AntiVirus Evasion Reconstructed - Veil 3.0
Transcript of AntiVirus Evasion Reconstructed - Veil 3.0
![Page 1: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/1.jpg)
Antivirus Evasion Reconstructed -
Veil 3.0@ChrisTruncer
![Page 2: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/2.jpg)
Christopher TruncerPrevious Sys Admin turned Red
Red Team LeadOpen Source Developer
EyeWitnessVeil Framework :)
![Page 3: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/3.jpg)
What’s this talk about?◈ Veil-Framework History◈ Veil-Framework 2.0◈ Problems with Veil◈ Veil-Framework 3.0
⬥All the new stuff :)◈ Public Release◈ Questions
![Page 4: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/4.jpg)
Veil - 1.0
![Page 5: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/5.jpg)
The Inception◈ The idea for Veil came after many pen tests◈ The problem - time◈Will Schroeder and myself began developing
different toolsets, and I released Veil◈ First choice for developing payloads?
⬥Python
![Page 6: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/6.jpg)
![Page 7: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/7.jpg)
Veil 1.0◈ This was probably my second script, ever◈ It was just one giant file◈ Tons of random functions◈ Easy for me to develop with, but probably no
one else◈ Not extensible, would be a pain to add new
features
![Page 8: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/8.jpg)
Veil 1.0◈ At this point, Will began combining both
codebases◈We wanted a framework to allow drag and
drop payloads⬥ Just create your own private module and the
framework will pick it up!
◈We wanted something that was easy to use and fast
![Page 9: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/9.jpg)
Veil - 2.0
![Page 10: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/10.jpg)
![Page 11: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/11.jpg)
Veil 2.0◈ This is the Veil (Veil-Evasion) that everyone
knows today◈ Original Veil 2.0 didn’t include really any of
our own research⬥Why reinvent the wheel?⬥We just packaged existing research into the
framework
◈ But we slowly started to add our own flair
![Page 12: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/12.jpg)
Veil 2.0◈We largely wanted to focus on usability
⬥Seems funny, but it’s important⬥ If you can’t use it, then it’s worthless
◈ Included some of the basics such as:⬥Tab completion
⬦Payloads⬥Error checking
⬦Users….. :)
◈Wanted to be able to easily help people
![Page 13: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/13.jpg)
![Page 14: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/14.jpg)
Veil 2.0◈ Veil was designed to be language agnostic
⬥Write payloads in any language we can!
◈ Currently support 7 different languages, plus native executables and auxiliary modules
⬥C, C#, Go, Perl, PowerShell, Python, and Ruby
◈ Anything that can access Windows functions can be used as a stager◈ Built in native compilation everywhere we
could
![Page 15: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/15.jpg)
Problems I’ve Encountered
![Page 16: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/16.jpg)
Shellcode and Metasploit◈ Veil can generate shellcode for its payloads
within the tool⬥That whole usability thing…
◈ But Veil simply invokes msfvenom⬥ It’s not created within Veil
◈ This makes our life easier..◈ … until msfvenom gets updated...
![Page 17: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/17.jpg)
Shellcode and Metasploit◈ This happened one time early on after Veil
2.0’s release⬥ It completely broke Veil’s ability to receive/parse
shellcode from msfvenom
◈ This was pretty easily fixed once we understood the new output format
⬥But it identified a problem
◈We needed to remove complete reliance on msfvenom
![Page 18: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/18.jpg)
![Page 19: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/19.jpg)
![Page 20: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/20.jpg)
![Page 21: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/21.jpg)
Shellcode and Metasploit◈ Doesn’t seem widely used, but it has its
advantages for us⬥ I control the output, so no unforeseen changes⬥ It supports what we believe are the most widely
used payloads⬥ It’s faster for use vs. using msfvenom⬥Simply patching the shellcode allows for an
immediate return of results
![Page 22: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/22.jpg)
AV Trying to Signature Veil
![Page 23: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/23.jpg)
AV Signature◈ About a year after Veil 2.0’s release, we
received word of a signature
![Page 24: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/24.jpg)
![Page 25: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/25.jpg)
![Page 26: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/26.jpg)
![Page 27: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/27.jpg)
![Page 28: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/28.jpg)
![Page 29: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/29.jpg)
![Page 30: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/30.jpg)
![Page 31: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/31.jpg)
![Page 32: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/32.jpg)
Veil 3.0
![Page 33: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/33.jpg)
Veil 3.0◈ Veil 3.0 has multiple changes in the tool
when compared to version 2.0⬥First and foremost, Veil has been completely
rewritten in Python 3⬥Python 3 is the way forward with using Python⬥ I did not want to refactor the code in Python 2
now, to need to update to Python 3 when Py2 is end-of-life (2020)
![Page 34: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/34.jpg)
Veil 3.0◈ Refactoring the codebase while updating to
Python 3 was a challenge⬥ It went beyond just changing print statements
into functions
◈ Handling shellcode in Python 3 is completely different from Python 2◈ Creating a Python payload that injects
shellcode into memory is different
![Page 35: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/35.jpg)
Veil 2.0
![Page 36: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/36.jpg)
Veil 3.0
![Page 37: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/37.jpg)
Veil 2.0
![Page 38: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/38.jpg)
Veil 3.0
![Page 39: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/39.jpg)
Veil 3.0
![Page 40: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/40.jpg)
Python 3◈Why else did I choose Python3?
⬥ I discovered some AntiVirus companies are trying to flag Veil Python payloads simply by the environment it was compiled in
![Page 41: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/41.jpg)
Python 3◈ How did I determine this?
⬥Generated payload - caught⬥Removed shellcode - caught⬥Renamed CTypes - caught⬥Commented Windows function calls - caught
⬦From 1 to all of them⬥Deleted EVERYTHING and did a hello world
program - ...take a guess...
![Page 42: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/42.jpg)
Python 3
![Page 43: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/43.jpg)
Python 3◈ Next…
⬥Use the same payload source code⬥Copied it to Windows VM⬥ “Compiled” the Python code in Windows using
Pyinstaller⬥Scanned the new executable
![Page 44: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/44.jpg)
Python 3
![Page 45: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/45.jpg)
Python 3◈ Updating the version of Python used changes
the environmental signature it was “compiled” in
◈ Easily bypass this detection method◈ Try to get AV to go the smarter route and
actually analyze the executable vs. develop poor signatures
![Page 46: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/46.jpg)
Veil 3.0 Menu
![Page 47: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/47.jpg)
![Page 48: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/48.jpg)
![Page 49: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/49.jpg)
Shellcode Generation◈MSFVenom is still available to generate
shellcode⬥Supports all of the payload built into MSF⬥Still requires instantiating the “simple” framework
object
◈ Veil-Ordnance is the default choice⬥Quickly generate shellcode⬥ In the event msfvenom output changes again, this
is a fallback (or use it by default :))
![Page 50: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/50.jpg)
Ordnance Payloads◈ Veil-Ordnance Payloads
⬥reverse_tcp⬥reverse_http⬥reverse_https⬥reverse_tcp_dns⬥reverse_tcp_all_ports⬥bind_tcp
![Page 51: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/51.jpg)
Ordnance Encoder◈ Veil-Ordnance does have a single encoder
⬥Thanks to @sixdub
◈ This can be used when needing to avoid bad characters◈ I’d love to have more encoders added into
Ordnance⬥Send any my way! :)
![Page 52: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/52.jpg)
Veil 3.0◈ So… what else is new with Veil payloads?
![Page 53: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/53.jpg)
![Page 54: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/54.jpg)
Environmental Checks◈ Nearly all payloads now have the ability to
set pre-execution environmental checks◈ Set just one, or all of the checks◈ All checks need to pass in order for the
payload to execute⬥All or nothing
◈ Each check developed in its respective language
![Page 55: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/55.jpg)
Environmental Checks◈ Current supported environmental checks:
⬥Computer domain⬥System hostname⬥Payload expiration⬥Number of processors⬥Current username
◈ There’s room for more checks to be added in⬥Want to find an easy way to contribute, add a new
environmental check!
![Page 56: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/56.jpg)
Environmental Checks◈ These are here to try to combat a few things:
⬥Prevent analysis of the end payload by an automated malware analysis solution
⬥ If payload is run in sandbox prior to execution, it will (hopefully) prevent malicious detection
⬥Allow the end user to create highly targeted malware
![Page 57: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/57.jpg)
New Languages◈ While we’re at it, let’s add two new languages
⬥AutoIt3⬥Lua
◈ Lua - currently generates source code⬥Can’t do native compilation, yet
◈ AutoIt3 - Generates code and can be compiled within Linux
![Page 58: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/58.jpg)
![Page 59: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/59.jpg)
Future Work◈ Add in additional environmental checks◈ Always looking for new languages and
payloads to support◈ Additional encoders to Ordnance
![Page 60: AntiVirus Evasion Reconstructed - Veil 3.0](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ce7e2a1a28ab210a8b4f39/html5/thumbnails/60.jpg)
Questions?◈ Questions?◈ Veil - https://github.com/Veil-
Framework/Veil◈ Get in touch!
⬥@ChrisTruncer⬥@VeilFramework