Bypassing EPP — Chapter 1

6 min read · Aug 25, 2020


Cybersecurity is not a one-off operation that is threatened once and then settled. It is a continuous process that must be integrated into everyday activities. It begins with an understanding of the risks and threats: you must understand your opponents, their goals, and how they conduct their attacks.

Imagine a business that falls victim to a ransomware attack. The targeted attack appears to be financially motivated, but the ransomware actually serves to conceal a completely different purpose: the hacker really wants to seize sensitive customer data or disrupt normal operations …

For the hacker to succeed, it is essential to plan certain activities and operations. The Kill Chain, the sequence of operations that leads to a kill (a success), involves five phases: Reconnaissance, Scanning, Gaining Access, Maintaining Access and Covering Tracks.

What happens to each phase of the Kill Chain?

Gathering information about the intended target is more than just the first step of any type of attack. The reconnaissance phase (a.k.a. footprinting), which can be passive in nature or performed actively with several tools and techniques, is the fundamental stage before any attack is launched. It allows the attacker to assess the available targets and networks and to identify their security flaws. Several footprinting techniques may be applied, from Whois footprinting, DNS footprinting and Google hacking to reconnaissance through social engineering. Once the hacker has understood the safeguards your company has put in place, he can choose the most suitable weapon to bypass them. The selected attack vector is often difficult to prevent or detect: it can be a 0-day exploit, a phishing campaign, or the corruption of an employee.

The next phase is to take the information discovered during reconnaissance and use it to examine the network. The tools a hacker can leverage during the scanning phase include dialers, port scanners, network mappers, and vulnerability scanners. Hackers look for information that can help them carry out attacks, such as computer names, IP addresses, and user accounts. For instance, the disclosure of internal IP addresses reveals much of the layout of the organizational network and may also lead to other attacks.

After the scanning phase, the hacker attacks the target's network using the data collected during the previous phases. This is the phase where the real hacking takes place: vulnerabilities discovered during the reconnaissance and scanning phases are now exploited to gain access. The connection method used by the hacker for an exploit can be a local area network (wired LAN or wireless), local access to a PC, the Internet, or offline access.

Once a hacker has gained access, he will want to keep that access for future exploitation and attacks. Sometimes, hackers harden the system against other hackers or security personnel by securing their exclusive access with backdoors, rootkits and trojans. Once the hacker owns the system, he can use it as a base from which to launch additional attacks. In this case, the compromised system is called a zombie.

After successfully obtaining and maintaining access, hackers cover their tracks to avoid being spotted by security personnel, to continue using the system and to eliminate any evidence. Hackers try to remove all traces of the attack, such as log files or Intrusion Detection System (IDS) alarms. Examples of activities during this phase include steganography, the use of tunneling protocols, and the modification of log files. The hacker finally reaches the last phase of his mission: he has been able to perform unwanted activities such as exfiltrating customer data, corrupting vital systems, and disrupting business operations.
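The log modification mentioned in the covering-tracks phase is only invisible when the log itself is the sole record. The following is an added example, not code from the original article: it chains each log record to the previous one with an HMAC so that a deleted, altered or reordered line breaks every tag that follows it. The sample log lines and the collector key are constructed for the demonstration; the key is assumed to live on a separate log collector, not on the host whose logs it protects.

```python
"""Tamper-evident log chaining: detecting the log-file modification that
attackers perform while covering their tracks.

Added example, not code from the original article. The log lines and the
key below are constructed for this demonstration.
"""
import hashlib
import hmac

# Constructed secret. In practice it is held by the log collector, never by
# the monitored host; an attacker who owns the host must not be able to
# recompute the chain.
COLLECTOR_KEY = b"constructed-demo-key-do-not-reuse"

GENESIS = b"\x00" * 32  # fixed predecessor tag for the first record

# Constructed sample log, standing in for a host's authentication log.
SAMPLE_LOG = [
    "2020-08-25T10:01:02Z sshd: Accepted password for alice from 10.0.0.5",
    "2020-08-25T10:03:41Z sshd: Failed password for root from 10.0.0.99",
    "2020-08-25T10:03:43Z sshd: Failed password for root from 10.0.0.99",
    "2020-08-25T10:04:10Z sshd: Accepted password for root from 10.0.0.99",
    "2020-08-25T10:05:00Z sudo: root : COMMAND=/bin/rm -f /var/log/auth.log",
]


def chain_log(lines, key=COLLECTOR_KEY):
    """Return [(line, tag_hex)] where tag = HMAC(key, previous_tag || line).

    Each tag covers the previous tag, so removing, editing or reordering a
    record invalidates that record and every record after it.
    """
    prev = GENESIS
    chained = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        chained.append((line, tag.hex()))
        prev = tag
    return chained


def verify_chain(chained, key=COLLECTOR_KEY):
    """Return the index of the first record whose tag fails to verify, or
    None when the whole chain is intact. Verification stops at the first
    break because nothing after it can be trusted."""
    prev = GENESIS
    for index, (line, tag_hex) in enumerate(chained):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return index
        prev = expected
    return None


def tamper_delete(chained, index):
    """Simulate the attacker removing one record from the stored chain."""
    return chained[:index] + chained[index + 1:]


def tamper_edit(chained, index, new_line):
    """Simulate the attacker rewriting a record but keeping its old tag."""
    edited = list(chained)
    edited[index] = (new_line, edited[index][1])
    return edited


if __name__ == "__main__":
    intact = chain_log(SAMPLE_LOG)
    print("intact chain verifies:", verify_chain(intact) is None)
    # Removing the successful root login (record 3) breaks the chain at index 3.
    print("first bad record after deletion:", verify_chain(tamper_delete(intact, 3)))
    # Rewriting the sudo line (record 4) breaks the chain at index 4.
    rewritten = "2020-08-25T10:05:00Z sudo: alice : COMMAND=/bin/ls"
    print("first bad record after edit:", verify_chain(tamper_edit(intact, 4, rewritten)))
```

The chain tells the collector where the tampering starts, not what was removed; shipping each record off-host as it is written is what preserves the content itself.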

Bypassing endpoint protection

This step-by-step guide illustrates endpoint evasion.

Endpoint protection is a cornerstone of cyber security. Nowadays, EPP solutions may rely on cutting-edge technology, such as hybrid and heuristic analysis, to protect endpoints.

Some sophisticated solutions also add the power of machine learning to protect against targeted cyber-attacks.

However, cyber threats are evolving rapidly, and the attacker is always one step ahead of the defenses.

Exploitation is the most crucial phase for the attacker, since it involves direct interaction with the target.

Most protection tools rely on signature matching to pinpoint malware, examining executables for strings that are already known. Moreover, the use of some crypters and packers, which serve to hinder analysis, is itself detected today.

Thus, the attacker's best approach is to craft custom payloads that stay clear of antivirus detection.

For the bypass, we used Meterpreter, a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code. Phantom-Evasion was used to create the shell. Phantom-Evasion is an interactive evasion tool that generates fully undetectable (FUD) executables, relying on Meterpreter to create a stealth payload.

Before we can start working with Meterpreter, we need to get a Meterpreter shell. We will go through Phantom-Evasion to generate the payload. With a few junk-code injections and basic memory virtualization, we will see how duping an EPP solution may be easier than assumed. Some features, such as strip, hinder reverse engineering as well while reducing the size of the malicious file.

Run Phantom-Evasion and select the Windows reverse TCP stager:

phantom_evasion has tab completion, so we don't have to type the whole path when entering a module: when we press the Tab key after a few characters, it completes as much of the command as it can. We want to use the meterpreter/reverse_tcp module, creating a Meterpreter payload that will connect back to us. The reverse_tcp module takes two options: the local host (LHOST) and the port that the payload should connect back to. The port's default value is 4444 and we are going to stick with that, so all we have to do is set the LHOST variable to our IP address. Once the variables are set, we can leave everything else at its default and create our shell as an executable. Phantom-Evasion has now generated a file that we can transfer to a Windows box and run, as shown below:

From here, we need to copy our executable to a Windows box. Once it is on the system, we need a Metasploit module to receive the connection back. When we use exploit/multi/handler, we are running an exploit that does nothing but handle the connections coming back to it. For that purpose, we need to run the following commands:

When the handler runs, we should see a message indicating that it is listening for connections. Now we run our executable on the Windows box. This causes the executable to connect back to our listener and open a shell. We now have a Meterpreter connection through which to run the script.

And as you can see, the next-generation endpoint protection, with its maximum security policies, did not detect this type of virus.
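When the endpoint's signature engine misses the executable, the network still sees what the payload has to do: the scanning phase described earlier shows up as a burst of connections to many ports, and the reverse TCP stager set up above has to hold an outbound session to the handler (port 4444 by default). The following is an added example, not code from the original article, Phantom-Evasion or Metasploit: a small analyser over connection logs that flags both patterns. The log format, addresses and timestamps are constructed; INTERNAL_NETS and the thresholds are assumptions a real deployment would tune.

```python
"""Network-side detection for two kill-chain stages discussed in this article:
the scanning phase and a reverse TCP callback to a listener on Metasploit's
default port 4444.

Added example, not code from the original article or its tools. The log
format, addresses and timestamps are constructed; INTERNAL_NETS and the
thresholds are assumptions.
"""
from collections import defaultdict
import ipaddress

# Assumed internal address space (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Assumed thresholds.
SCAN_DISTINCT_PORTS = 20      # distinct (host, port) targets from one source ...
SCAN_WINDOW_SECONDS = 60      # ... within this many seconds
LISTENER_PORTS = {4444}       # Metasploit's default handler port, per the article
MIN_CALLBACK_DURATION = 300   # outbound TCP session length (s) worth a look


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_line(line):
    """Parse 'epoch src_ip src_port dst_ip dst_port proto duration_s'
    (a constructed, whitespace-separated format)."""
    ts, src, sport, dst, dport, proto, duration = line.split()
    return {"ts": float(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "duration": float(duration)}


def detect_port_scans(records):
    """Flag a source that touches many distinct targets inside a short window.
    A slow scan spread over hours stays below the window and is not flagged:
    the threshold trades sensitivity for fewer false positives."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append(rec)
    findings = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window so it spans at most SCAN_WINDOW_SECONDS.
            while recs[end]["ts"] - recs[start]["ts"] > SCAN_WINDOW_SECONDS:
                start += 1
            targets = {(r["dst"], r["dport"]) for r in recs[start:end + 1]}
            if len(targets) >= SCAN_DISTINCT_PORTS:
                findings.append({"src": src, "targets": len(targets),
                                 "window_start": recs[start]["ts"]})
                break
    return findings


def detect_reverse_callbacks(records):
    """Flag internal->external TCP sessions that hit a known listener port or
    stay open unusually long (an interactive Meterpreter session does both)."""
    findings = []
    for rec in records:
        if rec["proto"] != "tcp" or not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        reasons = []
        if rec["dport"] in LISTENER_PORTS:
            reasons.append("default Metasploit handler port")
        if rec["duration"] >= MIN_CALLBACK_DURATION:
            reasons.append("long-lived outbound session")
        if reasons:
            findings.append({"src": rec["src"], "dst": rec["dst"],
                             "dport": rec["dport"], "reasons": reasons})
    return findings


def analyse(lines):
    records = [parse_conn_line(line) for line in lines]
    return {"scans": detect_port_scans(records),
            "callbacks": detect_reverse_callbacks(records)}


# Constructed sample traffic.
SAMPLE_LOG = []
# Fast scan: 10.0.0.99 probes 25 ports on 10.0.0.20 within ten seconds.
SAMPLE_LOG += [f"{1598349600 + i * 0.4:.1f} 10.0.0.99 {51000 + i} 10.0.0.20 {20 + i} tcp 0.1"
               for i in range(25)]
# Slow scan: 10.0.0.7 probes 25 ports on 10.0.0.21, one every five minutes.
SAMPLE_LOG += [f"{1598349600 + i * 300:.1f} 10.0.0.7 {52000 + i} 10.0.0.21 {20 + i} tcp 0.1"
               for i in range(25)]
SAMPLE_LOG += [
    "1598349700.0 10.0.0.42 49152 203.0.113.7 4444 tcp 1800.0",   # callback to listener
    "1598349705.0 10.0.0.42 49153 203.0.113.50 443 tcp 12.0",     # ordinary HTTPS
    "1598349710.0 10.0.0.5 49200 10.0.0.20 445 tcp 900.0",        # internal SMB, ignored
    "1598349720.0 10.0.0.8 49300 198.51.100.9 443 tcp 3600.0",    # long-lived HTTPS only
]

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for finding in result["scans"]:
        print("possible port scan:", finding)
    for finding in result["callbacks"]:
        print("suspicious outbound session:", finding)
```

The port check alone is weak, since a listener can be moved to 443 in one line of the handler configuration, which is why the duration heuristic is there and why the last sample line is flagged on duration only; the slow scan deliberately slips under the window to show what the threshold gives up.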

To conclude, this bypass leverages the Phantom-Evasion framework and shows how easy it is to achieve an intrusion on a system. EPP solutions seem to rely on signatures more than on behavioral analysis. Phantom-Evasion allowed us to create a stealth payload easily without getting caught by the majority of EPPs. The next chapter will show that even dynamic and advanced analysis techniques can be bypassed.


Follow us:

Facebook: @potechglobal
Twitter: @potechglobal
YouTube: P.O.TECH — Paths of Technology
LinkedIn: company/potechglobal
Medium: @potechglobal

P.O.TECH is a group of 6 entities: Potech Consulting, Potech Academy, Potech Labs, Obsoft, Potech SOC and NIGMA Conseil.