After developing a shellcode loader that bypassed Falcon and MDE and writing a blog post about it, I decided to take on the next challenge. I wanted to see if I could develop a loader that worked against Elastic as well, and also perform post-exploitation. My first thought was executing .NET assemblies without triggering any alerts, so that's what I decided to do.
I wanted to use this short and sweet post just to demo my new tool Inline-EA, a Beacon Object File (BOF) built to execute .NET assemblies without triggering any alerts.
Here is the demo video for Elastic. I apologize for it being sped up; I had to get it under 100MB, haha.
Here is the demo video for CrowdStrike Falcon.
Lastly, here is the demo video for Microsoft Defender for Endpoint (MDE).
I definitely could not have accomplished this alone; I was standing on the shoulders of those who released public tools and conducted research. Special thanks to:
I hope this tool proves useful and highlights how security products can be bypassed. It is our responsibility in the security industry to stay vigilant and defend against emerging threats.