SlideShare une entreprise Scribd logo

AntiVirus Evasion Reconstructed - Veil 3.0

C
CTruncer

This is the talk given at NullCon 2017. This talk give s history of the Veil Framework, and showcases the differences between 2.0 and the newly released 3.0. Veil 3.0 is released in this talk

Internet
1  sur  60
Télécharger pour lire hors ligne
Antivirus Evasion Reconstructed - Veil 3.0 @ChrisTruncer
Christopher Truncer Previous Sys Admin turned Red Red Team Lead Open Source Developer EyeWitness Veil Framework :)
What’s this talk about? ◈ Veil-Framework History ◈ Veil-Framework 2.0 ◈ Problems with Veil ◈ Veil-Framework 3.0 ⬥All the new stuff :) ◈ Public Release ◈ Questions
Veil - 1.0
The Inception ◈ The idea for Veil came after many pen tests ◈ The problem - time ◈ Will Schroeder and myself began developing different toolsets, and I released Veil ◈ First choice for developing payloads? ⬥Python
Veil 1.0 ◈ This was probably my second script, ever ◈ It was just one giant file ◈ Tons of random functions ◈ Easy for me to develop with, but probably no one else ◈ Not extensible, would be a pain to add new features
Veil 1.0 ◈ At this point, Will began combining both codebases ◈ We wanted a framework to allow drag and drop payloads ⬥Just create your own private module and the framework will pick it up! ◈ We wanted something that was easy to use and fast
Veil - 2.0
Veil 2.0 ◈ This is the Veil (Veil-Evasion) that everyone knows today ◈ Original Veil 2.0 didn’t include really any of our own research ⬥Why reinvent the wheel? ⬥We just packaged existing research into the framework ◈ But we slowly started to add our own flair
Veil 2.0 ◈ We largely wanted to focus on usability ⬥Seems funny, but it’s important ⬥If you can’t use it, then it’s worthless ◈ Included some of the basics such as: ⬥Tab completion ⬦Payloads ⬥Error checking ⬦Users….. :) ◈ Wanted to be able to easily help people
Veil 2.0 ◈ Veil was designed to be language agnostic ⬥Write payloads in any language we can! ◈ Currently support 7 different languages, plus native executables and auxiliary modules ⬥C, C#, Go, Perl, PowerShell, Python, and Ruby ◈ Anything that can access Windows functions can be used as a stager ◈ Built in native compilation everywhere we could
Problems I’ve Encountered
Shellcode and Metasploit ◈ Veil can generate shellcode for its payloads within the tool ⬥That whole usability thing… ◈ But Veil simply invokes msfvenom ⬥It’s not created within Veil ◈ This makes our life easier.. ◈ … until msfvenom gets updated...
Shellcode and Metasploit ◈ This happened one time early on after Veil 2.0’s release ⬥It completely broke Veil’s ability to receive/parse shellcode from msfvenom ◈ This was pretty easily fixed once we understood the new output format ⬥But it identified a problem ◈ We needed to remove complete reliance on msfvenom
Shellcode and Metasploit ◈ Doesn’t seem widely used, but it has its advantages for us ⬥I control the output, so no unforeseen changes ⬥It supports what we believe are the most widely used payloads ⬥It’s faster for use vs. using msfvenom ⬥Simply patching the shellcode allows for an immediate return of results
AV Trying to Signature Veil
AV Signature ◈ About a year after Veil 2.0’s release, we received word of a signature
Veil 3.0
Veil 3.0 ◈ Veil 3.0 has multiple changes in the tool when compared to version 2.0 ⬥First and foremost, Veil has been completely rewritten in Python 3 ⬥Python 3 is the way forward with using Python ⬥I did not want to refactor the code in Python 2 now, to need to update to Python 3 when Py2 is end-of-life (2020)
Veil 3.0 ◈ Refactoring the codebase while updating to Python 3 was a challenge ⬥It went beyond just changing print statements into functions ◈ Handling shellcode in Python 3 is completely different from Python 2 ◈ Creating a Python payload that injects shellcode into memory is different
Veil 2.0
Veil 3.0
Veil 2.0
Veil 3.0
Veil 3.0
Python 3 ◈ Why else did I choose Python3? ⬥I discovered some AntiVirus companies are trying to flag Veil Python payloads simply by the environment it was compiled in
Python 3 ◈ How did I determine this? ⬥Generated payload - caught ⬥Removed shellcode - caught ⬥Renamed CTypes - caught ⬥Commented Windows function calls - caught ⬦From 1 to all of them ⬥Deleted EVERYTHING and did a hello world program - ...take a guess...
Python 3
Python 3 ◈ Next… ⬥Use the same payload source code ⬥Copied it to Windows VM ⬥“Compiled” the Python code in Windows using Pyinstaller ⬥Scanned the new executable
Python 3
Python 3 ◈ Updating the version of Python used changes the environmental signature it was “compiled” in ◈ Easily bypass this detection method ◈ Try to get AV to go the smarter route and actually analyze the executable vs. develop poor signatures
Veil 3.0 Menu
Shellcode Generation ◈ MSFVenom is still available to generate shellcode ⬥Supports all of the payload built into MSF ⬥Still requires instantiating the “simple” framework object ◈ Veil-Ordnance is the default choice ⬥Quickly generate shellcode ⬥In the event msfvenom output changes again, this is a fallback (or use it by default :))
Ordnance Payloads ◈ Veil-Ordnance Payloads ⬥reverse_tcp ⬥reverse_http ⬥reverse_https ⬥reverse_tcp_dns ⬥reverse_tcp_all_ports ⬥bind_tcp
Ordnance Encoder ◈ Veil-Ordnance does have a single encoder ⬥Thanks to @sixdub ◈ This can be used when needing to avoid bad characters ◈ I’d love to have more encoders added into Ordnance ⬥Send any my way! :)
Veil 3.0 ◈ So… what else is new with Veil payloads?
Environmental Checks ◈ Nearly all payloads now have the ability to set pre-execution environmental checks ◈ Set just one, or all of the checks ◈ All checks need to pass in order for the payload to execute ⬥All or nothing ◈ Each check developed in its respective language
Environmental Checks ◈ Current supported environmental checks: ⬥Computer domain ⬥System hostname ⬥Payload expiration ⬥Number of processors ⬥Current username ◈ There’s room for more checks to be added in ⬥Want to find an easy way to contribute, add a new environmental check!
Environmental Checks ◈ These are here to try to combat a few things: ⬥Prevent analysis of the end payload by an automated malware analysis solution ⬥If payload is run in sandbox prior to execution, it will (hopefully) prevent malicious detection ⬥Allow the end user to create highly targeted malware
New Languages ◈ While we’re at it, let’s add two new languages ⬥AutoIt3 ⬥Lua ◈ Lua - currently generates source code ⬥Can’t do native compilation, yet ◈ AutoIt3 - Generates code and can be compiled within Linux
Future Work ◈ Add in additional environmental checks ◈ Always looking for new languages and payloads to support ◈ Additional encoders to Ordnance
Questions? ◈ Questions? ◈ Veil - https://github.com/Veil- Framework/Veil ◈ Get in touch! ⬥@ChrisTruncer ⬥@VeilFramework

Recommandé

The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingCTruncer
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-FrameworkVeilFramework
 
Higher Level Malware
Higher Level MalwareHigher Level Malware
Higher Level MalwareCTruncer
 
Pentester++
Pentester++Pentester++
Pentester++CTruncer
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreCTruncer
 
Veil-Ordnance
Veil-OrdnanceVeil-Ordnance
Veil-OrdnanceVeilFramework
 
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000CTruncer
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
 

Recommandé

The Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingThe Supporting Role of Antivirus Evasion while Persisting
The Supporting Role of Antivirus Evasion while PersistingCTruncer
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-FrameworkVeilFramework
 
Higher Level Malware
Higher Level MalwareHigher Level Malware
Higher Level MalwareCTruncer
 
Pentester++
Pentester++Pentester++
Pentester++CTruncer
 
A Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreA Battle Against the Industry - Beating Antivirus for Meterpreter and More
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreCTruncer
 
Veil-Ordnance
Veil-OrdnanceVeil-Ordnance
Veil-OrdnanceVeilFramework
 
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000
Windows 10 - Endpoint Security Improvements and the Implant Since Windows 2000CTruncer
 
Ever Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildEver Present Persistence - Established Footholds Seen in the Wild
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
 
Bringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusBringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusCTruncer
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil FrameworkVeilFramework
 
The Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofThe Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofCTruncer
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your NetworkCTruncer
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
CheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityCheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityBrandon Arvanaghi
 
CheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted MalwareCheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted MalwareBrandon Arvanaghi
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationCTruncer
 
Entomology 101
Entomology 101Entomology 101
Entomology 101snyff
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!CTruncer
 
Debugging NET Applications With WinDBG
Debugging NET Applications With WinDBGDebugging NET Applications With WinDBG
Debugging NET Applications With WinDBGCory Foy
 
Who’s afraid of WinDbg
Who’s afraid of WinDbgWho’s afraid of WinDbg
Who’s afraid of WinDbgDror Helper
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)RGKelley5
 
Snake bites : Python for Pentesters
Snake bites : Python for PentestersSnake bites : Python for Pentesters
Snake bites : Python for PentestersAnant Shrivastava
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?snyff
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010Chris Gates
 
0d1n
0d1n0d1n
0d1nAntonio Costa aka Cooler_
 
Mpeg guide
Mpeg guideMpeg guide
Mpeg guidekimsach
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned RightScale
 

Contenu connexe

Tendances

Bringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusBringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusCTruncer
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil FrameworkVeilFramework
 
The Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofThe Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofCTruncer
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your NetworkCTruncer
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
CheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityCheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityBrandon Arvanaghi
 
CheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted MalwareCheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted MalwareBrandon Arvanaghi
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationCTruncer
 
Entomology 101
Entomology 101Entomology 101
Entomology 101snyff
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!CTruncer
 
Debugging NET Applications With WinDBG
Debugging NET Applications With WinDBGDebugging NET Applications With WinDBG
Debugging NET Applications With WinDBGCory Foy
 
Who’s afraid of WinDbg
Who’s afraid of WinDbgWho’s afraid of WinDbg
Who’s afraid of WinDbgDror Helper
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)RGKelley5
 
Snake bites : Python for Pentesters
Snake bites : Python for PentestersSnake bites : Python for Pentesters
Snake bites : Python for PentestersAnant Shrivastava
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?snyff
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new blackChris Gates
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010Chris Gates
 

Tendances (20)

Bringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirusBringing Down the House - How One Python Script Ruled Over AntiVirus
Bringing Down the House - How One Python Script Ruled Over AntiVirus
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
The Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack ThereofThe Art of AV Evasion - Or Lack Thereof
The Art of AV Evasion - Or Lack Thereof
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your Network
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
CheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityCheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant Security
 
CheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted MalwareCheckPlease: Payload-Agnostic Targeted Malware
CheckPlease: Payload-Agnostic Targeted Malware
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data Exfiltration
 
Entomology 101
Entomology 101Entomology 101
Entomology 101
 
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!Passive Intelligence Gathering and Analytics - It's All Just Metadata!
Passive Intelligence Gathering and Analytics - It's All Just Metadata!
 
Debugging NET Applications With WinDBG
Debugging NET Applications With WinDBGDebugging NET Applications With WinDBG
Debugging NET Applications With WinDBG
 
Who’s afraid of WinDbg
Who’s afraid of WinDbgWho’s afraid of WinDbg
Who’s afraid of WinDbg
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)
 
Snake bites : Python for Pentesters
Snake bites : Python for PentestersSnake bites : Python for Pentesters
Snake bites : Python for Pentesters
 
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...
 
Jwt == insecurity?
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?
 
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010
 
0d1n
0d1n0d1n
0d1n
 

Similaire à AntiVirus Evasion Reconstructed - Veil 3.0

Mpeg guide
Mpeg guideMpeg guide
Mpeg guidekimsach
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned RightScale
 
Making kubernetes simple for developers
Making kubernetes simple for developersMaking kubernetes simple for developers
Making kubernetes simple for developersSuraj Deshmukh
 
codemotion-docker-2014
codemotion-docker-2014codemotion-docker-2014
codemotion-docker-2014Carlo Bonamico
 
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...DynamicInfraDays
 
Dev Environments: The Next Generation
Dev Environments: The Next GenerationDev Environments: The Next Generation
Dev Environments: The Next GenerationTravis Thieman
 
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Codemotion
 
G3 Summit 2016 - Dockerize your Grails!
G3 Summit 2016 - Dockerize your Grails!G3 Summit 2016 - Dockerize your Grails!
G3 Summit 2016 - Dockerize your Grails!Iván López Martín
 
Understanding and building Your Own Docker
Understanding and building Your Own DockerUnderstanding and building Your Own Docker
Understanding and building Your Own DockerMotiejus Jakštys
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docxstirlingvwriters
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?AFUP_Limoges
 
GR8Conf US 2017 - Dockerize your Grails!
GR8Conf US 2017 - Dockerize your Grails!GR8Conf US 2017 - Dockerize your Grails!
GR8Conf US 2017 - Dockerize your Grails!Iván López Martín
 
Os dev tool box
Os dev tool boxOs dev tool box
Os dev tool boxbpowell29a
 
Docker. Micro services for lazy developers
Docker. Micro services for lazy developersDocker. Micro services for lazy developers
Docker. Micro services for lazy developersEugene Krevenets
 
Dockerize your Symfony application - Symfony Live NYC 2014
Dockerize your Symfony application - Symfony Live NYC 2014Dockerize your Symfony application - Symfony Live NYC 2014
Dockerize your Symfony application - Symfony Live NYC 2014André Rømcke
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 

Similaire à AntiVirus Evasion Reconstructed - Veil 3.0 (20)

Mpeg guide
Mpeg guideMpeg guide
Mpeg guide
 
Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned Real-World Docker: 10 Things We've Learned
Real-World Docker: 10 Things We've Learned
 
Making kubernetes simple for developers
Making kubernetes simple for developersMaking kubernetes simple for developers
Making kubernetes simple for developers
 
codemotion-docker-2014
codemotion-docker-2014codemotion-docker-2014
codemotion-docker-2014
 
Greach 2016 dockerize your grails
Greach 2016 dockerize your grailsGreach 2016 dockerize your grails
Greach 2016 dockerize your grails
 
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
ContainerDays NYC 2015: "Easing Your Way Into Docker: Lessons From a Journey ...
 
Container Days
Container DaysContainer Days
Container Days
 
Dev Environments: The Next Generation
Dev Environments: The Next GenerationDev Environments: The Next Generation
Dev Environments: The Next Generation
 
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
G3 Summit 2016 - Dockerize your Grails!
G3 Summit 2016 - Dockerize your Grails!G3 Summit 2016 - Dockerize your Grails!
G3 Summit 2016 - Dockerize your Grails!
 
Understanding and building Your Own Docker
Understanding and building Your Own DockerUnderstanding and building Your Own Docker
Understanding and building Your Own Docker
 
Network and Internet Security.docx
Network and Internet Security.docxNetwork and Internet Security.docx
Network and Internet Security.docx
 
Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?Comment améliorer le quotidien des Développeurs PHP ?
Comment améliorer le quotidien des Développeurs PHP ?
 
GR8Conf US 2017 - Dockerize your Grails!
GR8Conf US 2017 - Dockerize your Grails!GR8Conf US 2017 - Dockerize your Grails!
GR8Conf US 2017 - Dockerize your Grails!
 
Os dev tool box
Os dev tool boxOs dev tool box
Os dev tool box
 
What is Docker
What is DockerWhat is Docker
What is Docker
 
Docker. Micro services for lazy developers
Docker. Micro services for lazy developersDocker. Micro services for lazy developers
Docker. Micro services for lazy developers
 
Dockerize your Symfony application - Symfony Live NYC 2014
Dockerize your Symfony application - Symfony Live NYC 2014Dockerize your Symfony application - Symfony Live NYC 2014
Dockerize your Symfony application - Symfony Live NYC 2014
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 

Plus de CTruncer

BlackHat USA 2019 - WMImplant: An Offensive Use Case of WMI
BlackHat USA 2019 - WMImplant: An Offensive Use Case of WMIBlackHat USA 2019 - WMImplant: An Offensive Use Case of WMI
BlackHat USA 2019 - WMImplant: An Offensive Use Case of WMICTruncer
 
Aggressive Autonomous Actions - Operating with Automation
Aggressive Autonomous Actions - Operating with AutomationAggressive Autonomous Actions - Operating with Automation
Aggressive Autonomous Actions - Operating with AutomationCTruncer
 
Pen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MorePen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MoreCTruncer
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into ItCTruncer
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationCTruncer
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing DevelopmentCTruncer
 
EyeWitness - A Web Application Triage Tool
EyeWitness - A Web Application Triage ToolEyeWitness - A Web Application Triage Tool
EyeWitness - A Web Application Triage ToolCTruncer
 

Plus de CTruncer (7)

BlackHat USA 2019 - WMImplant: An Offensive Use Case of WMI
BlackHat USA 2019 - WMImplant: An Offensive Use Case of WMIBlackHat USA 2019 - WMImplant: An Offensive Use Case of WMI
BlackHat USA 2019 - WMImplant: An Offensive Use Case of WMI
 
Aggressive Autonomous Actions - Operating with Automation
Aggressive Autonomous Actions - Operating with AutomationAggressive Autonomous Actions - Operating with Automation
Aggressive Autonomous Actions - Operating with Automation
 
Pen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and MorePen Testing, Red Teaming, and More
Pen Testing, Red Teaming, and More
 
Hacking - Breaking Into It
Hacking - Breaking Into ItHacking - Breaking Into It
Hacking - Breaking Into It
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
 
Pen Testing Development
Pen Testing DevelopmentPen Testing Development
Pen Testing Development
 
EyeWitness - A Web Application Triage Tool
EyeWitness - A Web Application Triage ToolEyeWitness - A Web Application Triage Tool
EyeWitness - A Web Application Triage Tool
 

Dernier

『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesLumiverse Solutions Pvt Ltd
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxNIMMANAGANTI RAMAKRISHNA
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 

Dernier (9)

『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best Practices
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptx
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 

AntiVirus Evasion Reconstructed - Veil 3.0

  • 2. Christopher Truncer Previous Sys Admin turned Red Red Team Lead Open Source Developer EyeWitness Veil Framework :)
  • 3. What’s this talk about? ◈ Veil-Framework History ◈ Veil-Framework 2.0 ◈ Problems with Veil ◈ Veil-Framework 3.0 ⬥All the new stuff :) ◈ Public Release ◈ Questions
  • 5. The Inception ◈ The idea for Veil came after many pen tests ◈ The problem - time ◈ Will Schroeder and myself began developing different toolsets, and I released Veil ◈ First choice for developing payloads? ⬥Python
  • 6.
  • 7. Veil 1.0 ◈ This was probably my second script, ever ◈ It was just one giant file ◈ Tons of random functions ◈ Easy for me to develop with, but probably no one else ◈ Not extensible, would be a pain to add new features
  • 8. Veil 1.0 ◈ At this point, Will began combining both codebases ◈ We wanted a framework to allow drag and drop payloads ⬥Just create your own private module and the framework will pick it up! ◈ We wanted something that was easy to use and fast
  • 10.
  • 11. Veil 2.0 ◈ This is the Veil (Veil-Evasion) that everyone knows today ◈ Original Veil 2.0 didn’t include really any of our own research ⬥Why reinvent the wheel? ⬥We just packaged existing research into the framework ◈ But we slowly started to add our own flair
  • 12. Veil 2.0 ◈ We largely wanted to focus on usability ⬥Seems funny, but it’s important ⬥If you can’t use it, then it’s worthless ◈ Included some of the basics such as: ⬥Tab completion ⬦Payloads ⬥Error checking ⬦Users….. :) ◈ Wanted to be able to easily help people
  • 13.
  • 14. Veil 2.0 ◈ Veil was designed to be language agnostic ⬥Write payloads in any language we can! ◈ Currently support 7 different languages, plus native executables and auxiliary modules ⬥C, C#, Go, Perl, PowerShell, Python, and Ruby ◈ Anything that can access Windows functions can be used as a stager ◈ Built in native compilation everywhere we could
  • 16. Shellcode and Metasploit ◈ Veil can generate shellcode for its payloads within the tool ⬥That whole usability thing… ◈ But Veil simply invokes msfvenom ⬥It’s not created within Veil ◈ This makes our life easier.. ◈ … until msfvenom gets updated...
  • 17. Shellcode and Metasploit ◈ This happened one time early on after Veil 2.0’s release ⬥It completely broke Veil’s ability to receive/parse shellcode from msfvenom ◈ This was pretty easily fixed once we understood the new output format ⬥But it identified a problem ◈ We needed to remove complete reliance on msfvenom
  • 18.
  • 19.
  • 20.
  • 21. Shellcode and Metasploit ◈ Doesn’t seem widely used, but it has its advantages for us ⬥I control the output, so no unforeseen changes ⬥It supports what we believe are the most widely used payloads ⬥It’s faster for use vs. using msfvenom ⬥Simply patching the shellcode allows for an immediate return of results
  • 22. AV Trying to Signature Veil
  • 23. AV Signature ◈ About a year after Veil 2.0’s release, we received word of a signature
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 33. Veil 3.0 ◈ Veil 3.0 has multiple changes in the tool when compared to version 2.0 ⬥First and foremost, Veil has been completely rewritten in Python 3 ⬥Python 3 is the way forward with using Python ⬥I did not want to refactor the code in Python 2 now, to need to update to Python 3 when Py2 is end-of-life (2020)
  • 34. Veil 3.0 ◈ Refactoring the codebase while updating to Python 3 was a challenge ⬥It went beyond just changing print statements into functions ◈ Handling shellcode in Python 3 is completely different from Python 2 ◈ Creating a Python payload that injects shellcode into memory is different
  • 40. Python 3 ◈ Why else did I choose Python3? ⬥I discovered some AntiVirus companies are trying to flag Veil Python payloads simply by the environment it was compiled in
  • 41. Python 3 ◈ How did I determine this? ⬥Generated payload - caught ⬥Removed shellcode - caught ⬥Renamed CTypes - caught ⬥Commented Windows function calls - caught ⬦From 1 to all of them ⬥Deleted EVERYTHING and did a hello world program - ...take a guess...
  • 43. Python 3 ◈ Next… ⬥Use the same payload source code ⬥Copied it to Windows VM ⬥“Compiled” the Python code in Windows using Pyinstaller ⬥Scanned the new executable
  • 45. Python 3 ◈ Updating the version of Python used changes the environmental signature it was “compiled” in ◈ Easily bypass this detection method ◈ Try to get AV to go the smarter route and actually analyze the executable vs. develop poor signatures
  • 47.
  • 48.
  • 49. Shellcode Generation ◈ MSFVenom is still available to generate shellcode ⬥Supports all of the payload built into MSF ⬥Still requires instantiating the “simple” framework object ◈ Veil-Ordnance is the default choice ⬥Quickly generate shellcode ⬥In the event msfvenom output changes again, this is a fallback (or use it by default :))
  • 50. Ordnance Payloads ◈ Veil-Ordnance Payloads ⬥reverse_tcp ⬥reverse_http ⬥reverse_https ⬥reverse_tcp_dns ⬥reverse_tcp_all_ports ⬥bind_tcp
  • 51. Ordnance Encoder ◈ Veil-Ordnance does have a single encoder ⬥Thanks to @sixdub ◈ This can be used when needing to avoid bad characters ◈ I’d love to have more encoders added into Ordnance ⬥Send any my way! :)
  • 52. Veil 3.0 ◈ So… what else is new with Veil payloads?
  • 53.
  • 54. Environmental Checks ◈ Nearly all payloads now have the ability to set pre-execution environmental checks ◈ Set just one, or all of the checks ◈ All checks need to pass in order for the payload to execute ⬥All or nothing ◈ Each check developed in its respective language
  • 55. Environmental Checks ◈ Current supported environmental checks: ⬥Computer domain ⬥System hostname ⬥Payload expiration ⬥Number of processors ⬥Current username ◈ There’s room for more checks to be added in ⬥Want to find an easy way to contribute, add a new environmental check!
  • 56. Environmental Checks ◈ These are here to try to combat a few things: ⬥Prevent analysis of the end payload by an automated malware analysis solution ⬥If payload is run in sandbox prior to execution, it will (hopefully) prevent malicious detection ⬥Allow the end user to create highly targeted malware
  • 57. New Languages ◈ While we’re at it, let’s add two new languages ⬥AutoIt3 ⬥Lua ◈ Lua - currently generates source code ⬥Can’t do native compilation, yet ◈ AutoIt3 - Generates code and can be compiled within Linux
  • 58.
  • 59. Future Work ◈ Add in additional environmental checks ◈ Always looking for new languages and payloads to support ◈ Additional encoders to Ordnance
  • 60. Questions? ◈ Questions? ◈ Veil - https://github.com/Veil- Framework/Veil ◈ Get in touch! ⬥@ChrisTruncer ⬥@VeilFramework