- Leveraging the abuse of trusted applications, one is able to deliver a compatible script interpreter for a Windows, Mac, or Linux system as well as malicious source code in the form of the specific script interpreter of choice. Once both the malicious source code and the trusted script interpeter are safely written to the target system, one could simply execute said source code via the trusted script interpreter.
The following langues are wholly ignored by AV vendors including MS-Defender:
- tcl
- php
- crystal
- julia
- golang
- dart
- dlang
- vlang
- nodejs
- bun
- python
- fsharp
- deno
All of these languages were allowed to completely execute, and establish a reverse shell by MS-Defender. We assume the list is even longer, given that languages such as PHP are considered "dead" languages.
The total number of vendors that are unable to scan or process just PHP file types is 14, and they are listed below:
- Alibaba
- Avast-Mobile
- BitDefenderFalx
- Cylance
- DeepInstinct
- Elastic
- McAfee Scanner
- Palo Alto Networks
- SecureAge
- SentinelOne (Static ML)
- Symantec Mobile Insight
- Trapmine
- Trustlook
- Webroot
And the total number of vendors that are unable to accurately identify malicious PHP scripts is 54, and they are listed below:
- Acronis (Static ML)
- AhnLab-V3
- ALYac
- Antiy-AVL
- Arcabit
- Avira (no cloud)
- Baidu
- BitDefender
- BitDefenderTheta
- ClamAV
- CMC
- CrowdStrike Falcon
- Cybereason
- Cynet
- DrWeb
- Emsisoft
- eScan
- ESET-NOD32
- Fortinet
- GData
- Gridinsoft (no cloud)
- Jiangmin
- K7AntiVirus
- K7GW
- Kaspersky
- Lionic
- Malwarebytes
- MAX
- MaxSecure
- NANO-Antivirus
- Panda
- QuickHeal
- Sangfor Engine Zero
- Skyhigh (SWG)
- Sophos
- SUPERAntiSpyware
- Symantec
- TACHYON
- TEHTRIS
- Tencent
- Trellix (ENS)
- Trellix (HX)
- TrendMicro
- TrendMicro-HouseCall
- Varist
- VBA32
- VIPRE
- VirIT
- ViRobot
- WithSecure
- Xcitium
- Yandex
- Zillya
- ZoneAlarm by Check Point
- Zoner
With this in mind, and the absolute shortcomings on identifying PHP based malware we came up with the theory that the 13 identified languages are also an oversight by these vendors, including CrowdStrike, Sentinel1, Palo Alto, Fortinet, etc. We have been able to identify that at the very least Defender considers these obviously malicious payloads as plaintext.
We as the maintainers, are in no way responsible for the misuse or abuse of this product. This was published for legitimate penetration testing/red teaming purposes, and for educational value. Know the applicable laws in your country of residence before using this script, and do not break the law whilst using this. Thank you and have a nice day.
In case you are seeing all of the default declarations, and wondering wtf guys. There is a reason; this was built to be more moduler for later versions. For now, enjoy the tool and feel free to post issues. They'll be addressed as quickly as possible.