Slipping your pen test past antivirus protection with Veil-Evasion
Through the Keyhole
Conclusion
Veil-Evasion is a pen-testing tool that offers a fast and easy means of slipping an attack past an antivirus scanner on the target system. You can use Veil-Evasion to create a randomized version of an exploit that is more likely to escape detection. Veil is heavily dependent on the tools and techniques of the Metasploit environment, so you'll have an easier time with Veil if you have some background in Metasploit.
If you're worried about a pen tester (or intruder) using Veil for an attack on you, be aware that Veil and other similar tools do have their limitations. See the box titled "Stopping Veil" for more on some protective measures.
Stopping Veil
A lot of malware and Veil-Evasion payload behaviors are fairly predictable:
- Immediate reverse connection to a target
- RWX memory page allocation, binary code copying, thread creation, etc.
Tools such as Veil-Evasion employ a small set of APIs in a very specific and non-standard way. A tool like Ambush IPS [5] allows you to write flexible rules for API calls. You can use Ambush or a similar tool to stop Meterpreter stagers without affecting normal execution.
Also, Microsoft's Enhanced Mitigation Experience Toolkit [6] has some mechanisms that stop an executable from injecting shellcode, thereby foiling PowerShell shellcode injection.
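The allocate, copy, start-thread behavior listed in this box can be written as a correlation rule over API-call telemetry. The following Python is an added example, not code from this article or from Ambush IPS; the event schema (`pid`, `api`, and the per-call fields) and the sample trace are constructed assumptions standing in for whatever an API-monitoring sensor emits.

```python
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40  # Windows memory-protection constants
PAGE_READWRITE = 0x04

# Constructed API-call trace (not captured data). Event field names are assumptions.
SAMPLE_EVENTS = [
    # Suspicious: RWX allocation, data copied in, thread started inside the region
    {"pid": 4120, "api": "VirtualAlloc", "ret": 0x2A0000, "size": 0x1000,
     "protect": PAGE_EXECUTE_READWRITE},
    {"pid": 4120, "api": "RtlMoveMemory", "dst": 0x2A0000, "length": 0x162},
    {"pid": 4120, "api": "CreateThread", "start": 0x2A0000},
    # Benign: RWX allocation, but the new thread starts in ordinary image code
    {"pid": 5300, "api": "VirtualAlloc", "ret": 0x500000, "size": 0x2000,
     "protect": PAGE_EXECUTE_READWRITE},
    {"pid": 5300, "api": "CreateThread", "start": 0x7FF600001000},
    # Benign: plain read-write buffer, never executable
    {"pid": 6001, "api": "VirtualAlloc", "ret": 0x900000, "size": 0x1000,
     "protect": PAGE_READWRITE},
    {"pid": 6001, "api": "RtlMoveMemory", "dst": 0x900000, "length": 0x40},
]


def find_rwx_thread_starts(events):
    """Alert when a process allocates RWX memory, writes into it, then starts a thread there."""
    regions = defaultdict(list)  # pid -> list of tracked RWX regions
    alerts = []
    for ev in events:
        pid, api = ev["pid"], ev["api"]
        if api == "VirtualAlloc" and ev["protect"] == PAGE_EXECUTE_READWRITE:
            regions[pid].append(
                {"base": ev["ret"], "end": ev["ret"] + ev["size"], "written": False})
        elif api == "RtlMoveMemory":
            for region in regions[pid]:
                if region["base"] <= ev["dst"] < region["end"]:
                    region["written"] = True  # code or data copied into the RWX page
        elif api == "CreateThread":
            for region in regions[pid]:
                # Only a thread whose entry point lies in a written RWX region is flagged
                if region["written"] and region["base"] <= ev["start"] < region["end"]:
                    alerts.append({"pid": pid, "region": region["base"],
                                   "thread_start": ev["start"]})
    return alerts


if __name__ == "__main__":
    for alert in find_rwx_thread_starts(SAMPLE_EVENTS):
        print("ALERT pid=%d thread starts in written RWX region 0x%X"
              % (alert["pid"], alert["region"]))
```

Requiring all three steps in order, within one process and one memory region, is what keeps the rule from firing on programs that merely allocate RWX memory or merely create threads.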
Infos
[1] Veil framework: https://www.veil-framework.com/
[2] Metasploit: https://www.metasploit.com/
[3] How Metasploit stagers work: https://www.veil-framework.com/veil-framework-2-2-0-release/
[4] Veil GitHub repositories: https://github.com/veil-evasion/Veil
[5] Ambush IPS: http://ambuships.com
[6] Microsoft Enhanced Mitigation Experience Toolkit: https://www.microsoft.com/en-us/download/details.aspx?id=50766