– Bring-Your-Own-Script-Interpreter
– Leveraging the abuse of trusted applications, one is able to ship a compatible script interpreter for a Windows, Mac, or Linux system, along with malicious source code written for that specific script interpreter of choice. Once both the malicious source code and the trusted script interpreter have been written to the target system, one can simply execute said source code via the trusted script interpreter.
– Leverages 13 scripting languages to perform the above attack.
The following languages are wholly ignored by AV vendors, including MS-Defender:
– tcl
– php
– crystal
– julia
– golang
– dart
– dlang
– vlang
– nodejs
– bun
– python
– fsharp
– deno
All of these languages were allowed by MS-Defender to fully execute and establish a reverse shell. We assume the list is even longer, given that languages such as PHP are considered "dead" languages.
– Currently undetectable by most mainstream Endpoint-Detection & Response vendors.
The total number of vendors that are unable to scan or process PHP file types at all is 14, and they are listed below:
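From the defender's side, the simplest telemetry signal for the technique described above is a known interpreter binary launching from a user-writable location rather than its vendor install path. The following is an added example, not code from this project: it scans constructed process-creation events (format `timestamp|host|image_path|cmdline`, an assumption) and flags interpreters from the list above that run outside a set of assumed trusted prefixes. Executable names for golang/dlang/vlang/fsharp (`go`, `dmd`/`ldc2`, `v`, `fsi`/`dotnet`) are assumptions.

```python
import re

# Executable names for the 13 languages listed above (names for golang, dlang,
# vlang and fsharp are assumptions about their usual binaries).
INTERPRETERS = {
    "tclsh", "php", "crystal", "julia", "go", "dart", "dmd", "ldc2", "v",
    "node", "bun", "python", "python3", "fsi", "dotnet", "deno",
}

# Assumed vendor install locations; anything else is treated as user-writable.
# Path-based allowlisting is a coarse first signal only (a renamed copy evades it).
TRUSTED_PREFIXES = (
    "c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\",
    "/usr/bin/", "/usr/local/bin/", "/opt/", "/bin/",
)


def basename_no_ext(path: str) -> str:
    """Last path component, lower-cased, with a trailing .exe stripped."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(image_path: str):
    """Return (interpreter_name, launched_from_trusted_path) or None."""
    name = basename_no_ext(image_path)
    if name not in INTERPRETERS:
        return None
    return name, image_path.lower().startswith(TRUSTED_PREFIXES)


def scan(lines):
    """Return one alert dict per interpreter launched from an untrusted path."""
    alerts = []
    for line in lines:
        ts, host, image, cmdline = line.split("|", 3)
        hit = classify(image)
        if hit and not hit[1]:
            alerts.append({"ts": ts, "host": host, "interpreter": hit[0],
                           "image": image, "cmdline": cmdline})
    return alerts


SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    "2024-05-01T10:00:01|ws01|C:\\Program Files\\nodejs\\node.exe|node build.js",
    "2024-05-01T10:02:17|ws01|C:\\Users\\alice\\AppData\\Local\\Temp\\php.exe|php.exe -f update.php",
    "2024-05-01T10:03:44|srv02|/usr/bin/python3|python3 backup.py",
    "2024-05-01T10:05:09|srv02|/tmp/.cache/julia|julia main.jl",
    "2024-05-01T10:06:30|ws01|C:\\Windows\\System32\\notepad.exe|notepad.exe",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['host']}: {a['interpreter']} launched from {a['image']}")
```

Pairing this with file-write telemetry (the same interpreter image being dropped shortly before it runs) raises confidence considerably over the path check alone.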
- Alibaba
- Avast-Mobile
- BitDefenderFalx
- Cylance
- DeepInstinct
- Elastic
- McAfee Scanner
- Palo Alto Networks
- SecureAge
- SentinelOne (Static ML)
- Symantec Mobile Insight
- Trapmine
- Trustlook
- Webroot
And the total number of vendors that are unable to accurately identify malicious PHP scripts is 54, and they are listed below:
- Acronis (Static ML)
- AhnLab-V3
- ALYac
- Antiy-AVL
- Arcabit
- Avira (no cloud)
- Baidu
- BitDefender
- BitDefenderTheta
- ClamAV
- CMC
- CrowdStrike Falcon
- Cybereason
- Cynet
- DrWeb
- Emsisoft
- eScan
- ESET-NOD32
- Fortinet
- GData
- Gridinsoft (no cloud)
- Jiangmin
- K7AntiVirus
- K7GW
- Kaspersky
- Lionic
- Malwarebytes
- MAX
- MaxSecure
- NANO-Antivirus
- Panda
- QuickHeal
- Sangfor Engine Zero
- Skyhigh (SWG)
- Sophos
- SUPERAntiSpyware
- Symantec
- TACHYON
- TEHTRIS
- Tencent
- Trellix (ENS)
- Trellix (HX)
- TrendMicro
- TrendMicro-HouseCall
- Varist
- VBA32
- VIPRE
- VirIT
- ViRobot
- WithSecure
- Xcitium
- Yandex
- Zillya
- ZoneAlarm by Check Point
- Zoner
With this in mind, and the absolute shortcomings in identifying PHP-based malware, we came up with the hypothesis that the 13 identified languages are also an oversight by these vendors, including CrowdStrike, Sentinel1, Palo Alto, Fortinet, etc. We have been able to determine that at the very least Defender treats these clearly malicious payloads as plaintext.
Disclaimer
We, as the maintainers, are in no way responsible for the misuse or abuse of this product. This was published for legitimate penetration testing/red teaming purposes, and for educational value. Know the applicable laws in your country of residence before using this script, and do not break the law whilst using this. Thanks and have a nice day.
EDIT
If you are seeing all of the default declarations and wondering wtf guys: there is a reason; this was built to be more modular for later versions. For now, enjoy the tool and feel free to post issues. They will be addressed as quickly as possible.