Most pentest firms have their own methods of antivirus evasion, and most firms tend to keep these close to the chest to maximize the window of effectiveness. It should come as no surprise to anyone that Veil’s codebase was kept private for several months, until a series of internal debates led us to release the project. We ultimately agreed that sharing information with the public community was the best course of action.
Some people have argued against sharing these kinds of techniques. We fundamentally disagree, and feel that public information sharing is a good thing. Think of how much further along we all are because of the Metasploit project; think of the improved defenses we have because people have publicly shared exploit techniques; think of how much more effective our industry has become at emulating true threats after sharing awesome techniques at major conferences. To channel HD Moore, “In this case, like many others, the bad guys already won.” The best defense is information, and as a community it’s in our best interest to share these techniques and promote progress.
On the flip side of the coin, we’re giving this effort to the community with the full knowledge that it will likely diminish the effective window of these techniques that we ourselves use on assessments. We say, bring it on. We’re trying to push things forward, and we hope that others will join the fight for the good of the community. Our primary goal is to help penetration testers more effectively simulate threats by minimizing the time spent on getting around particular antivirus solutions. And we have enough exciting stuff to release over the next year that we hope AV won’t be a problem anytime soon.