Bring-Your-Own-Script-Interpreter (BYOSI) - RELOADED

“// It gets funnier as time passes…” — Nightmare-Eclipse


Introduction

The saga continues, now with a brand-new trick for an old technique. Two years ago, a group of security researchers published this technique on Github, while simultaneously calling out every single Anti-Virus (AV) and Endpoint Detection and Response (EDR) vendor in the Cybersecurity Industry. While the feedback from the Hacking and Information Security (InfoSec) community was abundant and rather positive, the publication seemed completely overlooked by the Incident Response (IR) and EDR communities. What started as a curiosity conquest became one of the most successful techniques leveraged by threat actors and professional red-teamers. As time went on, the researchers joined Kaiju Security to educate corporations about this technique by exploiting blind spots within our industry’s most trusted security solutions.


What is BYOSI?

The Bring-Your-Own-Script-Interpreter (BYOSI) technique is performed exactly as the name implies: an attacker brings their own portable script interpreter to detonate custom malware written in the corresponding language. Let’s take Python, for example. Python is portable, and you could simply download the portable Python binary, trusted and signed by Python.org, then leverage it to execute any malicious Python code written to the compromised system. Python is just one well-known example; the BYOSI researchers have discovered several other portable scripting languages that can be leveraged for this attack technique.

The weakness exploited by this technique is simple: AV and EDR software don’t read source code! Those solutions have been trained since their conception to detect and respond to known malicious applications and/or malicious behavior performed on a compromised system. But this only solves half the problem of detecting malware. What these vendors are missing is the key component that makes malware malicious in the first place… its source code!

Software is just a series of functions that execute a specific task designed by the developer; malware is just a series of functions that execute malicious tasks designed by the adversary. They are inherently the same because it all comes down to one thing - what is in the source code.

A binary application has its source code compiled into machine instructions that are understood only by the Operating System and platform it was built for. This has been the standard for all popular applications, good, bad, and ugly, and has been the modus operandi of developers for decades, even the malicious ones. This all comes to a head when we look at the fundamental methodology for detecting malware:

  • An unknown application is executed on the computer;
  • That application matches the signature of a known strain of malware;
  • The security software halts execution of the unknown application, flags it as malicious, and quarantines or removes the application from the device.

An interpreted application breaks this model: it translates the provided source code in real time, line by line, during runtime.

This means the only binary application executing on the device is not malicious at all, but rather a trusted and signed script interpreter, such as Python, Golang, PHP, etc. Each of these script interpreter applications has been vetted and trusted by our entire industry as if the consensus were: “Python is a trusted scripting language. No one would ever execute malicious code with it!” These famous last words gave rise to a simple and devious idea - what if…?


Conception

Let’s rewind the tape to two years ago, where we find our researchers tag-teaming a month-long Red Team engagement. Nearing the end of the engagement, having exhausted all known bypass techniques against CrowdStrike Falcon, one of the researchers asked a simple question, “What about PHP?” The team began researching portable solutions for PHP to be deployed on their target Windows environment and discovered a portable executable of the PHP script interpreter. They then grabbed a copy of PentestMonkey’s PHP reverse shell and edited the code to connect to their listener while executing Windows Command Prompt. Once all the pieces were in place, they executed the PHP script using the PHP interpreter and gained shell access, bypassing CrowdStrike’s onboard agent.

The researchers contacted their client to report the bypass, who then put them in touch with a representative from CrowdStrike. The team was excited to disclose this glaring vulnerability to the actual EDR vendor directly. Unfortunately, the representative who met them on the call was not very tech-savvy, and didn’t truly understand what was being demonstrated. The representative asked to record the meeting while the researchers demonstrated the attack flawlessly.

Weeks went by without further response from CrowdStrike, so the researchers contacted the representative directly requesting an update. The response was comical, as the technical team requested a copy of the executable that performed the attack. Needless to say, much face-palming was performed at that moment. The researchers replied stating that PHP.exe was the only executable, and the real malicious code was in the PHP script. A copy of the modified PentestMonkey reverse shell script was provided along with the exact commands executed to perform the technique… a new technique the researchers called BYOSI.


PolyDrop

The researchers never heard back from CrowdStrike (or any other EDR vendor) despite calling out each organization publicly on social media and Github. The technique would continue to remain viable as the researchers pressed on with engagement after engagement, leveraging BYOSI to bypass every EDR product they came up against. The researchers formed their own collective called the MalwareSupportGroup, aiming to spread awareness of the latest offensive techniques for bypassing EDR, and as their Github and X account implies: ℳ𝒶𝓀ℯ ℳ𝒶𝓁𝓌𝒶𝓇ℯ 𝒩ℴ𝓉 𝒲𝒶𝓇. This collective would go on to publish PolyDrop, showcasing thirteen different portable script interpreters that can be leveraged to perform the BYOSI attack technique.

PolyDrop is written in Rust for portability purposes, so that anyone leveraging the tool could compile it for many different operating systems and take it on the go - perfect for a Red Teamer’s toolkit. It generates a simple Proof-of-Concept (PoC) in each of the languages supported by the tool, along with an equivalent Windows, Mac, or Linux stager script to perform the BYOSI technique. Since publication, PolyDrop has gained over one hundred stars on Github, has been published alongside different toolsets in popular Github repositories, and has been mentioned in numerous blogs across the internet. Fast-forward two years to today, and the technique is just as successful as the day it was conceived.


BYOSI RELOADED - Introducing Bash.exe for Windows

As with the conception of BYOSI, the same question came up again, this time reimagined through a different lens:

“Are there only 13 languages? Could there be more?”

The short answer is “YES”, but keeping to the original ruleset applied to PolyDrop: each language must be portable and must not require administrative privileges to drop or execute on the target system. By this time, the researchers had joined forces with Kaiju Security and began entertaining this very idea all over again. As serendipity would have it, our researcher, while having lunch, had an epiphany: “Wait… what about Bash!?”

Quickly, they returned to their workstation and began researching a known portable version of Bash that ships with Git, whose website advertises portable versions of “Git” for Windows, Mac, and Linux. Looking into the Windows installers, they found the Git for Windows/x64 Portable (“thumbdrive edition”). After inspecting the link to the portable version, they discovered that this installer is hosted on Github under the “git-for-windows” repository. As simple as that, they downloaded the portable installer and began investigating its contents.

The files offered on the repository come in many different formats; the primary version of interest is the 7-Zip self-extracting executable, ending in “*.7z.exe”. Executing the program opens a Save-File dialog where the user can choose the location of the extracted archive. After a bit of research and help from free-tier AI, our team found that, given specific command line arguments, the application can extract silently to a destination of our choosing. Finally, once the files were extracted, we discovered the exact location of bash.exe. After a quick search for a simple reverse shell one-liner in Bash, we executed the bash.exe application with the provided one-liner and received a Bash shell - from a Windows machine! We couldn’t believe it was that simple, or that we had missed it after all this time! Thus, we just had to say something… again.

BYOSI-Bash is available for all to see and learn from on our public Github. It’s a very small project, with an even smaller proof-of-concept, written in PowerShell. It has recently been tested against popular EDR solutions such as CrowdStrike Falcon Complete, Microsoft Defender, and Sophos, remaining undetected as of the publishing of this blog post. For technical details as to why Bash for BYOSI is so awesome, check out the README on the repository.
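The detection gap described under “What is BYOSI?” (a signed, trusted interpreter binary carrying untrusted script) and the portable-Git bash.exe case above share one defensive angle: the interpreter itself will never match a signature, so a rule has to key on where it runs from and who launched it. The following is an added example of that rule, not code from the BYOSI-Bash or PolyDrop projects; the process-creation record format, the user paths, the file names, and the `<placeholder>` arguments are constructed assumptions rather than any vendor’s log format or the project’s real values.

```python
import re
# BYOSI candidates the post names (Python, PHP, Go) plus portable Git's bash.exe.
INTERPRETERS = {"python.exe", "php.exe", "go.exe", "bash.exe", "sh.exe"}

# Paths a non-admin user can write to (assumption: privilege-free drops land here).
USER_WRITABLE = re.compile(
    r"^c:\\(?:users\\[^\\]+\\(?:appdata\\local\\temp|downloads|desktop)"
    r"|windows\\temp)\\", re.IGNORECASE)

def parse_event(line: str) -> tuple:
    """Parse one constructed 'Image=... CommandLine="..." ParentImage=...' record."""
    m = re.fullmatch(r'Image=(\S+) CommandLine="([^"]*)" ParentImage=(\S+)', line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groups()  # (image, cmdline, parent)

def assess(image: str, parent: str) -> list:
    """Reasons the event looks like BYOSI staging; an empty list means not flagged."""
    name = image.rsplit("\\", 1)[-1].lower()
    parent_name = parent.rsplit("\\", 1)[-1].lower()
    in_user_dir = bool(USER_WRITABLE.match(image))
    reasons = []
    if name in INTERPRETERS and in_user_dir:
        reasons.append("script interpreter running from a user-writable path")
    if name.endswith(".7z.exe") and in_user_dir:
        reasons.append("7-Zip self-extractor (*.7z.exe) run from a user-writable path")
    if reasons and parent_name == "powershell.exe":
        reasons.append("launched by PowerShell, matching the stager pattern")
    return reasons

def scan(lines) -> list:
    """Return [(image, cmdline, reasons)] for every flagged record in the log."""
    hits = []
    for line in lines:
        image, cmdline, parent = parse_event(line)
        reasons = assess(image, parent)
        if reasons:
            hits.append((image, cmdline, reasons))  # cmdline kept for triage
    return hits

# Constructed sample records; file names, paths and arguments are placeholders.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOG = [
    f'Image=C:\\Users\\alice\\Downloads\\portable-git-EXAMPLE.7z.exe '
    f'CommandLine="portable-git-EXAMPLE.7z.exe <silent-extract-args>" ParentImage={PS}',
    f'Image=C:\\Users\\alice\\AppData\\Local\\Temp\\extracted\\bash.exe '
    f'CommandLine="bash.exe -c <script>" ParentImage={PS}',
    'Image=C:\\Python312\\python.exe CommandLine="python.exe build.py" ParentImage=C:\\Windows\\explorer.exe',
]
```

Running `scan(SAMPLE_LOG)` flags the self-extractor and the bash.exe launch but not the system-installed Python, which is the point: the same signed interpreter is benign or suspicious depending on its location and lineage, not its hash.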

A message to AV and EDR vendors

Ok, look: for all of you who have read this far and are thinking that we’re dogging on EDR vendors and poking fun at their terrible products, you’re only half-right. This industry is FULL of snake-oil and terrible “solutions” to problems that these vendors barely understand. There are plenty of reputable vendors out there, and while we’ve been picking on a few of them, we ask that you not let our view of their products cast a negative light on their corporation as a whole. That said, this is something we specialize in over here at Kaiju Security: helping our customers better tune their existing exceptional security products while leaving their snake-oil counterparts as quickly as possible. The goal of all security research is to increase awareness of emerging threats and techniques to better prepare our organizations to defend against an adversary we’ve never seen before.


Resources

Shoutout to the MalwareSupportGroup for partnering with Kaiju Security and helping us spearhead your research! - https://github.com/MalwareSupportGroup/PolyDrop

BYOSI-Bash - https://github.com/KaijuSecurity/BYOSI-Bash


This post is licensed under CC BY 4.0 by the author.