Advice Request Bypassing Symantec Endpoint Protection for Fun & Profit (Defense Evasion)


[correlate]

Level 18
Thread author
Top Poster
Well-known
May 4, 2019
801
As a penetration tester or red teamer, if one has tried to execute a malicious payload during an engagement, one knows that an off-the-shelf payload generated by common payload-generation tools such as “msfvenom”, or the use of “mimikatz” to dump credentials from LSASS, is flagged almost immediately.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Serious Pen Testers (who actually find things) who can use some cash may be interested here:

HackerOne

Previously one would have to be either an employee or a freelancer at places like EndGame, but now such opportunities are open to the Masses.
 

Vitali Ortzi

Level 22
Verified
Top Poster
Well-known
Dec 12, 2016
1,147
Low-quality post/article; it doesn't even mention the OS version, nor the product version.

And yes, Symantec Endpoint Protection is easily bypassable on default settings, which are just a baseline and shouldn't be used in a production environment (this is not a consumer product).

Anyway, nothing special or maybe even meaningful has been shown here.
 

Brahman

Level 16
Verified
Top Poster
Well-known
Aug 22, 2013
799
If you enable port scan detection in the firewall, any port scanning will get detected and the attacker is prevented for another 600 seconds (default). I don't know what will happen with stealth scanning by nmap (@Vitali Ortzi, please clarify this). If you cannot port scan or bypass the firewall, how do you gain entry to the system and inject code into memory (without an overt act on the part of a user, such as opening a payload from the built-in Outlook client)? So to me, bypassing the firewall and then injecting the payload is a proper "bypassing"; anything less is just a waste of time.
 

Vitali Ortzi

Level 22
Verified
Top Poster
Well-known
Dec 12, 2016
1,147
If you enable port scan detection in the firewall, any port scanning will get detected and the attacker is prevented for another 600 seconds (default). I don't know what will happen with stealth scanning by nmap (@Vitali Ortzi, please clarify this). If you cannot port scan or bypass the firewall, how do you gain entry to the system and inject code into memory (without an overt act on the part of a user, such as opening a payload from the built-in Outlook client)? So to me, bypassing the firewall and then injecting the payload is a proper "bypassing"; anything less is just a waste of time.
Yeah, as long as the attacker doesn't scan 4 ports within 200 seconds, Symantec shouldn't block in its default settings.

But most ports aren't blocked in the default configuration, and a vector can abuse a system via 443/80 or other common ports anyway.

Usually most attacks come from browsers / email clients, which are whitelisted even by corporations to allow access.

If someone really cares about network-based attacks, a good IPS (Snort is recommended) and a good IDS (Zeek is recommended because it has very good reporting), and of course a good VLAN config + default deny, can help a lot.

And remember, some vectors don't depend upon inbound network activity, as they could be delivered via a flash drive as well.
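The two posts above describe the firewall's port-scan rule as a threshold: a source that touches a number of distinct ports inside a short window is detected and then kept out for a fixed period. The following is an added example, not Symantec's code or anything from the thread's author; it models that rule as a sliding-window detector and runs it over a constructed firewall log. The figures it uses (4 distinct ports, 200-second window, 600-second block) are taken as stated in the posts above and are assumptions here, not values checked against product documentation; the log format and IP addresses are also constructed.

```python
"""Sliding-window port-scan detector modelled on the rule discussed in the thread.

Assumed rule (figures from the posts above, not verified against product docs):
  N distinct destination ports from one source within WINDOW seconds
  => alert and block that source for BLOCK seconds.
"""
from collections import defaultdict, deque

PORT_THRESHOLD = 4     # distinct ports that trigger a block (assumed default)
WINDOW_SECONDS = 200   # detection window in seconds (assumed default)
BLOCK_SECONDS = 600    # how long the source stays blocked (assumed default)


class PortScanDetector:
    def __init__(self, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS, block=BLOCK_SECONDS):
        self.threshold = threshold
        self.window = window
        self.block = block
        self._hits = defaultdict(deque)   # src -> deque of (timestamp, dport), oldest first
        self.blocked_until = {}           # src -> timestamp at which the block expires

    def observe(self, ts, src, dport):
        """Feed one connection attempt; return "blocked", "alert" or "allow"."""
        if src in self.blocked_until:
            if ts < self.blocked_until[src]:
                return "blocked"            # still inside the block period
            del self.blocked_until[src]     # block expired: start counting afresh
            self._hits[src].clear()

        hits = self._hits[src]
        hits.append((ts, dport))
        # Evict attempts that fell out of the sliding window.
        while hits and ts - hits[0][0] > self.window:
            hits.popleft()

        # Only distinct ports count: repeated hits on one service are not a scan.
        if len({p for _, p in hits}) >= self.threshold:
            self.blocked_until[src] = ts + self.block
            hits.clear()
            return "alert"
        return "allow"


def parse_line(line):
    """Parse a constructed log line of the form '<epoch> <src_ip> -> <dst_ip>:<port>'."""
    ts, src, _, dst = line.split()
    port = dst.rsplit(":", 1)[1]
    return int(ts), src, int(port)


def verdicts(lines, detector=None):
    """Return the detector's verdict for each log line, in input order."""
    det = detector or PortScanDetector()
    return [det.observe(*parse_line(line)) for line in lines]


# Constructed sample log: 10.0.0.5 sweeps four ports quickly, 10.0.0.9 spaces its
# probes more than a window apart, 10.0.0.7 only ever talks to 443.
SAMPLE_LOG = [
    "0 10.0.0.5 -> 192.168.1.20:22",
    "0 10.0.0.9 -> 192.168.1.20:22",
    "10 10.0.0.5 -> 192.168.1.20:80",
    "15 10.0.0.7 -> 192.168.1.20:443",
    "20 10.0.0.5 -> 192.168.1.20:443",
    "30 10.0.0.5 -> 192.168.1.20:445",     # 4th distinct port inside 200 s -> alert
    "40 10.0.0.7 -> 192.168.1.20:443",
    "100 10.0.0.5 -> 192.168.1.20:3389",   # inside the 600 s block -> blocked
    "250 10.0.0.9 -> 192.168.1.20:80",
    "500 10.0.0.9 -> 192.168.1.20:443",
    "700 10.0.0.5 -> 192.168.1.20:8080",   # block expired at 630 -> allow
    "750 10.0.0.9 -> 192.168.1.20:445",
]


def main():
    for line, verdict in zip(SAMPLE_LOG, verdicts(SAMPLE_LOG)):
        print(f"{verdict:8s} {line}")


if __name__ == "__main__":
    main()
```

Running it shows the point both posts make from the defender's side: the fast sweep from 10.0.0.5 is alerted on at its fourth distinct port and dropped for the block period, while the probes from 10.0.0.9 never accumulate four ports inside one window and pass as "allow", which is exactly why the threshold is a baseline that needs an IDS and a default-deny segment behind it rather than a complete control.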
 

Brahman

Level 16
Verified
Top Poster
Well-known
Aug 22, 2013
799
This again is a misleading title. The hacker has physical access to the hacked system. That seldom happens in the real world. It cannot be treated as a bypass.
 
