SlideShare a Scribd company logo

AV Evasion with the Veil Framework

V
VeilFramework

This presentation is about how to utilize the Veil Framework to bypass common antivirus solutions. This talk was given at Shmoocon 2014.

Technology
1 of 40
Download to read offline
AV Evasion With the Veil Framework #avlol @HarmJ0y @ChrisTruncer @TheMightyShiv @VeilFramework
@VeilFramework ●  Will Schroeder @HarmJ0y ○  Former national research lab keyboard monkey ●  Chris Truncer @ChrisTruncer ○  Florida State Graduate - Go Noles! ●  Michael Wright @TheMightyShiv ○  Pulled away on assessment : ( ●  Veris Group pentesters by day, antivirus evasion researchers by night
Overview •  The Problem •  Public Reaction and Ethical Considerations •  The Veil Framework •  Payload Releases •  Veil-Evasion Demo •  Payload Delivery •  Veil-Catapult Demo •  How to stop us
The Problem Antivirus can’t catch malware but does catch pentesters
Our Solution •  A way to get around antivirus as easily as professional malware •  Don’t want to roll our own backdoor each time •  Find a way to execute existing shellcode in an av-evading way
Our Solution
Veil-Evasion’s Approach •  Aggregation of various shellcode injection techniques across multiple languages o  These have been known and documented in other tools •  Focused on automation, usability, and developing a true framework •  Some shellcodeless Meterpreter stagers as well
Ethical Considerations ●  The disclosure debate is not new... ●  Pentesters are 5+ years behind the professional malware community ●  This is already a problem the bad guys have solved
HD Moore’s Take “The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won.” https://community.rapid7.com/community/metasploit/blog/2009/02/23/the-best-defense-is-information
Our Take •  We chose the path of full public disclosure •  We want to help the security industry better emulate threats •  AV vendors can see our code!
Public Reaction ●  “surely this will just result in 21 new signatures for all major AVs and then we're back to square one?” ●  “Isn't our entire field meant to be working towards increasing security, rather than handing out fully functioning weapons?” ●  “The other point here is that anything that helps to expose how in-effective AV really is at stopping even a minimally sophisticated attacker is a good thing.” http://www.reddit.com/r/netsec/comments/1fc2xp/veil_a_metasploit_payload_generator_for_bypassing/
The Veil Framework Veil-Evasion
Veil-Evasion Features •  Can use Metasploit-generated or custom shellcode o  MSF payloads/options dynamically loaded •  Third party tools can be easily integrated o  Hyperion, PEScrambler, BackDoor Factory, etc. •  Command line switches to allow scriptability
Armitage Integration •  The veil_evasion.cna script allows for the graphical integration of Veil-Evasion into Armitage/Cobalt Strike •  Payloads can be generated and optionally substituted into all psexec calls seamlessly http://blog.strategiccyber.com/2012/08/03/cortana-real-time-collaborativehacking-with-bots/
Native Compilation Python: pyinstaller/py2exe C#: mono for .NET C: mingw32
Module Development •  Implement your own obfuscation methods •  Lots of reusable functionality o  Shellcode generation is abstracted and can be invoked as needed •  https://www.veil-framework.com/tutorial-veilpayload-development/
Am I Getting Caught? •  A running hash list of every payload generated is kept in ~/veil-output/hashes.txt •  Mubix’s vt-notify script* can alert us if a customer submits a Veil payload to virustotal.com *https://github.com/mubix/vt-notify
checkvt
Shellcode Injection •  Void pointer casting o  no guarantee the memory region is executable •  VirtualAlloc o  allocate memory as RWX, copy code in and create a thread •  HeapAlloc o  create a heap object and manually allocate memory
DEP and Pyinstaller •  Pyinstaller produced .exe’s are DEP enabled by default o  this ruins some shellcode injection methods •  Luckily Pyinstaller is open source o  we can recompile to turn off DEP opt-in •  https://www.veil-evasion.com/deppyinstaller/
Payload Releases #VDay
V-Day •  We release at least one new payload on the 15th of every month •  24 currently published payloads •  20+ additional payloads have been developed so far o  we’re going to be releasing for a while :)
Shellcodeless Stagers ●  Stage 1 Meterpreter loaders don’t have to be implemented in shellcode ●  Meterpreter stagers can be written in higherlevel languages ●  https://github.com/rsmudge/metasploitloader
Veil Stagers ●  The following are the stagers currently available in the framework: Language Stager C meterpreter/rev_tcp C meterpreter/rev_tcp_service C# meterpreter/rev_tcp python meterpreter/rev_tcp python meterpreter/rev_http python meterpreter/rev_https
Stager Basics How a Meterpreter stager works: 1) a tcp connection is opened to the handler 2) the handler sends back 4 bytes indicating the .dll size, and then transfers the .dll 3) the socket number for this tcp connection is pushed into the edi register 4) execution is passed to the .dll just like regular shellcode (void * or VirtualAlloc)
DEMO #1
Veil Framework Veil-Catapult
Veil-Catapult ●  Our payload delivery system ●  Features nice integration with Veil-Evasion for on-the-fly payload generation ●  Cleanup scripts generated for payload killing and deletion ●  Command line flags for every option
Veil-Catapult
.EXE Delivery ●  Users can invoke Veil-Evasion to generate a payload, or specify an existing .exe ●  Payloads are delivered in one of two ways: ○  ○  upload/execute using Impacket and pth-toolkit host/execute UNC path to the attacker’s box ●  UNC invocation gets otherwise detectable .EXEs right by some AVs (lol @MSE)
Standalone Payloads ●  Powershell: shellcode injector, bye bye disk writes ○  http://www.exploit-monday.com/2011/10/exploitingpowershells-features-not.html ●  Barebones python: uploads a minimal python installation to invoke shellcode (see: next slide) ●  Sethc backdoor: issues a registry command to set up the sticky-keys RDP backdoor
Barebones Python ●  Uploads a minimal python .zip installation and 7zip binary ●  Python environment unzipped, shellcode invoked using “-c …” ●  The only files that touch disk are trusted python libraries and a python interpreter ●  Gets right by reputation filters and antivirus!
DEMO #2
How to Stop Us #avlol
Predictable Behavior •  A lot of malware and Veil-Evasion payload behaviors are fairly predictable: o  o  Immediate reverse connection to a target RWX memory page allocation, binary code copying, thread creation, etc. •  A small set of APIs are usually used in a very specific and non-standard way
Ambush IPS •  An intrusion prevention system that allows for flexible rules to be written for API calls •  Rules can be written to stop Meterpreter stagers without affecting normal execution •  http://ambuships.com/
EMET •  Microsoft’s Enhanced Mitigation Experience Toolkit •  Has some mechanisms that stop the ability for an executable to inject shellcode •  Ruins powershell shellcode injection •  http://technet.microsoft.com/en-us/security/jj653751
Where to Find Veil •  Web: https://www.veil-framework.com •  Now in Kali! apt-get install veil •  Github: https://github.com/Veil-Framework/Veil/
Questions? •  harmj0y@veil-framework.com o  @harmj0y •  chris@veil-framework.com o  @ChrisTruncer •  shiv@veil-framework.com o  @TheMightyShiv

Recommended

PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0Michael Gough
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 

Recommended

PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization BlueHat Security Conference
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentTeymur Kheirkhabarov
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0Michael Gough
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter HimselfSergey Soldatov
 
[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇
[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇
[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇CODE BLUE
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the TorchWill Schroeder
 
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...CODE BLUE
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Password Cracking
Password Cracking Password Cracking
Password Cracking Sina Manavi
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingSagar Verma
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacksMichael Gough
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameAbhinav Mishra
 
0x003 - Exploiting LOLDrivers - Physical Memory Mayhem
0x003 - Exploiting LOLDrivers - Physical Memory Mayhem0x003 - Exploiting LOLDrivers - Physical Memory Mayhem
0x003 - Exploiting LOLDrivers - Physical Memory MayhemRussell Sanford
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-FrameworkVeilFramework
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreCTruncer
 

More Related Content

What's hot

[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇
[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇
[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇CODE BLUE
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Sagar M Parmar
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the TorchWill Schroeder
 
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...CODE BLUE
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueWill Schroeder
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the KingdomDennis Maldonado
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Password Cracking
Password Cracking Password Cracking
Password Cracking Sina Manavi
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Michael Gough
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkSqrrl
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingSagar Verma
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacksMichael Gough
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameAbhinav Mishra
 
0x003 - Exploiting LOLDrivers - Physical Memory Mayhem
0x003 - Exploiting LOLDrivers - Physical Memory Mayhem0x003 - Exploiting LOLDrivers - Physical Memory Mayhem
0x003 - Exploiting LOLDrivers - Physical Memory MayhemRussell Sanford
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration TestersNikhil Mittal
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 

What's hot (20)

A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇
[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇
[CB19] FileInsight-plugins: Decoding toolbox for malware analysis by 萬谷 暢崇
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static Analysis
 
Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17Bug bounty null_owasp_2k17
Bug bounty null_owasp_2k17
 
Derbycon - Passing the Torch
Derbycon - Passing the TorchDerbycon - Passing the Torch
Derbycon - Passing the Torch
 
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
PowerShell Inside Out: Applied .NET Hacking for Enhanced Visibility by Satosh...
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
Sticky Keys to the Kingdom
Sticky Keys to the KingdomSticky Keys to the Kingdom
Sticky Keys to the Kingdom
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Password Cracking
Password Cracking Password Cracking
Password Cracking
 
Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1Detecting WMI Exploitation v1.1
Detecting WMI Exploitation v1.1
 
How to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your NetworkHow to Hunt for Lateral Movement on Your Network
How to Hunt for Lateral Movement on Your Network
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
 
0x003 - Exploiting LOLDrivers - Physical Memory Mayhem
0x003 - Exploiting LOLDrivers - Physical Memory Mayhem0x003 - Exploiting LOLDrivers - Physical Memory Mayhem
0x003 - Exploiting LOLDrivers - Physical Memory Mayhem
 
PowerShell for Penetration Testers
PowerShell for Penetration TestersPowerShell for Penetration Testers
PowerShell for Penetration Testers
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And Countermeasures
 

Viewers also liked

A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreCTruncer
 
The Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofThe Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofCTruncer
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
 
Bringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusBringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusCTruncer
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil FrameworkVeilFramework
 
Higher Level Malware
Higher Level MalwareHigher Level Malware
Higher Level MalwareCTruncer
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!CTruncer
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0CTruncer
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your NetworkCTruncer
 
Pen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MorePen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MoreCTruncer
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into ItCTruncer
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationCTruncer
 
Pentester++
Pentester++Pentester++
Pentester++CTruncer
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationCTruncer
 
EyeWitness - A Web Application Triage Tool
EyeWitness - A Web Application Triage ToolEyeWitness - A Web Application Triage Tool
EyeWitness - A Web Application Triage ToolCTruncer
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingCTruncer
 

Viewers also liked (20)

The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-Framework
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
 
The Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofThe Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack Thereof
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the Wild
 
Bringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusBringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirus
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
Higher Level Malware
Higher Level MalwareHigher Level Malware
Higher Level Malware
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
 
AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0AntiVirus Evasion Reconstructed - Veil 3.0
AntiVirus Evasion Reconstructed - Veil 3.0
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your Network
 
Pen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MorePen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and More
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into It
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
 
Pentester++
Pentester++Pentester++
Pentester++
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data Exfiltration
 
Veil-Ordnance
Veil-OrdnanceVeil-Ordnance
Veil-Ordnance
 
EyeWitness - A Web Application Triage Tool
EyeWitness - A Web Application Triage ToolEyeWitness - A Web Application Triage Tool
EyeWitness - A Web Application Triage Tool
 
L2
L2L2
L2
 
The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while Persisting
 

Similar to AV Evasion with the Veil Framework

Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processesDavid Jorm
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsNetsparker
 
PowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity TopicsPowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity TopicsDev 010101
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Rooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDRooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDDaniel Garcia (a.k.a cr0hn)
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22MichaelM85042
 
Demystifying Binary Reverse Engineering - Pixels Camp
Demystifying Binary Reverse Engineering - Pixels CampDemystifying Binary Reverse Engineering - Pixels Camp
Demystifying Binary Reverse Engineering - Pixels CampAndré Baptista
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel securitysmart_bit
 
Dynamic Languages in Production: Progress and Open Challenges
Dynamic Languages in Production: Progress and Open ChallengesDynamic Languages in Production: Progress and Open Challenges
Dynamic Languages in Production: Progress and Open Challengesbcantrill
 
Reverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdfReverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdfAbdelrahmanShaban3
 
Deep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudDeep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudsparkfabrik
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...sparkfabrik
 
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Clark Everetts
 
Continuous Integration Step-by-step
Continuous Integration Step-by-stepContinuous Integration Step-by-step
Continuous Integration Step-by-stepMichelangelo van Dam
 

Similar to AV Evasion with the Veil Framework (20)

Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processes
 
Hacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass FirewallsHacking Vulnerable Websites to Bypass Firewalls
Hacking Vulnerable Websites to Bypass Firewalls
 
PowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity TopicsPowerShell Defcon for Cybersecurity Topics
PowerShell Defcon for Cybersecurity Topics
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Rooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDRooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CD
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
Demystifying Binary Reverse Engineering - Pixels Camp
Demystifying Binary Reverse Engineering - Pixels CampDemystifying Binary Reverse Engineering - Pixels Camp
Demystifying Binary Reverse Engineering - Pixels Camp
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel security
 
Dynamic Languages in Production: Progress and Open Challenges
Dynamic Languages in Production: Progress and Open ChallengesDynamic Languages in Production: Progress and Open Challenges
Dynamic Languages in Production: Progress and Open Challenges
 
Reverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdfReverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdf
 
Deep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloudDeep dive nella supply chain della nostra infrastruttura cloud
Deep dive nella supply chain della nostra infrastruttura cloud
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
 
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024Analysis of-quality-of-pkgs-in-packagist-univ-20171024
Analysis of-quality-of-pkgs-in-packagist-univ-20171024
 
Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020Sonatype DevSecOps Leadership forum 2020
Sonatype DevSecOps Leadership forum 2020
 
Continuous Integration Step-by-step
Continuous Integration Step-by-stepContinuous Integration Step-by-step
Continuous Integration Step-by-step
 

Recently uploaded

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

AV Evasion with the Veil Framework

  • 1. AV Evasion With the Veil Framework #avlol @HarmJ0y @ChrisTruncer @TheMightyShiv @VeilFramework
  • 2. @VeilFramework ●  Will Schroeder @HarmJ0y ○  Former national research lab keyboard monkey ●  Chris Truncer @ChrisTruncer ○  Florida State Graduate - Go Noles! ●  Michael Wright @TheMightyShiv ○  Pulled away on assessment : ( ●  Veris Group pentesters by day, antivirus evasion researchers by night
  • 3. Overview •  The Problem •  Public Reaction and Ethical Considerations •  The Veil Framework •  Payload Releases •  Veil-Evasion Demo •  Payload Delivery •  Veil-Catapult Demo •  How to stop us
  • 4. The Problem Antivirus can’t catch malware but does catch pentesters
  • 5. Our Solution •  A way to get around antivirus as easily as professional malware •  Don’t want to roll our own backdoor each time •  Find a way to execute existing shellcode in an av-evading way
  • 7. Veil-Evasion’s Approach •  Aggregation of various shellcode injection techniques across multiple languages o  These have been known and documented in other tools •  Focused on automation, usability, and developing a true framework •  Some shellcodeless Meterpreter stagers as well
  • 8. Ethical Considerations ●  The disclosure debate is not new... ●  Pentesters are 5+ years behind the professional malware community ●  This is already a problem the bad guys have solved
  • 9. HD Moore’s Take “The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won.” https://community.rapid7.com/community/metasploit/blog/2009/02/23/the-best-defense-is-information
  • 10. Our Take •  We chose the path of full public disclosure •  We want to help the security industry better emulate threats •  AV vendors can see our code!
  • 11. Public Reaction ●  “surely this will just result in 21 new signatures for all major AVs and then we're back to square one?” ●  “Isn't our entire field meant to be working towards increasing security, rather than handing out fully functioning weapons?” ●  “The other point here is that anything that helps to expose how in-effective AV really is at stopping even a minimally sophisticated attacker is a good thing.” http://www.reddit.com/r/netsec/comments/1fc2xp/veil_a_metasploit_payload_generator_for_bypassing/
  • 13. Veil-Evasion Features •  Can use Metasploit-generated or custom shellcode o  MSF payloads/options dynamically loaded •  Third party tools can be easily integrated o  Hyperion, PEScrambler, BackDoor Factory, etc. •  Command line switches to allow scriptability
  • 14. Armitage Integration •  The veil_evasion.cna script allows for the graphical integration of Veil-Evasion into Armitage/Cobalt Strike •  Payloads can be generated and optionally substituted into all psexec calls seamlessly http://blog.strategiccyber.com/2012/08/03/cortana-real-time-collaborativehacking-with-bots/
  • 15.
  • 17. Module Development •  Implement your own obfuscation methods •  Lots of reusable functionality o  Shellcode generation is abstracted and can be invoked as needed •  https://www.veil-framework.com/tutorial-veilpayload-development/
  • 18. Am I Getting Caught? •  A running hash list of every payload generated is kept in ~/veil-output/hashes.txt •  Mubix’s vt-notify script* can alert us if a customer submits a Veil payload to virustotal.com *https://github.com/mubix/vt-notify
  • 20. Shellcode Injection •  Void pointer casting o  no guarantee the memory region is executable •  VirtualAlloc o  allocate memory as RWX, copy code in and create a thread •  HeapAlloc o  create a heap object and manually allocate memory
  • 21. DEP and Pyinstaller •  Pyinstaller produced .exe’s are DEP enabled by default o  this ruins some shellcode injection methods •  Luckily Pyinstaller is open source o  we can recompile to turn off DEP opt-in •  https://www.veil-evasion.com/deppyinstaller/
  • 23. V-Day •  We release at least one new payload on the 15th of every month •  24 currently published payloads •  20+ additional payloads have been developed so far o  we’re going to be releasing for a while :)
  • 24. Shellcodeless Stagers ●  Stage 1 Meterpreter loaders don’t have to be implemented in shellcode ●  Meterpreter stagers can be written in higherlevel languages ●  https://github.com/rsmudge/metasploitloader
  • 25. Veil Stagers ●  The following are the stagers currently available in the framework: Language Stager C meterpreter/rev_tcp C meterpreter/rev_tcp_service C# meterpreter/rev_tcp python meterpreter/rev_tcp python meterpreter/rev_http python meterpreter/rev_https
  • 26. Stager Basics How a Meterpreter stager works: 1) a tcp connection is opened to the handler 2) the handler sends back 4 bytes indicating the .dll size, and then transfers the .dll 3) the socket number for this tcp connection is pushed into the edi register 4) execution is passed to the .dll just like regular shellcode (void * or VirtualAlloc)
  • 29. Veil-Catapult ●  Our payload delivery system ●  Features nice integration with Veil-Evasion for on-the-fly payload generation ●  Cleanup scripts generated for payload killing and deletion ●  Command line flags for every option
  • 31. .EXE Delivery ●  Users can invoke Veil-Evasion to generate a payload, or specify an existing .exe ●  Payloads are delivered in one of two ways: ○  ○  upload/execute using Impacket and pth-toolkit host/execute UNC path to the attacker’s box ●  UNC invocation gets otherwise detectable .EXEs right by some AVs (lol @MSE)
  • 32. Standalone Payloads ●  Powershell: shellcode injector, bye bye disk writes ○  http://www.exploit-monday.com/2011/10/exploitingpowershells-features-not.html ●  Barebones python: uploads a minimal python installation to invoke shellcode (see: next slide) ●  Sethc backdoor: issues a registry command to set up the sticky-keys RDP backdoor
  • 33. Barebones Python ●  Uploads a minimal python .zip installation and 7zip binary ●  Python environment unzipped, shellcode invoked using “-c …” ●  The only files that touch disk are trusted python libraries and a python interpreter ●  Gets right by reputation filters and antivirus!
  • 35. How to Stop Us #avlol
  • 36. Predictable Behavior •  A lot of malware and Veil-Evasion payload behaviors are fairly predictable: o  o  Immediate reverse connection to a target RWX memory page allocation, binary code copying, thread creation, etc. •  A small set of APIs are usually used in a very specific and non-standard way
  • 37. Ambush IPS •  An intrusion prevention system that allows for flexible rules to be written for API calls •  Rules can be written to stop Meterpreter stagers without affecting normal execution •  http://ambuships.com/
  • 38. EMET •  Microsoft’s Enhanced Mitigation Experience Toolkit •  Has some mechanisms that stop the ability for an executable to inject shellcode •  Ruins powershell shellcode injection •  http://technet.microsoft.com/en-us/security/jj653751
  • 39. Where to Find Veil •  Web: https://www.veil-framework.com •  Now in Kali! apt-get install veil •  Github: https://github.com/Veil-Framework/Veil/
  • 40. Questions? •  harmj0y@veil-framework.com o  @harmj0y •  chris@veil-framework.com o  @ChrisTruncer •  shiv@veil-framework.com o  @TheMightyShiv