A Conduit for Subtle Threats in the Enterprise Landscape
In the ever-evolving cat-and-mouse game between attackers and defenders, it is often the simplest tools that escape the deepest scrutiny. Our research highlights simple yet powerful PowerShell features that are not widely used and are therefore easy to overlook in standard AV/EDR configurations. One of them is the Add-Type cmdlet, which provides a native, compact mechanism for compiling and executing .NET code at runtime; defenders often miss it because of its simplicity and because it is signed by design, shipping as part of Microsoft's own PowerShell binaries. (One caveat: on Windows PowerShell 5.1, Add-Type shells out to csc.exe, a process-creation artifact that is well known to defenders; PowerShell 7 compiles in-process, and the lower-level primitives below avoid a compiler entirely.) While Add-Type is recognized as a frequently abused means of dynamically compiling and loading C# code, more granular primitives exist within the .NET ecosystem: System.Reflection.Emit.AssemblyBuilder.DefineDynamicAssembly builds assemblies, types and methods directly from IL with no source text and no compiler invocation, and System.Reflection.Assembly::Load(byte[]) maps an assembly image straight from memory so that nothing touches disk. Together these give low-level control over dynamic code generation and in-memory assembly loading, enabling evasive attack chains. Leveraging these primitives, attackers and threat actors can construct capable yet lightweight payloads. Our research analyzes the creation and use of in-memory "gadgets" (modular C# constructs) orchestrated from PowerShell to perform remote process code injection, memory patching of telemetry interfaces (including ETW and AMSI), and in-memory execution of .NET assemblies. The study references real-world APT tactics and red team implementations, demonstrating that these primitives can be readily adapted by adversaries to bypass defenses. Alongside working examples, we show how defenders can detect and mitigate such abuse and discuss the current gaps in EDR engines when handling trusted-runtime abuse.
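The following PowerShell script is an added example, not code from the abstract or from the research it describes. It exercises the three primitives named above (Add-Type, AssemblyBuilder.DefineDynamicAssembly, and Assembly::Load(byte[])) with harmless arithmetic stand-ins so the mechanics and their on-disk footprint can be observed. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the class names, the IL and the temporary file path are illustrative choices, not the gadgets the research builds.

```powershell
# Added example: the three runtime code-generation primitives, used benignly.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows. The C# source,
# IL and type names below are illustrative stand-ins, not the research's gadgets.

# 1. Add-Type: C# source -> compiled assembly loaded into this process.
#    On Windows PowerShell 5.1 this spawns csc.exe (a visible child process);
#    on PowerShell 7 compilation happens in-process via Roslyn.
Add-Type -TypeDefinition @"
public static class AddTypeDemo {
    public static int Double(int x) { return x * 2; }
}
"@
[AddTypeDemo]::Double(21)        # 42

# 2. System.Reflection.Emit: assembly, type and method built from raw IL.
#    No source text exists and no compiler runs, so there is no csc.exe to see.
$asmName    = New-Object System.Reflection.AssemblyName('EmitDemo')
$asmBuilder = [System.Reflection.Emit.AssemblyBuilder]::DefineDynamicAssembly(
    $asmName, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
$modBuilder  = $asmBuilder.DefineDynamicModule('EmitDemoModule')
$typeBuilder = $modBuilder.DefineType('EmitDemo.Calc',
    [System.Reflection.TypeAttributes]::Public)
$methodBuilder = $typeBuilder.DefineMethod('Add',
    [System.Reflection.MethodAttributes]::Public -bor [System.Reflection.MethodAttributes]::Static,
    [int], [Type[]]@([int], [int]))
$il = $methodBuilder.GetILGenerator()
$il.Emit([System.Reflection.Emit.OpCodes]::Ldarg_0)   # push first argument
$il.Emit([System.Reflection.Emit.OpCodes]::Ldarg_1)   # push second argument
$il.Emit([System.Reflection.Emit.OpCodes]::Add)       # add them
$il.Emit([System.Reflection.Emit.OpCodes]::Ret)       # return the sum
$calcType = $typeBuilder.CreateType()
$calcType.GetMethod('Add').Invoke($null, @(40, 2))   # 42

# 3. Assembly::Load(byte[]): load an assembly image from memory, not from a file.
#    For illustration the bytes are produced with Add-Type -OutputAssembly and the
#    file is deleted before loading; in the chains the abstract describes the bytes
#    would arrive over the network or be decoded from a string.
$src = @"
public static class LoadDemo {
    public static int Triple(int x) { return x * 3; }
}
"@
$dll = Join-Path $env:TEMP 'LoadDemo.dll'              # illustrative temp path
Add-Type -TypeDefinition $src -OutputAssembly $dll     # compile to disk only
$bytes = [System.IO.File]::ReadAllBytes($dll)
Remove-Item $dll                                       # nothing remains on disk
$asm = [System.Reflection.Assembly]::Load($bytes)      # byte[] overload
$asm.GetType('LoadDemo').GetMethod('Triple').Invoke($null, @(14))   # 42
[string]::IsNullOrEmpty($asm.Location)                 # True: no backing file
```

The last line is the practitioner's takeaway: an assembly loaded from a byte array reports an empty Location, and a Reflection.Emit assembly has no file behind it at all, so an enumeration of loaded assemblies that filters on missing or empty Location (for example `[AppDomain]::CurrentDomain.GetAssemblies()` inside the process, or the equivalent from an EDR's CLR inspection) surfaces exactly the modules that never touched disk.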
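On the defensive side, the following hunt query is an added example (not the research's own detection logic). It reads PowerShell Script Block Logging events (Microsoft-Windows-PowerShell/Operational, Event ID 4104) and reports blocks that reference the primitives named in the abstract. It assumes Script Block Logging is enabled (Group Policy "Turn on PowerShell Script Block Logging") and that the caller can read that log; the inclusion of AmsiScanBuffer and EtwEventWrite in the pattern list is this example's assumption about which exports a memory-patching gadget would target, not a statement from the abstract.

```powershell
# Added example: hunt Script Block Logging (Event ID 4104) for the runtime
# code-generation primitives named in the abstract. Assumes Script Block
# Logging is enabled and the caller can read the Operational log.
function Find-RuntimeCodeGen {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # Starting-point indicators, not a vetted ruleset. The two API names are an
    # assumption about common patch targets for AMSI/ETW tampering.
    $patterns = @(
        'Add-Type',
        'DefineDynamicAssembly',
        'Reflection\.Assembly\]::Load\(',
        'AmsiScanBuffer',
        'EtwEventWrite'
    )
    $regex = $patterns -join '|'

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # 4104 layout: Properties[0]=fragment number, [1]=fragment total,
        # [2]=script block text, [3]=script block id, [4]=path.
        if ($e.Properties.Count -lt 3) { continue }
        $text = [string]$e.Properties[2].Value
        if ($text -match $regex) {
            $hits = [regex]::Matches($text, $regex) |
                ForEach-Object Value | Select-Object -Unique
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Pid     = $e.ProcessId
                Hits    = $hits -join ', '
                Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Find-RuntimeCodeGen | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, PowerShell emits these events through an ETW provider from inside the same process, so a successful patch of ETW telemetry, which is one of the gadgets the abstract describes, silences the very records this query reads; treat it as a hunt over what survived and pair it with out-of-process signals (process creation of csc.exe on Windows PowerShell 5.1, unusual cross-process memory writes, CLR module inspection by the EDR). Second, the patterns match literal text, so string splitting and obfuscation defeat them; that limitation, rather than the cmdlets themselves, is the gap the abstract attributes to trusted-runtime abuse.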