Advice Request Bypassing Symantec Endpoint Protection for Fun & Profit (Defense Evasion)

Please provide comments and solutions that are helpful to the author of this topic.

[correlate]

[correlate]

Level 18
Thread author
Verified
Top Poster
Well-known
May 4, 2019
825
As a penetration tester or a red teamer, if one has tried to execute a malicious payload during their engagements, an off the shelf payload generated by the common payload generation tools such as “msfvenom” or utilizing “mimikatz” to dump credentials from the LSASS is flagged almost immediately.
Click to expand...
cognosec.com

Bypassing Symantec Endpoint Protection for Fun & Profit (Defense Evasion) - Cognosec

A quick demonstration of bypassing Symantec Endpoint, dumping credentials from memory and highlighting how to get a quick win against antivirus products.
cognosec.com cognosec.com
 
  • Like
  • Applause
Reactions: Moonhorse, Vitali Ortzi, upnorth and 6 others
cruelsister

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
For those serious Pen Testers (who actually find things) and can use a some cash may be interested here:

HackerOne

Previously one would have to be either an employee or a freelancer at places like EndGame, but now such opportunities are open to the Masses.
 
  • Like
  • +Reputation
  • Thanks
Reactions: upnorth, harlan4096, Moonhorse and 3 others
Vitali Ortzi

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,364
Low quality post/article doesn't even mention os version no product version as well .

And yes Symantec endpoint protection is easily bypassable on default settings wich are just a baseline and shouldn't be used in a production environment(this is not a consumer product).

Anyway nothing special or maybe even meaningful has been shown here .
 
  • Like
Reactions: Protomartyr, Moonhorse, [correlate] and 2 others
Brahman

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
886
If you enable the port scan detection in firewall any port scanning will get detected and prevent the attacker for another 600 seconds (default). I don't know what will happen for stealth scanning by nmap ( @ Vitali Ortzi please clarify on this). If you can not port scan or bypass the firewall how do you gain entry to system and inject code to memory (without an overt act from the part of a user...such as opening a payload from builtin outlook client)? So to me the bypassing of firewall and then injecting payload is a proper "bypassing" anything less is just waste of time.
 
  • Like
Reactions: Protomartyr, [correlate] and roger_m
Vitali Ortzi

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,364
JoyousBudweiser said:
If you enable the port scan detection in firewall any port scanning will get detected and prevent the attacker for another 600 seconds (default). I don't know what will happen for stealth scanning by nmap ( @ Vitali Ortzi please clarify on this). If you can not port scan or bypass the firewall how do you gain entry to system and inject code to memory (without an overt act from the part of a user...such as opening a payload from builtin outlook client)? So to me the bypassing of firewall and then injecting payload is a proper "bypassing" anything less is just waste of time.
Click to expand...
Yeah as long as the attacker doesn't scan 4 ports within 200 seconds Symantec shouldn't block in it's default settings.

But most ports aren't blocked in default configuration and a vector can abuse a system via 443 /80 or other common ports anyway.

Usually most attacks come from broswers / email clients wich are whitelisted even by a corporations to allow access .

If someone really cares about network based attacks a good IPS(snort is recommended) and a good IDS (Zeek is recommend because it has very good reporting) and of course good vlan Config + default deny can help a lot .

And remember some vectors don't depend upon inbound network activity as it could be delivered via a flash drive as well .
 
  • Like
Reactions: Protomartyr, [correlate] and Brahman
Brahman

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
886
Correlate said:
medium.com

How I Bypass Crowdstrike Restriction

Crowdstrike is a set of advanced EDR (endpoint detection and response) applications and techniques to provide an industry-leading NGAV…
medium.com medium.com
Click to expand...
This again is a misleading title. The hacker has physical access to the hacked system. Seldom happens in real world. It can not be treated as a bypass.
 
  • Like
  • Thanks
Reactions: Protomartyr, Vitali Ortzi, [correlate] and 1 other person

Similar threads

Bot
    • Like
    • +Reputation
Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning
Replies
1
Views
2,626
Microsoft Defender
ForgottenSeer 85179
F
Bot
    • Like
  • Locked
Office VBA + AMSI: Parting the veil on malicious macros
Replies
17
Views
2,474
Microsoft Defender
shmu26
shmu26
Bot
    • Like
  • Locked
Windows 10 platform resilience against the Petya ransomware attack
Replies
7
Views
3,473
Microsoft Defender
DeepWeb
DeepWeb

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top