Operational Challenges in Offensive C#

As offensive toolsets continue to move towards using C# as the language of choice for post-exploitation, I thought it’d be useful to think about some of the operational challenges associated with using C# offensively, especially as compared with PowerShell. PowerShell has many operational and convenience benefits for offensive operators that we lose when moving to C#. However, stealth should almost always take precedence over convenience during red team operations. With that being said, we always want our toolset to be as flexible and convenient as possible, while staying below the bar of detection.


PowerShell ScriptBlock Logging Bypass

In Windows 10 / PowerShell 5.0, Microsoft introduced several new security features in PowerShell. These included the Antimalware Scan Interface (AMSI), Protected Event Logging, and, perhaps most importantly, ScriptBlock logging. The comprehensive ScriptBlock logging now available in PowerShell has presented serious problems for attackers: defenders can now have access to full logs recording all of an attacker’s malicious PowerShell activity. This has even caused some to suggest that the offensive community should move away from PowerShell altogether.
