Cyber adversaries have found a novel method to bypass Endpoint Detection and Response (EDR) systems by leveraging Bring Your Own Scripting Interpreter (BYOSI). This technique ingeniously avoids engaging with any monitored APIs, presenting a significant challenge to traditional security measures.

Understanding the BYOSI Technique

EDR systems often overlook script files, considering them harmless text files. This oversight provides an advantage, as flashy evasion methods like memory residence or thread injection attract considerable surveillance. Without a certified signature, executing binaries is quite arduous. However, every scripting interpreter is signed and trusted by its creator, circumventing the need for such a signature.

The Power of Scripts

Testing in actual environments has shown surprising results: even crowds of signature-laden scripts, such as those written in PHP, managed to run undetected on systems monitored by top EDR solutions like CrowdStrike and Trellix. These scripts successfully established external connections without raising alerts, as EDRs are tuned to monitor binaries rather than scripts.

High Level Example of Operational Steps for the Evasion Method

The BYOSI approach accomplishes evasion through a concise PowerShell script performing these steps:

  1. Retrieve the PHP archive for Windows and extract it into a new directory named 'php' within 'C:\Temp'.
  2. Download the implant PHP script or shell, saving it in the same 'C:\Temp\php' directory.
  3. Execute the implant or shell using the whitelisted PHP binary, which avoids typical execution restrictions.

These simple actions result in acquiring a functioning shell on systems monitored by EDR, like CrowdStrike. Due to EDRs generally ignoring PHP file types, even tools such as Sentinel One could miss these activities entirely.

Implications and Response

This evasion showcases a glaring vulnerability in current EDR setups. Practitioners must acknowledge these blind spots and adjust accordingly. Microsoft Defender has started marking some PHP scripts as malicious, yet the PowerShell script continues to operate without hindrance. Companies need to update their current approach to target these loopholes effectively.

The BYOSI tactic represents a considerable security gap that cybersecurity professionals must address. Strengthening script file scrutiny within EDR systems is crucial to counter such simple bypass methods.

Source: https://github.com/oldkingcone/BYOSI

The link has been copied!