SANS Penetration Testing: Category - Anti-Virus Evasion


Winners of the SANS Spectacular Pen Test Video Contest

Ladies and gentlemen, boys and girls, friends, Romans, and countrymen,

I'm delighted to announce the winners of our SANS Spectacular Pen Test Video Contest. Back in January and February, we asked folks to channel their creativity to share some great tips, insights, techniques, and inspiration with other penetration testers. You can read the contest description here.

We got some FANTASTIC entries, and we'd like to thank all who participated. Entries included numerous great technical tips, interesting "acting", noble attempts at humor, and even one Rick Roll, naturally.

So, without further ado (thanks, Ted, for your gracious input), let's announce the winners (click on each picture to see the video). We'll announce the victors in our four categories first, and then select from among them for the GRAND prize winner.

First up, our


Pen-Test-A-Go-Go: Integrating Mobile and Network Attacks for In-Depth Pwnage

Josh Wright and I presented a webcast a few months back that is chock full of useful pen testing techniques from the mobile and network arenas. Based on the new SANS course, SEC561: Intense Hands-on Skill Development for Pen Testers, this webcast covers numerous useful techniques, such as:

  • Exploiting and automating data harvesting from iOS devices

  • Extracting stored secrets from iTunes backups

  • Effective Anti-Virus evasion with Veil

  • Windows host compromise and privilege escalation, along with UAC bypass

The slides below cover all the tools and techniques for doing all that great stuff, and more.

The SANS SEC561 course is 80% hands-on skill development, showing how security personnel such as penetration testers, vulnerability assessment personnel, and auditors can leverage in-depth techniques to


What I Got for Christmas: Polymorphic Blog Spam Comment Vomited on My Site

by Ed Skoudis

Hope you had a great holiday! I got an unexpected nice gift for the holidays on one of my blogs. Below, you'll see a comment that was submitted to the SANS Pen Test Blog, which I run. As you can see, it is one of those lame pseudo-comments sent in as link-bait for search engines and other nefarious purposes. I get a few of these a week, and our anti-blog-spam filter catches most of them.

What makes this one special is that the automated tool that barfed it into my blog didn't choose from each grouping of different options; instead, it shot up ALL options for every variation of this blog spam. You can see, by selecting at random from each grouping, untold thousands of combinations are possible. But, with this errant blog spam shot, I've got all potential combinations here. It's almost silly how many different combinations there are, and how each one tries to be super polite. You gotta read through them for a little
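To make the combinatorics concrete, here is an added example (not code from Ed's post, and not the actual spam comment) that works through a template in the `{option|option}` "spinning" syntax that comment-spam tools commonly use. The post does not show the tool's template format, so that syntax and the sample text are assumptions. The example counts how many distinct comments one small template can produce, expands them all, and builds a regular expression that matches any variant, which is the piece a blog-spam filter would actually want.

```python
import itertools
import re

# Constructed sample template in the {a|b|c} style (an assumption about the
# spammer's tool; the real comment from the post is not reproduced here).
SAMPLE_TEMPLATE = (
    "{Hi|Hello|Greetings}, {great|excellent|wonderful} {post|article}! "
    "{I|We} {really|truly} {enjoyed|loved} {it|reading it}. "
    "{Thanks|Thank you} for sharing."
)

# One group of alternatives; nested groups are not handled by this pattern.
GROUP = re.compile(r"\{([^{}]*)\}")


def split_template(template):
    """Split a template into parts; each part is a list of alternatives.

    Literal text between groups becomes a single-option part, so the whole
    template can be handled uniformly as a product of choices.
    """
    parts = []
    pos = 0
    for m in GROUP.finditer(template):
        if m.start() > pos:
            parts.append([template[pos:m.start()]])
        parts.append(m.group(1).split("|"))
        pos = m.end()
    if pos < len(template):
        parts.append([template[pos:]])
    return parts


def count_variants(template):
    """Number of distinct comments the template can produce (product of group sizes)."""
    total = 1
    for options in split_template(template):
        total *= len(options)
    return total


def expand(template):
    """Every concrete comment the template can produce, i.e. what the errant
    tool in the post effectively dumped all at once."""
    return ["".join(combo) for combo in itertools.product(*split_template(template))]


def template_to_regex(template):
    """Compile a regex matching any variant, without materialising them all.

    Literal parts are escaped; each group becomes a non-capturing alternation.
    """
    pieces = []
    for options in split_template(template):
        if len(options) == 1:
            pieces.append(re.escape(options[0]))
        else:
            pieces.append("(?:" + "|".join(re.escape(o) for o in options) + ")")
    return re.compile("".join(pieces))


def matches_template(comment, template):
    """True if the comment is one of the template's possible outputs."""
    return template_to_regex(template).fullmatch(comment) is not None


if __name__ == "__main__":
    print(count_variants(SAMPLE_TEMPLATE), "variants from a one-line template")
    for comment in expand(SAMPLE_TEMPLATE)[:3]:
        print(" ", comment)
```

Even this short template yields 576 distinct comments, which is why matching on any single observed variant is hopeless while a regex derived from the template catches the whole family.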


PsExec UAC Bypass

[Editor's Note: In this article, Tim Medin describes a common pen test scenario in which a tester gets limited access to a target Windows machine and needs to escalate privileges without incurring the wrath of User Account Control (UAC). Tim describes his approach, which involves the use of psexec to bounce off of another machine to evade UAC and then pivot mercilessly in the target environment. Nice stuff! --Ed.]

by Tim Medin

During a recent penetration test, we were trying to figure out how to bypass UAC on a fully patched Windows environment, given that we'd had a limited compromise of one system via phishing. I'd like to share the technique we came up with so you can apply it in your own work.

The Scenario

In our test, we were using phishing attacks trying to trick a user to click on an AV-dodging attachment that would


Anti-Virus Evasion: A Peek Under the Veil

[Editor's Note: In this article, Mark Baggett summarizes some of the Anti-Virus evasion tactics of the past year or two, and then cranks it up a notch, by digging into the details of some recent AV-dodging techniques useful to penetration testers. To be effective penetration testers, we need to model the techniques used by the real-world bad guys, and anti-virus evasion is high on the bad guys' list of things to do to remain undetected in target organizations. Mark builds up to showing how to use Veil for AV evasion, step-by-step, and also discusses how to leverage Veil all in a single command. Nice work, Mark! --Ed.]

By Mark Baggett

Back in October 2011 on the SANS penetration testing blog, I shared a little technique I had been sitting on for a while for bypassing antivirus software. Check it out here: