2025-10-17, Tramshed Tech
Join us as we discuss how to hijack trusted .NET binaries and find the perfect binary for your Red Team engagement.
Specifically, this talk will cover the background on:
- How to build your own .NET hijacking tool to launch malicious DLLs on Windows systems.
- Leveraging VirusTotal to identify the perfect trusted .NET binary for your target environment.
AppDomainManager injection can be used to force any .NET binary to load a malicious library. This is a highly useful technique when trying to launch an implant that can evade modern Endpoint Detection and Response (EDR). Red Team operators and threat actors (ab)use this technique, often combined with a ClickOnce deployment, to gain initial access to a target organisation.
Both techniques are powerful methods for any Red Team operator looking to launch their implant. However, they require identifying a .NET application or ClickOnce deployment that is signed, trustworthy, and relevant to the target environment. VirusTotal (and other similar multiscanners) absorb thousands of files from endpoints worldwide. Learn how to leverage these massive data sets to find the perfect .NET binary to integrate into your campaigns.
Blue Teams and organisations will also benefit from this talk: learn about the underlying injection and ClickOnce techniques in order to create detection logic and monitor your environments.
This will be an abridged version of our talk covered at MCTTP: https://www.mcttp.de/2025-talk-spicer-sully
Paul Spicer is a Senior Red Team Consultant based in Mandiant's UK office. As part of Mandiant's APT66, Paul primarily works on red and purple team assessments and adversary simulations. Paul has experience delivering a variety of red team scenarios including external attack, assumed compromise and phishing.
Paul has led and participated in multiple red and purple team style engagements with a variety of high-profile clients based in the public sector, private sector and financial services, including multiple threat intelligence-led CBESTs. Paul's red team experience has covered various attack surfaces, from traditional Active Directory environments to clients with a cloud-first approach.
Outside of red teaming, Paul spent time working in a security hardware testing and research laboratory. During this time Paul conducted physical attacks on electronic devices by identifying initial access points via hidden debug interfaces, hardware teardowns and signal and RF analysis.
Paul Spicer and Dave Sully are both Senior Red Team Consultants for Google Mandiant. As part of Mandiant's APT66, they primarily work on red and purple team assessments and adversary simulations. Dave has over 25 years of experience in the IT sector, with an extensive background in information technology across a wide range of roles prior to specialising in Cyber Security in 2016.