23 Sep 2024
sysbraykr.com news - BYOSI
- Bring-Your-Own-Script-Interpreter
- Leveraging the abuse of trusted applications, one is able to deliver a compatible script interpreter for a Windows, Mac, or Linux system as well as malicious source code in the form of the specific script interpreter of choice. Once both the malicious source code and the trusted script interpeter are safely written to the target system, one could simply execute said source code via the trusted script interpreter.
PolyDrop
- Leverages thirteen scripting languages to perform the above attack.
The following langues are wholly ignored by AV vendors including MS-Defender: - tcl - php - crystal - julia - golang - dart - dlang - vlang - nodejs - bun - python - fsharp - deno
All of these languages were allowed to completely execute, and establish a reverse shell by MS-Defender. We assume the list is even longer, given that languages such as PHP are considered "dead" languages.
- Currently undetectable by most mainstream Endpoint-Detection & Response vendors.
The total number of vendors that are unable to scan or process just PHP file types is 14, and they are listed below:
Alibaba
Avast-Mobile
BitDefenderFalx
Cylance
DeepInstinct
Elastic
McAfee Scanner
Palo Alto Networks
SecureAge
SentinelOne (Static ML)
Symantec Mobile Insight
Trapmine
Trustlook
Webroot
And the total number of vendors that are unable to accurately identify malicious PHP scripts is 54, and they are listed below:
Acronis (Static ML)
AhnLab-V3
ALYac
Antiy-AVL
Arcabit
Avira (no cloud)
Baidu
BitDefender
BitDefenderTheta
ClamAV
CMC
CrowdStrike Falcon
Cybereason
Cynet
DrWeb
Emsisoft
eScan
ESET-NOD32
Fortinet
GData
Gridinsoft (no cloud)
Jiangmin
K7AntiVirus
K7GW
Kaspersky
Lionic
Malwarebytes
MAX
MaxSecure
NANO-Antivirus
Panda
QuickHeal
Sangfor Engine Zero
Skyhigh (SWG)
Sophos
SUPERAntiSpyware
Symantec
TACHYON
TEHTRIS
Tencent
Trellix (ENS)
Trellix (HX)
TrendMicro
TrendMicro-HouseCall
Varist
VBA32
VIPRE
VirIT
ViRobot
WithSecure
Xcitium
Yandex
Zillya
ZoneAlarm by Check Point
Zoner
With this in mind, and the absolute shortcomings on identifying PHP based malware we came up with the theory that the 13 identified languages are also an oversight by these vendors, including CrowdStrike, Sentinel1, Palo Alto, Fortinet, etc. We have been able to identify that at the very least Defender considers these obviously malicious payloads as plaintext.
Disclaimer
We are in no way responsible for the misuse or abuse of this product. This was published for legitimate penetration testing/red teaming purposes, and for educational value. Know the applicable laws in your country of residence before using this script, and do not break the law whilst using this. Thank you and have a nice day.
EDIT
In case you are seeing all of the default declarations, and wondering wtf guys. There is a reason; this was built to be more moduler for later versions. For now, enjoy the tool and feel free to post issues. They'll be addressed as quickly as possible.
source : https://www.kitploit.com/2024/09/polydrop-byosi-bring-your-own-script.html