SlideShare a Scribd company logo

AV Evasion with the Veil Framework

V
VeilFramework

This presentation is about how to utilize the Veil Framework to bypass common antivirus solutions. This talk was given at Shmoocon 2014.

Technology
1 of 40
Download to read offline
AV Evasion With the Veil Framework #avlol @HarmJ0y @ChrisTruncer @TheMightyShiv @VeilFramework
@VeilFramework ●  Will Schroeder @HarmJ0y ○  Former national research lab keyboard monkey ●  Chris Truncer @ChrisTruncer ○  Florida State Graduate - Go Noles! ●  Michael Wright @TheMightyShiv ○  Pulled away on assessment : ( ●  Veris Group pentesters by day, antivirus evasion researchers by night
Overview •  The Problem •  Public Reaction and Ethical Considerations •  The Veil Framework •  Payload Releases •  Veil-Evasion Demo •  Payload Delivery •  Veil-Catapult Demo •  How to stop us
The Problem Antivirus can’t catch malware but does catch pentesters
Our Solution •  A way to get around antivirus as easily as professional malware •  Don’t want to roll our own backdoor each time •  Find a way to execute existing shellcode in an av-evading way
Our Solution
Veil-Evasion’s Approach •  Aggregation of various shellcode injection techniques across multiple languages o  These have been known and documented in other tools •  Focused on automation, usability, and developing a true framework •  Some shellcodeless Meterpreter stagers as well
Ethical Considerations ●  The disclosure debate is not new... ●  Pentesters are 5+ years behind the professional malware community ●  This is already a problem the bad guys have solved
HD Moore’s Take “The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won.” https://community.rapid7.com/community/metasploit/blog/2009/02/23/the-best-defense-is-information
Our Take •  We chose the path of full public disclosure •  We want to help the security industry better emulate threats •  AV vendors can see our code!
Public Reaction ●  “surely this will just result in 21 new signatures for all major AVs and then we're back to square one?” ●  “Isn't our entire field meant to be working towards increasing security, rather than handing out fully functioning weapons?” ●  “The other point here is that anything that helps to expose how in-effective AV really is at stopping even a minimally sophisticated attacker is a good thing.” http://www.reddit.com/r/netsec/comments/1fc2xp/veil_a_metasploit_payload_generator_for_bypassing/
The Veil Framework Veil-Evasion
Veil-Evasion Features •  Can use Metasploit-generated or custom shellcode o  MSF payloads/options dynamically loaded •  Third party tools can be easily integrated o  Hyperion, PEScrambler, BackDoor Factory, etc. •  Command line switches to allow scriptability
Armitage Integration •  The veil_evasion.cna script allows for the graphical integration of Veil-Evasion into Armitage/Cobalt Strike •  Payloads can be generated and optionally substituted into all psexec calls seamlessly http://blog.strategiccyber.com/2012/08/03/cortana-real-time-collaborativehacking-with-bots/
Native Compilation Python: pyinstaller/py2exe C#: mono for .NET C: mingw32
Module Development •  Implement your own obfuscation methods •  Lots of reusable functionality o  Shellcode generation is abstracted and can be invoked as needed •  https://www.veil-framework.com/tutorial-veilpayload-development/
Am I Getting Caught? •  A running hash list of every payload generated is kept in ~/veil-output/hashes.txt •  Mubix’s vt-notify script* can alert us if a customer submits a Veil payload to virustotal.com *https://github.com/mubix/vt-notify
checkvt
Shellcode Injection •  Void pointer casting o  no guarantee the memory region is executable •  VirtualAlloc o  allocate memory as RWX, copy code in and create a thread •  HeapAlloc o  create a heap object and manually allocate memory
DEP and Pyinstaller •  Pyinstaller produced .exe’s are DEP enabled by default o  this ruins some shellcode injection methods •  Luckily Pyinstaller is open source o  we can recompile to turn off DEP opt-in •  https://www.veil-evasion.com/deppyinstaller/
Payload Releases #VDay
V-Day •  We release at least one new payload on the 15th of every month •  24 currently published payloads •  20+ additional payloads have been developed so far o  we’re going to be releasing for a while :)
Shellcodeless Stagers ●  Stage 1 Meterpreter loaders don’t have to be implemented in shellcode ●  Meterpreter stagers can be written in higherlevel languages ●  https://github.com/rsmudge/metasploitloader
Veil Stagers ●  The following are the stagers currently available in the framework: Language Stager C meterpreter/rev_tcp C meterpreter/rev_tcp_service C# meterpreter/rev_tcp python meterpreter/rev_tcp python meterpreter/rev_http python meterpreter/rev_https
Stager Basics How a Meterpreter stager works: 1) a tcp connection is opened to the handler 2) the handler sends back 4 bytes indicating the .dll size, and then transfers the .dll 3) the socket number for this tcp connection is pushed into the edi register 4) execution is passed to the .dll just like regular shellcode (void * or VirtualAlloc)
DEMO #1
Veil Framework Veil-Catapult
Veil-Catapult ●  Our payload delivery system ●  Features nice integration with Veil-Evasion for on-the-fly payload generation ●  Cleanup scripts generated for payload killing and deletion ●  Command line flags for every option
Veil-Catapult
.EXE Delivery ●  Users can invoke Veil-Evasion to generate a payload, or specify an existing .exe ●  Payloads are delivered in one of two ways: ○  ○  upload/execute using Impacket and pth-toolkit host/execute UNC path to the attacker’s box ●  UNC invocation gets otherwise detectable .EXEs right by some AVs (lol @MSE)
Standalone Payloads ●  Powershell: shellcode injector, bye bye disk writes ○  http://www.exploit-monday.com/2011/10/exploitingpowershells-features-not.html ●  Barebones python: uploads a minimal python installation to invoke shellcode (see: next slide) ●  Sethc backdoor: issues a registry command to set up the sticky-keys RDP backdoor
Barebones Python ●  Uploads a minimal python .zip installation and 7zip binary ●  Python environment unzipped, shellcode invoked using “-c …” ●  The only files that touch disk are trusted python libraries and a python interpreter ●  Gets right by reputation filters and antivirus!
DEMO #2
How to Stop Us #avlol
Predictable Behavior •  A lot of malware and Veil-Evasion payload behaviors are fairly predictable: o  o  Immediate reverse connection to a target RWX memory page allocation, binary code copying, thread creation, etc. •  A small set of APIs are usually used in a very specific and non-standard way
Ambush IPS •  An intrusion prevention system that allows for flexible rules to be written for API calls •  Rules can be written to stop Meterpreter stagers without affecting normal execution •  http://ambuships.com/
EMET •  Microsoft’s Enhanced Mitigation Experience Toolkit •  Has some mechanisms that stop the ability for an executable to inject shellcode •  Ruins powershell shellcode injection •  http://technet.microsoft.com/en-us/security/jj653751
Where to Find Veil •  Web: https://www.veil-framework.com •  Now in Kali! apt-get install veil •  Github: https://github.com/Veil-Framework/Veil/
Questions? •  harmj0y@veil-framework.com o  @harmj0y •  chris@veil-framework.com o  @ChrisTruncer •  shiv@veil-framework.com o  @TheMightyShiv

Recommended

PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates
 
Taking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryTaking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in Memory
Joe Desimone
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
Will Schroeder
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
Nikhil Mittal
 
Process and Threads in Linux - PPT
Process and Threads in Linux - PPTProcess and Threads in Linux - PPT
Process and Threads in Linux - PPT
QUONTRASOLUTIONS
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
Michael Gough
 

Recommended

PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
Will Schroeder
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates
 
Taking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in MemoryTaking Hunting to the Next Level: Hunting in Memory
Taking Hunting to the Next Level: Hunting in Memory
Joe Desimone
 
Not a Security Boundary
Not a Security BoundaryNot a Security Boundary
Not a Security Boundary
Will Schroeder
 
Red Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATARed Team Revenge - Attacking Microsoft ATA
Red Team Revenge - Attacking Microsoft ATA
Nikhil Mittal
 
Process and Threads in Linux - PPT
Process and Threads in Linux - PPTProcess and Threads in Linux - PPT
Process and Threads in Linux - PPT
QUONTRASOLUTIONS
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
Michael Gough
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token Manipulation
Justin Bui
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Pentest with Metasploit
Pentest with MetasploitPentest with Metasploit
Pentest with Metasploit
M.Syarifudin, ST, OSCP, OSWP
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
Will Schroeder
 
Linux Containers (LXC)
Linux Containers (LXC)Linux Containers (LXC)
Linux Containers (LXC)
Vladimir Melnic
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
Nikhil Mittal
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & Metasploit
Raghav Bisht
 
Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013
Abraham Aranguren
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
Will Schroeder
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeologyWindows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Michael Gough
 
How to use miniedit
How to use minieditHow to use miniedit
How to use miniedit
Takuji IIMURA
 
Linux introduction
Linux introductionLinux introduction
Linux introduction
Md. Zahid Hossain Shoeb
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
Will Schroeder
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Jared Greenhill
 
Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network Security
Ashok Reddy Medikonda
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Andy Robbins
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-Framework
VeilFramework
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
CTruncer
 

More Related Content

What's hot

Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013
Abraham Aranguren
 

What's hot (20)

Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token Manipulation
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
 
Pentest with Metasploit
Pentest with MetasploitPentest with Metasploit
Pentest with Metasploit
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Linux Containers (LXC)
Linux Containers (LXC)Linux Containers (LXC)
Linux Containers (LXC)
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
Introduction To Exploitation & Metasploit
Introduction To Exploitation & MetasploitIntroduction To Exploitation & Metasploit
Introduction To Exploitation & Metasploit
 
Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeologyWindows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
 
How to use miniedit
How to use minieditHow to use miniedit
How to use miniedit
 
Linux introduction
Linux introductionLinux introduction
Linux introduction
 
ReCertifying Active Directory
ReCertifying Active DirectoryReCertifying Active Directory
ReCertifying Active Directory
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
 
Metasploit framework in Network Security
Metasploit framework in Network SecurityMetasploit framework in Network Security
Metasploit framework in Network Security
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 

Viewers also liked

Viewers also liked (20)

The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-Framework
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
 
The Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofThe Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack Thereof
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the Wild
 
Bringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusBringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirus
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
Higher Level Malware
Higher Level MalwareHigher Level Malware
Higher Level Malware
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your Network
 
Pen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MorePen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and More
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into It
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
 
Pentester++
Pentester++Pentester++
Pentester++
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data Exfiltration
 
Veil-Ordnance
Veil-OrdnanceVeil-Ordnance
Veil-Ordnance
 
EyeWitness - A Web Application Triage Tool
EyeWitness - A Web Application Triage ToolEyeWitness - A Web Application Triage Tool
EyeWitness - A Web Application Triage Tool
 
L2
L2L2
L2
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while Persisting
 

Similar to AV Evasion with the Veil Framework

Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
Positive Hack Days
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
MichaelM85042
 
Deep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudDeep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloud
sparkfabrik
 

Similar to AV Evasion with the Veil Framework (20)

Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processes
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass Firewalls
 
PowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity TopicsPowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity Topics
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Rooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDRooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CD
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
Demystifying Binary Reverse Engineering - Pixels Camp
Demystifying Binary Reverse Engineering - Pixels CampDemystifying Binary Reverse Engineering - Pixels Camp
Demystifying Binary Reverse Engineering - Pixels Camp
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel security
 
Dynamic Languages in Production: Progress and Open Challenges
Dynamic Languages in Production: Progress and Open ChallengesDynamic Languages in Production: Progress and Open Challenges
Dynamic Languages in Production: Progress and Open Challenges
 
Reverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdfReverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdf
 
Deep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudDeep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloud
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
 
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
 
Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020
 
Continuous Integration Step-by-step
Continuous Integration Step-by-stepContinuous Integration Step-by-step
Continuous Integration Step-by-step
 

Recently uploaded

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 

Recently uploaded (20)

🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

AV Evasion with the Veil Framework

  • 1. AV Evasion With the Veil Framework #avlol @HarmJ0y @ChrisTruncer @TheMightyShiv @VeilFramework
  • 2. @VeilFramework ●  Will Schroeder @HarmJ0y ○  Former national research lab keyboard monkey ●  Chris Truncer @ChrisTruncer ○  Florida State Graduate - Go Noles! ●  Michael Wright @TheMightyShiv ○  Pulled away on assessment : ( ●  Veris Group pentesters by day, antivirus evasion researchers by night
  • 3. Overview •  The Problem •  Public Reaction and Ethical Considerations •  The Veil Framework •  Payload Releases •  Veil-Evasion Demo •  Payload Delivery •  Veil-Catapult Demo •  How to stop us
  • 4. The Problem Antivirus can’t catch malware but does catch pentesters
  • 5. Our Solution •  A way to get around antivirus as easily as professional malware •  Don’t want to roll our own backdoor each time •  Find a way to execute existing shellcode in an av-evading way
  • 7. Veil-Evasion’s Approach •  Aggregation of various shellcode injection techniques across multiple languages o  These have been known and documented in other tools •  Focused on automation, usability, and developing a true framework •  Some shellcodeless Meterpreter stagers as well
  • 8. Ethical Considerations ●  The disclosure debate is not new... ●  Pentesters are 5+ years behind the professional malware community ●  This is already a problem the bad guys have solved
  • 9. HD Moore’s Take “The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won.” https://community.rapid7.com/community/metasploit/blog/2009/02/23/the-best-defense-is-information
  • 10. Our Take •  We chose the path of full public disclosure •  We want to help the security industry better emulate threats •  AV vendors can see our code!
  • 11. Public Reaction ●  “surely this will just result in 21 new signatures for all major AVs and then we're back to square one?” ●  “Isn't our entire field meant to be working towards increasing security, rather than handing out fully functioning weapons?” ●  “The other point here is that anything that helps to expose how in-effective AV really is at stopping even a minimally sophisticated attacker is a good thing.” http://www.reddit.com/r/netsec/comments/1fc2xp/veil_a_metasploit_payload_generator_for_bypassing/
  • 13. Veil-Evasion Features •  Can use Metasploit-generated or custom shellcode o  MSF payloads/options dynamically loaded •  Third party tools can be easily integrated o  Hyperion, PEScrambler, BackDoor Factory, etc. •  Command line switches to allow scriptability
  • 14. Armitage Integration •  The veil_evasion.cna script allows for the graphical integration of Veil-Evasion into Armitage/Cobalt Strike •  Payloads can be generated and optionally substituted into all psexec calls seamlessly http://blog.strategiccyber.com/2012/08/03/cortana-real-time-collaborativehacking-with-bots/
  • 15.
  • 17. Module Development •  Implement your own obfuscation methods •  Lots of reusable functionality o  Shellcode generation is abstracted and can be invoked as needed •  https://www.veil-framework.com/tutorial-veilpayload-development/
  • 18. Am I Getting Caught? •  A running hash list of every payload generated is kept in ~/veil-output/hashes.txt •  Mubix’s vt-notify script* can alert us if a customer submits a Veil payload to virustotal.com *https://github.com/mubix/vt-notify
  • 20. Shellcode Injection •  Void pointer casting o  no guarantee the memory region is executable •  VirtualAlloc o  allocate memory as RWX, copy code in and create a thread •  HeapAlloc o  create a heap object and manually allocate memory
  • 21. DEP and Pyinstaller •  Pyinstaller produced .exe’s are DEP enabled by default o  this ruins some shellcode injection methods •  Luckily Pyinstaller is open source o  we can recompile to turn off DEP opt-in •  https://www.veil-evasion.com/deppyinstaller/
  • 23. V-Day •  We release at least one new payload on the 15th of every month •  24 currently published payloads •  20+ additional payloads have been developed so far o  we’re going to be releasing for a while :)
  • 24. Shellcodeless Stagers ●  Stage 1 Meterpreter loaders don’t have to be implemented in shellcode ●  Meterpreter stagers can be written in higherlevel languages ●  https://github.com/rsmudge/metasploitloader
  • 25. Veil Stagers ●  The following are the stagers currently available in the framework: Language Stager C meterpreter/rev_tcp C meterpreter/rev_tcp_service C# meterpreter/rev_tcp python meterpreter/rev_tcp python meterpreter/rev_http python meterpreter/rev_https
  • 26. Stager Basics How a Meterpreter stager works: 1) a tcp connection is opened to the handler 2) the handler sends back 4 bytes indicating the .dll size, and then transfers the .dll 3) the socket number for this tcp connection is pushed into the edi register 4) execution is passed to the .dll just like regular shellcode (void * or VirtualAlloc)
  • 29. Veil-Catapult ●  Our payload delivery system ●  Features nice integration with Veil-Evasion for on-the-fly payload generation ●  Cleanup scripts generated for payload killing and deletion ●  Command line flags for every option
  • 31. .EXE Delivery ●  Users can invoke Veil-Evasion to generate a payload, or specify an existing .exe ●  Payloads are delivered in one of two ways: ○  ○  upload/execute using Impacket and pth-toolkit host/execute UNC path to the attacker’s box ●  UNC invocation gets otherwise detectable .EXEs right by some AVs (lol @MSE)
  • 32. Standalone Payloads ●  Powershell: shellcode injector, bye bye disk writes ○  http://www.exploit-monday.com/2011/10/exploitingpowershells-features-not.html ●  Barebones python: uploads a minimal python installation to invoke shellcode (see: next slide) ●  Sethc backdoor: issues a registry command to set up the sticky-keys RDP backdoor
  • 33. Barebones Python ●  Uploads a minimal python .zip installation and 7zip binary ●  Python environment unzipped, shellcode invoked using “-c …” ●  The only files that touch disk are trusted python libraries and a python interpreter ●  Gets right by reputation filters and antivirus!
  • 35. How to Stop Us #avlol
  • 36. Predictable Behavior •  A lot of malware and Veil-Evasion payload behaviors are fairly predictable: o  o  Immediate reverse connection to a target RWX memory page allocation, binary code copying, thread creation, etc. •  A small set of APIs are usually used in a very specific and non-standard way
  • 37. Ambush IPS •  An intrusion prevention system that allows for flexible rules to be written for API calls •  Rules can be written to stop Meterpreter stagers without affecting normal execution •  http://ambuships.com/
  • 38. EMET •  Microsoft’s Enhanced Mitigation Experience Toolkit •  Has some mechanisms that stop the ability for an executable to inject shellcode •  Ruins powershell shellcode injection •  http://technet.microsoft.com/en-us/security/jj653751
  • 39. Where to Find Veil •  Web: https://www.veil-framework.com •  Now in Kali! apt-get install veil •  Github: https://github.com/Veil-Framework/Veil/
  • 40. Questions? •  harmj0y@veil-framework.com o  @harmj0y •  chris@veil-framework.com o  @ChrisTruncer •  shiv@veil-framework.com o  @TheMightyShiv