0P3N Blog Blog Post

Antivirus Evading Payloads: An Introduction to Veil-Evasion

By: gazzwalker
February 2, 2017
Estimated reading time: 2 minutesHi All,The following article is intended as a brief introduction to the Veil-Evasion tool. This is part of the Veil-Framework was created by Chris Truncer. The Evasion tool is used to generate a range of different payloads with the ability to circumvent standard endpoint antivirus. Similar to polymorphic malware, Veil-Evasion creates a unique payload for which no signature should exist and can, therefore evade anti-virus. This gives it a distinct advantage over other payload generators. The following example provides a brief overview of generating a payload.* Vail-Evasion is available from; https://github.com/Veil-Framework/Veil-Evasion *Step 1. Once installed on Kali launch Veil-Evasion by running Veil-Evasion.py”. Image 1Step 2. Select a payload by entering its associated number (use "list" to view all options).Image 2For this example, option 6 [ c/meterpreter/rev_tcp ] was used.Step 3. Configure the payload with the appropriate parameters (the CLI is similar to Metasploit).Image 3To view the configuration use "info".Step 4. Generate the payload using "generate" and pressing enter. You will then be prompted to name the output.Image 4.1The tool will then provide a summary of the payload you have generated.Image 4.2Step 5. Concurrently prepare a Meterpreter session for incoming connections using the appropriate information.Image 5Step 6. Deliver the payload contained in "usr/share/veil-output/compiled" per your chosen attack vector. For this example, Cybrary_example was simply copied onto the victim machine’s desktop. The below screenshot shows a scan using Windows Defender that detected nothing malicious in the payload.

Image 6

Step 7. Once the malicious .exe is run by the victim a reverse shell from the TOE is established with the attacking machine.The Meterpreter session then provides a beachhead for launching further exploits.Image 7The above example shows how easily an effective malicious payload can be generated using Veil-Evasion. I strongly recommend investigating the tool for yourself. There is an extensive range of payloads and functions available that this article only touches on. Once more it is worth noting Veil-Evasion’s biggest strength, is the ability to circumvent anti-virus software. Coupled with a good delivery mechanism Veil-Evasion is a worthy edition to any PenTester’s arsenal. I hope you found this article informative and thank you for reading. This is my first post so any constructive criticism or comments are welcome.This article is intended purely for academic purposes. Neither the author nor Cybrary endorses or takes responsibility for the malicious use of the Veil-Framework. 

Build your Cybersecurity or IT Career

Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry