
3 posts tagged with "visibility"


· 7 min read
Jose Luis Sánchez Martínez

Summary

Jlaive is a project created to evade antivirus by turning .NET assemblies into batch files. The technique it uses is very interesting and opens a new window of opportunity for actors to evade defenses and execute their payloads.

You can find the project on their official GitHub: https://github.com/ch2sh/Jlaive

· 4 min read
Jose Luis Sánchez Martínez

Summary

Recently, some researchers discovered that binaries can potentially be executed through the Windows Desktop Settings Control Panel utility, located at C:\Windows\System32\desk.cpl (or C:\Windows\SysWOW64\desk.cpl for 32-bit).

This utility allows executing a binary with a .scr extension by calling the InstallScreenSaver function.

This entry focuses only on the visibility and detection that the operating system provides for this behaviour.

· 3 min read
Jose Luis Sánchez Martínez

Summary

Tested on Windows 11 10.0.22000 N/A Build 22000.

During January I was investigating Windows 11 and some of the binaries that were installed by default to identify behaviors that could be used for malicious purposes.

When the binary DeviceCensus.exe, located in C:\Windows\System32, is copied to a different path and executed from there, it tries to load roughly 11 DLLs from the directory it was executed from. For example, if you execute this binary from an AppData path, it first tries to load the DLLs from AppData; only if a DLL does not exist in AppData does it fall back to loading it from System32.

So, if you copy this binary into AppData and place alongside it a DLL with one of the names it tries to load, that DLL is loaded instead of the one in System32.