Christopher Truncer

Talk Title

Antivirus Evasion Reconstructed - Veil 3.0

Abstract

Since its initial release in May of 2013, the Veil Framework has been one of the go-to tools for bypassing antivirus. Veil didn’t contain anything groundbreaking, there were no 0-days, no previously unknown research. Since then, we’ve added our own take on new payloads but have always known a major update would be needed to the tool.

For this talk, I am going to start with the genesis of Veil, how it’s survived in it’s current 2.0 state, and walk through all the changes that were needed in the framework. The framework has received a complete restructure, including the payloads within it. The popular Python payloads have been completely rewritten to also support Python 3. Additionally, Veil generated executables can now require environmental variables in order to trigger the payload, allowing you to create highly targeted malware. I plan on releasing two brand-new languages within Veil, the newly developed Python 3.0 framework, support for environmental variables within Veil payloads, and conclude the presentation with the release of Veil 3.0.

Speaker Bio

Christopher Truncer (@ChrisTruncer) is a red teamer with Mandiant. He is a co-founder and current developer of the Veil-Framework, a project aimed to bridge the gap between advanced red team and penetration testing toolsets, EyeWitness, Just-Metadata, Egress-Assess, and more. Chris began developing toolsets that are not only designed for the offensive community, but can enhance the defensive community's ability to defend their network as well.