.NET
.NET is a development framework—not just a language. It includes the Common Language Runtime (CLR), a vast class library, and support for multiple languages (e.g., C#, F#, VB.NET). Its deep integration with Windows internals makes it a powerful choice for red team tooling, loaders, and post-exploitation frameworks.
.NET & Red Teaming
.NET provides full access to native Windows APIs, making it ideal for crafting custom tools that operate at a low level. Offensive frameworks like SharpHound, Covenant, and Seatbelt leverage .NET for enumeration, credential theft, and lateral movement. Compared to PowerShell, .NET binaries often bypass some logging mechanisms, especially when custom-compiled and obfuscated.
However, modern AV/EDR platforms have become increasingly effective at monitoring .NET behavior. Unlike PowerShell, .NET lacks native in-memory script execution (i.e., no cradles), so payloads must be compiled and delivered as binaries, increasing friction and detection opportunities.
.NET vs PowerShell
| Aspect | PowerShell | .NET |
| --- | --- | --- |
| Ease of Use | No compilation, easy scripting | Requires coding and compilation |
| Detection Surface | High (ScriptBlock, AMSI, logging) | Lower if custom; fewer built-ins |
| Delivery | Download-and-execute (trivial) | Requires binary drop or injection |
| Logging | Extensive (incl. Transcription) | Less structured, but process logging |
Considerations
Obfuscation helps reduce static detections, but behavior-based EDR can still flag suspicious patterns. Testing in a sandboxed or lab environment is essential.
Codecepticon is a source-level obfuscator for C#/VB.NET.
Even with obfuscation, assume behavioral detection is in play—especially for common post-ex tools. For mature operations, consider custom development, sandbox testing, and minimal functionality per binary.
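What that behavioral detection can look like from the defender's side, as an added example that is not part of the original page: a triage pass over Sysmon image-load events (Event ID 7) that flags the two .NET delivery paths named in the comparison above, a dropped binary and injection into another process. The sample records are constructed, and the host allowlist and user-writable path list are assumptions to tune per environment; Sysmon image-load logging must be enabled for these events to exist.

```python
import ntpath

CLR_MODULES = {"clr.dll", "clrjit.dll", "coreclr.dll"}
# Assumption: processes expected to host the CLR here; build this per environment.
EXPECTED_MANAGED_HOSTS = {"powershell.exe", "msbuild.exe", "mmc.exe"}
# Assumption: directory fragments that standard users can write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

# Constructed Sysmon Event ID 7 (image load) records, reduced to two fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]


def classify(event):
    """Return a finding for a CLR load that deserves triage, else None."""
    # Only loads of the runtime itself are interesting; ignore other DLLs.
    if ntpath.basename(event["ImageLoaded"]).lower() not in CLR_MODULES:
        return None
    image = event["Image"].lower()
    # Delivery path 1: a managed binary dropped where any user can write.
    if any(fragment in image for fragment in USER_WRITABLE):
        return "managed binary running from user-writable path"
    # Delivery path 2: the runtime appears in a process that is normally native.
    if ntpath.basename(image) not in EXPECTED_MANAGED_HOSTS:
        return "CLR loaded into unexpected host process"
    return None


def triage(events):
    """Return (image, finding) pairs for every event that produced a finding."""
    return [(e["Image"], f) for e in events if (f := classify(e))]


if __name__ == "__main__":
    for image, finding in triage(SAMPLE_EVENTS):
        print(f"{finding}: {image}")
```

Neither rule inspects file names, strings, or hashes, so source-level obfuscation of the binary does not change the result.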