Video Review Bypassing ESET NOD32 Antivirus using Fileless

Discussion in 'Video Reviews' started by amico81, Nov 30, 2017.

  1. amico81 (Level 6; joined Jan 10, 2017; 296; 1,195; Germany; Windows 10; G-Data)

    Video uploaded by: Emmanuel LWS

    Disclaimer: Due to the small number of samples used in these tests, you should take the results with a grain of salt. I encourage you to compare these results with others and make informed decisions on what security products to use.


    Found this interesting video.

    Important note: HIPS with default settings.
     
  2. daljeet (Level 5; joined Jun 14, 2017; 241; 2,394; India; Linux Ubuntu)

    Where is the bypassing of ESET, and where do these people have control using the payload?
    Sorry, but I don't see anything related to bypassing ESET.
    Please correct me; I want to know what happened.
     
  3. Opcode (Level 18, Content Creator; joined Aug 17, 2017; 890; 6,270; Caille; Windows 10)
    #3 Opcode, Nov 30, 2017. Last edited by a moderator: Nov 30, 2017
    Not realistic in a normal environment most of the time, because the network would already have to be compromised for this to work like that. And if your network (the LAN) is already compromised, then it is already game over: time to reset your network security and check on your router.

    @daljeet I don't even see how ESET was "bypassed" either. All I see is processes being spawned, which aren't actually doing anything to bypass the ESET HIPS. Unless I am blind...

    Even if you get a program to run automatically via this Metasploit attack, it isn't like ESET isn't aware of the process spawn. If the process tries to do something monitored by the HIPS, the HIPS will still intervene.

    You'll always find these sorts of videos. Just go on YouTube and look up "Black Cipher"; you'll find a guy making a video about every single AV product you can think of. I think they are just haters of AV vendors and couldn't make anything better than the current vendors themselves even if they tried. The attacks aren't realistic and are just over-exaggerated drama, in my opinion. "Security experts" who followed a tutorial on setting up Metasploit, and whose skill set usually doesn't go beyond writing a simple batch or PowerShell script, likely have no clue how AV technology even works, which is why they spend their time making useless videos like that instead of working for a vendor or getting good pay at a security research company.

    You'll also see people doing it to bash products they dislike and make the ones they personally use look really good. Not to mention that the ESET HIPS needs to be configured to be used to its full potential, which proves the author of the video doesn't even understand how to use ESET properly, in my opinion.

    I suggest you just ignore rubbish like that and focus on what is actually happening in the real world (realistic and prevalent attacks). Proof-of-concept attacks only become an issue once they've been abused in genuinely dangerous malware, and attacks like this, where you are already compromised prior to what was done in the video, are unrealistic and already a game-over scenario. There are 1000000 ways to do something.

    @Andy Ful is a good member here with experience; he can use Metasploit and is really good with PowerShell. He also owns a really useful project and a few tutorials about malware reversing. But you don't see him making useless bypass videos like this... which speaks for itself :) :)
     
    Umbra, upnorth, ZeroDay and 10 others like this.
  4. danb, From VoodooShield (Developer; joined May 31, 2017; 465; 2,138; Overland Park, KS; Windows 8.1)

    I am assuming the .bat payload was a "simulated" email attachment, which the user launches. A lot of modern malware/ransomware attacks originate as batch files or PowerShell scripts, so in my opinion this part is realistic.

    Probably the only obstacle the attacker would encounter would be, as Opcode pointed out, getting around the LAN, which a lot of pen testers insist is not an issue, assuming a targeted attack. As we have seen with recent attacks, this appears to be possible, in my opinion.

    The other thing is, I really wish pen testers would quit launching notepad, calc (or other similar Windows processes) to demonstrate a bypass. They should drop a file to AppData and demonstrate that the dropped file can be launched.

    So if the pen tester can demonstrate this test outside of the LAN, and drop and execute the payload from AppData, then it would be a true bypass.
     
  5. Opcode (Level 18, Content Creator; joined Aug 17, 2017; 890; 6,270; Caille; Windows 10)

    100% agree with you :)

    1. They should demonstrate malicious code execution which actually bypasses the behavioural mitigations.
    2. The LAN being compromised would be realistic for a planned, targeted attack only, in my opinion.

    ESET isn't going to block notepad.exe from being spawned; it's a genuine Windows process. No malicious code was executing under notepad.exe either... The test was stupid in my opinion.
     
  6. Evjl's Rain (Level 28, Trusted AV Tester; joined Apr 18, 2016; 1,781; 13,084; Vietnam; Windows 8.1; Avast)

    Hopefully the author of the video can join the discussion. He also demonstrated in the past that Panda Adaptive Defense managed to pass all of his tests, including the same exploit used in this video.
    Perhaps you can test again with the maximized HIPS setting?
    @Emmanuellws
     
  7. iron2 (Level 1; joined Jun 3, 2015; 26; 78)

    Why not use Internet Security?
     
  8. Emmanuellws (Level 3; joined Mar 11, 2017; 115; 263; Malaysia; Windows 7; Panda)
    #8 Emmanuellws, Dec 13, 2017. Last edited: Dec 13, 2017

    Hi all! Yep, that's me in the demo bypassing ESET NOD32. Well, I never wanted to do a video demo bypassing ESET NOD32, but a friend of mine loves ESET NOD32 and he wanted me to try to bypass it, so I did this video for my friend to demonstrate how hackers can actually bypass it and remotely execute programs. Yes, there is nothing malicious in running notepad, cmd and such, because I don't want to destroy the machine protected by ESET NOD32. I like the ESET NOD32 line of products too, and to be fair it is tough to bypass, but learning some methods from other pentest gurus makes it possible. The trick is to obfuscate the batch files. Most of the time, all antivirus fails to detect obfuscated PowerShell scripts.

    However, after that video I took it to another level by taking over the machine as "System", and again I did not want to destroy the machine because I love ESET NOD32 as well. Being able to gain access to a machine protected by any antivirus and run as System without being detected at all is already GOLD! My friend then asked me to do a bypass test on another ESET NOD32 product, but I told him I don't want to do another bypass on ESET NOD32 Internet Security because it might take me another week to figure out how to bypass it, and I do not intend to spend time on that as I have other more important things to do, especially preparations for Christmas :p

    Anyway, here is the video of me bypassing ESET NOD32 and gaining access to the system as "System". I love ESET; it's just that there is no 100% secure antivirus. When I do pentests, I know nothing is impossible; it's only a matter of time and techniques to bypass any antivirus protection. I bypassed Panda too, and I can say it is easier than getting around the ESET NOD32 product.

    The key to bypassing any antivirus product is "undetected", "obfuscated" and "in-memory". Remember, in real-world data breaches hackers don't really run malicious executables but steal data using the copy-paste method. Hackers can actually steal saved browser passwords and documents by just copying the data and downloading it back to the hacker's machine.
     
  9. HarborFront (Level 33, Content Creator; joined Oct 9, 2016; 2,293; 5,740; Far East)

    I think it's time to change my ESET NOD32 AV to another product.

    So, in your opinion, which AV is the hardest to bypass?

    Many thanks
     
    Emmanuellws likes this.
  10. Evgeny (Level 6; joined May 1, 2015; 283; 1,859; Krym)

    Set HIPS to manual, problem solved; ESET has one of the best HIPS. :confused:
     
    Emmanuellws, harlan4096 and shmu26 like this.
  11. Emmanuellws (Level 3; joined Mar 11, 2017; 115; 263; Malaysia; Windows 7; Panda)

    So far, Kaspersky. Gaining shell access as the current user is easy, but gaining full access as "System" is very hard, and Kaspersky has the best HIPS so far, able to detect a Meterpreter session from Metasploit in memory. I believe they used in-memory detection code similar to this: GitHub - rvazarkar/antipwny: A host based IDS written in C# Targetted at Metasploit. If your antivirus does not detect a Metasploit Meterpreter session, please notify your vendor. Tell them about the GitHub - rvazarkar/antipwny C# code, which detects a Metasploit Meterpreter session and kills the process if it detects one.

    Stick with ESET, install GitHub - rvazarkar/antipwny: A host based IDS written in C# Targetted at Metasploit and see if it causes any incompatibility. If it can run alongside, then it is good, but bear in mind this is 4-year-old code; it still works well at detecting and killing Metasploit Meterpreter sessions.

    Other pentesters also share the same opinion that Kaspersky's System Watcher is the real deal.
     
  12. HarborFront (Level 33, Content Creator; joined Oct 9, 2016; 2,293; 5,740; Far East)

  13. Emmanuellws (Level 3; joined Mar 11, 2017; 115; 263; Malaysia; Windows 7; Panda)

    Bear in mind, I do pentests because I want to be a better defender. If I know the weaknesses of my product, I surely know how to protect myself better with a combination of security tools, policy and configuration. Of course, this video was done in a LAN environment, but if I were not too lazy to set up port forwarding in my router I would have done that in the demo. But that's not important; the important thing is that the malicious code that initiates the Meterpreter session is not even detected, regardless of whether the connection is local or over the Internet.

    ESET is a good product; I don't like to bash them because they are one of the veteran players in the antivirus industry, and they have one of the largest antivirus databases in the world, other than Kaspersky. Of course, my friend asked me to bypass ESET NOD32 on default settings, so I did that. By default, if a product can protect you from this kind of attack, it is considered good enough. Still, it took me 3 days to fully bypass ESET NOD32. It is not that easy, but it is possible. NOD32 Internet Security, on the other hand, might take me weeks, so I won't go there; it's not my job to prove that.

    My point in doing pentests on my beloved products and bypassing them is just to make me realize that no antivirus is 100% secure. If configured correctly, and with other security policies in place, you are safe from attacks similar to this. It won't be easy for hackers, and if it is not easy, then it would discourage them.
     
  14. Andy Ful (Level 21; joined Dec 23, 2014; 1,070; 4,542; business; Poland; Windows 10; Microsoft)

    Nice try. :)
    Did you try to breach a system with Windows Script Host blocked, PowerShell set to Constrained Language mode, and remote access disabled (also remote shell and remote registry)?
    I think it will still be possible, but maybe a little harder.
     
  15. Emmanuellws (Level 3; joined Mar 11, 2017; 115; 263; Malaysia; Windows 7; Panda)

    Yes, this is just one of the techniques. Just to share with some of you who might think I rigged ESET NOD32: I am willing to share the tools used in the creation of the payload. Pentesters and hackers alike have lots of tools at their disposal. I used "Venom" to create the payload to bypass ESET NOD32 in this video. Proof of concept? Download it and test it yourself: GitHub - r00t-3xp10it/venom: venom (metasploit) shellcode generator/compiler/listener
     
    HarborFront and harlan4096 like this.
  16. Emmanuellws (Level 3; joined Mar 11, 2017; 115; 263; Malaysia; Windows 7; Panda)

    Yes, I admit it makes it harder if you combine Windows security policy with the user not being part of the Administrators group. That's how pentesting should make us smarter at protecting our systems.
     
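    The mitigations asked about in post 14 and conceded in post 16 (Windows Script Host blocked, PowerShell in Constrained Language mode, remote shell, remote registry and Remote Desktop disabled, a non-admin day-to-day account), as an added audit-and-apply script. This is an editor's example, not the video author's tooling or anything from the thread. It assumes 64-bit Windows PowerShell 5.1 run elevated; the registry paths and service names are the documented ones for each setting, and nothing is changed unless Set-Hardening is called without -WhatIf.

```powershell
# Added example: audit (Get-HardeningState) and apply (Set-Hardening) the
# controls discussed above. Assumptions: elevated 64-bit Windows PowerShell 5.1.

function Test-IsElevated {
    # True when the current token carries the Administrators SID (UAC-elevated).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-HardeningState {
    # Each property is $true when that control is in its hardened state.
    $wsh = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -Name Enabled -ErrorAction SilentlyContinue
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WshBlocked          = ($null -ne $wsh -and $wsh.Enabled -eq 0)
        ConstrainedLanguage = ($ExecutionContext.SessionState.LanguageMode -eq 'ConstrainedLanguage')
        WinRMDisabled       = ((Get-Service WinRM).StartType -eq 'Disabled')
        RemoteRegDisabled   = ((Get-Service RemoteRegistry).StartType -eq 'Disabled')
        RdpDenied           = ($null -ne $ts -and $ts.fDenyTSConnections -eq 1)
        TokenIsElevated     = (Test-IsElevated)   # a standard user's daily session should show $false
    }
}

function Set-Hardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-IsElevated)) { throw 'Run Set-Hardening from an elevated PowerShell.' }

    # 1. Windows Script Host: Enabled=0 makes wscript.exe/cscript.exe refuse to run .vbs/.js/.wsf.
    $wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    if ($PSCmdlet.ShouldProcess($wshKey, 'Set Enabled=0')) {
        New-Item -Path $wshKey -Force | Out-Null
        Set-ItemProperty -Path $wshKey -Name Enabled -Value 0 -Type DWord
    }

    # 2. PowerShell Constrained Language mode: blocks Add-Type, arbitrary .NET
    # method calls and other features most staged PowerShell loaders rely on.
    # The supported way to get it is an enforced AppLocker or WDAC script policy;
    # the environment variable below yields the same mode for new sessions but is
    # documented as not being a security boundary (an admin can simply delete it).
    if ($PSCmdlet.ShouldProcess('__PSLockdownPolicy', 'Set machine-wide value 4')) {
        [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
    }

    # 3. Remote shell (WinRM / PowerShell remoting) and Remote Registry: stop and disable.
    foreach ($svc in 'WinRM', 'RemoteRegistry') {
        if ($PSCmdlet.ShouldProcess($svc, 'Stop and disable service')) {
            Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $svc -StartupType Disabled
        }
    }

    # 4. Remote Desktop: fDenyTSConnections=1 is the "Don't allow remote connections" setting.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ($PSCmdlet.ShouldProcess($tsKey, 'Set fDenyTSConnections=1')) {
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    }
}

# Usage: Get-HardeningState; Set-Hardening -WhatIf; Set-Hardening
# Then open a new PowerShell window and run Get-HardeningState again: the
# language mode only changes for sessions started after the variable is set.
```

    Two caveats worth knowing before treating this as a fix. Blocking WSH and constraining PowerShell raise the bar for a batch-file-to-PowerShell loader like the one in the video, but cmd.exe and native executables are untouched, so the remaining gap is what application control (AppLocker/WDAC) or the AV's HIPS has to cover. And the Constrained Language check above reports on the current session, so an elevated admin session started before the change will still read FullLanguage.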
  17. HarborFront (Level 33, Content Creator; joined Oct 9, 2016; 2,293; 5,740; Far East)

    More cases of AVs being bypassed here, including ESET NOD32:

    Peerlyst
     
  18. Emmanuellws (Level 3; joined Mar 11, 2017; 115; 263; Malaysia; Windows 7; Panda)

    Well, they also mention the same tools I mentioned earlier to detect and kill Meterpreter in memory. I wonder why most AVs don't have these yet as of now, except Kaspersky.
     
    HarborFront, amico81 and harlan4096 like this.
  19. HarborFront (Level 33, Content Creator; joined Oct 9, 2016; 2,293; 5,740; Far East)
    #19 HarborFront, Dec 13, 2017. Last edited: Dec 13, 2017

    OK, some tools that can detect a Metasploit Meterpreter session and kill the process if they detect one include the one suggested by @Emmanuellws:

    AntiPwny: GitHub - rvazarkar/antipwny: A host based IDS written in C# Targetted at Metasploit

    Another is Antimeter: Files ≈ Packet Storm

    from the link "How to detect Meterpreter and similar malware?", which also suggests using a HIDS (like OSSEC) for behavior detection: Home — OSSEC

    One more tool: Meterpreter Payload Detection - Tool for detecting Meterpreter in memory like IPS-IDS and Forensics tool - Hacking Vision
     
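    What the tools listed in posts 11 and 19 do, reduced to its core, as an added example: walk a process's committed private memory and look for the strings a reflectively loaded Windows Meterpreter leaves behind (its DLL is named metsrv.dll and exports ReflectiveLoader; extension DLLs are named ext_server_*). This is an editor's illustration in PowerShell, not antipwny's or Antimeter's code, and the indicator list is illustrative rather than a vendor signature set. It assumes 64-bit Windows PowerShell 5.1 run elevated so that other users' processes can be opened.

```powershell
# Added example: in-memory Meterpreter string scan, with optional kill.
# Assumptions: elevated 64-bit Windows PowerShell 5.1; indicators are illustrative.

Add-Type -Namespace MemScan -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct MBI {
    public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
    public IntPtr RegionSize;  public uint State; public uint Protect; public uint Type;
}
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr VirtualQueryEx(IntPtr h, IntPtr addr, out MBI info, IntPtr len);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, IntPtr n, out IntPtr read);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

# Plain-ASCII markers present in the Windows Meterpreter reflective DLL and its extensions.
$MeterpreterIndicators = @('metsrv', 'ReflectiveLoader', 'ext_server_stdapi', 'ext_server_priv')

function Find-MeterpreterStrings {
    # Works on any byte buffer: a live memory region here, or a dump file via [IO.File]::ReadAllBytes.
    param([Parameter(Mandatory)][byte[]]$Bytes, [string[]]$Patterns = $MeterpreterIndicators)
    $text = [System.Text.Encoding]::ASCII.GetString($Bytes)   # lossy decode is fine for ASCII markers
    foreach ($p in $Patterns) {
        $i = $text.IndexOf($p, [System.StringComparison]::Ordinal)
        if ($i -ge 0) { [pscustomobject]@{ Pattern = $p; Offset = $i } }
    }
}

function Find-MeterpreterInProcess {
    [CmdletBinding()]
    param([Parameter(Mandatory)][int]$ProcessId, [switch]$Kill)
    $PROCESS_QUERY_INFORMATION = 0x0400; $PROCESS_VM_READ = 0x0010
    $MEM_COMMIT = 0x1000; $MEM_PRIVATE = 0x20000; $PAGE_NOACCESS_OR_GUARD = 0x101
    $h = [MemScan.Native]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { Write-Error "OpenProcess($ProcessId) failed (access denied or protected process)"; return }
    $hits = @()
    try {
        $addr   = [IntPtr]::Zero
        $mbi    = New-Object MemScan.Native+MBI
        $mbiLen = [IntPtr][System.Runtime.InteropServices.Marshal]::SizeOf([MemScan.Native+MBI])
        while ([MemScan.Native]::VirtualQueryEx($h, $addr, [ref]$mbi, $mbiLen) -ne [IntPtr]::Zero) {
            $size = $mbi.RegionSize.ToInt64()
            # A reflectively loaded DLL sits in private (not image-backed) memory, so image
            # mappings are skipped; guard/no-access pages cannot be read; huge heaps are skipped.
            $candidate = $mbi.State -eq $MEM_COMMIT -and $mbi.Type -eq $MEM_PRIVATE -and
                         ($mbi.Protect -band $PAGE_NOACCESS_OR_GUARD) -eq 0 -and $size -le 64MB
            if ($candidate) {
                $buf = New-Object byte[] ([int]$size)
                $read = [IntPtr]::Zero
                if ([MemScan.Native]::ReadProcessMemory($h, $mbi.BaseAddress, $buf, [IntPtr]$size, [ref]$read)) {
                    foreach ($m in Find-MeterpreterStrings -Bytes $buf) {
                        $hits += [pscustomobject]@{
                            ProcessId = $ProcessId
                            Region    = '0x{0:X}' -f $mbi.BaseAddress.ToInt64()
                            Pattern   = $m.Pattern
                        }
                    }
                }
            }
            $next = $mbi.BaseAddress.ToInt64() + $size
            if ($next -le $addr.ToInt64()) { break }                                   # no forward progress
            if ([IntPtr]::Size -eq 4 -and $next -gt [int32]::MaxValue) { break }       # end of 32-bit user space
            $addr = [IntPtr]$next
        }
    } finally { [void][MemScan.Native]::CloseHandle($h) }
    if ($hits.Count -gt 0 -and $Kill) { Stop-Process -Id $ProcessId -Force }
    $hits
}

# Usage: scan every process except this one (this session's own memory holds the
# indicator strings and would always match).
# Get-Process | Where-Object Id -ne $PID |
#     ForEach-Object { Find-MeterpreterInProcess -ProcessId $_.Id -ErrorAction SilentlyContinue }
```

    Expect false positives from anything that legitimately holds these strings (a Metasploit console, a security product that carries the same signatures, a browser tab showing this thread), so treat a hit as a lead for the tools above, not an automatic kill. Because the check is a string match, an operator who rebuilds Meterpreter with renamed exports or keeps the session encrypted until use will not trip it; that limitation is the reason the thread's other suggestion, behavioural detection with a HIDS such as OSSEC, is worth pairing with it.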
  20. Emmanuellws (Level 3; joined Mar 11, 2017; 115; 263; Malaysia; Windows 7; Panda)

    Oh well, I think I'm still going to do a demo with port forwarding to demonstrate that this attack works over the Internet, not only locally.
    Here are my settings; once completed, I will record a video.

    Port range: 33331-33335

    Mapping:
    external port 33331 - localhost port 80
    external port 33332 - localhost port 443
    external port 33333 - localhost port 4444
    external port 33334 - localhost port 5555
    external port 33335 - localhost port 6666

    Stay tuned....
     
    Andy Ful, harlan4096 and Sunshine-boy like this.