Bypassing Next Gen AV For Fun and Profit

TacoRocket Member Posts: 497
Here's a little write up I did with one of the anti-viruses I'm having to look at. I hope this helps anyone interested in how some of the certs apply to real life. I'm glad to have this off my mind!

https://virtualizedcomputing.wordpress.com/2017/03/02/bypassing-next-gen-av-for-fun-and-profit/

Just hope that nobody is trying to get to your stuff!
These articles and posts are my own opinion and do not reflect the view of my employer.

Website gave me error for signature, check out what I've done here: https://pwningroot.com/

Comments

  • NetworkNewb Member Posts: 3,298
    Nice website/blog
  • TacoRocket Member Posts: 497
    Thank you! I started it as a way to keep my progress publicly accountable. Now I think I know the stride I want to take with it.

  • chrisone Senior Member Posts: 2,205
    wow! impressive stuff! We are looking at Cylance, what is your take on it?
    Certs: CISSP, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2021 Goals
    Courses: eLearnSecurity - PTXv2 (complete), SANS 699: Purple Team Tactics (completed), PentesterLabs Pro (ongoing)
    Certs: eCPTXv2, AZ-500, SC-200 (fail 1st attempt), EnCE, Splunk Core Power User
  • TacoRocket Member Posts: 497
    Skeptical. I think they have a good product but I'm not a full believer. When it's based on "Machine AI" it leads to higher false positives. Also a lot of your traditional AV has had to adapt because if they don't, signatures can get very outdated. I find it also a little silly when you have to tune an AV for false positives. Lastly I don't like their attitude on independent testing. They are openly hostile to independent testing and will let you know it. In the end my biggest concern is that I concede I am not a super security expert, but if I can get a system account within an hour or two, what happens when someone actually tries? It would be game over.

    Also after this was published and retweeted around 10 times, someone from Symantec reached out and they want me to test their product in depth. They even pointed out that I used an outdated (still has support for updates) version of SEP. How cool is that? While I still have to test, the fact that they are open to taking criticism is great in my eyes.
  • alias454 Member Posts: 648
    That's pretty awesome; nice job. I see you had John Strand for your 504. I like watching him on Paul's Startup Security Weekly. The guys from Black Hills InfoSec also have some additional interesting YouTube videos related to this very topic that can be eye opening for those who think AV is 100% good. https://www.youtube.com/watch?v=EYuHAqY0xSw

    I think at best AV might catch ~40% of the things (which is better than nothing) but it definitely cannot be relied upon as the only protection.
    “I do not seek answers, but rather to understand the question.”
  • TacoRocket Member Posts: 497
    I agree completely. I still believe that we've become complacent about what AV does. So everyone looks for the next shiny thing when AV does great at detection and remediation.

    I had John Strand for the 504 OnDemand. I had another in-person instructor. I listen to Security Weekly (and the sister shows) regularly! I want to start looking into what BHIS does more often but with school and certs my backlog is full.