Why Attackers Are Using C# For Post-PowerShell Attacks

An anonymous Slashdot reader summarizes an article by a senior security researcher at Forecepoint Security Labs: Among cyber criminals, there has been a trend in recent years for using more so called ‘fileless’ attacks. The driver for this is to avoid detection by anti-virus. PowerShell is often used in these attacks. Part of the strategy behind fileless attacks is related to the concept of ‘living off the land’, meaning that to blend in and avoid detection, attackers strive for only using the tools that are natively available on the target system, and preferably avoiding dropping executable files on the file system.

Recently, C# has received some attention in the security community, since it has some features that may make it more appealing to criminals than PowerShell. [Both C# and Powershell use the .NET runtime.] A Forcepoint researcher has summarized the evolvement of attack techniques in recent years, particularly looking at a recent security issue related to C# in a .NET utility in terms of fileless attacks.


From the article: A recent example of C# being used for offensive purposes is the PowerShell/C# ‘combo attack’ noted by Xavier Mertens earlier this month in which a malware sample used PowerShell to compile C# code on the fly. Also, a collection of adversary tools implemented in C# was released. Further, an improved way was published for injecting shellcode (.NET assembly) into memory via a C# application…. Given recent trends it seems likely that we’ll start to see an increased number of attacks that utilize C# — or combinations of C# and PowerShell such as that featured in Xavier Mertens’ SANS blog — in the coming months.