Correlate

Level 16
Verified
As a penetration tester or a red teamer, if one has tried to execute a malicious payload during their engagements, an off the shelf payload generated by the common payload generation tools such as “msfvenom” or utilizing “mimikatz” to dump credentials from the LSASS is flagged almost immediately.
 

Vitali Ortzi

Level 20
Verified
Low quality post/article doesn't even mention os version no product version as well .

And yes Symantec endpoint protection is easily bypassable on default settings wich are just a baseline and shouldn't be used in a production environment(this is not a consumer product).

Anyway nothing special or maybe even meaningful has been shown here .
 

JoyousBudweiser

Level 9
Verified
If you enable the port scan detection in firewall any port scanning will get detected and prevent the attacker for another 600 seconds (default). I don't know what will happen for stealth scanning by nmap ( @ Vitali Ortzi please clarify on this). If you can not port scan or bypass the firewall how do you gain entry to system and inject code to memory (without an overt act from the part of a user...such as opening a payload from builtin outlook client)? So to me the bypassing of firewall and then injecting payload is a proper "bypassing" anything less is just waste of time.
 

Vitali Ortzi

Level 20
Verified
If you enable the port scan detection in firewall any port scanning will get detected and prevent the attacker for another 600 seconds (default). I don't know what will happen for stealth scanning by nmap ( @ Vitali Ortzi please clarify on this). If you can not port scan or bypass the firewall how do you gain entry to system and inject code to memory (without an overt act from the part of a user...such as opening a payload from builtin outlook client)? So to me the bypassing of firewall and then injecting payload is a proper "bypassing" anything less is just waste of time.
Yeah as long as the attacker doesn't scan 4 ports within 200 seconds Symantec shouldn't block in it's default settings.

But most ports aren't blocked in default configuration and a vector can abuse a system via 443 /80 or other common ports anyway.

Usually most attacks come from broswers / email clients wich are whitelisted even by a corporations to allow access .

If someone really cares about network based attacks a good IPS(snort is recommended) and a good IDS (Zeek is recommend because it has very good reporting) and of course good vlan Config + default deny can help a lot .

And remember some vectors don't depend upon inbound network activity as it could be delivered via a flash drive as well .