– Bring-Your-Own-Script-Interpreter
– Leveraging the abuse of trusted applications, one is able to deliver a compatible script interpreter for a Windows, Mac, or Linux system, as well as malicious source code in the form of the specific script interpreter of choice. Once both the malicious source code and the trusted script interpreter are safely written to the target system, one may simply execute said source code via the trusted script interpreter.
– Leverages 13 scripting languages to perform the above attack.
The following languages are wholly ignored by AV vendors, including MS-Defender:
- tcl
- php
- crystal
- julia
- golang
- dart
- dlang
- vlang
- nodejs
- bun
- python
- fsharp
- deno
All of these languages were allowed by MS-Defender to fully execute and establish a reverse shell. We assume the list is even longer, given that languages such as PHP are considered "dead" languages.
– Currently undetectable by most mainstream Endpoint-Detection & Response vendors.
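As an added defender-side example (not part of this tool), the following Python heuristic triages process-creation events for the pattern described above: an interpreter for one of the 13 listed languages running from outside a normal install path, or being handed a script from a user-writable staging directory. The interpreter binary names, trusted prefixes and staging markers are assumptions to tune per environment, and the sample events are constructed.

```python
# Added example, not code from the tool described on this page.
# Flags "bring your own script interpreter" activity in process-creation telemetry.
from typing import Iterable, List, Optional, Tuple

# Assumed Windows binary names for the 13 languages listed above.
INTERPRETERS = {
    "tclsh.exe", "php.exe", "crystal.exe", "julia.exe", "go.exe", "dart.exe",
    "dmd.exe", "v.exe", "node.exe", "bun.exe", "python.exe", "dotnet.exe",
    "deno.exe",
}
# Assumed locations where a legitimately installed interpreter is expected to live.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Assumed user-writable directories commonly used to stage dropped files.
STAGING_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


def classify(image_path: str, cmdline: str) -> Optional[str]:
    """Return a reason string when the event looks like a dropped interpreter, else None."""
    name = image_path.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    if name not in INTERPRETERS:
        return None  # not one of the interpreters we care about
    if not image_path.lower().startswith(TRUSTED_PREFIXES):
        return "interpreter outside trusted install path"
    if any(marker in cmdline.lower() for marker in STAGING_MARKERS):
        return "interpreter handed a script from a staging directory"
    return None


def scan(events: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """events: (image_path, command_line) pairs; returns (image_path, reason) hits."""
    hits = []
    for image, cmdline in events:
        reason = classify(image, cmdline)
        if reason:
            hits.append((image, reason))
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Users\alice\AppData\Local\Temp\php\php.exe",
     r"php.exe C:\Users\alice\AppData\Local\Temp\dropped.php"),
    (r"C:\Program Files\nodejs\node.exe", r"node.exe C:\dev\app\server.js"),
    (r"C:\Program Files\Python311\python.exe", r"python.exe C:\Users\alice\Downloads\x.py"),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\alice\notes.txt"),
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"{reason}: {image}")
```

Running the block flags the Temp-staged php.exe and the Python run of a Downloads script, and leaves the two benign events alone.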
The total number of vendors that are unable to scan or process even plain PHP file types is 14, and they are listed below:
- Alibaba
- Avast-Mobile
- BitDefenderFalx
- Cylance
- DeepInstinct
- Elastic
- McAfee Scanner
- Palo Alto Networks
- SecureAge
- SentinelOne (Static ML)
- Symantec Mobile Insight
- Trapmine
- Trustlook
- Webroot
And the total number of vendors that are unable to accurately identify malicious PHP scripts is 54, and they are listed below:
- Acronis (Static ML)
- AhnLab-V3
- ALYac
- Antiy-AVL
- Arcabit
- Avira (no cloud)
- Baidu
- BitDefender
- BitDefenderTheta
- ClamAV
- CMC
- CrowdStrike Falcon
- Cybereason
- Cynet
- DrWeb
- Emsisoft
- eScan
- ESET-NOD32
- Fortinet
- GData
- Gridinsoft (no cloud)
- Jiangmin
- K7AntiVirus
- K7GW
- Kaspersky
- Lionic
- Malwarebytes
- MAX
- MaxSecure
- NANO-Antivirus
- Panda
- QuickHeal
- Sangfor Engine Zero
- Skyhigh (SWG)
- Sophos
- SUPERAntiSpyware
- Symantec
- TACHYON
- TEHTRIS
- Tencent
- Trellix (ENS)
- Trellix (HX)
- TrendMicro
- TrendMicro-HouseCall
- Varist
- VBA32
- VIPRE
- VirIT
- ViRobot
- WithSecure
- Xcitium
- Yandex
- Zillya
- ZoneAlarm by Check Point
- Zoner
With this in mind, and given the absolute shortcomings in identifying PHP-based malware, we came up with the theory that the 13 identified languages are also an oversight by these vendors, including CrowdStrike, Sentinel1, Palo Alto, Fortinet, etc. We have been able to determine that, at the very least, Defender treats these clearly malicious payloads as plaintext.
Disclaimer
We, as the maintainers, are in no way responsible for the misuse or abuse of this product. This was published for legitimate penetration testing/red teaming purposes, and for educational value. Know the applicable laws in your country of residence before using this script, and don't break the law whilst using this. Thanks and have a nice day.
EDIT
If you're seeing all of the default declarations and wondering "wtf guys": there's a reason; this was built to be more modular for later versions. For now, enjoy the tool and feel free to submit issues. They'll be addressed as quickly as possible.