Don’t Be Rude, Stay: Avoiding Fork&Run .NET Execution With InlineExecute-Assembly

By Shawn (@anthemtotheego)
securityintelligence.com
 13 days ago

Some of you love it and some of you hate it, but at this point it should come as no surprise that .NET tradecraft is here to stay a little longer than anticipated. The .NET Framework is an integral part of Microsoft’s operating system, with the most recent release of .NET being .NET Core. Core is the cross-platform successor to the .NET Framework that brings .NET to Linux and macOS as well. This now makes .NET more popular than ever for post-exploitation tradecraft among adversaries and red teams. This blog will dive into a new Beacon Object File (BOF) that allows operators to execute .NET assemblies in process via Cobalt Strike, versus the traditional built-in execute-assembly module, which uses the fork and run technique.

