Bypassing EPP — Chapter 3

P.O.TECH
5 min read, Nov 12, 2020

Evading endpoint security requires several steps and leverages numerous tools that allow sophisticated attacks to be carried out at larger scale and considerably faster. The results certainly depend on the skills of the invader, but also on the scope and the time allocated to each analysis step. The cyber kill chain is broadly shared by all attackers, but it relies on many tools to implement it. Some only expose weaknesses or provide an overview of the network at a very specific point in time; the added value lies in the ability to integrate these different kits and make them interact with each other.

There are various tools to assist here: traceroute for network mapping, port scanning with nmap, OpenVAS for vulnerability management, and Metasploit, the most widely used penetration testing framework in the world, which automates large amounts of tedious tasks.

Another set includes Burp Suite for web application pentesting, Wireshark as a network protocol analyzer, Hydra for online password brute-forcing, OWASP ZAP to detect vulnerabilities in web applications, and sqlmap to exploit SQL injection vulnerabilities.

After leveraging the techniques above to invade a system, the post-exploitation process is increasing in complexity due to protection controls such as IPS, NDR and, specifically, EDR.

This step-by-step guide illustrates endpoint evasion in the post-exploitation phase using Shellter, which has proved to be the first dynamic infector for the PE (Portable Executable) file format of 32-bit Windows applications.

Using Shellter

Shellter is capable of re-encoding any native 32-bit standalone Windows application. Since we are trying to avoid AV detection, we need to avoid anything that might look suspicious to AV software, such as packed applications or applications that have more than one section containing executable code.
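The heuristic mentioned above (more than one section containing executable code) can be checked directly from the PE section table. The following is an added example written for this post, not code from the article or from Shellter: a minimal section-header parser that lists executable sections, run over a header-only PE stub constructed inline. Because Shellter deliberately avoids adding sections, this is a baseline triage check rather than a Shellter detector.

```python
import struct

# Section Characteristics flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000

COFF_HEADER = "<HHIIIHH"         # Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
SECTION_HEADER = "<8sIIIIIIHHI"  # Name ... Characteristics (40 bytes per entry)


def executable_sections(pe_bytes):
    """Return the names of all sections flagged as code or executable."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, pe_bytes, coff_off)
    table_off = coff_off + struct.calcsize(COFF_HEADER) + opt_size
    names = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER, pe_bytes, table_off + i * 40)
        name, characteristics = fields[0], fields[-1]
        if characteristics & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            names.append(name.rstrip(b"\0").decode("ascii", "replace"))
    return names


def has_multiple_code_sections(pe_bytes):
    """Triage heuristic from the text: more than one executable section is unusual."""
    return len(executable_sections(pe_bytes)) > 1


def build_sample_pe(sections):
    """Constructed header-only PE stub for testing; it is not a runnable binary."""
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack(COFF_HEADER, 0x014C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack(SECTION_HEADER, name, 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, flags)
        for name, flags in sections
    )
    return dos_header + b"PE\0\0" + coff + table


if __name__ == "__main__":
    normal = build_sample_pe([(b".text", 0x60000020), (b".data", 0xC0000040)])
    odd = build_sample_pe([(b".text", 0x60000020), (b".data", 0xC0000040), (b".extra", 0xE0000020)])
    print(executable_sections(normal), has_multiple_code_sections(normal))  # ['.text'] False
    print(executable_sections(odd), has_multiple_code_sections(odd))        # ['.text', '.extra'] True
```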

Figure 1: Shellter

We used Shellter to encode many small “.exe” program files such as “cpuz.exe” and “google.exe”; we even tried naming a small file with the same name as the EDR, “EDR.exe”.

Figure 2: Exploits quarantined

At this stage, the EDR blocked all the exploits and threats: Figure 2 shows different programs encoded with different methods, all of which were blocked and quarantined.

To sidestep that, we used Shellter to encode the EDR installation software “EDRUnifiedSetup.exe”, embedding inside it a payload that grants access to the machine.

Figure 3: Reverse TCP Metasploit exploit

Figure 3 highlights the Metasploit exploit and the options needed to attack the victim machine, and Figure 4 shows the reverse TCP handler started.

Figure 4: Starting reverse TCP handler

After running the “EDRUnifiedSetup.exe” file on the victim machine, we got a shell. The EDR solution did not detect it!

Figure 5: Metasploit — active channels

As we can see, we got full admin access to the machine.

Figure 6: Exploit running with admin privileges

Figure 7: Resource monitor

Maintaining access

In order to maintain access, we added a second user on the machine.

Figure 8: User ‘Test’ added

The new user ‘Test’ with a password has been added to the victim system.

Lateral Movement using PsExec

We also tried to gain shell access from an external machine using the “PsExec” tool, and we succeeded!

PsExec is a portable tool from Microsoft that allows you to run processes remotely using the credentials of any user. You can use PsExec not only to manage processes on the remote computer, but also to redirect the console output of an application to your local computer, so the process appears to be running locally.

Figure 9: Remote access to the victim machine

EDR Bypassed

Several system commands can be executed from the PsExec session. Once we escalate privileges, we have full authority over the system, even though it is unauthorized access. We can now change, delete or create malicious files, tamper with system-wide settings, disclose confidential information, etc.

The EDR did not detect any malicious activity; we gained access to the system easily, without any restriction, and carried out privilege escalation seamlessly. Hence, behavioral analysis is still lacking in the EDR’s arsenal.
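The two post-exploitation steps described above (adding the ‘Test’ user, then opening a PsExec session from another machine) each leave standard Windows events behind: 4720 when an account is created, 4624 with logon type 3 for the network logon, and 7045 when PsExec installs its PSEXESVC service. The following added example is my own detection logic, not code from the post; the JSON-lines shape, field names and values are constructed for the demo. It flags each step and correlates a remote logon by a freshly created account within a time window.

```python
import json
from datetime import datetime, timedelta

# Constructed sample log in a simplified JSON-lines shape (field names are my own,
# not a real Windows or EDR export); the numeric IDs are the standard Windows event IDs.
SAMPLE_LOG = r"""
{"time": "2020-11-10T14:02:11", "id": 4720, "host": "VICTIM-PC", "target_user": "Test"}
{"time": "2020-11-10T14:09:40", "id": 4624, "host": "VICTIM-PC", "user": "Test", "logon_type": 3, "src_ip": "192.0.2.25"}
{"time": "2020-11-10T14:09:42", "id": 7045, "host": "VICTIM-PC", "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"}
{"time": "2020-11-10T15:10:00", "id": 7045, "host": "VICTIM-PC", "service_name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"}
{"time": "2020-11-10T16:00:00", "id": 4624, "host": "VICTIM-PC", "user": "Test", "logon_type": 3, "src_ip": "192.0.2.25"}
"""


def parse_events(text):
    """Parse JSON-lines text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, window=timedelta(minutes=30)):
    """Return (rule, host, detail) findings for the post-exploitation steps in the text."""
    findings = []
    created = {}  # (host, user) -> time the local account was created
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        host = ev["host"]
        if ev["id"] == 4720:  # a user account was created
            created[(host, ev["target_user"])] = t
            findings.append(("new_local_user", host, ev["target_user"]))
        elif ev["id"] == 7045:  # a service was installed; PsExec's default is PSEXESVC
            if "psexesvc" in (ev["service_name"] + ev.get("image_path", "")).lower():
                findings.append(("psexec_service_installed", host, ev["service_name"]))
        elif ev["id"] == 4624 and ev.get("logon_type") == 3:  # network logon
            when = created.get((host, ev["user"]))
            if when is not None and t - when <= window:  # only within the window after creation
                findings.append(("remote_logon_by_new_user", host, f'{ev["user"]} from {ev["src_ip"]}'))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG)):
        print(finding)
```

The 16:00 logon by the same user falls outside the 30-minute window and is deliberately not flagged; the Spooler service install is ignored because neither its name nor its image path refers to PSEXESVC.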

To conclude, the volume of online attacks has been growing for years, but lately we have seen a notable increase in certain categories, with reports stating that almost 70% of outbreaks pass through endpoints: laptops, workstations, mobile devices, etc. Endpoint protection is still wide open to attacks despite technological advances, and major malware breaches are predicted to occur in the next few years.


P.O.TECH

P.O.TECH is a group of 6 entities: Potech Consulting, Potech Academy, Potech Labs, Obsoft, Potech SOC and NIGMA Conseil.