Lawrence Amer
Cybersecurity expert with deep experience in red team operations, penetration testing, and security research. I began my research work in 2013 and have been recognized by leading technology companies including Sony, Microsoft, SAP, Facebook, and Yahoo for responsibly identifying and reporting security vulnerabilities. I currently work as a Red Team Specialist at Resillion and actively contribute to open‑source security projects on 0xsp Labs. My research has been referenced by industry publications such as Threatpost and BleepingComputer.
Session
What happens when an attacker gains ASPX webshell access on an IIS server locked to High or Medium Code Access Security (CAS) trust, configurations explicitly designed to prevent arbitrary code execution, where Process.Start is blocked by default, unmanaged code is denied, and the sandbox restrictions hold? Our research proves otherwise. We systematically analysed the actual CAS policy files, not just the Microsoft documentation summaries, and discovered that multiple distinct C2 channels can be established using only managed .NET APIs that CAS permits. Under High trust, attackers get unrestricted file I/O, full outbound TCP/HTTP/DNS, and SQL connectivity. Under Medium trust, which is supposed to be the restrictive option, both DNS and SQL connections are still permitted — two overlooked outbound data channels that appear nowhere prominently in Microsoft's documentation.
This talk presents functional multi-channel C2 capabilities embedded in a single ASPX page that operate entirely within CAS boundaries, spawn zero child processes, generate no cmd.exe execution telemetry, and run exclusively inside the w3wp.exe worker process.
We cover the full journey: starting with building a reflective loader that leverages Full Trust, exploring the limitations of CAS for ASP.NET (4.x), and abusing lower trust settings to establish multiple covert C2 communication channels.