I really appreciate Joe Desimone ( @dez_ ) and EndGame making this available open source.
First, check this DerbyCon 2017 Talk out, it will help you have the necessary background.
The code can be found here:
I've had some time to experiment with this code the last few days.
Lets look at the tool. Its pretty straight forward to deploy for your testing.
I wanted to show you how this tool can disrupt the MSBuild attacks I have been working on.
The feature that I have abused in the past execute .NET assemblies in memory, is called Inline Tasks
Lets see what happens when we try to run Mimikatz Inside MSBuild:
I will do another post in the future to go over the internals and some bypasses (I may have found a one or two :-) ).
This is a great training tool. When you find bypasses to this type of defense, it will lead you to better capabilities as an attacker. I encourage you to dig in and learn from this prototype. Really good stuff.
This is one of the first tools, I've seen to directly challenge the tactics I am using in .NET to block the capability.
Here is an analogy.
This tool, is NOT an Over-The-Horizon Tool.
Sometimes, you have to get in their face a bit, kick in some doors. Write mitigations that directly disrupt the attacks. Kick in some doors, if you will.
Both tactics have their place.
This tool is designed for the tactical hunt. To get inline with attackers.
Thats all for today. Great Work Joe, keep it up.