Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Antivirus Evasion
Reconstructed -
Veil 3.0
@ChrisTruncer
Christopher Truncer
Previous Sys Admin turned Red
Red Team Lead
Open Source Developer
EyeWitness
Veil Framework :)
What’s this talk about?
◈ Veil-Framework History
◈ Veil-Framework 2.0
◈ Problems with Veil
◈ Veil-Framework 3.0
⬥All the n...
Veil - 1.0
The Inception
◈ The idea for Veil came after many pen tests
◈ The problem - time
◈ Will Schroeder and myself began develop...
Veil 1.0
◈ This was probably my second script, ever
◈ It was just one giant file
◈ Tons of random functions
◈ Easy for me ...
Veil 1.0
◈ At this point, Will began combining both
codebases
◈ We wanted a framework to allow drag and
drop payloads
⬥Jus...
Veil - 2.0
Veil 2.0
◈ This is the Veil (Veil-Evasion) that everyone
knows today
◈ Original Veil 2.0 didn’t include really any of
our ...
Veil 2.0
◈ We largely wanted to focus on usability
⬥Seems funny, but it’s important
⬥If you can’t use it, then it’s worthl...
Veil 2.0
◈ Veil was designed to be language agnostic
⬥Write payloads in any language we can!
◈ Currently support 7 differe...
Problems I’ve
Encountered
Shellcode and Metasploit
◈ Veil can generate shellcode for its payloads
within the tool
⬥That whole usability thing…
◈ But...
Shellcode and Metasploit
◈ This happened one time early on after Veil
2.0’s release
⬥It completely broke Veil’s ability to...
Shellcode and Metasploit
◈ Doesn’t seem widely used, but it has its
advantages for us
⬥I control the output, so no unfores...
AV Trying to Signature Veil
AV Signature
◈ About a year after Veil 2.0’s release, we
received word of a signature
Veil 3.0
Veil 3.0
◈ Veil 3.0 has multiple changes in the tool
when compared to version 2.0
⬥First and foremost, Veil has been compl...
Veil 3.0
◈ Refactoring the codebase while updating to
Python 3 was a challenge
⬥It went beyond just changing print stateme...
Veil 2.0
Veil 3.0
Veil 2.0
Veil 3.0
Veil 3.0
Python 3
◈ Why else did I choose Python3?
⬥I discovered some AntiVirus companies are trying
to flag Veil Python payloads s...
Python 3
◈ How did I determine this?
⬥Generated payload - caught
⬥Removed shellcode - caught
⬥Renamed CTypes - caught
⬥Com...
Python 3
Python 3
◈ Next…
⬥Use the same payload source code
⬥Copied it to Windows VM
⬥“Compiled” the Python code in Windows using
P...
Python 3
Python 3
◈ Updating the version of Python used changes
the environmental signature it was
“compiled” in
◈ Easily bypass th...
Veil 3.0 Menu
Shellcode Generation
◈ MSFVenom is still available to generate
shellcode
⬥Supports all of the payload built into MSF
⬥Stil...
Ordnance Payloads
◈ Veil-Ordnance Payloads
⬥reverse_tcp
⬥reverse_http
⬥reverse_https
⬥reverse_tcp_dns
⬥reverse_tcp_all_por...
Ordnance Encoder
◈ Veil-Ordnance does have a single encoder
⬥Thanks to @sixdub
◈ This can be used when needing to avoid ba...
Veil 3.0
◈ So… what else is new with Veil payloads?
Environmental Checks
◈ Nearly all payloads now have the ability to
set pre-execution environmental checks
◈ Set just one, ...
Environmental Checks
◈ Current supported environmental checks:
⬥Computer domain
⬥System hostname
⬥Payload expiration
⬥Numb...
Environmental Checks
◈ These are here to try to combat a few things:
⬥Prevent analysis of the end payload by an
automated ...
New Languages
◈ While we’re at it, let’s add two new languages
⬥AutoIt3
⬥Lua
◈ Lua - currently generates source code
⬥Can’...
Future Work
◈ Add in additional environmental checks
◈ Always looking for new languages and
payloads to support
◈ Addition...
Questions?
◈ Questions?
◈ Veil - https://github.com/Veil-
Framework/Veil
◈ Get in touch!
⬥@ChrisTruncer
⬥@VeilFramework
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
Upcoming SlideShare
Loading in …5
×

AntiVirus Evasion Reconstructed - Veil 3.0

7,442 views

Published on

This is the talk given at NullCon 2017. This talk give s history of the Veil Framework, and showcases the differences between 2.0 and the newly released 3.0. Veil 3.0 is released in this talk

Published in: Internet
  • Hey guys! Who wants to chat with me? More photos with me here 👉 http://www.bit.ly/katekoxx
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

AntiVirus Evasion Reconstructed - Veil 3.0

  1. 1. Antivirus Evasion Reconstructed - Veil 3.0 @ChrisTruncer
  2. 2. Christopher Truncer Previous Sys Admin turned Red Red Team Lead Open Source Developer EyeWitness Veil Framework :)
  3. 3. What’s this talk about? ◈ Veil-Framework History ◈ Veil-Framework 2.0 ◈ Problems with Veil ◈ Veil-Framework 3.0 ⬥All the new stuff :) ◈ Public Release ◈ Questions
  4. 4. Veil - 1.0
  5. 5. The Inception ◈ The idea for Veil came after many pen tests ◈ The problem - time ◈ Will Schroeder and myself began developing different toolsets, and I released Veil ◈ First choice for developing payloads? ⬥Python
  6. 6. Veil 1.0 ◈ This was probably my second script, ever ◈ It was just one giant file ◈ Tons of random functions ◈ Easy for me to develop with, but probably no one else ◈ Not extensible, would be a pain to add new features
  7. 7. Veil 1.0 ◈ At this point, Will began combining both codebases ◈ We wanted a framework to allow drag and drop payloads ⬥Just create your own private module and the framework will pick it up! ◈ We wanted something that was easy to use and fast
  8. 8. Veil - 2.0
  9. 9. Veil 2.0 ◈ This is the Veil (Veil-Evasion) that everyone knows today ◈ Original Veil 2.0 didn’t include really any of our own research ⬥Why reinvent the wheel? ⬥We just packaged existing research into the framework ◈ But we slowly started to add our own flair
  10. 10. Veil 2.0 ◈ We largely wanted to focus on usability ⬥Seems funny, but it’s important ⬥If you can’t use it, then it’s worthless ◈ Included some of the basics such as: ⬥Tab completion ⬦Payloads ⬥Error checking ⬦Users….. :) ◈ Wanted to be able to easily help people
  11. 11. Veil 2.0 ◈ Veil was designed to be language agnostic ⬥Write payloads in any language we can! ◈ Currently support 7 different languages, plus native executables and auxiliary modules ⬥C, C#, Go, Perl, PowerShell, Python, and Ruby ◈ Anything that can access Windows functions can be used as a stager ◈ Built in native compilation everywhere we could
  12. 12. Problems I’ve Encountered
  13. 13. Shellcode and Metasploit ◈ Veil can generate shellcode for its payloads within the tool ⬥That whole usability thing… ◈ But Veil simply invokes msfvenom ⬥It’s not created within Veil ◈ This makes our life easier.. ◈ … until msfvenom gets updated...
  14. 14. Shellcode and Metasploit ◈ This happened one time early on after Veil 2.0’s release ⬥It completely broke Veil’s ability to receive/parse shellcode from msfvenom ◈ This was pretty easily fixed once we understood the new output format ⬥But it identified a problem ◈ We needed to remove complete reliance on msfvenom
  15. 15. Shellcode and Metasploit ◈ Doesn’t seem widely used, but it has its advantages for us ⬥I control the output, so no unforeseen changes ⬥It supports what we believe are the most widely used payloads ⬥It’s faster for use vs. using msfvenom ⬥Simply patching the shellcode allows for an immediate return of results
  16. 16. AV Trying to Signature Veil
  17. 17. AV Signature ◈ About a year after Veil 2.0’s release, we received word of a signature
  18. 18. Veil 3.0
  19. 19. Veil 3.0 ◈ Veil 3.0 has multiple changes in the tool when compared to version 2.0 ⬥First and foremost, Veil has been completely rewritten in Python 3 ⬥Python 3 is the way forward with using Python ⬥I did not want to refactor the code in Python 2 now, to need to update to Python 3 when Py2 is end-of-life (2020)
  20. 20. Veil 3.0 ◈ Refactoring the codebase while updating to Python 3 was a challenge ⬥It went beyond just changing print statements into functions ◈ Handling shellcode in Python 3 is completely different from Python 2 ◈ Creating a Python payload that injects shellcode into memory is different
  21. 21. Veil 2.0
  22. 22. Veil 3.0
  23. 23. Veil 2.0
  24. 24. Veil 3.0
  25. 25. Veil 3.0
  26. 26. Python 3 ◈ Why else did I choose Python3? ⬥I discovered some AntiVirus companies are trying to flag Veil Python payloads simply by the environment it was compiled in
  27. 27. Python 3 ◈ How did I determine this? ⬥Generated payload - caught ⬥Removed shellcode - caught ⬥Renamed CTypes - caught ⬥Commented Windows function calls - caught ⬦From 1 to all of them ⬥Deleted EVERYTHING and did a hello world program - ...take a guess...
  28. 28. Python 3
  29. 29. Python 3 ◈ Next… ⬥Use the same payload source code ⬥Copied it to Windows VM ⬥“Compiled” the Python code in Windows using Pyinstaller ⬥Scanned the new executable
  30. 30. Python 3
  31. 31. Python 3 ◈ Updating the version of Python used changes the environmental signature it was “compiled” in ◈ Easily bypass this detection method ◈ Try to get AV to go the smarter route and actually analyze the executable vs. develop poor signatures
  32. 32. Veil 3.0 Menu
  33. 33. Shellcode Generation ◈ MSFVenom is still available to generate shellcode ⬥Supports all of the payload built into MSF ⬥Still requires instantiating the “simple” framework object ◈ Veil-Ordnance is the default choice ⬥Quickly generate shellcode ⬥In the event msfvenom output changes again, this is a fallback (or use it by default :))
  34. 34. Ordnance Payloads ◈ Veil-Ordnance Payloads ⬥reverse_tcp ⬥reverse_http ⬥reverse_https ⬥reverse_tcp_dns ⬥reverse_tcp_all_ports ⬥bind_tcp
  35. 35. Ordnance Encoder ◈ Veil-Ordnance does have a single encoder ⬥Thanks to @sixdub ◈ This can be used when needing to avoid bad characters ◈ I’d love to have more encoders added into Ordnance ⬥Send any my way! :)
  36. 36. Veil 3.0 ◈ So… what else is new with Veil payloads?
  37. 37. Environmental Checks ◈ Nearly all payloads now have the ability to set pre-execution environmental checks ◈ Set just one, or all of the checks ◈ All checks need to pass in order for the payload to execute ⬥All or nothing ◈ Each check developed in its respective language
  38. 38. Environmental Checks ◈ Current supported environmental checks: ⬥Computer domain ⬥System hostname ⬥Payload expiration ⬥Number of processors ⬥Current username ◈ There’s room for more checks to be added in ⬥Want to find an easy way to contribute, add a new environmental check!
  39. 39. Environmental Checks ◈ These are here to try to combat a few things: ⬥Prevent analysis of the end payload by an automated malware analysis solution ⬥If payload is run in sandbox prior to execution, it will (hopefully) prevent malicious detection ⬥Allow the end user to create highly targeted malware
  40. 40. New Languages ◈ While we’re at it, let’s add two new languages ⬥AutoIt3 ⬥Lua ◈ Lua - currently generates source code ⬥Can’t do native compilation, yet ◈ AutoIt3 - Generates code and can be compiled within Linux
  41. 41. Future Work ◈ Add in additional environmental checks ◈ Always looking for new languages and payloads to support ◈ Additional encoders to Ordnance
  42. 42. Questions? ◈ Questions? ◈ Veil - https://github.com/Veil- Framework/Veil ◈ Get in touch! ⬥@ChrisTruncer ⬥@VeilFramework

×