Advice Request Bypassing Symantec Endpoint Protection for Fun & Profit (Defense Evasion)

Please provide comments and solutions that are helpful to the author of this topic.
[correlate]

[correlate]

Level 18
Thread author
Verified
Top Poster
Well-known
Forum Veteran
May 4, 2019
792
9,574
1,670
New York
As a penetration tester or a red teamer, if one has tried to execute a malicious payload during their engagements, an off the shelf payload generated by the common payload generation tools such as “msfvenom” or utilizing “mimikatz” to dump credentials from the LSASS is flagged almost immediately.
Click to expand...
cognosec.com

Bypassing Symantec Endpoint Protection for Fun & Profit (Defense Evasion) - Cognosec

A quick demonstration of bypassing Symantec Endpoint, dumping credentials from memory and highlighting how to get a quick win against antivirus products.
cognosec.com cognosec.com
 
  • Like
  • Applause
Reactions: Moonhorse, Vitali Ortzi, upnorth and 6 others
For those serious Pen Testers (who actually find things) and can use a some cash may be interested here:

HackerOne

Previously one would have to be either an employee or a freelancer at places like EndGame, but now such opportunities are open to the Masses.
 
  • Like
  • +Reputation
  • Thanks
Reactions: upnorth, harlan4096, Moonhorse and 3 others
Low quality post/article doesn't even mention os version no product version as well .

And yes Symantec endpoint protection is easily bypassable on default settings wich are just a baseline and shouldn't be used in a production environment(this is not a consumer product).

Anyway nothing special or maybe even meaningful has been shown here .
 
  • Like
Reactions: Protomartyr, Moonhorse, [correlate] and 2 others
If you enable the port scan detection in firewall any port scanning will get detected and prevent the attacker for another 600 seconds (default). I don't know what will happen for stealth scanning by nmap ( @ Vitali Ortzi please clarify on this). If you can not port scan or bypass the firewall how do you gain entry to system and inject code to memory (without an overt act from the part of a user...such as opening a payload from builtin outlook client)? So to me the bypassing of firewall and then injecting payload is a proper "bypassing" anything less is just waste of time.
 
  • Like
Reactions: Protomartyr, [correlate] and roger_m
JoyousBudweiser said:
If you enable the port scan detection in firewall any port scanning will get detected and prevent the attacker for another 600 seconds (default). I don't know what will happen for stealth scanning by nmap ( @ Vitali Ortzi please clarify on this). If you can not port scan or bypass the firewall how do you gain entry to system and inject code to memory (without an overt act from the part of a user...such as opening a payload from builtin outlook client)? So to me the bypassing of firewall and then injecting payload is a proper "bypassing" anything less is just waste of time.
Click to expand...
Yeah as long as the attacker doesn't scan 4 ports within 200 seconds Symantec shouldn't block in it's default settings.

But most ports aren't blocked in default configuration and a vector can abuse a system via 443 /80 or other common ports anyway.

Usually most attacks come from broswers / email clients wich are whitelisted even by a corporations to allow access .

If someone really cares about network based attacks a good IPS(snort is recommended) and a good IDS (Zeek is recommend because it has very good reporting) and of course good vlan Config + default deny can help a lot .

And remember some vectors don't depend upon inbound network activity as it could be delivered via a flash drive as well .
 
  • Like
Reactions: Protomartyr, [correlate] and Brahman
Correlate said:
medium.com

How I Bypass Crowdstrike Restriction

Crowdstrike is a set of advanced EDR (endpoint detection and response) applications and techniques to provide an industry-leading NGAV…
medium.com medium.com
Click to expand...
This again is a misleading title. The hacker has physical access to the hacked system. Seldom happens in real world. It can not be treated as a bypass.
 
  • Like
  • Thanks
Reactions: Protomartyr, Vitali Ortzi, [correlate] and 1 other person

You may also like...