{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/reflective-loading/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[".NET Framework"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion",".net","reflective-loading"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe CustomLoadImage technique allows threat actors to bypass traditional security measures when loading .NET assemblies. By directly invoking the \u003ccode\u003eAssemblyNative::LoadFromBuffer\u003c/code\u003e function, it circumvents hooks that security products often place on \u003ccode\u003eRuntimeAssembly.nLoadImage\u003c/code\u003e. This direct invocation provides a stealthier method for loading malicious .NET assemblies into memory. This technique is relevant because it allows attackers to evade common detection strategies and execute malicious .NET code without triggering alerts based on standard assembly loading procedures. The tool is available on GitHub at the provided URL.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eAttacker deploys a custom loader, implementing the CustomLoadImage technique, onto the target system.\u003c/li\u003e\n\u003cli\u003eThe custom loader uses \u003ccode\u003eAssemblyNative::LoadFromBuffer\u003c/code\u003e to load a malicious .NET assembly directly into memory.\u003c/li\u003e\n\u003cli\u003eThis bypasses any hooks or checks that might be placed on \u003ccode\u003eRuntimeAssembly.nLoadImage\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious .NET assembly executes its intended payload within the compromised process.\u003c/li\u003e\n\u003cli\u003eThe payload may perform actions like credential theft, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence, potentially by scheduling the malicious .NET assembly to reload using CustomLoadImage after system restarts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the CustomLoadImage technique allows attackers to execute arbitrary .NET code on a compromised system while evading common security defenses. This can lead to a variety of malicious outcomes, including data theft, system compromise, and further propagation within the network. The stealthy nature of this technique makes it harder to detect and remediate, increasing the potential for significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process memory for the execution of .NET assemblies loaded from unusual locations or without corresponding file paths; investigate any anomalies (Generic detection capability).\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection rules that flag processes calling \u003ccode\u003eAssemblyNative::LoadFromBuffer\u003c/code\u003e directly, especially when originating from non-standard or untrusted processes (see Sigma rule examples below).\u003c/li\u003e\n\u003cli\u003eInspect network traffic for unusual data patterns that may indicate exfiltration initiated by reflectively loaded assemblies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T16:22:00Z","date_published":"2024-01-09T16:22:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-custom-load-image/","summary":"CustomLoadImage enables stealthy reflective loading of .NET assemblies by directly calling AssemblyNative::LoadFromBuffer, bypassing hooks on RuntimeAssembly.nLoadImage for defense evasion.","title":"CustomLoadImage .NET Assembly Loading Technique","url":"https://feed.craftedsignal.io/briefs/2024-01-custom-load-image/"}],"language":"en","title":"CraftedSignal Threat Feed - Reflective-Loading","version":"https://jsonfeed.org/version/1.1"}