The Veil-Evasion tool that ships with Kali Linux helps create payloads capable of bypassing antivirus products. In this tutorial we are going to create a PowerShell payload with Veil and then embed it into an Excel document, testing it in an environment protected by MS Firewall, MS Defender and an antivirus tool with dynamic analysis options turned on. Let’s dive in:
First run the following command to start Veil:
On the next screen, type “list” to see the available payloads:
Here type “25” to select “powershell/shellcode_inject/virtual” option. Then type “generate” to prepare the payload:
Generating the payload is quite straightforward. Go with the default options and type the IP and port of your attacking machine:
Once the payload is generated, two files of interest are created: the payload file and the handler file:
Okay, open the generated payload file in your favorite editor: /var/lib/veil-evasion/output/source/payload.bat
Then copy the PowerShell command section as shown below:
Let’s save it as input.bat, as below:
To be able to use this PowerShell command from a document, we need to convert it into VBS format (Visual Basic, the macro language of MS Office documents).
I used the safe_macro.py script by khi@sh. You can reach the code here. (I had to comment out lines 54 and 55 to run the code in my case.)
Then you can copy and paste the generated code into your malicious Office document as a macro. That’s it, you’re done.
Now you can start your listener handler with the following command and wait for your victim to open the document:
msfconsole -r /var/lib/veil-evasion/output/handlers/payload_handler.rc
Your Meterpreter session runs in the background. To interact with it, just type “sessions -i 1”.
As you can see, with a very straightforward technique it is possible to bypass most antivirus products and other mitigations. There are countless attack and exploitation vectors, and traditional defense mechanisms are clearly incapable of handling all of them.
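From the defender’s side, the macro built above still has static traits that signature-free AV misses but a simple scan of the macro source catches: an auto-execute entry point, a Shell call, a hidden PowerShell window and a base64/UTF-16LE encoded command. The following Python script is an added example (not part of this tutorial or of Veil); the sample macro and the indicator lists are constructed for illustration, and the encoded command in it only prints a string.

```python
import base64
import re

# Constructed, benign sample resembling a macro that launches an encoded
# PowerShell command (not the tutorial's payload; the command only prints text).
BENIGN_COMMAND = "Write-Host 'constructed benign sample'"
SAMPLE_MACRO = """\
Sub Workbook_Open()
    Dim s As String
    s = "powershell -NoP -NonI -W Hidden -Exec Bypass -Enc {b64}"
    Shell s, vbHide
End Sub
""".format(b64=base64.b64encode(BENIGN_COMMAND.encode("utf-16-le")).decode())

# Traits checked in the macro source text (all matched case-insensitively).
MACRO_INDICATORS = {
    "auto_exec": r"\b(AutoOpen|Auto_Open|Workbook_Open|Document_Open)\b",
    "shell_call": r"\bShell\b|WScript\.Shell",
    "powershell": r"\bpowershell\b",
    "hidden_window": r"-w(indowstyle)?\s+hidden",
    "exec_bypass": r"-exec(utionpolicy)?\s+bypass",
    "noprofile": r"-nop(rofile)?\b",
}
ENCODED_RE = re.compile(r"-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Traits checked in the decoded command (assumed list: in-memory injection stagers
# allocate memory and start a thread; not taken from the page).
DECODED_INDICATORS = ("virtualalloc", "createthread", "dllimport", "iex", "invoke-expression")


def decode_encoded_command(macro_text):
    """Return the -EncodedCommand argument decoded from base64/UTF-16LE, or None."""
    m = ENCODED_RE.search(macro_text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_macro(macro_text):
    """Score macro source text; returns per-indicator hits, the decoded command and a score."""
    hits = {name: bool(re.search(pat, macro_text, re.I)) for name, pat in MACRO_INDICATORS.items()}
    decoded = decode_encoded_command(macro_text)
    hits["encoded_command"] = decoded is not None
    hits["decoded_command"] = decoded
    hits["decoded_indicators"] = [k for k in DECODED_INDICATORS if decoded and k in decoded.lower()]
    hits["score"] = sum(hits[k] for k in MACRO_INDICATORS) + hits["encoded_command"] + len(hits["decoded_indicators"])
    return hits
```

Run scan_macro on macro source extracted from a document (for example with an OLE/VBA extraction tool) and treat a high score, or any decoded-command indicator, as grounds for quarantine and review.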
Here I want to introduce you to a next-generation endpoint security tool: Trapmine. Trapmine hunts for exploit-like behaviors and catches malicious activity. Below you can see how it catches the same macro exploit we developed here, embedded in a Word document:
You can learn about Trapmine here.