Bypassing On-disk Detection With Veil-Catapult

Say you’re on an internal pentest for a client, and the backdoor .exe you’ve been using has suddenly been snatched up by some antivirus solution. You’re short on time, you haven’t heard of Veil-Evasion, and you really need access. Are you toast, or is there some other option?

There still might be hope. One of the techniques released with Veil-Catapult at Shmoocon 2014 is the host-and-UNC-invoke approach. Choose the [h]ost method when prompted and enter your local IP (tab-completable) so the target machines know where to reach back to:

catapult_host_launch

We use the Impacket library to throw up a temporary SMB server to host an .EXE, and then issue a pth-wmis or pth-winexe command that invokes a command with a \\UNC path back to our attacker box. This will load the payload executable into memory without touching disk, allowing otherwise disk-detectable executables to bypass detection:

catapult_host_execute

One interesting note we discovered when working with this technique: you can use this to get some otherwise disk-detectable executables past some solutions, but not all. Microsoft Security Essentials will detect a stock-generated msfvenom executable executed-in-memory using host/execute but not other disk-detectable methods (like c/shellcode_inject/void):

mse

More evidence that AV vendors are trying to block pentesting tools without actually doing the correct behavioral detection.

#avlol :)

Leave a Reply