Reviving DotNetToJScript to bypass AVs

0xDEADBEEF · July 17, 2022, 12:48am

Hello everyone recently i tried to revive an old technique used to .NET executables in memory directly from JScript.

The procedure is public and pretty well explained

Here is the repo: (https://github.com/tyranid/DotNetToJScript)

So, we are in 2022 and using that plain-clean version of DotNetToJScript wont help for sure to bypass antiviruses, so the first step i did is obfuscating the output jscript file with the .NET executable encoded inside.

I managed to bypass some antiviruses (one of them is BitDefender, yes, bypasses with DotNetToJScript obfuscated)

So, i managed to bypass some antiviruses, fine, but then why im writing this?

Well because I am struggling to bypass the latest Windows Defender.

Why is it getting detected? I think here is pretty well explained: [https://www.microsoft.com/security/blog/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/](Generically detecting fileless techniques)

So, the detection im getting is from amsi of course and is named Trojan:JS/SharpShooter.A and obviously its a behavior detection.

So… obfuscating the script is not an option, adding random junk code / calling random functions between the code isnt an option too… is there a way to bypass this detection just by jscript?

Any idea will be helpful!

nightwolf · July 17, 2022, 2:00am

You’ll need to bypass AMSI. Most of the bypasses I’ve seen have been focused around PowerShell but I would image there are options for JScript as well. This blog post is from 2018 and what it describes probably isn’t ideal but worked at the time. I haven’t tested if it works currently. I do recall a comment elsewhere that not using eval() may keep AMSI from scanning the code at all. That was from a while ago though so your millage may vary.

0xDEADBEEF · July 17, 2022, 2:11am

Unfortuntaly cause of other circumstances i must use eval(). Anyways i found intresting that post, but unfortunatly doesnt give a praticable solution for my case.

nightwolf · July 17, 2022, 3:03am

It sounds like your best option then is to work on developing a JScript based AMSI bypass.

dmcxblue · July 17, 2022, 4:21pm

Just wondering why not use GadgetToJScript

0xDEADBEEF · July 17, 2022, 5:31pm

Well, GadgetToJScript is another intresting alternative but lacks of some features like specific method invoking, argument passing etc.

Also, its just matter of time and this will be detected too, it use a different behavior, but has no real amsi bypasses implemented inside.

nightwolf · July 18, 2022, 3:11am

I have a friend that has done a decent amount of work with JScript based tooling. They said that they haven’t really run into AMSI at all with JScript so they thought something else might be going on. They did also suggest trying GadgetToJScript as well.

The detection you mentioned, I was assuming that occurred on execution of the file not simply scanning the file itself. Was I correct in that assumption?

0xDEADBEEF · July 18, 2022, 12:13pm

Exactly. Scanning the file returns no detection. Even by using online scanner is about 0/63. The problem comes when i execute it, doesnt matter how and how much is the script obfuscated. Its a detection based on behvior detection (probably checking for called functions, DynamicInvoke, CreateInstance etc).

system · November 15, 2022, 4:49pm

This topic was automatically closed after 121 days. New replies are no longer allowed.