AV Evasion With the Veil Framework

Chris Truncer & Will Schroeder

Wed, 3rd September 2014


Speaker Bio 1:
Chris Truncer
Chris Truncer (@ChrisTruncer) is a penetration testing lead at Veris Group, LLC, where he leads a variety of penetration tests and red team exercises for Federal and commercial customers. He has presented at Shmoocon and CarolinaCon, and will be presenting at BSidesAugusta. His specialties include penetration testing, post-exploitation, specialized technical assessments, and developing focused training for specific aspects of security assessments. Chris is a developer of the Veil Framework (an open-source red team tool suite), EyeWitness, and a variety of other hacker tools.

Speaker Bio 2:
Will Schroeder
Will Schroeder (@harmj0y) is a security researcher and pen-tester/red-teamer for the Adaptive Threat Division of Veris Group, and is one of the co-founders and active developers of the Veil-Framework. He has presented at Shmoocon, CarolinaCon, Defcon, and various BSides events on topics ranging from AV evasion to post-exploitation, offensive PowerShell, and more. A former national lab security researcher, he is happy to finally be in the private sector.

Learning Objectives:

Chris & Will will explain:

  • How the Veil-Framework, an open source project, aims to bridge the gap between pen-testing and red team toolsets.
  • Veil-Evasion, a tool within the framework which generates AV-evading payload executables.
  • A number of other useful and effective tools within the framework, including Veil-Catapult, Veil-PowerView and Veil-Pillage.
  • Why the Veil-Framework will push forward what’s possible in pen testing.

Questions and answers

Max, Concise Courses:

Any thoughts on getting your tool into Kali Linux as standard? I know that you can install it via the command line… right?

Chris & Will:
The recommended way to install Veil is to get it from our GitHub repo and clone it. It is currently in the Kali repos; however, it is an old, out-of-date version. The reason for that is that although the guys from Offensive Security are awesome, they have to maintain these giant repos with tons of tools, and the issue you have with that is that every time a tool is updated there is not currently an automated process to get the actual, up-to-date, latest version of the tool.

We have to submit a bug report every single time we have a new version. The problem with our tools is that Veil is updated every single month, which we try to do every four months or so.

You can also use the built-in update function within Veil, and that will actually ensure that it is up to date if you clone it from our repo, so that is the best way, and the one we recommend.

Max, Concise Courses:

How did you guys even come up with the idea of building a pentesting/hacking tool? Did it spawn from a conversation?

Chris & Will:
We had been on a pentest for four or five days, and all these techniques and stuff [penetration testing] we had been doing manually, and we realized that we would always get past AV, but sometimes we had to spend an entire day trying to hand-roll an old bypass method, so all of a sudden we got thinking about organizing an automated way of doing this.

The code base was actually private for about four or five months between us, and after a lot of discussion between us we realized that there was a need for this, and ethically (we have a whole section on this in our Shmoocon presentation), because all these techniques are out there and being used by black hats, we are happy to release the tool and bring some attention [to our research]. This is a problem that the bad guys have already solved. I think we both agree that the white hat community, and the security community in general, should have the same capabilities as the black hat world, especially if you are trying to emulate those threat actors out there.

We wanted to make sure that everyone could do that, and it wasn’t that hard. We had no idea what we were doing when we started, and within a few months we had half a functioning framework and a bunch of bypass techniques. We are not geniuses; we started from scratch, and anyone can do this.

Max, Concise Courses:

Is Veil written in Python? And if so, why did you choose Python?

Chris & Will:
We were both writing different tools before we merged our code bases. We did start in Python, and the real reason we started with it was that it was the only language that I knew at the time.

If you use Kali Linux, or BackTrack at the time, we knew that was going to be the main attack platform, so we thought we could write it in Bash or Ruby, but most security tools are written in Python, and that was what I was most comfortable with. The only hacking tool that I can think of that is not written in Python is Metasploit.

Max, Concise Courses:

What did you find most surprising about bypassing AV? Which firewalls or AV programs were the worst in your opinion, and why?

Chris & Will:
We don’t focus on testing everything. We don’t have a farm. We used to think that MSE was good, but I don’t think so anymore. The most surprising thing to me was how easy this was.

You can take a lot of super basic techniques that people have written for C payloads, and literally just by changing the language to Python, all of a sudden it bypassed the AV. There were 8 or 9 ways to bypass AV just by doing a little bit of obfuscation and things like that. People have been doing this for a long time; it’s just that people tended not to talk about it, because it was your ‘secret sauce’ and it didn’t make sense to tell everybody how you were doing your AV bypass.

What is heartening to us is that our tool has been out there a while and most of these techniques are still very effective.

Max, Concise Courses:

As you know, Concise Courses has a keen focus on education, either via Hacker Hotshot events or, in some cases, Continuing Education. What advice would you give to someone watching this who wants to become a penetration tester, in regards to the career path you have taken? Is there a particular certificate, educational experience or course that you have taken that you would recommend for somebody who looks at you and wants to have a similar career?

Chris & Will:
I came from a server/admin background, and I think that really helped. In my opinion there are really only two paths that make pentesting an ‘easier job’: if you come from an admin background, like servers, networking etc., or from the development side. I am a little weaker on the development side, and I have been working to learn, but the admin background has really helped as we have been doing pentests on systems. When we are on servers I am familiar with them, I understand how they work, and I certainly know the things to look for that could be security issues. So that sort of background for me, i.e. having that sysadmin experience, really helped me be a better pentester.

I came from a CS background. I have been programming since I was 13, so that made me strong in some areas, but I am weaker on the server side, as discussed. For me, breaking into cyber security, I went through the more formal route, so undergrad, computer science and that type of stuff, and I worked at a couple of Federal research centres. What really helped, though, was the Pentesting With Kali course run by Offensive Security. I put a couple of hundred dollars into their program, and that is where it really began to take off for me with the offensive mindset. For those that aren’t aware, you have to compromise several machines in a short period, and it is extremely difficult, but if you put the time in and do it, you’ll pass.

The biggest thing that I think people underestimate is the amount of time that you have to put into this if you want to be good. We put an enormous amount of time outside of work hours into our work. If you have the passion for it and you really want to do this, doing stuff like Open Security Training or the OSCP labs etc. takes a lot of time, but it doesn’t really feel like work to us.

We have labs on our work computers at home. Anything you can do to test techniques is recommended. It is a field [information security] where you are always going to be learning, and if you are not learning then you will fall behind.