Slipping your pen test past antivirus protection with Veil-Evasion

Conclusion

Veil-Evasion is a pen-testing tool that offers a fast and easy means of slipping an attack past an antivirus scanner on the target system. You can use Veil-Evasion to create a randomized version of an exploit that is more likely to escape detection. Veil is heavily dependent on the tools and techniques of the Metasploit environment, so you'll have an easier time with Veil if you have some background in Metasploit.

If you're worried about a pen tester (or intruder) using Veil for an attack on you, be aware that Veil and other similar tools do have their limitations. See the box titled "Stopping Veil" for more on some protective measures.

Stopping Veil

A lot of malware and Veil-Evasion payload behaviors are fairly predictable:

  • Immediate reverse connection to a target
  • RWX memory page allocation, binary code copying, thread creation, etc.

Tools such as Veil-Evasion employ a small set of APIs in a very specific and non-standard way. A tool like Ambush IPS [5] allows you to write flexible rules for API calls. You can use Ambush or a similar tool to stop Meterpreter stagers without affecting normal execution.

Also, Microsoft's Enhanced Mitigation Experience Toolkit (EMET) [6] has mechanisms that stop an executable from injecting shellcode, thereby foiling PowerShell shellcode injection.
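As an added example (not code from the article, from Veil, or from Ambush), the following Python sketch shows the kind of API-sequence rule the box describes: it scans a constructed per-process trace of API calls for RWX allocation, a copy into that region, a thread started there, and an immediate outbound connection. The event format, the API names and the trace are assumptions for the demonstration.

```python
from dataclasses import dataclass

PAGE_EXECUTE_READWRITE = 0x40  # Windows memory-protection constant for RWX pages


@dataclass
class ApiEvent:
    """One hooked API call from a process trace (assumed format)."""
    pid: int
    api: str
    args: dict


def find_stager_pattern(events, window=10):
    """Return PIDs whose trace shows alloc-RWX -> copy -> thread -> connect
    within `window` consecutive calls, in that order. A process that
    allocates RWX memory (e.g. a JIT) but never connects out is not flagged."""
    by_pid = {}
    for ev in events:
        by_pid.setdefault(ev.pid, []).append(ev)
    hits = set()
    for pid, trace in by_pid.items():
        for start in range(len(trace)):
            stage, rwx = 0, None
            for ev in trace[start:start + window]:
                if stage == 0 and ev.api == "VirtualAlloc" \
                        and ev.args.get("protect") == PAGE_EXECUTE_READWRITE:
                    rwx, stage = ev.args.get("ret"), 1
                elif stage == 1 and ev.api == "RtlMoveMemory" and ev.args.get("dst") == rwx:
                    stage = 2
                elif stage == 2 and ev.api == "CreateThread" and ev.args.get("start") == rwx:
                    stage = 3
                elif stage == 3 and ev.api == "connect":
                    hits.add(pid)
                    break
            if pid in hits:
                break
    return sorted(hits)


# Constructed sample trace: PID 42 is a benign JIT, PID 1234 behaves like a stager.
SAMPLE = [
    ApiEvent(42, "VirtualAlloc", {"protect": PAGE_EXECUTE_READWRITE, "ret": 0x10000}),
    ApiEvent(42, "RtlMoveMemory", {"dst": 0x10000}),
    ApiEvent(42, "CreateThread", {"start": 0x10000}),
    ApiEvent(1234, "VirtualAlloc", {"protect": PAGE_EXECUTE_READWRITE, "ret": 0x20000}),
    ApiEvent(1234, "RtlMoveMemory", {"dst": 0x20000}),
    ApiEvent(1234, "CreateThread", {"start": 0x20000}),
    ApiEvent(1234, "connect", {"addr": "203.0.113.5:4444"}),
]

if __name__ == "__main__":
    print(find_stager_pattern(SAMPLE))  # [1234]
```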

Infos

  1. Veil framework: https://www.veil-framework.com/
  2. Metasploit: https://www.metasploit.com/
  3. How Metasploit stagers work: https://www.veil-framework.com/veil-framework-2-2-0-release/
  4. Veil GitHub repositories: https://github.com/veil-evasion/Veil
  5. Ambush IPS: http://ambuships.com
  6. Microsoft Enhanced Mitigation Experience Toolkit: https://www.microsoft.com/en-us/download/details.aspx?id=50766
