War Room

Shells from above

How to Bypass SEP with Admin Access

July 13, 2015 By Mark Wolters

I realize that this post is an edge case, but I recently used this method to bypass SEP (Symantec Endpoint Protection) during a pen test, so I am writing it up for my own reference and for that one person who runs into a similar scenario. A little backstory: I was able to acquire a shared local administrator's credentials during a pen test. I was using them to gain access to other systems with psexec, but was thwarted by SEP in most cases (with a "file not found" error). So at that point I was most of the way there already, seeing as I had valid administrator credentials. There are probably other ways to skin this cat, but I learned something doing it this way, so we will go with it!

How to Bypass the SEP HIDS

When psexec failed, my next idea was to use syringe, the beautiful dll / shellcode injector written by our very own steiner. By generating shellcode with msfvenom (or msfpayload if you're behind the times), we can inject the first stage of a payload into memory and avoid AV. That is all well and good for AV, but Symantec also has a HIDS, and it was picking off the meterpreter stages, causing the stage to fail.

[Image: HIDS blocking meterpreter stage]

There are two options for getting around this. The first is to use a stageless payload: instead of breaking the payload into multiple stages to reduce its size, we can use one of the new stageless payloads, which contain the entirety of meterpreter. This could be a pain given that we are using syringe to inject them, so the second method is the one I used. I generated the payload as usual, but on the handler I set EnableStageEncoding. This encodes each stage before it is sent and, in this instance, bypasses the SEP HIDS.

[Image: handler configured with stage encoding]

How to Disable SEP

Now for disabling SEP. This requires RDP to be open, although you can enable that through psexec_command. For psexec_command to work with a local administrator account, the target needs the registry value LocalAccountTokenFilterPolicy set to 1. To test it out, set your remote desktop settings to not allow connections.

[Image: remote desktop settings with connections not allowed]

Then open up metasploit and use the auxiliary/admin/smb/psexec_command module. Set SMBPass, SMBUser, and SMBDomain to whatever is correct for your system. Then run the following command:

set COMMAND 'reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0'

Now run!

[Image: psexec_command run enabling RDP]

Which should produce the following result.

[Image: remote desktop settings now allowing connections]

You may need to allow it through the firewall so run the following commands against the system:

  • netsh firewall set service remoteadmin enable
  • netsh firewall set service remotedesktop enable

Once you can RDP into the system, do so and bring up SEP. Go to Change settings > Tamper Protection and uncheck the box that says "Protect Symantec security software from being tampered with or shut down".

[Image: SEP tamper protection options]

Then go to the command line and run "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smc.exe" -stop. Voila, it's disabled! Now you can go about your business!

[Image: smc.exe -stop stopping SEP]
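From the defender's side, the sequence above (the reg add for fDenyTSConnections, the netsh firewall changes, and smc.exe -stop) leaves distinctive process-creation command lines. The following is an added example, not part of the original post, that runs simple detection rules over constructed sample 4688/Sysmon command-line records and escalates when one account trips several of them; the event data, host and user names, and rule names are made up for illustration.

```python
import re

# Constructed sample process-creation records (CommandLine field of Windows
# Security event 4688 or Sysmon event 1). Users, host and ids are made up.
SAMPLE_EVENTS = [
    {"id": 1, "user": "WS01\\localadmin",
     "cmd": 'reg add "hklm\\system\\currentcontrolset\\control\\terminal server" '
            '/f /v fDenyTSConnections /t REG_DWORD /d 0'},
    {"id": 2, "user": "WS01\\localadmin", "cmd": "netsh firewall set service remotedesktop enable"},
    {"id": 3, "user": "WS01\\localadmin", "cmd": "netsh firewall set service remoteadmin enable"},
    {"id": 4, "user": "WS01\\localadmin",
     "cmd": '"C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\smc.exe" -stop'},
    {"id": 5, "user": "WS01\\jdoe", "cmd": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
    {"id": 6, "user": "WS01\\localadmin",
     "cmd": "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System "
            "/v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"},
]

# Rule name -> case-insensitive regex over the command line; one rule per step
# of the procedure described in the post (rule names are our own labels).
RULES = {
    "rdp_enabled_via_registry":
        r"\breg(\.exe)?\s+add\b.*terminal server.*fDenyTSConnections\b.*/d\s+0\b",
    "remote_uac_filter_disabled":
        r"\breg(\.exe)?\s+add\b.*LocalAccountTokenFilterPolicy\b.*/d\s+1\b",
    "firewall_remote_service_enabled":
        r"\bnetsh\s+firewall\s+set\s+service\s+(remotedesktop|remoteadmin)\s+enable\b",
    "sep_client_stopped": r'smc\.exe"?\s+-stop\b',
}

def match_rules(cmd):
    """Return the names of all rules whose pattern matches one command line."""
    return [name for name, pat in RULES.items() if re.search(pat, cmd, re.IGNORECASE)]

def detect(events):
    """Return (event id, user, rule) for every rule hit across the records."""
    return [(ev["id"], ev["user"], r) for ev in events for r in match_rules(ev["cmd"])]

def suspicious_users(findings, min_rules=2):
    """Users who tripped at least min_rules distinct rules: one hit may be routine
    administration, several together look like the sequence in this post."""
    per_user = {}
    for _, user, rule in findings:
        per_user.setdefault(user, set()).add(rule)
    return {u: rules for u, rules in per_user.items() if len(rules) >= min_rules}

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for eid, user, rule in hits:
        print(f"event {eid}: {user} -> {rule}")
    print("escalate:", suspicious_users(hits))
```

Feeding real 4688 or Sysmon command lines through detect() in place of SAMPLE_EVENTS gives the same per-user correlation; the patterns only cover the exact commands shown in this post.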

Pretty simple. Hopefully you will find something of value in this post, despite the limited use case. As always, keep hacking!

References

https://github.com/securestate/syringe

https://warroom.rsmus.com/index.php/author/steiner/

https://community.rapid7.com/community/metasploit/blog/2014/12/09/good-bye-msfpayload-and-msfencode

https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads

http://serverfault.com/questions/8805/psexec-access-is-denied

http://community.spiceworks.com/how_to/35529-enable-rdp-through-cmd-line
