BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//orangecon-2026//speaker//DHLTBV
BEGIN:VEVENT
UID:pretalx-orangecon-2026-FZQTVC@pretalx.com
DTSTART:20260604T161000Z
DTEND:20260604T164000Z
DESCRIPTION:What happens when an attacker gains ASPX webshell access on an 
 IIS server locked to High or Medium Code Access Security (CAS) trust\, con
 figurations explicitly designed to prevent arbitrary code execution as `Pr
 ocess.Start` is blocked by default\, unmanaged code is denied\, and the sa
 ndbox restrictions holds. Our research proves otherwise. We systematically
  analysed the actual CAS policy files\, not just the Microsoft documentati
 on summaries\, and discovered that multiple distinct C2 channels can be es
 tablished using only managed .NET APIs that CAS permits. Under High trust 
 levels\, attackers get unrestricted file I/O\, full outbound TCP/HTTP/DNS\
 , and SQL connectivity. Under Medium Trust\, which is supposed to be the r
 estrictive option\, both DNS and SQL connections are still permitted — t
 wo overlooked outbound data channels that appear nowhere prominently in Mi
 crosoft's documentation. \n\nThis talk presents a functional multi-channel
  C2 functionalities embedded in a single ASPX page that operates entirely 
 within CAS boundaries\, spawns zero child processes\, generates no `cmd.ex
 e` execution telemetry\, and operates exclusively inside `w3wp.exe` worker
  process pool. \n\nWe cover the full journey: starting from building refle
 ctive loader leveraging full trust\, exploring limitation of CAS for ASP.N
 ET(4.x)\, and abusing lower trust's settings to establish multiple covert 
 C2 communication.
DTSTAMP:20260525T192735Z
LOCATION:Track 2
SUMMARY:Abusing ASP.NET Trust Levels For Covert C2 Communications Channels 
 - Lawrence Amer
URL:https://pretalx.com/orangecon-2026/talk/FZQTVC/
END:VEVENT
END:VCALENDAR