Back in April 2017, James Forshaw (hail) released a tool called DotNetToJScript which was capable of generating JScript, VBA and VBScript that could run an arbitrary .NET assembly (mostly) from memory. Although not its intended purpose, it was quickly picked up by tool developers, pentesters, red teamers, bad guys etc and used to deliver .NET-based payloads via methods such as HTA.

Microsoft and other AV vendors started writing signatures for DN2JS, and we all know how that makes James feel (Exhibits A and B). Microsoft even went as far as to make some under-the-hood changes from Windows 10 / 2K16 to mitigate the use of DN2JS payloads, as evidenced by these notes in Covenant:

These factors seem to have resulted in a decline in prevalence for these payloads, or at least, they’re not hyped about so much.

Enter GadgetToJScript by Mohamed El Azaar. This tool generates .NET serialized gadgets that can trigger assembly load/execution when deserialized via BinaryFormatter from JScript, VBScript or VBA. So it once again, allows for a similar tradecraft as was originally provided by DN2JS and it works on Windows 10.

Continue reading

Author's picture

Rasta Mouse

Taylor Swift fan, wannabe Red Teamer & 1337 hax0r (in that order).

Penetration Tester