Finding .NET Assemblies
Techniques for hunting malicious .NET assemblies - detecting in-memory execution, assembly loading, and CLR-based attacks.
Originally published on Medium
Read the full article: Finding .NET Assemblies
Why .NET Matters
.NET assemblies are a common post-exploitation vehicle because the CLR will load and run managed code that never has to exist as a file:
- In-memory execution (Assembly.Load from a byte array)
- Reflection-based loading and method invocation
- CLR hijacking
- Managed code implants
Detection Challenges
.NET attacks are hard to detect because:
- Assemblies can be loaded straight from memory, so no file touches disk and file-based scanning never sees them
- Legitimate .NET usage is ubiquitous, so "a process loaded an assembly" is not a signal by itself
- Little native logging is on by default: the CLR reports what it does through ETW, and nothing records those events unless a consumer is attached
ETW for .NET
Event Tracing for Windows provides .NET visibility through the runtime provider:
Microsoft-Windows-DotNETRuntime
What it captures depends on the keywords you enable:
- Loader keyword (0x8): assembly, module and AppDomain loads and unloads
- JIT keyword (0x10): JIT compilation and method load events (MethodJittingStarted, MethodLoadVerbose), i.e. methods as they are compiled, not every call
Assembly Load Events
Event ID 154 is AssemblyLoad. A Splunk-style count of loads by assembly and process:
index=etw Provider="Microsoft-Windows-DotNETRuntime"
EventID=154
| stats count by AssemblyName, ProcessName
The AssemblyName and ProcessName field names depend on how your collector flattens the event; the raw event payload carries FullyQualifiedAssemblyName, AssemblyFlags and AppDomainID, and the process comes from the event header.
Hunting Strategies
Unusual Assembly Names
Look for:
- Random-looking simple names with no namespace structure (compare System.Management.Automation with a bare string of letters and digits)
- No version info (Version=0.0.0.0 in the fully qualified name)
- Loaded from memory: the Dynamic bit (0x2) set in AssemblyFlags, or a matching ModuleLoad (event ID 152) whose ModuleILPath is empty or not a real file path
Suspicious Loaders
Monitor processes loading assemblies they have no business loading:
- PowerShell loading offensive tooling rather than framework or module assemblies
- Office applications hosting the CLR at all where no add-in is expected
- System processes with CLR activity they normally never show
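The two hunting strategies above, applied to AssemblyLoad (event ID 154) records, as an added example that is not part of the original article. The log lines are constructed and only approximate the JSON a collector such as SilkETW emits; the field names (EventID, ProcessName, XmlEventData.FullyQualifiedAssemblyName, XmlEventData.AssemblyFlags), the host-process lists and the name heuristic are all assumptions to adapt to your own collector and environment.

```python
"""Hunt Microsoft-Windows-DotNETRuntime AssemblyLoad events for the indicators
discussed above: random-looking names, missing version info, dynamic
(in-memory) assemblies, and hosts that should not be loading them.
Added example; the records are CONSTRUCTED and SilkETW-shaped by assumption."""
import json
import re
from collections import Counter

# Constructed sample log: one JSON record per line.  The ModuleLoad (152)
# record is there to show that the filter only keeps AssemblyLoad (154).
SAMPLE_LOG = r"""
{"ProviderName":"Microsoft-Windows-DotNETRuntime","EventID":154,"EventName":"Loader/AssemblyLoad","ProcessID":4120,"ProcessName":"powershell.exe","XmlEventData":{"FullyQualifiedAssemblyName":"System.Management.Automation, Version=7.4.0.500, Culture=neutral, PublicKeyToken=31bf3856ad364e35","AssemblyFlags":"0x0"}}
{"ProviderName":"Microsoft-Windows-DotNETRuntime","EventID":154,"EventName":"Loader/AssemblyLoad","ProcessID":4120,"ProcessName":"powershell.exe","XmlEventData":{"FullyQualifiedAssemblyName":"Rubeus, Version=1.6.4.0, Culture=neutral, PublicKeyToken=null","AssemblyFlags":"0x0"}}
{"ProviderName":"Microsoft-Windows-DotNETRuntime","EventID":152,"EventName":"Loader/ModuleLoad","ProcessID":4120,"ProcessName":"powershell.exe","XmlEventData":{"ModuleILPath":"C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System\\v4.0_4.0.0.0__b77a5c561934e089\\System.dll"}}
{"ProviderName":"Microsoft-Windows-DotNETRuntime","EventID":154,"EventName":"Loader/AssemblyLoad","ProcessID":5532,"ProcessName":"winword.exe","XmlEventData":{"FullyQualifiedAssemblyName":"Xk9pQw2mZtRv8Lnb, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null","AssemblyFlags":"0x2"}}
{"ProviderName":"Microsoft-Windows-DotNETRuntime","EventID":154,"EventName":"Loader/AssemblyLoad","ProcessID":7001,"ProcessName":"devenv.exe","XmlEventData":{"FullyQualifiedAssemblyName":"Microsoft.CodeAnalysis, Version=4.8.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","AssemblyFlags":"0x1"}}
{"ProviderName":"Microsoft-Windows-DotNETRuntime","EventID":154,"EventName":"Loader/AssemblyLoad","ProcessID":4120,"ProcessName":"powershell.exe","XmlEventData":{"FullyQualifiedAssemblyName":"System.Management.Automation, Version=7.4.0.500, Culture=neutral, PublicKeyToken=31bf3856ad364e35","AssemblyFlags":"0x0"}}
"""

PROVIDER = "Microsoft-Windows-DotNETRuntime"
ASSEMBLY_LOAD = 154
FLAG_DYNAMIC = 0x2  # AssemblyFlags bit: Reflection.Emit assembly, never on disk.
# Note: Assembly.Load(byte[]) assemblies are NOT marked Dynamic; to catch those,
# correlate with ModuleLoad (152) and check ModuleILPath for a missing file path.

FRAMEWORK_PREFIXES = ("System.", "Microsoft.", "mscorlib", "netstandard")
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumption
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}                                # assumption
VOWELS = set("aeiouAEIOU")


def parse_events(text):
    """Keep only AssemblyLoad events and split the fully qualified name."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("ProviderName") != PROVIDER or rec.get("EventID") != ASSEMBLY_LOAD:
            continue
        data = rec["XmlEventData"]
        parts = [p.strip() for p in data["FullyQualifiedAssemblyName"].split(",")]
        attrs = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        events.append({
            "pid": rec["ProcessID"],
            "process": rec["ProcessName"].lower(),
            "name": parts[0],
            "version": attrs.get("Version", ""),
            "token": attrs.get("PublicKeyToken", ""),
            "flags": int(str(data.get("AssemblyFlags", "0")), 0),
        })
    return events


def looks_random(name):
    """Coarse heuristic: 8+ alphanumerics with no namespace dots, and either
    digits mixed in or almost no vowels.  Pronounceable names such as
    mscorlib or netstandard pass; tune the thresholds for your estate."""
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", name):
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    return any(c.isdigit() for c in name) or vowel_ratio < 0.2


def is_framework(name):
    return name == "System" or name.startswith(FRAMEWORK_PREFIXES)


def assess(ev):
    """Return the list of reasons an AssemblyLoad event deserves a look."""
    reasons = []
    if looks_random(ev["name"]):
        reasons.append("random-looking assembly name")
    if ev["version"] in ("", "0.0.0.0"):
        reasons.append("no version info")
    if ev["flags"] & FLAG_DYNAMIC:
        reasons.append("dynamic (in-memory) assembly")
    if ev["process"] in OFFICE_HOSTS:
        # Any CLR activity in Office is worth a look unless a VSTO add-in is expected.
        reasons.append("Office process hosting the CLR")
    elif ev["process"] in SCRIPT_HOSTS and not is_framework(ev["name"]):
        reasons.append("script host loaded a non-framework assembly")
    return reasons


def hunt(text):
    return [{**ev, "reasons": assess(ev)} for ev in parse_events(text) if assess(ev)]


def count_by_assembly_process(text):
    """Same aggregation as `stats count by AssemblyName, ProcessName`."""
    return Counter((ev["name"], ev["process"]) for ev in parse_events(text))


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['process']}[{f['pid']}] {f['name']} {f['version']}: {'; '.join(f['reasons'])}")
    for (name, proc), n in count_by_assembly_process(SAMPLE_LOG).most_common():
        print(f"{n:3d} {proc} {name}")
```

Run against the constructed log, the script flags the powershell.exe load of Rubeus (non-framework assembly in a script host) and the winword.exe load of a dynamic, unversioned, random-named assembly, while the framework loads in PowerShell and Visual Studio stay quiet; the count table reproduces the Splunk aggregation above.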
Tools
- SilkETW - ETW consumer that writes provider events (including Microsoft-Windows-DotNETRuntime) as JSON for a SIEM
- dotnet-trace - .NET diagnostic CLI that collects runtime events from a process over EventPipe; useful for inspecting one process, not fleet-wide telemetry
- ProcMon - Process Monitor; filter on Load Image and file operations to see on-disk assemblies, bearing in mind it will not show an assembly loaded from a byte array