Bypassing Symantec Endpoint Protection for Fun & Profit (Defense Evasion)
Bypassing Antivirus Solutions

Bypassing Symantec Endpoint Protection for Fun & Profit (Defense Evasion)

As a penetration tester or a red teamer, if one has tried to execute a malicious payload during their engagements, an off the shelf payload generated by the common payload generation tools such as “msfvenom” or utilizing “mimikatz” to dump credentials from the LSASS is flagged almost immediately.

Common AV products such as Symantec Endpoint Protection will flag the malicious payload as soon as it hits the disk by static analysis, such generic payloads are even caught on runtime as their signatures are picked up by vendors or due to suspicious behavior.

Generating payloads with Metasploit Framework
Identifying Windows Defender malicious signatures

Many different techniques have been known to bypass Antivirus products, Windows Defender etc. Most common being “Hiding Metasploit Shellcode to Evade Windows Defender” or using tools such as “Veil Evasion” which usually focus on encrypting the payload and decrypting it in the memory thus preventing the shellcode from static scanning by the detection engines. However, process memory & runtime monitoring would still pick it up, in most cases.

In this post, we will be highlighting a way to fly under the AV radar and execute our malicious payloads, in a nutshell, we will be conducting the following steps to evade detection,

1. Generate a malicious C# payload (we’ll be using Covenant C2 Framework)

Generating a Launcher from Covenant C2

2. Convert the .NET payload to position independent code using Donut

Converting C2 Launcher to Position Independent Shellcode

3. Use a custom .NET loader to execute our PIC.

Compiling the Loader on Linux

4. Utilize a LOLBin – InstallUtil.exe to execute our loader which in turns executes the malicious shellcode in memory that spawns a reverse connection back to our C2.

Dumping System Credentials without Detection

This was a quick win against Symantec Endpoint Protection, demonstrating how it was possible to bypass the detection, furthermore dump credentials from the compromised system without generating an alert.

References:
1. https://github.com/matterpreter/DefenderCheck
2. https://github.com/cobbr/Covenant
3. https://github.com/TheWover/donut
4. Custom Loader inspired from SubTee’s work on .NET PE Loader
5. https://gist.github.com/xorrior/bbac3919ca2aef8d924bdf3b16cce3d0
6. Melvin L for his project BetterSafetyKatz

This Post Has 6 Comments

  1. Ian Tibble

    Or compromising the host by compromising SEP, there’s another route 🙂

    1. Zubin

      That sure does sound interesting! 🙂

  2. Moin

    Hi Zubin,

    What version of SEP did you try this get through? Sounds amazing.

    Cheers,
    Moin

    1. Zubin

      Hi Moin,
      SEP version is 14.2.
      Thanks.

Leave a Reply