Disable symantec endpoint protection greyed out
How to Bypass the SEP HIDS

I realize that this post is an edge case, but I recently used this method to bypass SEP (Symantec Endpoint Protection) during a pen test, so for my reference and that one person who runs into a similar scenario I am writing this. There are probably other ways to skin this cat, but I learned something doing it this way, so we will go with it!

A little bit of backstory: I was able to acquire a shared local administrator's credentials during a pen test. I was using them to gain access to other systems using psexec, but was thwarted by SEP in most cases (with a file not found error). So at this point I am most of the way there already, seeing as I had valid administrator credentials.

When psexec failed, my next idea was to use this beautiful dll / shellcode injector written by our very own steiner. By generating shellcode using msfvenom (or msfpayload if you're behind the times), we can inject the first stage of a payload in memory and avoid AV. That is all well and good for AV, but Symantec also has a HIDS. This HIDS was picking off the meterpreter stages, causing the stage to fail.

There are two options for getting around this. The first could be a pain, given we are using syringe to inject them, so the second method is the one I used: instead of breaking up our payload into multiple stages and reducing the size, we can use one of the new stageless payloads, which contain the entirety of meterpreter.