AV Bypass

  • Author
    • #8288

      Thought I would share my recent blog post. Enjoy:

    • #52207

      Nice post. I’m getting back into C++ myself and appreciate the sample code.

      For whatever reason, Symantec only has an attack signature for Meterpreter’s reverse_tcp payload: http://www.symantec.com/security_response/attacksignatures/ It’s the stupidest thing in the world. Bind_tcp, reverse_https like you used, etc. work just fine.

      Depending on the configuration, you are sometimes unable to disable smc in that manner (I believe this is functionality that can be disabled via the management console), so it’s good to know about the alternate payloads.

      Also, SEP was catching default msfvenom exes, but using the -t option with pslist.exe got around that. Sometimes it’s just too easy.

    • #52208

      That’s funny, I was also on a recent engagement with a similar issue. The client was running SEP with various features enabled. I could get my payload on but the network detection piece would block me each time, and I thought I did try reverse_https as well as others with no luck. I already had credentials at this point so ended up modifying gsecdump and WCE and just used psexec to maneuver around and obtain more credentials 🙂 Worked perfectly.

      Nice write-up though, thanks. I’m going to take a closer look at this and do some playing around later.

    • #52209

      Yeah so... I actually used the reverse_tcp meterpreter payload and not https. Also, I didn’t stop the Smc.exe process. That is still running.

      Stopping the Smc.exe process is smc -stop

      As opposed to smc -disable -ntp, which targets the ntp. And ntp doesn’t stay dead for very long. It comes back online in 5 minutes. I timed it 🙂

      However even when it does it won’t kill your meterpreter session 🙂

      I tell you though, I haven’t looked at C++ in a while...

    • #52210

      Interesting post. Thanks for sharing. New bookmark acquired! 🙂

Copyright ©2021 Caendra, Inc.