[Dailydave] Tigers are not small.

Dave Aitel dave at immunityinc.com
Mon May 11 15:20:34 EDT 2015


You should set up a DailyDave special webinar where we can all join and
ask annoying technical questions. I would definitely attend! :)

Of course part of the reason we have a debugger built into INNUENDO is
to "instrument" the "instrumenters" if you will. I.E. Implants can
attack the recording and transmission of system data, and longer term,
send back manipulated data to attack the correlation and analysis.
Likewise, attackers are going to want to build methodologies that
conduct missions faster than analysis and response systems can be
reasonably expected to handle.

And I don't know any modern HIDS company willing to offer a solution
that they would claim is resilient against an attacker who already has
access to the platform and can prepare counter-measures. This is, as the
NSA might put it, a "somewhat challenging problem to attack".

-dave


On 5/8/2015 11:14 AM, Dmitri Alperovitch wrote:
> Dave, perhaps you should learn a little bit about what we do before
> making such authoritative judgement calls. Everything you've said
> about us is dead wrong. We are not "aimed" at implants at all, dumb or
> otherwise, – we look, record, correlate and aggregate in the cloud
> execution activities on the host regardless of whether it's done
> through an implant, powershell script or someone running commands
> interactively from cmd.exe. We look at effects of what the action is
> doing, regardless of how it's done. Happy to give you a demo if you
> wish to learn more
>
> Regards,
>
> Dmitri
> From: Dave Aitel
> Date: Friday, May 8, 2015 at 9:41 AM
> To: "dailydave at lists.immunityinc.com
> <mailto:dailydave at lists.immunityinc.com>"
> Subject: [Dailydave] Tigers are not small.
>
> NEW VIDEO TO WATCH: https://vimeo.com/album/3385044/video/127189491
>
> This video starts off with Chris talking a little bit about strategy,
> and it's important. If you watch a CrowdStrike talk you'll hear lots
> of nonsense about TTP or "Tactics, tools and procedures" as you learn
> to be a "adversary hunter". But there's a layer above "what does your
> stuff do, and how does it do it, and what do you do with it". That
> layer is "Why we chose to build a rather heavy-sized implant for
> professional penetration testing in Python and not, as no doubt
> everyone else wanted to
> <http://www.quora.com/Why-did-the-programmers-of-Flame-decide-to-use-Lua>,
> in Lua."
>
> The Lua vs Python argument is something people are going to have till
> the end of time, when it comes to implants. This is because a large
> variety of the things you want to do in a Windows implant are best
> described as "automated high level use of Windows API's". Lua excels
> at that, and is BUILT to be embedded into other projects, for example,
> games, running a lightweight 220k. This means that not only does it
> know how to interface to an API, but it knows how to go away when it
> is done. It is FAST and fast means something when you are trying to
> hide from performance counters. And yes, you'll have to build
> everything yourself as Lua is not even object oriented and has no
> reference counting (?!?), but at least you can build it exactly to spec.
>
> Of course, you could also build your entire implant as an incredibly
> complicated PowerShell script. But that doesn't mean you SHOULD.
>
> Python, as an implant choice, is a beastly thirty megs just to start
> and has its own mind and culture. Nothing is LESS fun than trying to
> debug why the SSL library in your implant randomly hangs when there is
> clock skew. Thread management in Python is an arcane science. Should
> you use Requests to do your web control channel, or one of the older
> libraries, or build your own? You end up having to design interfaces
> to various parts of the internals of your implant, having software
> "contracts" and suffering the issues of bloat. Bloat and implants are
> not a good mix. You don't want design by committee!
>
> But even though Python itself is slow, your design flow will be fast
> and in Python your implant will soon become SMART. The video series
> we're releasing this week emphasizes the building blocks of SMART
> IMPLANTS more than anything else. Next-gen incident response systems
> (CrowdStrike, Mandiant, and anything that had the words "Behavioral
> Analysis" on their booth at RSA) are aimed at DUMB implants - things
> that try to hide by being small. But there is another way. You can in
> fact, hunt the hunters.
>
> -----------------------
>
> -dave
> (PS. Feeling hungry for INNUENDO? admin at immunityinc.com can issue
> quotes. ;) )

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20150511/a19f26ae/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20150511/a19f26ae/attachment.sig>


More information about the Dailydave mailing list