 https://t.co/qoSTNy22HM
Two random winners will be announced on 5 December 2023.
#kql #microsoftsentinel #microsoftdefender #microsoftxdr #threathunting #dfir #detectionengineering