![]() ![]() There are two options for getting around this. This HIDS was picking off the meterpreter stages, causing the the stage to fail. ![]() That is all well and good for AV, but Symantec also has a HIDS. By generating shellcode using msfvenom (or msfpayload if you’re behind the times), we can inject the first stage of a payload in memory and avoid AV. ![]() When psexec failed, my next idea was to use this beautiful dll / shellcode injector written by our very own steiner. There are probably other ways to skin this cat, but I learned something doing it this way so we will go with it! How to Bypass the SEP HIDS I was using them to gain access to other systems using psexec, but was thwarted by SEP in most cases (with a file not found error). So at this point I am most of the way there already, seeing as I had valid administrator credentials. A little bit of backstory: I was able to acquire a shared local administrator’s credentials during a pen test. I realize that this post is an edge case, but I recently used this method to bypass SEP (Symantec Endpoint Protection) during a pen test, so for my reference and that one person who runs into a similar scenario I am writing this. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |