Friday, February 3, 2012

Is ForeFront Bypassable?

Is Microsoft's ForeFront bypassable? Maybe yes (not confirmed yet). During a penetration test of one of our clients (at my past job), ForeFront didn't allow us to get a meterpreter session (expected result lol): when meterpreter was copied to disk, ForeFront blocked (possibly detecting it as malicious) the outgoing connections of meterpreter. But in another case, we noticed that when you execute your meterpreter executable from a network share folder, you are bypassing (high possibility, I am not sure if it's a feature or not) ForeFront, and ForeFront will not check your executable.

First we got an RDP session (we found the local administrator password, but we needed meterpreter for some local priv. escalations etc.), mounted our local disk on the target machine, ran the meterpreter executable from the network share and BINGO! We have a session!

