In memory .NET Assembly Execution

.NET defines a binary file format, or assembly, that is used to fully describe and contain .NET programs. Assemblies are used for the programs themselves as well as any dependent libraries. A .NET program can be executed as one or more assemblies, with no other required artifacts, beyond the appropriate .NET implementation.

Running a .NET Assembly in-memory from Core Impact

To run .NET assembly executables in the context of an Impact agent we created a new module .NET Assembly Execution.

The ".NET Assembly Execution" module is compatible with extensions commonly employed by Cobalt Strike users, providing an opportunity to broaden the reach of Core Impact. Any executions that employ the execute-assembly command in Cobalt Strike can be used as a shared resource when using both products for a testing engagement.

This module accepts a path to a local executable assembly and runs it on a given target. You may pass arbitrary arguments, quoted or not, to this program as if you ran it from a command shell. It can be executed in a sacrificial process using the fork and run technique or inline in the agent process.

Parameters

LOCAL EXECUTABLE ASSEMBLY FILE - .NET Assembly Executable file path (local).

ARGUMENTS - Arguments passed to this assembly as if it were run from a Windows command-line interface.

USE SACRIFICIAL PROCESS - If enabled, the module uses the fork and run technique, which is to generate a new sacrificial process, inject the post-exploitation code into that new process, execute the code and when finished, kill the new process. Otherwise, the code will be executed in-process.

Copyright © Fortra, LLC and its group of companies.
All trademarks and registered trademarks are the property of their respective owners.
21.7 | 202504070612 | April 2025