SlideShare a Scribd company logo

AntiVirus Evasion Reconstructed - Veil 3.0

C
CTruncer

This is the talk given at NullCon 2017. This talk give s history of the Veil Framework, and showcases the differences between 2.0 and the newly released 3.0. Veil 3.0 is released in this talk

Internet
1 of 60
Download to read offline
Antivirus Evasion Reconstructed - Veil 3.0 @ChrisTruncer
Christopher Truncer Previous Sys Admin turned Red Red Team Lead Open Source Developer EyeWitness Veil Framework :)
What’s this talk about? ◈ Veil-Framework History ◈ Veil-Framework 2.0 ◈ Problems with Veil ◈ Veil-Framework 3.0 ⬥All the new stuff :) ◈ Public Release ◈ Questions
Veil - 1.0
The Inception ◈ The idea for Veil came after many pen tests ◈ The problem - time ◈ Will Schroeder and myself began developing different toolsets, and I released Veil ◈ First choice for developing payloads? ⬥Python
Veil 1.0 ◈ This was probably my second script, ever ◈ It was just one giant file ◈ Tons of random functions ◈ Easy for me to develop with, but probably no one else ◈ Not extensible, would be a pain to add new features
Veil 1.0 ◈ At this point, Will began combining both codebases ◈ We wanted a framework to allow drag and drop payloads ⬥Just create your own private module and the framework will pick it up! ◈ We wanted something that was easy to use and fast
Veil - 2.0
Veil 2.0 ◈ This is the Veil (Veil-Evasion) that everyone knows today ◈ Original Veil 2.0 didn’t include really any of our own research ⬥Why reinvent the wheel? ⬥We just packaged existing research into the framework ◈ But we slowly started to add our own flair
Veil 2.0 ◈ We largely wanted to focus on usability ⬥Seems funny, but it’s important ⬥If you can’t use it, then it’s worthless ◈ Included some of the basics such as: ⬥Tab completion ⬦Payloads ⬥Error checking ⬦Users….. :) ◈ Wanted to be able to easily help people
Veil 2.0 ◈ Veil was designed to be language agnostic ⬥Write payloads in any language we can! ◈ Currently support 7 different languages, plus native executables and auxiliary modules ⬥C, C#, Go, Perl, PowerShell, Python, and Ruby ◈ Anything that can access Windows functions can be used as a stager ◈ Built in native compilation everywhere we could
Problems I’ve Encountered
Shellcode and Metasploit ◈ Veil can generate shellcode for its payloads within the tool ⬥That whole usability thing… ◈ But Veil simply invokes msfvenom ⬥It’s not created within Veil ◈ This makes our life easier.. ◈ … until msfvenom gets updated...
Shellcode and Metasploit ◈ This happened one time early on after Veil 2.0’s release ⬥It completely broke Veil’s ability to receive/parse shellcode from msfvenom ◈ This was pretty easily fixed once we understood the new output format ⬥But it identified a problem ◈ We needed to remove complete reliance on msfvenom
Shellcode and Metasploit ◈ Doesn’t seem widely used, but it has its advantages for us ⬥I control the output, so no unforeseen changes ⬥It supports what we believe are the most widely used payloads ⬥It’s faster for use vs. using msfvenom ⬥Simply patching the shellcode allows for an immediate return of results
AV Trying to Signature Veil
AV Signature ◈ About a year after Veil 2.0’s release, we received word of a signature
Veil 3.0
Veil 3.0 ◈ Veil 3.0 has multiple changes in the tool when compared to version 2.0 ⬥First and foremost, Veil has been completely rewritten in Python 3 ⬥Python 3 is the way forward with using Python ⬥I did not want to refactor the code in Python 2 now, to need to update to Python 3 when Py2 is end-of-life (2020)
Veil 3.0 ◈ Refactoring the codebase while updating to Python 3 was a challenge ⬥It went beyond just changing print statements into functions ◈ Handling shellcode in Python 3 is completely different from Python 2 ◈ Creating a Python payload that injects shellcode into memory is different
Veil 2.0
Veil 3.0
Veil 2.0
Veil 3.0
Veil 3.0
Python 3 ◈ Why else did I choose Python3? ⬥I discovered some AntiVirus companies are trying to flag Veil Python payloads simply by the environment it was compiled in
Python 3 ◈ How did I determine this? ⬥Generated payload - caught ⬥Removed shellcode - caught ⬥Renamed CTypes - caught ⬥Commented Windows function calls - caught ⬦From 1 to all of them ⬥Deleted EVERYTHING and did a hello world program - ...take a guess...
Python 3
Python 3 ◈ Next… ⬥Use the same payload source code ⬥Copied it to Windows VM ⬥“Compiled” the Python code in Windows using Pyinstaller ⬥Scanned the new executable
Python 3
Python 3 ◈ Updating the version of Python used changes the environmental signature it was “compiled” in ◈ Easily bypass this detection method ◈ Try to get AV to go the smarter route and actually analyze the executable vs. develop poor signatures
Veil 3.0 Menu
Shellcode Generation ◈ MSFVenom is still available to generate shellcode ⬥Supports all of the payload built into MSF ⬥Still requires instantiating the “simple” framework object ◈ Veil-Ordnance is the default choice ⬥Quickly generate shellcode ⬥In the event msfvenom output changes again, this is a fallback (or use it by default :))
Ordnance Payloads ◈ Veil-Ordnance Payloads ⬥reverse_tcp ⬥reverse_http ⬥reverse_https ⬥reverse_tcp_dns ⬥reverse_tcp_all_ports ⬥bind_tcp
Ordnance Encoder ◈ Veil-Ordnance does have a single encoder ⬥Thanks to @sixdub ◈ This can be used when needing to avoid bad characters ◈ I’d love to have more encoders added into Ordnance ⬥Send any my way! :)
Veil 3.0 ◈ So… what else is new with Veil payloads?
Environmental Checks ◈ Nearly all payloads now have the ability to set pre-execution environmental checks ◈ Set just one, or all of the checks ◈ All checks need to pass in order for the payload to execute ⬥All or nothing ◈ Each check developed in its respective language
Environmental Checks ◈ Current supported environmental checks: ⬥Computer domain ⬥System hostname ⬥Payload expiration ⬥Number of processors ⬥Current username ◈ There’s room for more checks to be added in ⬥Want to find an easy way to contribute, add a new environmental check!
Environmental Checks ◈ These are here to try to combat a few things: ⬥Prevent analysis of the end payload by an automated malware analysis solution ⬥If payload is run in sandbox prior to execution, it will (hopefully) prevent malicious detection ⬥Allow the end user to create highly targeted malware
New Languages ◈ While we’re at it, let’s add two new languages ⬥AutoIt3 ⬥Lua ◈ Lua - currently generates source code ⬥Can’t do native compilation, yet ◈ AutoIt3 - Generates code and can be compiled within Linux
Future Work ◈ Add in additional environmental checks ◈ Always looking for new languages and payloads to support ◈ Additional encoders to Ordnance
Questions? ◈ Questions? ◈ Veil - https://github.com/Veil- Framework/Veil ◈ Get in touch! ⬥@ChrisTruncer ⬥@VeilFramework

Recommended

The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while Persisting
CTruncer
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-Framework
VeilFramework
 
Higher Level Malware
Higher Level MalwareHigher Level Malware
Higher Level Malware
CTruncer
 
Pentester++
Pentester++Pentester++
Pentester++
CTruncer
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
CTruncer
 
Veil-Ordnance
Veil-OrdnanceVeil-Ordnance
Veil-Ordnance
VeilFramework
 
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
CTruncer
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the Wild
CTruncer
 

Recommended

The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while Persisting
CTruncer
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-Framework
VeilFramework
 
Higher Level Malware
Higher Level MalwareHigher Level Malware
Higher Level Malware
CTruncer
 
Pentester++
Pentester++Pentester++
Pentester++
CTruncer
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
CTruncer
 
Veil-Ordnance
Veil-OrdnanceVeil-Ordnance
Veil-Ordnance
VeilFramework
 
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
CTruncer
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the Wild
CTruncer
 
Bringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusBringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirus
CTruncer
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
VeilFramework
 
The Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofThe Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack Thereof
CTruncer
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your Network
CTruncer
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
midnite_runr
 
CheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityCheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant Security
Brandon Arvanaghi
 
CheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted MalwareCheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted Malware
Brandon Arvanaghi
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data Exfiltration
CTruncer
 
Entomology 101
Entomology 101Entomology 101
Entomology 101
snyff
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
CTruncer
 
Debugging NET Applications With WinDBG
Debugging NET Applications With WinDBGDebugging NET Applications With WinDBG
Debugging NET Applications With WinDBG
Cory Foy
 
Who’s afraid of WinDbg
Who’s afraid of WinDbgWho’s afraid of WinDbg
Who’s afraid of WinDbg
Dror Helper
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)
RGKelley5
 
Snake bites : Python for Pentesters
Snake bites : Python for PentestersSnake bites : Python for Pentesters
Snake bites : Python for Pentesters
Anant Shrivastava
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
Mario Heiderich
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?
snyff
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Chris Gates
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010
Chris Gates
 
0d1n
0d1n0d1n
0d1n
Antonio Costa aka Cooler_
 
Mpeg guide
Mpeg guideMpeg guide
Mpeg guide
kimsach
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
RightScale
 

More Related Content

What's hot

ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
Mario Heiderich
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Chris Gates
 

What's hot (20)

Bringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusBringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirus
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
The Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofThe Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack Thereof
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your Network
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
CheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityCheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant Security
 
CheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted MalwareCheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted Malware
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data Exfiltration
 
Entomology 101
Entomology 101Entomology 101
Entomology 101
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
 
Debugging NET Applications With WinDBG
Debugging NET Applications With WinDBGDebugging NET Applications With WinDBG
Debugging NET Applications With WinDBG
 
Who’s afraid of WinDbg
Who’s afraid of WinDbgWho’s afraid of WinDbg
Who’s afraid of WinDbg
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)
 
Snake bites : Python for Pentesters
Snake bites : Python for PentestersSnake bites : Python for Pentesters
Snake bites : Python for Pentesters
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010
 
0d1n
0d1n0d1n
0d1n
 

Similar to AntiVirus Evasion Reconstructed - Veil 3.0

Similar to AntiVirus Evasion Reconstructed - Veil 3.0 (20)

Mpeg guide
Mpeg guideMpeg guide
Mpeg guide
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
 
Making kubernetes simple for developers
Making kubernetes simple for developersMaking kubernetes simple for developers
Making kubernetes simple for developers
 
codemotion-docker-2014
codemotion-docker-2014codemotion-docker-2014
codemotion-docker-2014
 
Greach 2016 dockerize your grails
Greach 2016 dockerize your grailsGreach 2016 dockerize your grails
Greach 2016 dockerize your grails
 
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
 
Container Days
Container DaysContainer Days
Container Days
 
Dev Environments: The Next Generation
Dev Environments: The Next GenerationDev Environments: The Next Generation
Dev Environments: The Next Generation
 
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
G3 Summit 2016 - Dockerize your Grails!
G3 Summit 2016 - Dockerize your Grails!G3 Summit 2016 - Dockerize your Grails!
G3 Summit 2016 - Dockerize your Grails!
 
Understanding and building Your Own Docker
Understanding and building Your Own DockerUnderstanding and building Your Own Docker
Understanding and building Your Own Docker
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docx
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?
 
GR8Conf US 2017 - Dockerize your Grails!
GR8Conf US 2017 - Dockerize your Grails!GR8Conf US 2017 - Dockerize your Grails!
GR8Conf US 2017 - Dockerize your Grails!
 
Os dev tool box
Os dev tool boxOs dev tool box
Os dev tool box
 
What is Docker
What is DockerWhat is Docker
What is Docker
 
Docker. Micro services for lazy developers
Docker. Micro services for lazy developersDocker. Micro services for lazy developers
Docker. Micro services for lazy developers
 
Dockerize your Symfony application - Symfony Live NYC 2014
Dockerize your Symfony application - Symfony Live NYC 2014Dockerize your Symfony application - Symfony Live NYC 2014
Dockerize your Symfony application - Symfony Live NYC 2014
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 

More from CTruncer

More from CTruncer (7)

BlackHat USA 2019 - WMImplant: An Offensive Use Case of WMI
BlackHat USA 2019 - WMImplant: An Offensive Use Case of WMIBlackHat USA 2019 - WMImplant: An Offensive Use Case of WMI
BlackHat USA 2019 - WMImplant: An Offensive Use Case of WMI
 
Aggressive Autonomous Actions - Operating with Automation
Aggressive Autonomous Actions - Operating with AutomationAggressive Autonomous Actions - Operating with Automation
Aggressive Autonomous Actions - Operating with Automation
 
Pen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MorePen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and More
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into It
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing Development
 
EyeWitness - A Web Application Triage Tool
EyeWitness - A Web Application Triage ToolEyeWitness - A Web Application Triage Tool
EyeWitness - A Web Application Triage Tool
 

Recently uploaded

Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Monica Sydney
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Monica Sydney
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
pxcywzqs
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
Monica Sydney
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
ydyuyu
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
kumargunjan9515
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Monica Sydney
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024
SOFTTECHHUB
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
F
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
AS
 

Recently uploaded (20)

Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
 

AntiVirus Evasion Reconstructed - Veil 3.0

  • 2. Christopher Truncer Previous Sys Admin turned Red Red Team Lead Open Source Developer EyeWitness Veil Framework :)
  • 3. What’s this talk about? ◈ Veil-Framework History ◈ Veil-Framework 2.0 ◈ Problems with Veil ◈ Veil-Framework 3.0 ⬥All the new stuff :) ◈ Public Release ◈ Questions
  • 5. The Inception ◈ The idea for Veil came after many pen tests ◈ The problem - time ◈ Will Schroeder and myself began developing different toolsets, and I released Veil ◈ First choice for developing payloads? ⬥Python
  • 6.
  • 7. Veil 1.0 ◈ This was probably my second script, ever ◈ It was just one giant file ◈ Tons of random functions ◈ Easy for me to develop with, but probably no one else ◈ Not extensible, would be a pain to add new features
  • 8. Veil 1.0 ◈ At this point, Will began combining both codebases ◈ We wanted a framework to allow drag and drop payloads ⬥Just create your own private module and the framework will pick it up! ◈ We wanted something that was easy to use and fast
  • 10.
  • 11. Veil 2.0 ◈ This is the Veil (Veil-Evasion) that everyone knows today ◈ Original Veil 2.0 didn’t include really any of our own research ⬥Why reinvent the wheel? ⬥We just packaged existing research into the framework ◈ But we slowly started to add our own flair
  • 12. Veil 2.0 ◈ We largely wanted to focus on usability ⬥Seems funny, but it’s important ⬥If you can’t use it, then it’s worthless ◈ Included some of the basics such as: ⬥Tab completion ⬦Payloads ⬥Error checking ⬦Users….. :) ◈ Wanted to be able to easily help people
  • 13.
  • 14. Veil 2.0 ◈ Veil was designed to be language agnostic ⬥Write payloads in any language we can! ◈ Currently support 7 different languages, plus native executables and auxiliary modules ⬥C, C#, Go, Perl, PowerShell, Python, and Ruby ◈ Anything that can access Windows functions can be used as a stager ◈ Built in native compilation everywhere we could
  • 16. Shellcode and Metasploit ◈ Veil can generate shellcode for its payloads within the tool ⬥That whole usability thing… ◈ But Veil simply invokes msfvenom ⬥It’s not created within Veil ◈ This makes our life easier.. ◈ … until msfvenom gets updated...
  • 17. Shellcode and Metasploit ◈ This happened one time early on after Veil 2.0’s release ⬥It completely broke Veil’s ability to receive/parse shellcode from msfvenom ◈ This was pretty easily fixed once we understood the new output format ⬥But it identified a problem ◈ We needed to remove complete reliance on msfvenom
  • 18.
  • 19.
  • 20.
  • 21. Shellcode and Metasploit ◈ Doesn’t seem widely used, but it has its advantages for us ⬥I control the output, so no unforeseen changes ⬥It supports what we believe are the most widely used payloads ⬥It’s faster for use vs. using msfvenom ⬥Simply patching the shellcode allows for an immediate return of results
  • 22. AV Trying to Signature Veil
  • 23. AV Signature ◈ About a year after Veil 2.0’s release, we received word of a signature
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 33. Veil 3.0 ◈ Veil 3.0 has multiple changes in the tool when compared to version 2.0 ⬥First and foremost, Veil has been completely rewritten in Python 3 ⬥Python 3 is the way forward with using Python ⬥I did not want to refactor the code in Python 2 now, to need to update to Python 3 when Py2 is end-of-life (2020)
  • 34. Veil 3.0 ◈ Refactoring the codebase while updating to Python 3 was a challenge ⬥It went beyond just changing print statements into functions ◈ Handling shellcode in Python 3 is completely different from Python 2 ◈ Creating a Python payload that injects shellcode into memory is different
  • 40. Python 3 ◈ Why else did I choose Python3? ⬥I discovered some AntiVirus companies are trying to flag Veil Python payloads simply by the environment it was compiled in
  • 41. Python 3 ◈ How did I determine this? ⬥Generated payload - caught ⬥Removed shellcode - caught ⬥Renamed CTypes - caught ⬥Commented Windows function calls - caught ⬦From 1 to all of them ⬥Deleted EVERYTHING and did a hello world program - ...take a guess...
  • 43. Python 3 ◈ Next… ⬥Use the same payload source code ⬥Copied it to Windows VM ⬥“Compiled” the Python code in Windows using Pyinstaller ⬥Scanned the new executable
  • 45. Python 3 ◈ Updating the version of Python used changes the environmental signature it was “compiled” in ◈ Easily bypass this detection method ◈ Try to get AV to go the smarter route and actually analyze the executable vs. develop poor signatures
  • 47.
  • 48.
  • 49. Shellcode Generation ◈ MSFVenom is still available to generate shellcode ⬥Supports all of the payload built into MSF ⬥Still requires instantiating the “simple” framework object ◈ Veil-Ordnance is the default choice ⬥Quickly generate shellcode ⬥In the event msfvenom output changes again, this is a fallback (or use it by default :))
  • 50. Ordnance Payloads ◈ Veil-Ordnance Payloads ⬥reverse_tcp ⬥reverse_http ⬥reverse_https ⬥reverse_tcp_dns ⬥reverse_tcp_all_ports ⬥bind_tcp
  • 51. Ordnance Encoder ◈ Veil-Ordnance does have a single encoder ⬥Thanks to @sixdub ◈ This can be used when needing to avoid bad characters ◈ I’d love to have more encoders added into Ordnance ⬥Send any my way! :)
  • 52. Veil 3.0 ◈ So… what else is new with Veil payloads?
  • 53.
  • 54. Environmental Checks ◈ Nearly all payloads now have the ability to set pre-execution environmental checks ◈ Set just one, or all of the checks ◈ All checks need to pass in order for the payload to execute ⬥All or nothing ◈ Each check developed in its respective language
  • 55. Environmental Checks ◈ Current supported environmental checks: ⬥Computer domain ⬥System hostname ⬥Payload expiration ⬥Number of processors ⬥Current username ◈ There’s room for more checks to be added in ⬥Want to find an easy way to contribute, add a new environmental check!
  • 56. Environmental Checks ◈ These are here to try to combat a few things: ⬥Prevent analysis of the end payload by an automated malware analysis solution ⬥If payload is run in sandbox prior to execution, it will (hopefully) prevent malicious detection ⬥Allow the end user to create highly targeted malware
  • 57. New Languages ◈ While we’re at it, let’s add two new languages ⬥AutoIt3 ⬥Lua ◈ Lua - currently generates source code ⬥Can’t do native compilation, yet ◈ AutoIt3 - Generates code and can be compiled within Linux
  • 58.
  • 59. Future Work ◈ Add in additional environmental checks ◈ Always looking for new languages and payloads to support ◈ Additional encoders to Ordnance
  • 60. Questions? ◈ Questions? ◈ Veil - https://github.com/Veil- Framework/Veil ◈ Get in touch! ⬥@ChrisTruncer ⬥@VeilFramework