AV Bypass

This topic contains 4 replies, has 4 voices, and was last updated by  m0wgli 6 years, 8 months ago.

  • #8288
     Dark_Knight 
    Participant

    Hi,
    Thought I would share my recent blog post... enjoy:
    http://sector876.blogspot.com/2013/03/av-bypass-symantec-endpoint-protection.html

  • #52207
     dynamik 
    Participant

    Nice post. I’m getting back into C++ myself and appreciate the sample code.

    For whatever reason, Symantec only has an attack signature for Meterpreter’s reverse_tcp payload: http://www.symantec.com/security_response/attacksignatures/ It’s the stupidest thing in the world. Bind_tcp, reverse_https like you used, etc. work just fine.

    Depending on the configuration, you are sometimes unable to disable smc in that manner (I believe this is functionality that can be disabled via the management console), so it’s good to know about the alternate payloads.

    Also, SEP was catching default msfvenom exes, but using the -t option with pslist.exe got around that. Sometimes it’s just too easy.

  • #52208
     BillV 
    Participant

    That’s funny, I was also on a recent engagement with a similar issue. The client was running SEP with various features enabled. I could get my payload on but the network detection piece would block me each time, and I thought I did try reverse_https as well as others with no luck. I already had credentials at this point so ended up modifying gsecdump and WCE and just used psexec to maneuver around and obtain more credentials 🙂 Worked perfectly.

    Nice write-up though, thanks. I’m going to take a closer look at this and do some playing around later.

  • #52209
     Dark_Knight 
    Participant

    Yeah so... I actually used the reverse_tcp meterpreter payload and not https. Also I didn’t stop the Smc.exe process. That is still running.

    Stopping the Smc.exe process is smc -stop

    As opposed to a smc -disable -ntp that targets the ntp. And ntp doesn’t stay dead for very long. It comes back online in 5 minutes. I timed it 🙂

    However even when it does it won’t kill your meterpreter session 🙂

    I tell you though, I haven’t looked at C++ in a while...
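From the defender's side, the two commands named in this thread (smc -stop, which stops the SEP client, and smc -disable -ntp, which switches off network threat protection) are cheap to catch in process-creation telemetry, and since the poster reports that NTP comes back on its own after five minutes, the command line itself is the durable signal rather than the protection state. The following is an added example, not code from the thread or from Symantec; it assumes a simplified "host|user|commandline" event format and constructed sample events, and it matches on the executable basename so that unrelated binaries whose names merely start with "smc" are not flagged.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events (not from the thread). The assumed
# line format is "host|user|commandline"; Sysmon EventID 1 or an EDR's process
# event carries the same fields under other names.
SAMPLE_EVENTS = [
    r'ws01|CORP\alice|notepad.exe C:\Users\alice\smc-notes.txt',
    r'ws01|CORP\alice|"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe" -stop',
    r'ws02|CORP\bob|cmd.exe /c smc -disable -ntp',
    r'ws02|CORP\bob|smcache_tool.exe -stop',
]

# Switches from the thread that change the SEP client's state: "-stop" stops the
# Smc.exe client, "-disable" (with "-ntp") turns off network threat protection.
SEP_TAMPER_SWITCHES = {"-stop", "-disable"}

# Whitespace tokenizer that keeps a double-quoted path as one token.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def basename(token: str) -> str:
    """Lower-cased file name of a token that may be a full Windows path."""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sep_client_tamper_switches(cmdline: str) -> List[str]:
    """Return the tamper switches handed to smc/smc.exe anywhere in the command line.

    The executable is matched on its basename, so "smcache_tool.exe -stop" or a
    file argument like "smc-notes.txt" does not produce a hit; a wrapper such as
    "cmd.exe /c smc -stop" still does.
    """
    tokens = tokenize(cmdline)
    for i, tok in enumerate(tokens):
        if basename(tok) in ("smc", "smc.exe"):
            return [t.lower() for t in tokens[i + 1:] if t.lower() in SEP_TAMPER_SWITCHES]
    return []


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one "host|user|commandline" line; the command line may contain '|'."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    host, user, cmdline = parts
    return {"host": host, "user": user, "cmdline": cmdline}


def find_sep_tamper_events(lines) -> List[Dict[str, str]]:
    """Return the events whose command line tampers with the SEP client."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        switches = sep_client_tamper_switches(event["cmdline"])
        if switches:
            event["switches"] = ",".join(switches)
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_sep_tamper_events(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']}: smc {hit['switches']}  <-  {hit['cmdline']}")
```

Run against the constructed events, only the quoted Smc.exe -stop invocation on ws01 and the cmd.exe-wrapped smc -disable -ntp on ws02 are reported; the notepad and smcache_tool lines pass. In a real deployment the same check would sit on the process-creation feed and alert on any non-administrative account issuing these switches, whether or not the protection later restores itself.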

  • #52210
     m0wgli 
    Participant

    Interesting post. Thanks for sharing. New bookmark acquired!  🙂


Copyright ©2019 Caendra, Inc.
