Interesting new tool in development: https://github.com/endgameinc/ClrGuard . Casey Smith recently tested it against an exploited MSBuild exec with Mimikatz: "Inside CLRGuard - Let's Kick the Door Down. Part One", http://subt0x10.blogspot.com/
This is not recommended for production systems yet but has tremendous potential for blocking many .NET/C# related application whitelisting bypasses which are typically nearly impossible to control. I've been playing with ClrGuard for a couple of days now and following with a good amount of curiosity.
I like these new experimental concepts. The more the merrier. @WildByDesign is quite right, it has excellent potential!
The concept behind CLRGuard is good. Its current execution method is not. Nor is it new or unique. Zemana Anti-logger loads its hook .dll into processes at startup via the AppInitDll reg. key. Anything sitting in the AppInitDll reg. key is a security risk, and Microsoft deprecated its use some time ago. Malware can and has modified settings in that reg. key, including removal of security software hooks resident there. Enhancements are needed to set the hook dynamically and only in vulnerable Windows processes, such as system utilities that are currently being abused by malware developers. The most common tactic being to hide the UAC evaluation request.
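A read-only audit of the AppInit_DLLs injection point the post above warns about, as an added example that is not from the thread or the ClrGuard project. It reads both the native and WOW64 views of the key, reports the LoadAppInit_DLLs / RequireSignedAppInit_DLLs switches, and checks the Authenticode signature of every listed DLL so that a tampered, unsigned or dangling entry stands out.

```powershell
# Added example, not from the thread or the ClrGuard project: a read-only audit of
# the AppInit_DLLs injection point. Emits one object per DLL entry (or per empty view).
function Get-AppInitDllAudit {
    $views = @(
        @{ View = 'x64';   Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' },
        @{ View = 'WOW64'; Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows' }
    )
    foreach ($v in $views) {
        if (-not (Test-Path -LiteralPath $v.Path)) { continue }
        $p = Get-ItemProperty -LiteralPath $v.Path
        # LoadAppInit_DLLs=1 turns the mechanism on; RequireSignedAppInit_DLLs=1 restricts
        # it to signed DLLs. A missing value means the OS default applies.
        $load   = $p.LoadAppInit_DLLs
        $signed = $p.RequireSignedAppInit_DLLs
        $list   = [string]$p.AppInit_DLLs
        if ([string]::IsNullOrWhiteSpace($list)) {
            [pscustomobject]@{ View=$v.View; Load=$load; RequireSigned=$signed; Dll=$null; Status='empty'; Signer=$null }
            continue
        }
        # The value is a space- or comma-separated list; entries are often 8.3 short paths.
        # A bare file name (no directory) is resolved by the loader's search order, so a
        # 'missing' result for such an entry means "not found relative to this shell".
        foreach ($entry in ($list -split '[ ,]+' | Where-Object { $_ })) {
            if (-not (Test-Path -LiteralPath $entry)) {
                [pscustomobject]@{ View=$v.View; Load=$load; RequireSigned=$signed; Dll=$entry; Status='missing'; Signer=$null }
                continue
            }
            $full   = (Get-Item -LiteralPath $entry).FullName
            $sig    = Get-AuthenticodeSignature -FilePath $full
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            [pscustomobject]@{ View=$v.View; Load=$load; RequireSigned=$signed; Dll=$full; Status=$sig.Status; Signer=$signer }
        }
    }
}

# Anything listed with Load=1 is loaded into every process that links user32.dll, so
# an unsigned, missing or unexpected entry is something to explain, not ignore.
Get-AppInitDllAudit | Format-Table -AutoSize
```

On Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled entirely, so a populated key on such a host is a leftover or tampering indicator rather than an active injection.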
This is a summary of most of the MSBuild bypasses: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/ . Of note is MSBuild's use of PShell.
A nice article about capturing details of in-memory .NET attacks, with some coverage of ClrGuard as well: "Hunting For In-Memory .NET Attacks", https://www.endgame.com/blog/technical-blog/hunting-memory-net-attacks
I am somewhat distressed over the AV vendors' lack of attention to .Net based malware. I hope CLRGuard will at least point them in the right direction. Also, using dynamic versus static hooking, since permanent hooks can be disabled.
Even if .Net malware can eventually be successfully detected, you can be attacked prior to .Net process execution: http://subt0x10.blogspot.com/2017/06/attacking-clr-appdomainmanager-injection.html
Updated build today to add a hook for the LoadModule function, as it was recently shown to have abuse potential, discovered by Matt Graeber (@mattifestation). Link: https://github.com/endgameinc/ClrGuard/tree/master/dist
Regarding: https://twitter.com/dez_/status/980809640161267717 (see thread and go to top). The real meat and potatoes: https://gist.github.com/mattifestation/8958b4c18d8bca9e221b29252cfee26b - a stealthier method of loading a .NET PE in memory, via the Assembly.LoadModule method.