Adventures in Asymmetric Warfare: Fighting the AV Vendors

Presented at BSidesDC 2014, Oct. 19, 2014, 2:30 p.m. (50 minutes)

As a co-founder and principal developer of the Veil-Framework, the speaker has spent a considerable amount of time over the past year and a half researching AV-evasion techniques. This talk will briefly cover the problem space of antivirus detection, as well as the reaction to the initial release of Veil-Evasion, a tool for generating AV-evading executables that implements much of the speaker’s research. We will trace through the evolution of the obfuscation techniques utilized by Veil-Evasion’s generation methods, including the recent release of an entirely new payload language and .NET encryptor. The talk will conclude with some basic static analysis of several Veil-Evasion payload families, showing once and for all that antivirus static signature detection is dead.


  • Will Schroeder / @harmj0y - Associate at Veris Group, LLC
    Will Schroeder (@harmj0y) is a security researcher and pentester/red-teamer for the Adaptive Threat Division of Veris Group, and is one of the co-founders and active developers of the Veil-Framework. Will presented at ShmooCon ’14 on AV-evasion and custom payload delivery methods utilizing tools he developed, Veil-Evasion and Veil-Catapult. He has presented at various BSides events on the Cortana attack scripting language and obfuscated PyInstaller loaders, and presented at DEF CON ’14 on Veil-Pillage, a post-exploitation framework. He is also the author of Veil-PowerView and PowerUp, PowerShell tools for Windows domain situational awareness and privilege escalation. A current NovaHacker and former national lab security researcher, he is happy to finally be in the private sector.