CustomLoadImage .NET Assembly Loading Technique
CustomLoadImage enables stealthy reflective loading of .NET assemblies by directly calling AssemblyNative::LoadFromBuffer, bypassing hooks on RuntimeAssembly.nLoadImage for defense evasion.
The CustomLoadImage technique allows threat actors to bypass traditional security measures when loading .NET assemblies. By directly invoking the AssemblyNative::LoadFromBuffer function, it circumvents hooks that security products often place on RuntimeAssembly.nLoadImage. This direct invocation provides a stealthier method for loading malicious .NET assemblies into memory. This technique is relevant because it allows attackers to evade common detection strategies and execute malicious .NET code without triggering alerts based on standard assembly loading procedures. The tool is available on GitHub at the provided URL.
Attack Chain
- Attacker gains initial access to the target system (e.g., through phishing or exploiting a vulnerability).
- Attacker deploys a custom loader, implementing the CustomLoadImage technique, onto the target system.
- The custom loader uses
AssemblyNative::LoadFromBufferto load a malicious .NET assembly directly into memory. - This bypasses any hooks or checks that might be placed on
RuntimeAssembly.nLoadImage. - The malicious .NET assembly executes its intended payload within the compromised process.
- The payload may perform actions like credential theft, lateral movement, or data exfiltration.
- The attacker maintains persistence, potentially by scheduling the malicious .NET assembly to reload using CustomLoadImage after system restarts.
Impact
Successful exploitation of the CustomLoadImage technique allows attackers to execute arbitrary .NET code on a compromised system while evading common security defenses. This can lead to a variety of malicious outcomes, including data theft, system compromise, and further propagation within the network. The stealthy nature of this technique makes it harder to detect and remediate, increasing the potential for significant damage.
Recommendation
- Monitor process memory for the execution of .NET assemblies loaded from unusual locations or without corresponding file paths; investigate any anomalies (Generic detection capability).
- Implement endpoint detection rules that flag processes calling
AssemblyNative::LoadFromBufferdirectly, especially when originating from non-standard or untrusted processes (see Sigma rule examples below). - Inspect network traffic for unusual data patterns that may indicate exfiltration initiated by reflectively loaded assemblies.
Detection coverage 2
Detect AssemblyNative::LoadFromBuffer Call
highDetects calls to AssemblyNative::LoadFromBuffer, which is used by CustomLoadImage to bypass normal assembly loading procedures.
Detect .NET Assembly Loaded From Memory
mediumDetects .NET assemblies loaded from memory, potentially indicating reflective loading techniques like CustomLoadImage.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
url
| Type | Value |
|---|---|
| url | https://github.com/backdoorskid/CustomLoadImage |