CypherCon 2023
Evading EDR by DLL sideloading with C#
Gary Lobermier
Abstract:
Modern EDR systems will treat unknown exe files with a degree of skepticism. We’ll spend time finding an MS-signed exe that is vulnerable to DLL sideloading, and then search for the functions within the expected DLL to determine how to build a working PoC. For added spice, we’ll write this DLL in C#, and explain why this managed bytecode from C# will still be executed within unmanaged code binaries.
Importance: Prevention systems like EDR are fantastic, but not perfect. As they continue to evolve, so will malware techniques. In the past year, I’ve noticed it’s much harder to write EXE shellcode runners, but significantly easier to get shellcode runners that bypass EDR if they’re loaded as a DLL. Using this technique can give Red Teamers an easy option to get execution that bypasses EDR.
For Blue Teamers, this means watching execution in a new or different way. Do you have insight into module loads? In this talk I’ll be using C#, which has the interesting trait of loading the CLR into processes that might not normally load it. If malware and Red Teamers shift towards DLL execution, how do we keep ourselves knowledgeable on those techniques?
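The Blue Team question above (do you have insight into module loads, and does the CLR show up in processes that normally never host it?) as a small detection pass over constructed Sysmon-style ImageLoaded records. This is an added example, not code from the talk or the speaker: the event records, the field names (modelled on Sysmon Event ID 7), the list of CLR images and the baseline of processes expected to host the CLR are all assumptions, and the second check (an unsigned DLL loaded from the host executable's own directory) is a generic sideloading heuristic, not the specific binary the talk examines.

```python
"""Two image-load checks over constructed Sysmon-style Event ID 7 records.

Added example, not material from the CypherCon talk. Record layout, CLR
image list and process baseline are assumptions; adapt them to your own
telemetry before relying on the output.
"""
from pathlib import PureWindowsPath

# Assumed: loading any of these means the .NET CLR is being hosted in the process.
CLR_IMAGES = {"clr.dll", "mscoree.dll", "mscoreei.dll", "clrjit.dll", "coreclr.dll"}

# Assumed baseline for this estate: processes where a CLR load is routine.
CLR_BASELINE = {"powershell.exe", "devenv.exe", "msbuild.exe", "dotnet.exe"}

# Constructed records in the shape of Sysmon Event ID 7 (Image = host process,
# ImageLoaded = the DLL, Signed = signature state of the loaded DLL).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\Downloads\signedtool.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\helper.dll", "Signed": "false"},
    {"Image": r"C:\Users\alice\Downloads\signedtool.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll",
     "Signed": "true"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll",
     "Signed": "true"},
]


def unexpected_clr_loads(events):
    """Return events where a CLR image is loaded by a process outside the baseline."""
    hits = []
    for ev in events:
        dll_name = PureWindowsPath(ev["ImageLoaded"]).name.lower()
        host_name = PureWindowsPath(ev["Image"]).name.lower()
        if dll_name in CLR_IMAGES and host_name not in CLR_BASELINE:
            hits.append(ev)
    return hits


def sideload_candidates(events):
    """Return events where an unsigned DLL is loaded from the host exe's own directory.

    Signed system DLLs living beside the exe (e.g. both under System32) are not
    flagged; the point is an unsigned file that shadows an expected import.
    """
    hits = []
    for ev in events:
        host = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        same_dir = host.parent == dll.parent  # PureWindowsPath compares case-insensitively
        if same_dir and ev.get("Signed", "").lower() == "false":
            hits.append(ev)
    return hits


def summarize(events):
    """Collapse both checks into one short report used by the demo below."""
    return {
        "unexpected_clr_hosts": sorted({
            PureWindowsPath(e["Image"]).name.lower() for e in unexpected_clr_loads(events)
        }),
        "sideload_dlls": sorted({
            e["ImageLoaded"] for e in sideload_candidates(events)
        }),
    }


if __name__ == "__main__":
    for key, values in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {values}")
```

Both checks are baselines rather than signatures: the CLR list and the process baseline will differ between environments, so the value comes from tuning them against your own module-load telemetry and alerting on the residue, which is exactly the "insight into module loads" the abstract asks about.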
Gary Lobermier
DLL, C, EDR, EXE, WOO!
Gary has 10+ years of experience in tech as a Network/Sys-Admin and IT Manager. He is currently a Red Teamer and Penetration Tester holding various OffSec and SANS/GIAC certifications, working primarily on the automation of a Purple Team framework for controls validation at Northwestern Mutual. In his free time, he is a musician and a recent 3D printer hobbyist.