Evading EDR by DLL sideloading with C# - Gary Lobermier | CypherCon 6.0

(S6:E56) Evading EDR by DLL sideloading with C# - Gary Lobermier - CypherCon 6.0 - Wisconsin
Evading EDR by DLL sideloading with C#
Modern EDR systems will treat unknown exe files with a degree of skepticism. We’ll spend time finding an MS-signed exe that is vulnerable to DLL sideloading, and then search for the functions within the expected DLL to determine how to build a working PoC. For added spice, we’ll write this DLL in C#, and explain why this managed bytecode from C# will still be executed within unmanaged code binaries.
Importance: Prevention systems like EDR are fantastic, but not perfect. As they continue to evolve, so will malware techniques. In the past year, I’ve noticed it’s much harder to write EXE shellcode runners, but significantly easier to get shellcode runners that bypass EDR if they’re loaded as a DLL. Using this technique can give Red Teamers an easy option to get execution that bypasses EDR.
For Blue Teamers, this means watching execution in a new or different way. Do you have insight into module loads? In this talk I’ll be using C#, which has the interesting trait of loading the CLR into processes that might not normally load it. If malware and Red Teamers shift towards DLL execution, how do we keep ourselves knowledgeable on those techniques?
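The question the abstract puts to Blue Teamers, whether you have insight into module loads, can be answered with image-load telemetry. The script below is an added example, not code from the talk or from CypherCon: it runs two defensive heuristics over Sysmon Event ID 7 (ImageLoad) records. The first flags the CLR runtime (clr.dll, coreclr.dll, mscoree.dll) being loaded into a process that is not a known managed host, which is exactly the trait the abstract notes for a C# DLL inside an unmanaged binary. The second flags an unsigned DLL loaded from the host executable's own directory outside the Windows and Program Files trees, which is the shape a sideloaded DLL takes. The event records, the allowlist of managed hosts and the trusted roots are all constructed for the example and would need to be replaced with a baseline from your own environment.

```python
from pathlib import PureWindowsPath

# Modules whose load means the .NET runtime is now inside the process.
CLR_MODULES = {"clr.dll", "coreclr.dll", "mscoree.dll"}

# Constructed allowlist of processes that are expected to host the CLR.
# A real baseline is built from your own environment's normal image loads.
KNOWN_MANAGED_HOSTS = {"powershell.exe", "pwsh.exe", "devenv.exe", "msbuild.exe"}

# Directories where a DLL sitting next to its host executable is unremarkable.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)

# Constructed Sysmon Event ID 7 records, reduced to the fields the heuristics
# use. Field names follow Sysmon's ImageLoad event; every value is invented.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\Public\signedtool.exe",
     "ImageLoaded": r"C:\Users\Public\helper.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Users\Public\signedtool.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]


def _under_trusted_root(path: PureWindowsPath) -> bool:
    """True if the path lives below one of TRUSTED_ROOTS (case-insensitive)."""
    return any(root in path.parents for root in TRUSTED_ROOTS)


def analyse_image_loads(events):
    """Return (rule, host_image, loaded_module) tuples for every event that
    trips one of the two heuristics, in the order the events were seen."""
    findings = []
    for ev in events:
        host = PureWindowsPath(ev["Image"])
        module = PureWindowsPath(ev["ImageLoaded"])

        # Rule 1: the CLR appears inside a process that normally never loads it.
        if (module.name.lower() in CLR_MODULES
                and host.name.lower() not in KNOWN_MANAGED_HOSTS):
            findings.append(("clr_in_unmanaged_host", str(host), str(module)))

        # Rule 2: an unsigned DLL is loaded from the executable's own directory,
        # and that directory is outside the trusted install locations.
        if (ev.get("Signed", "").lower() != "true"
                and module.parent == host.parent
                and not _under_trusted_root(module)):
            findings.append(("unsigned_sibling_dll", str(host), str(module)))
    return findings


if __name__ == "__main__":
    for rule, host, module in analyse_image_loads(SAMPLE_EVENTS):
        print(f"{rule}: {host} loaded {module}")
```

Both rules are noisy on their own; the useful signal in practice is their coincidence on one process, as in the constructed signedtool.exe events, where an unsigned sibling DLL load is followed by the CLR entering a process that has no business hosting it. Tuning the managed-host allowlist against a real baseline is the bulk of the work.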
CypherCon is an annual Wisconsin hacker conference attracting over 1500 attendees held in Milwaukee, Wisconsin each spring. cyphercon.com
EXECUTIVE PRODUCER & SHOW ORGANIZER: Michael Goetzman
SOUND: Sean Schult
VIDEO PRODUCTION COMPANY: Flash Fire Productions
ADDITIONAL EDITING: David Holcombe
Thank you for watching, subscribing and your support.
✅ LET'S CONNECT:
🔴 WEBSITE: cyphercon.com
🟠 TWITTER: / cyphercon
🟡 FACEBOOK: / cypherconwisconsin
🟢 KZread: / @hackersofcyphercon
🔵 EMAIL: hello@cyphercon.com
Copyright © 2023 by Michael Goetzman (Monster) & CypherCon

Comments: 1

  • @MalwareHunter_07 (a month ago)

    The DLL you created was itself not malicious, then how is it evading the EDR?