BSides Toronto 2019 Lee Kagan

hello can everybody hear me okay awesome how's everyone doing cool I like this little face mic thing I feel I should do like a Tony Robbins who's ready to get your life in order so thank you very much for having me speak thank you to all the speakers before this is called c-sharp run and we're gonna talk about c-sharp stuff so in the stock Rina go through just most of the slides actually are gonna be about what is dotnet to begin with kind of hear it a lot it's not always very clear to people so I'm gonna spend some time on that which is really boring content and then get into some demos about using it for offense

and then detecting some malicious c-sharp and then that's it this is a real current photo I'm the one in the middle waving at you so my name is Lee Kagan I'm the senior principal offense of R&D specialist at Symantec also the co-founder of red black security which is an offensive security shop here in Toronto and also the co-founder of the c3x which you heard about earlier I'm on LinkedIn but I ignore everyone that tries to contact me there so if you want to get in touch Twitter's the best place I'm pretty active on there and you can reach me at invoke threat guy all right so what is dotnet well really we're talking about the dotnet framework and a lot of other

moving pieces in it it's basically a software development framework goes back to around 2002 ish with the very first version that came out one of the big pieces of the.net framework you'll hear about even though there's many more pieces called the CLR the common language runtime and that kind of provides the runtime environment for a piece of c-sharp code to actually execute on your system when we're talking about c-sharp and a lot of other things that are targeting the dotnet framework we're talking about managed code and I'll kind of get into in a point or two about what that means but when you think of traditionally unmanaged programming languages C C++ stuff like that you're responsible for a

lot of things that you're supposed to do like garbage collection and dealing with memory and all that kind of you know fun stuff so when you're dealing with managed code it does a lot of that for you you don't have to figure out how to do all that specifically things like threading type safety garbage collection like mentioned those are all done for you behind the scenes with the magic that is dotnet you just write your fun little program and underneath the hood everything else is pretty much taken care for you another big piece that makes the dotnet framework one could argue almost the most important piece of it so it's called the framework class library when you write something in

c-sharp chances are almost everything you could think of has been written for you already in something called assemblies or classes so this framework class library this giant collection of stuff that Microsoft is already written for you third party people have added their stuff to things like NuGet package manager you can install fun little add-ons for your program it really makes this idea of reusable object-oriented programming very very easy to get into and work with and that's one of the reasons why I like it so when you hear assemblies we're not talking about assembly language or anything like that talking about these class libraries so when you compile a program C sharps like an exe or a DLL technically speaking

those are assemblies so it's just one thing that can trip people up when you're talking about it it's also not just for Windows this has been true for a long time but lately it's becoming really popular I'm sure on Twitter some of you have seen people who do these fun little like hey I'm running Windows which is running the Linux subsystem for Reno at Windows which is running PowerShell that I then installed dotnet core on and so it's no longer this kind of window specific realm to live in things like mono xamarin I don't even know if that's how you say it dot net core allows you to develop for other platforms so you're no longer in

this platform dependency with just having to build something that only works on Windows it supports also and this is like the shortest list of languages you can develop in c-sharp C++ you can still work with jscript vbscript powershell obviously and one of the big things right now is this idea of called bring your own interpreters bring your own languages like boo lang anton i mentioned earlier ironpython so anyone that's played with silent Trinity would might be familiar with this you can actually bring these new engines inside that inside of the dotnet framework and developing them it's really really cool I almost just left like a huge burp through the microphone so some terminology I just wanted to get

through these because I figure if you do like C sharp and dotnet and you get into it you're gonna kind of you're gonna come across these so may as well bang out a few the CLR thus saying a common language runtime as I mentioned before that's a biggie that's the thing we're gonna see in a diagram that actually handles the runtime execution of your program there's also the CLI not command-line interface stands for the common language infrastructure this is a standard made by Microsoft to allow for other languages to kind of adhere to the same design principles that you can work with them then there's thing called the MSI L or the CIL which is the MSI L is really

just Microsoft's version of this common intermediate language and of course Microsoft always has to do their own version and really that's what when you compile a program in c-sharp it's actually getting compiled down to il-2 this intermediate language then you have the global assembly cache this is kind of cool it's sort of we were talking about with assemblies and framework classes it's literally a folder that has all of this shareable classes and libraries that you want other programs or other applications to maybe borrow code from so if you wanted to put something in it you would put it in the GAC the other piece is that that makes it kind of cool is what's called the JIT

compiler the stands were just in time so when you compile something and then you want to run it the JIT compiler is actually gonna kind of compile again at runtime down to native code sit down to your machine language and then the framework class were a framer class library like I mentioned before and there are so many more dotnet framework really is a massive beast okay so there's it's funny it's 2008 I think this still stands true feel free to scream at me if it doesn't this is essentially how you write in some c-sharp you compile it with the.net compiler so if you're in Visual Studio you write out a nice little HelloWorld program you had build the dotnet

compiler is compiling that down into CIL so that's your bytecode right then when you want to run it the CLR kicks in and that's the common language runtime so it's literally an environment that your program is going to run in the just-in-time compiler is going to recompile that already compiled program down to machine code and that's what's actually letting it run so it's kind of a cool process there's a very basic example using visual studio of what a c-sharp program looks like and it's broken down pieces I hope that's okay to read I tried to blow it up as much as I could you have at the very top a using statement the using statement might

sound familiar to people who use Python like when you're doing an import you're essentially saying I would like to use the system class library and the system class library is the top root of this hierarchical collection of libraries so a lot of basic functionality is in the system top root level class like printing to the screen the thing underneath that is called namespace and the namespace is really how dotnet likes to structure and manage parts of code that are probably related to one another in some way but when you create your own solution and visual studio you give it a name and now that's the namespace for your application after that you have a default class which will probably say

something like program unless you've changed it and then in your program class you're gonna have your main method this is the entry point to your program and under that what we've now used used from our using statement is the console class and inside the console class is a method called write line and underneath that is another class called read key which just waits for you to hit a key and the program closes you compile that you run it and you get a little console application like this that says hello besides TL and that's really the basic building blocks of a c-sharp program okay right into some of the fun stuff now that we got that out of the way

c-sharp for attacking i'm i come from no programming development background whatsoever i kind of got a late start in that and c-sharp was the way i got into it because the barrier of entry for learning c-sharp is crazy simple I heard that Microsoft Virtual Academy is going away or either may already be away I did their free 101 c-sharp course and at the end of it I started writing offensive tools but before we get into that PowerShell so PowerShell isn't dead let me make that very clear it's just so heavily defensively researched that if long as you have the capabilities in your environment there's kind of very little excuses for you can't pick up on

malicious PowerShell I mean there's no shortage of rules and detections and research and all that stuff c-sharp isn't really quite the same there's not a lot of public research out there there's some shops that are hoarding information they want to use in their EDRs and all that other kind of stuff but generally speaking it's kind of open season right now which is why there is this insane rush of everyone porting their PowerShell tools over to c-sharp right and now that's gonna change when PowerShell boom hit everyone was freaking out we can't detect this it's living off the land we got no logs Microsoft fought back and you know with the PowerShell version five you know we

got script lock logging and all this other fun stuff so give it some time that will happen so like I said learning entry to writing c-sharp it is crazy easy if you want to get started with a programming language I kind of recommend it it's just very very simple porting your PowerShell over it's a c-sharp so you got a tool you love in PowerShell and you want to do in c-sharp it's pretty straightforward in fact for those of you that worked with PowerShell you have worked with the.net framework you have interacted with it and it's almost not all the time kind of one-to-one mapping so if you just take the line and PowerShell you really liked you can

almost just copy paste it in and I'm using that very loosely but it's not it's not a big stretch like PowerShell though from an offensive perspective we still get access to all that fun stuff the PowerShell provided which was so amazing access to win32 and windows api you can do p invoking which is dealing with unmanaged code in managed coats you've got to run some kind of c++ stuff you can and technically we're still living off the land we are now not just using the tools that are on a Microsoft environment or on a Microsoft System we're actually compiling for the languages they wanted people to use and there's so many different ways we can

kick off our malware with using c-sharp so yeah like I said you can still access the win32 API so you can still do your create threads create mouth remote threads load library's virtual Alex all that kind of stuff it's still available to the public marketplace for offensive c-sharp is massive I can't keep up with it like every two days on Twitter I see another tool another tool another tool but some most notable ones are the ghost pack is my probably my favorite collection C sharp offensive tooling it's written by the folks over at Specter ops and really what they did was take a lot of functionality and other tools in PowerShell and said let's just

make C sharp versions so you have you know the traditional Mimi Kats everyone's loves straight up using Mimi Katz these days depending on the environment you're going up against it's pretty risky touching Alsace is pretty risky if it's getting by that's definitely an organizational problem but it's kind of no real reason to have to rely on Mimi counts anymore so they have safety catch which is a port of just certain functionality in Mimi Kats not the whole thing you have Rubeus which is a part of k keeo another project from bend LP that does mimi cats and that deals mostly with kerberos abuses you have sharp view which is a port of power view power view is one of the best

collection of powershell modules for reconnaissance and all that stuff ever so now you have it in c-sharp and then you have seatbelt which is a really cool situational awareness program you can just run it and say full and it'll tell you all this cool stuff about the environment that you're in covenant is a really really cool new c to 2019 by the way is like the year of the command control framework releases they're just coming out of the woodwork everywhere it's still early in its inception but it is really awesome and I believe it's entirely written in dotnet components so not just C sharp but Donette core and all this other stuff then you have

cobalt strikes probably biggest addition it's had in the last little while which is execute assembly which allows you to take malicious exe you have on your system is the attacker and push it over your C to channel into memory of the target and have it run entirely in memory you just say execute assembly path to my thing go so it's a really really fun one there's also a lot of ways that you can run c-sharp code there's the obvious you can compile to an exe you compile to a DLL in those traditional senses but it starts to get a little funky as you explore the living off the land styles of getting things to run before the C sharp craze really hit

one way that when you're still using PowerShell for everything if you wanted to get some c-sharp code to run you could use what's called ad type and I'm gonna show a demo of this a little bit later where you literally add a whole new type of object into PowerShell and that's just a giant block of c-sharp code and it runs it for you my personal two favorite ways of doing it right now because it flies under the radar for a lot of stuff is wrapped in Lal Bend as a dot CS Progress build what the [ __ ] does that mean so what that means is when you when you use Visual Studio and you build

something in c-sharp you typically have the program of the file that has all your c-sharp code and that's called a dot CS file a dot CS proj is kind of like this XML structured metadata of the program it has all these traits and attributes about your program in there and someone figured out that you can actually talk in c-sharp code into that file and then what you can do with msbuild is get msbuild to compile and run your CS proj file so it's just kind of a neat quirky way to get c-sharp code to execute and then the way that I wanted to be able to demo for this but I'm actually building a new c-sharp rats or

hopefully released next year and this is gonna be one of the core delivery mechanisms you can push raw C sharp code so like the text that you would have in your program over the wire into memory of your compromised machine dynamically compile it in memory of the target and run it and there's very little to no artifacts that get late left on the system so you're not compiling anymore you're compiling it on target dynamically in memory only so what we are going to demonstrate offensively is I'm going to show you that CS proj technique with msbuild I'm gonna show you that you can still accomplish that fun stuff that you know for a while you kind of had to do with

things like C++ which is process injection specifically I'm going to show you the technique for cue user a PC and then also cobalt strikes assembly which isn't that fun to look at but just you can see how easy it is all right video time

not this one all right let's do the CS proj so I hope we can see this okay all right cool sooo it's gonna hit play this is the inside of a CS proj file and because what you're looking at is this kind of XML structured thing but what we're adding in is this thing called task Factory which is gonna add a build task to this file so that when we hit it with msbuild it's actually gonna compile this file itself and under that C data kind of in square bracers there's our straight c-sharp code that you would normally have in your dot c s file and then when we hit that with msbuild see it's doing

some process injection with virtual Alec and create thread and then that big kind of byte array up there that's our actual COBOL strike payload we just pass this file into msbuild it builds it we have our access here so there's the path to msbuild you say the path to your file because I'm injecting it to myself this particular window is just gonna hang there and stay as is that's some OPSEC you probably obviously want to change but there you go gets your shell it's pretty straightforward next up let's do a execute assembly and cobalt strike so this is a cobalt strike window if anyone's hasn't seen it before all the other stuff I'm going to show you is the

result from those beacons up there so we're gonna do here is just we have a compromised host and in the bottom left corner it says beacon I can type execute assembly and then the path on my local machine to what I want that to run and so in this case I think we're gonna do safety cats which is really cool mini port of mini cats so you can see it's saying we've tasked beacon to run a dotnet program I'm gonna scroll up there yeah so it's saying this is specifically you can't use this if it's not a dotnet PE does its immune cat's thing grab some credentials great what I love about safety cats is actually deletes the else

has been dumped at the end of it and we got our credentials let's do a PC injection is it so small okay fair enough so here's a little program I wrote that does a PC injection it's gonna kick off a process that I want to run that I want to inject into so I have these little or kind of organized way I like to do my programming so what we're gonna do is create suspended process with create process we're going to allocate some memory for it and then write our shell code into there then we are going to open a thread and we're going to set the memory protections on that to execute read not execute read write which is

clumsy OPSEC and then resume the thread and then that queue for those I don't know cues you're a PC call it's basically you can cue these little tasks within a thread and then it'll get around to kicking them off and we're just gonna run that to putty and there's our new shell a PC injection and then finally the one it's old but I love this so this is a PowerShell ad typing and for me and for anyone else that programs I think you're gonna find this cool if you've never seen it before so here's my C sharp program does some recon I use this to kind of check if I'm in an analysis machine or sandbox this is all

this code that's in it so you can see the code right now it does some kind of checks generates a unique identifier for the target and then it goes down to some anti VM checks and stuff like that looks for EDR processes but that's not the important part we have this PowerShell script here and when I open it up this is a PowerShell script this is not a c-sharp file so the very first thing atop a line that says dollar sign code that's a variable right it's just holding a bunch of text and that text is gonna hold is the entire contents of my c-sharp program and what makes this work is when we go all the way down at the

bottom some more powershell commandlets specifically here i have to give it one more assembly when we talked about that to use specifically the system dot management assembly because I'm using some WMI tradecraft in this too and it needs to specifically load that assembly in order to open up that class but other than that we just say add type a reference to any assemblies that are needed in my case just the one and then the type definition is c-sharp and here's what it looks like when you import that powershell script it's going to expose the methods and the classes to you so here's how you access them that's recon was our namespace if you remember correctly right environmental Keys was

one of my kind of other classes I had in my program let's go back to recon dot program then you do colon colon and it's now exposing my methods so I have a method called execute and we run that and that's c-sharp code running some reconnaissance techniques right there

okay cool so next detecting malicious c-sharp there are no silver bullets here like I said it's very young I shouldn't say very young not widely explored publicly in the.net framework four point eight which is not out yet I don't actually have an answer when that's truly gonna be released it's still as a development branch but you can download it and run it in your system just be aware that is in dev is anyone here familiar with a MSI throw your hand up if you know what that is yeah I know you guys know this so MSI stands for the anti-malware scanning interface from Windows for Microsoft I should say it's actually really cool it's a million and one bypasses coming

out for it all the times to like everything you know it's not a silver bullet but what AMS eye does is Microsoft and all their lovely glory I don't work for them so I don't I'm saying that has exposed an API so that if you're a security vendor or if you just feel like rolling your own kind of antivirus or anything like that the anti-malware scanning interface am seat will expose essentially this API too so you can have ANSI check stuff out and then report back to your tool it kind of allows you to hook into the way Microsoft more or less does things and by default the provider or actually the consumer for ANSI will be Windows

Defender doesn't have to be though so in 4.8 why do I mention this well in c-sharp I'm sorry in dotnet there was no real way to scan the code contents looking for malicious stuff unless you have some ADR tool or anything like that that that does that so the most common way and here's kind of the pitfall of anzi for.net is most malware will load itself from c-sharp using a class called system dot reflection and then system dot reflection underneath that you have what's called assembly dot load and you usually pass in a byte array and that's how you would load in like the byte array representation of a PE file that you want to inject into memory or

something like that so ANSI hooks assembly dot load and anytime assembly dot load gets used it crawls through what it's trying to load and says hey I think this is malware bad write another again these are not silver bullets managed code like dotnet you know heard like c-sharp running in an unmanaged process it's kind of weird all right so why is this unmanaged process you know maybe it's something written in whatever language all of a sudden has some managed stuff running into it in order for managed code to run in a non managed process it has to load some dotnet components like the CLR so you can pivot off these things another one like I

can't some point is event tracing for Windows so silky TW is really cool there's some native dotnet libraries that expose event tracing event tracing from Windows is like opening up a goddamn fire hose it is really really big if you think of Windows event logs there's a feature you can go to turn on analytic and debug logging and you'll just see your log file grow like ten times the size it's all those little analytical debug messages like anything else you can still hook those API calls all right because it's managed language sometimes to get to those unmanaged things like create your own thread and virtual a lock a lot of security tools hook those API calls and watch for

things trying to access them you can still do the same thing with c-sharp c-sharp can also be reverse engineered very very easily it's a managed language so even with packing encrypting and all that stuff I'm going to show you a demo of like a three click process to decompile a c-sharp right back to source code it's very it's not really reverse engineering at all yeah it just takes a very minimal effort alright so in this demo I'm going to show you a MSI kicking in right in Visual Studio as I'm coding and then I'm also just for shits and giggles on to c-sharp I'm gonna show you a lake Anton I did with silky TW just picking up a

little bit of stuff with image loading detecting the CLR with get CLR reflection process injection with get injected thread and then reverse engineering a dotnet PE with Eyal spy alright back to videos let's do let's do MC first because nothing says a good defensive demo like breaking it right after okay why are you doing that that's a little easier okay so this is a Visual Studio program that is designed to be an ansi bypass and then it downloads the thing that I want to run now that an sees out of the way so that harmless dot exe is actually me me cats dot exe no this will fail normally because you can't just load me me cats not exe this

way so we're gonna get two errors one that they this file doesn't work that's fine and the second is auntie kicking in but just by patching that line marshal copy that's actually applying the patch okay they get it they get it move on alright so gonna run our program we're gonna get some exceptions thrown first one is like I don't know what the hell this is but this inner exception check out the message on it that is a msi kicking in in dotnet 4.8 contains a virus it's not like that we use the word virus it seems so 80s and now we're just uncomment this one line redownload still gonna have an error about the program

but the ansi message goes away and what the patch is in this case in case you're wondering is we're beating MC to scanning the file because what happens with a masai is it returns a code saying bad we're just patching the code in ahead of time to saying all's good and a nancy goes okay there you go that's the whole patch and by the way this isn't probably should have a link in there bite bleeder I marchello from Black Hills info second the developer silent Trinity he came up with this PowerShell method I just ported it over so all credit due to mr. marchello cool there's that here is silk event tracing for Windows so I'm gonna

run that ANSI bypass as a compiled program right now and the reason why I am is it uses assembly dot load okay so I want to catch assembly dot loads with event tracing for Windows I run it and you'll see that'll jump up from five events captured it's like twelve there we go so we just caught a whole bunch of stuff and what's really cool about this this time I didn't download me me cats I was downloading a Rubeus let me speed this up a little here I know it's hard to read it's all this JSON shenanigans so we got an assembly load we see hey something called a semi bypass AMC bypass loaded and if we trace up a

little bit oh and another thing tried to load Rubeus so it's actually catching both events not just the normal executing program but also what it downloaded and loaded I'm gonna move real quickly here let's do I'll spy alright this is how hard it is to reverse-engineer a c-sharp program so I'll spy it's completely free I just have my program loaded right there we're gonna double-click something it's gonna say I'm decompiling and you can Bob that's source code right there that's literally what I wrote in the program so if you want to look like a really mastered reverse engineer just only do c-sharp and then you'll amaze people that's what I do and they think I'm good at this stuff and yeah you

could just deke and there's our biker there's our payload everything's just deconstructed poof right away and finally let's do some process injecting and seal our reflection detection this stuff's kind of cool all right so bottom screen is I have a couple a few payloads running and I want to see hey do I have anything injected on my system as any processes had something injected into them get injected thread is a really really great PowerShell script Anton Jared Atkinson Jared a Kansan developed it so right there it says hey msbuild which is what we kicked it off with has something injected into it so what I'm gonna do is say okay that's a good detection now let's dump this reflection

this this process injection using reflection help so next tool get seal our reflection we just run it we don't have to pass it a thing pass it the process it'll just know it'll grab it and what it does it spits out that hash file right there it says msbuild and then a hash so what we do is we take that and I'm just gonna dump that into like PE studio something real basic that's not msbuild that's the thing that it was executing that's my CS proj we can look at string as it's got IPs it's got create thread and virtual Alec and all that stuff I mean it's really this whole thing of finding at from a static

analysis perspective bad c-sharp is a one two three step process it's really straightforward alright key takeaways from this so at the end of my talk for the offense of folks shift over to c-sharp from your power Chanel stuff main reason it has Power Cells very easy to text she's sharp not so much operates exclusively in memory you can do the whole bring your own interpreter thing so for those of you it may be good with Python or go or boule never the Hettie goodness all this other stuff people are finding out all these ways that you can load those engines into your C sharp tool Taunton api's are super rich you almost don't need those win32 api is to do a lot of

stuff interoperability is massive working with comm working with other languages for the defensive souks don't lose sight that the usual suspects still apply process injection it's the process injection create mode thread is still create remote thread so look for those usual suspects something up created image loading CRT is being called application baselining is gonna be huge for this and I know awl application where this thing is very hard for people but it's worth going if you understand normal dotnet in your environment bad doughnut should stick out like a sore thumb the list of windows api is can still be hooked ANSI can help for it might take a while before it's in in Qi GA and understanding dotnet artifacts

what gets dropped what gets created what temp cop the files get made all that stuff from an offensive perspective will really help things stand out to you and that's it thank you all so much any questions no back again so one quick question I had was so you were saying about the interpreter you could bring your own interpreter or bring your own stuff so is it that you can run practically it's its own environment so for Python you can run your own Python script if you have a really good malicious Python code you can use c-sharp to just inject it straight through and run Python say on a Windows machine no work device it's not quite

what it means so I own specifically I use that example because what ironpython and I don't know who developed it its purpose was to take Python lovers and then people who want to work with c-sharp and net and kind of fuse the two languages together they created something called ironpython so if you bring the ironpython engine into your c-sharp project you can start coding in like quasi Python so you'll see things that'll look very familiar to a Python structure and how you'd code with it but it doesn't mean you add the Python engine just right and you start writing python there is Python support for Visual Studio which allows you to use that as an IDE and then write in

Python or something like that with some minimal caveats but the idea is that there's all these people out there who have been developing these kind of hybrid language engines as a means to bring you in to the dotnet world so it's not as straightforward as like check the Python box start coding it some the guy you really want to talk to is by Pleader like he's he found all this stuff and he's in the bloodhound slack and answers every question you could throw at him but there is an intermediate step they have to take so usually it's this engine that supports a little bit of functionality of the thing you want and then allows you to kind of work with it so it's not

so straightforward sadly hope that answers all right no don't give him the mic so I'm just gonna add next question yeah in terms of offensive security we obviously had a party for a real long time with PowerShell since everywhere and Microsoft was pretty slow to build in detections they seemed to be moving a lot faster when it comes to telemetry in dotnet in general not just c-sharp so how long do you think these tools are going to be viable and once they up their game what's the next move does it become like a whack-a-mole occupation game or does it rotate to yet another stack there's there's debate right now about like do we go deeper into Windows

like with dotnet and c-sharp and all that stuff for these extra interpreters or do we go so far off the map and do everything and go and that kind of thing or do we go right back to C or something like that um my the way I think this is gonna go in the next few years is exactly how PowerShell went and it's gonna be no different just a different thing I think the the visibility and the telemetry in the collection which is starting it's just going slow that's gonna catch up but even when that caught up for PowerShell there was a few reasons why people didn't just drop PowerShell I mean still I wouldn't

advise anyone to just drop PowerShell for your kid just be OPSEC minded about it so I think it's gonna look the same it's gonna go oh my god we can't catch this - hey we you know we kind of we can kind of see this stuff and then it's gonna be hey we have a thing you can install to catch all of this so it'll be like the C sharp urgent of transcript logging and whatever the hell the other ones are script lock logging and all that kind of stuff and then we're still gonna have that gap of well you can't just turn it on right so even with something like script block logging or transcription login which I

love transcript blogs just end up in some folder somewhere and then people feel better because they turned it on doesn't mean they're using the data in any single way so I think we're gonna have a nice long buffer of c-sharp that's catchable but not being caught and then when that runs out I mean here okay so here's one thing I'm paying attention to Microsoft is said in 2020 allegedly for general release the dotnet framework mono and dotnet core and maybe xamarin are all going away it's gonna all get rolled under one roof so what I think about that is do I stay on Windows with Visual Studio right and c-sharp or with some adaptation to you know dotnet

core type stuff and target TV OS or target Android as opposed like just changing the target dotnet version so like that to me rings how the hell are you gonna deal with that where you try to develop in one or two languages for almost every single platform there is like when that hits I think that's gonna be a game changer might work against us but I don't really know I think we're gonna have a nice long road of offensive c-sharp out of us to be honest like my hot take thanks Paul alright you're a good guy last question Oh making me work um why do you think it took this long to get to C sharp because it's kind of

funny for people who used to code c-sharp I saw PowerShell come up and I'm like well these EP eyes have existed for a while and I figured people were going through PowerShell because it was more compatible easier to code and what do you think going back and do you think it's gonna be more of a side grade there do you think this could be a lot of exciting possibilities with c-sharp today which is obviously much different than a couple years ago so I don't think it's going back from the offense perspective I think offensive people are just now being like oh we can do this in c-sharp - they didn't make the connection and I'm speaking very

generally it's like I said when you work with PowerShell you were working with dotnet you know all this stuff people saw to do with PowerShell just caught the attention of attackers being like oh this gives us all that fundamental access while we don't have to like you know compile a program we can just script it out blah blah blah and then when sort of people realizing like Oh C sharp does the same thing which makes sense you know like you can access run space PowerShell or power shell run space in c-sharp you can do the same in PowerShell for c-sharp like with ad type it's just like you only know anything once you know it and then you go oh now

I know this that's a thing so I think we a lot of you know offensive folks just were so enamored with PowerShell because it was so big for the last few years that when the c-sharp thing popped up it just seemed new new and we're now going over to it's solely for two reasons one it's just a new challenge writing in c-sharp and getting your weapons over there and this the fact that most PowerShell could be caught if you really stepped up the effort so this just seems like what PowerShell can catch or what malicious PowerShell you can catch right now in the public space you can catch this much c-sharp so it just makes sense

but you're right it's been around forever like it's I don't know why it's new it's just laziness that's really all it is cool all right thank you very much thank you all so much appreciate it [Applause]