App Review Bypassing ESET NOD32 Antivirus using Fileless

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
D

Deleted member 65228

Not realistic in a normal environment most of the time because the network would already be compromised for this to work like that. And if your network is already compromised (Local Area Network - LAN) then it is already game over. -> time to reset your security for your network and check on your router

@daljeet I don't even see how ESET was "bypassed" either. All I see is processes being spawned, which aren't actually doing anything to bypass the ESET HIPS. Unless I am blind...

Even if you get a program to run automatically via this Metasploit attack, it isn't like ESET isn't aware of the process spawn. If the process tries to do something monitored by the HIPS then it'll still be intervened

You'll always find these sorts of videos. Just go on YouTube and look-up "Black Cipher", you'll find a guy making a video about every single AV product you can think of. I think that they are just haters of AV vendors and they couldn't make anything better than the current vendors themselves even if they tried. The attacks aren't realistic and they are just over-exaggerated drama in my opinion. "security experts" who followed a tutorial on setting up Metasploit and their skill-set usually doesn't surpass through writing a simple batch or Powershell script, likely have 0 clue how AV technology even works which is why they are spending their time making useless videos like that instead of working for a vendor or getting good pay at a security research company

You'll also see people doing it to bash products they dislike and make the ones they personally use look really good. Not to mention that the ESET HIPS needs to be configured to be used to its full potential which proves the author of the video doesn't even understand how to use ESET properly in my opinion.

I suggest you just ignore rubbish like that and focus on what is actually happening in the real world (realistic and prevalent attacks). Proof-Of-Concept attacks only become an issue once they've been abused in genuinely dangerous malware and attacks like this where you are already compromised prior to what was done in the video is unrealistic and is already a game over scenario. There's 1000000 ways to do something

@Andy Ful is a good member here with experience and he can use Metasploit and is really good with Powershell. He also owns a really useful project and a few tutorials about malware reversing. But you don't see him making useless bypass videos like this... which speaks for itself :) :)
 
Last edited by a moderator:

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
Where is bypassing ESET and this people have control using payload
Sorry but I don't see anything realted to Bypassing ESET
Please correct me I want to know what happend
I am assuming the .bat payload was a “simulated” email attachment, which the user launches. A lot of modern malware / ransomware attacks originate as batch files or powershell scripts, so in my opinion this part is realistic.

Probably the only obstacle the attacker would encounter would be, as Opcode pointed out, getting around the LAN… which a lot of pen testers insist, is not an issue…. assuming a targeted attack. As we have seen with recent attacks, this appears to be possible, in my opinion.

The other thing is… I really wish pen testers would quit launching notepad, calc (or other similar Windows processes) to demonstrate a bypass. They should drop a file to appdata and demonstrate that the dropped file can be launched.

So if the pen tester can demonstrate this test outside of the LAN, and drop and execute the payload from appdata, then it would be a true bypass.
 
D

Deleted member 65228

The other thing is… I really wish pen testers would quit launching notepad, calc (or other similar Windows processes) to demonstrate a bypass. They should drop a file to appdata and demonstrate that the dropped file can be launched.

So if the pen tester can demonstrate this test outside of the LAN, and drop and execute the payload from appdata, then it would be a true bypass.
100% agree with you :)

1. They should demonstrate malicious code execution which actually bypasses the behavioural mitigations
2. The LAN being compromised would be realistic for a planned, targeted attack only in my opinion

ESET isn't going to block notepad.exe from being spawned, it's a genuine Windows process. No malicious code was executing under notepad.exe either... The test was stupid in my opinion.
 

Emmanuellws

Level 3
Verified
Mar 11, 2017
132
Hi all! yep that's me on the demo on bypassing ESET NOD32. Well, I never wanted to do video demo bypassing ESET NOD32 but because a friend of mine love ESET NOD32 and he wanted me try bypass ESET NOD32 and so I did this video for my friend to demonstrate how hackers can actually bypassed and able to remotely execute programs. Yes, there is nothing malicious running notepad cmd and such..because I dont want to destroy the machine protected by ESET NOD32. I like ESET NOD32 lines of product too and to be fair it is tough to bypass but learning some methods from other pentest gurus from makes it possible. The trick is to obfuscate the batch files. Most of the times, all Antivirus fails to detect obfuscated powershell scripts. However, after that video I took to another level by taking over the machine as "System" and again I do not want to destroy the machine because I love ESET NOD32 as well. Being able to gain access into a machine protected by any Antivirus and running as system without being detected at all is already a GOLD! My friend then asked me to do bypass test on another ESET NOD32 product, but I told him I don't want to do another bypass on ESET NOD32 INTERNET SECURITY because it might take me another week to figure out how to bypass and I do not intend to spend time on doing that as I have other more important things to do especially preparations for Christmas :p Anyway, here is the video on me bypassing ESET NOD32 and gain access to the system as "System". I love ESET just that there is no 100% secure antivirus. When I do pentest, I know nothing is impossible...its only a matter of time and techniques to bypass any Antivirus protections. I bypassed Panda too and I can say it is easier than getting around ESET NOD32 product.



They key to bypassing any antivirus product is "Undetected", "Obfuscated" and "In-Memory". Remember n inreal world data breach...hackers don't really run malicous executables but steals data using copy-paste method. hackers can actually steals saved browser passwords, documents by just copying the data and download it back to the hackers machine.
 
Last edited:

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
Hi all! yep that's me on the demo on bypassing ESET NOD32. Well, I never wanted to do video demo bypassing ESET NOD32 but because a friend of mine love ESET NOD32 and he wanted me try bypass ESET NOD32 and so I did this video for my friend to demonstrate how hackers can actually bypassed and able to remotely execute programs. Yes, there is nothing malicious running notepad cmd and such..because I dont want to destroy the machine protected by ESET NOD32. I like ESET NOD32 lines of product too and to be fair it is tough to bypass but learning some methods from other pentest gurus from makes it possible. The trick is to obfuscate the batch files. Most of the times, all Antivirus fails to detect obfuscated powershell scripts. However, after that video I took to another level by taking over the machine as "System" and again I do not want to destroy the machine because I love ESET NOD32 as well. Being able to gain access into a machine protected by any Antivirus and running as system without being detected at all is already a GOLD! My friend then asked me to do bypass test on another ESET NOD32 product, but I told him I don't want to do another bypass on ESET NOD32 INTERNET SECURITY because it might take me another week to figure out how to bypass and I do not intend to spend time on doing that as I have other more important things to do especially preparations for Christmas :p Anyway, here is the video on me bypassing ESET NOD32 and gain access to the system as "System". I love ESET just that there is no 100% secure antivirus. When I do pentest, I know nothing is impossible...its only a matter of time and techniques to bypass any Antivirus protections. I bypassed Panda too and I can say it is easier than getting around ESET NOD32 product.



They key to bypassing any antivirus product is "Undetected", "Obfuscated" and "In-Memory". Remember n inreal world data breach...hackers don't really run malicous executables but steals data using copy-paste method. hackers can actually steals saved browser passwords, documents by just copying the data and download it back to the hackers machine.


I think it's time to change my ESET NOD32 AV to another product.

So, in your opinion, which AV is the hardest to bypass?

Many thanks
 
  • Like
Reactions: Emmanuellws

Emmanuellws

Level 3
Verified
Mar 11, 2017
132
I think it's time to change my ESET NOD32 AV to another product.

So, in your opinion, which AV is the hardest to bypass?

Many thanks
So far, Kaspersky...gaining shell access as current user is easy...but gaining full access as "system" is very hard...and Kaspersky has the best HIPS so far able to detect Meterpreter session from Metasploit in the memory. I believe they used similar in-memory detection code from this GitHub - rvazarkar/antipwny: A host based IDS written in C# Targetted at Metasploit If your antivirus do not detect Metasploit meterpreter session, please notify your vendor. Tell them about this GitHub - rvazarkar/antipwny: A host based IDS written in C# Targetted at Metasploit C# code which detects Metasploit Meterpreter session and kills the process if it detects one.

Stick with ESET, install GitHub - rvazarkar/antipwny: A host based IDS written in C# Targetted at Metasploit and see if it causes any incompatibility. If it can run along, then it is good...but bear in mind this is 4 years old code but it still works well detecting and killing Metasploit Meterpreter session.

Other pentesters also share the same oppinions that Kaspersky's System Watcher is the real deal,
 

Emmanuellws

Level 3
Verified
Mar 11, 2017
132
Bear in mind...I do pentest because I want to be a better defender. If I know the weakness of my product, I sure know how to protect myself better with combination of security tools, policy and configurations. Of course, this video is done in LAN environment...but if I am not lazy to setup port forwarding in my router I would have done that in the demo. But, that's not important..the important thing is, the malicious code to initiate the meterpreter is not even detected regardless the connection is local or internet. ESET is a good product, I don't like to bash because they are one of the veteran players in Antivirus industry..they have one the largest antivirus database in the world other than Kaspersky. Of course my friend asked me to bypass ESET NOD32 on default settings. So I did that. By default if a product can protect you from this kind of attack is considered good enough. Still it took me 3 days to fully bypassed ESET NOD32. It is not that easy...but it is possible. NOD32 Internet Security on theother hand might take me weeks...so I wont go there and not my job to prove that. MY point of being able to do pentest on my beloved products and bypassed it, just to make me realized that no Antivirus is 100% secure. In configured correctly, and with other security policy in-place...you are safe from this similar attacks. It won't be easy for hackers...if it is not easy...then it would discouraged them.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
So far, Kaspersky...gaining shell access as current user is easy...but gaining full access as "system" is very hard...and Kaspersky has the best HIPS so far able to detect Meterpreter session from Metasploit in the memory. I believe they used similar in-memory detection code from this GitHub - rvazarkar/antipwny: A host based IDS written in C# Targetted at Metasploit If your antivirus do not detect Metasploit meterpreter session, please notify your vendor. Tell them about this GitHub - rvazarkar/antipwny: A host based IDS written in C# Targetted at Metasploit C# code which detects Metasploit Meterpreter session and kills the process if it detects one.

Stick with ESET, install GitHub - rvazarkar/antipwny: A host based IDS written in C# Targetted at Metasploit and see if it causes any incompatibility. If it can run along, then it is good...but bear in mind this is 4 years old code but it still works well detecting and killing Metasploit Meterpreter session.

Other pentesters also share the same oppinions that Kaspersky's System Watcher is the real deal,
Nice try.:)
Did you try to breach a system with blocked Windows Script Host, PowerShell set to Constrained Language mode, and disabled remote access (also remote shell and remote registry)?
I think that it will be still possible, but maybe a little harder.
 

Emmanuellws

Level 3
Verified
Mar 11, 2017
132

Yes this is just one of the techniques. Just to share with some of you who might think I rigged ESET NOD32, I am willing to share the tools used in creation of the payload. Pentesters and hackers alike have lots of tools at their disposal. I used "Venom" to create the payload to bypass ESET NOD32 in this video. Proof of concept? You download it and test it yourself GitHub - r00t-3xp10it/venom: venom (metasploit) shellcode generator/compiler/listener
 

Emmanuellws

Level 3
Verified
Mar 11, 2017
132
Nice try.:)
Did you try to breach a system with blocked Windows Script Host, PowerShell set to Constrained Language mode, and disabled remote access (also remote shell and remote registry)?
I think that it will be still possible, but maybe a little harder.
Yes, I admit, it makes it harder if you combine Windows Security Policy and the user is not part of an Admin group. That's how pentesting should make us smarter to protect our system.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
OK, some tools that can detect Metasploit Meterpreter session and kills the process if it detects one include the one suggested by @Emmanuellws

AntiPwny

GitHub - rvazarkar/antipwny: A host based IDS written in C# Targetted at Metasploit

Another is Antimeter, here

Files ≈ Packet Storm

from the below link

How to detect Meterpreter and similar malware?

and suggested using HIDS (like OSSEC) for behavior detection as listed in the above link

Home — OSSEC

One more tool here

Meterpreter Payload Detection - Tool for detecting Meterpreter in memory like IPS-IDS and Forensics tool - Hacking Vision
 
Last edited:

Emmanuellws

Level 3
Verified
Mar 11, 2017
132
oh well, I think I still gonna go do demo for port forwarding to demonstrate that this attack works through Internet not only local....
here is my settings....once completed.... i will record a video

PORT RANGE from 33331-33335

MAPPING
external port 33331 - localhost port 80
external port 33332 - localhost port 443
external port 33333 - localhost port 4444
external port 33334 - localhost port 5555
external port 33335 - localhost port 6666


Stay Tuned....
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top