IronPython... omfg presented at DerbyConVIIIEvolution 2018

by Marcello Salvati,

Summary : Over the course of the last few years, PowerShell has been the number one way of conducting essentially any type of offensive operation on Active Directory networks and Windows endpoints. It allows offensive personnel to execute implants completely in memory, stealthily conduct situational awareness, and dynamically leverage the underlying power of .NET. Due to recent protections put in place by Microsoft, PowerShell is becoming increasingly less viable to use offensively. These protections are "baked in" to the latest versions of the Windows operating systems and allow AV/EDR/Logging solutions to gain an overwhelming amount of insight into PowerShell execution, and even, in some cases, completely shut down any type of malicious PowerShell tooling/tradecraft. It’s been a good run, and PowerShell has served us well. However, the future is upon us, and it's our job to adapt; we have to go deeper! With that in mind, what if I told you that everything PowerShell does can also be done with Python--without dropping anything to disk and bypassing every protection that Microsoft has put in place for PowerShell? Welcome to the wonderful world of IronPython, where rainbows and unicorns *still* gallivant as if it were 2009! In this talk, we will be looking at my approach to solving the tradecraft problem of gaining complete, unrestricted, and dynamic access to the .NET runtime without going through PowerShell in any way. I'm going to be walking through the entire process of how I discovered this possibility existed, starting from "not knowing what I'm doing" and going to a "somewhat understanding of what I'm doing". The talk will cover the progression from creating an initial weaponization PoC all the way up to building an Implant/C2 framework around it and all the success/failures/roadblocks I encountered along the way. Finally, at the end of the talk, I will be releasing the implant/C2 framework which I named SILENTTRINITY to the infosec community.