The Art of bypassing endpoint protections for red teaming engagements

By Jameel Nabbo

Elevator Pitch

There was always a war between the anti-viruses and viruses. however, it’s a challenge as well for the Red Team to test the environments and find the holes. Since most of the companies are using end-point security products. this makes the red team life difficult and this is the purpose of this talk.


In many red teaming engagements, the red team faces an important issue that can make their life difficult in terms of lateral movements or bypassing antiviruses since we’re not in 2010. most of the organizations install antiviruses by design into their employee’s computers as well as servers.

The current modern red teaming techniques require more skills and effort for creating shellcodes and gaining access to systems without being detected.

In this talk, I’ll demonstrate (Advanced evasion techniques) that can by used by the red team in order to bypass modern end-point protection and signature-based detection along with shellcode development.

As some end-point protections now days uses machine learning algorithms at the top of signature-based detection and memory analysis. This makes our life as red teamers even harder when injecting a process or making syscalls.

Gaining access in certain stages, not that complex. However, maintaining our access to the compromised system makes the real challenge. Because this is exact path that Cybercriminals will follow when they gain access to any system.

In addition to the techniques of SMB related attacking techniques and methods. Running a malware and transferring files, running keyloggers is not done using only Meterpreter shells (This kind of post-exploitation just died) since all of the shellcodes are easily detectable even when msfvenum, empire shells, powershells are encoded. That’s why it becomes more important to find new techniques and methods along with with (FREE) tools to prevent being detected by the AV.

I’ll put the spots about using .NET for creating FUD executables along with an explanation about kernel API calls and cryptography algorithms to prevent the signature-based detection mechanisms.


I’ve created a technical blog to share the knowledge with the infosec community regarding binary exploitation techniques and methods can be found over and I always like to put things in practice. The AV evasion is always a problem during the Red Teaming engagement and in my opinion, this is needed by many security researchers to fill the gaps they suffer from during the assessments.