[Dailydave] Implants -> Persistence -> Fun! :)

David Aitel dave at immunityinc.com
Tue Feb 6 19:25:16 UTC 2018


Persistence is the focus of the newest INNUENDO release and it’s one
we’ve been working on for a long time now. If you’ve not seen our
release video which goes over these things in some depth it is here:
https://vimeo.com/253864191

Persistence is one of those things that you really only figure out in
the wild. Originally INNUENDO was built around the idea of having a
monolithic deployer that could install the implant with a variety of
pre-configured persistence methods. A much more traditional “install the
software” model, if you will.

As it turned out, this was not the optimal way of approaching the
problem. Advanced INNUENDO operators wanted the ability to integrate the
core implant into their existing deployment toolchains through
lightweight stagers and then make persistence decisions AFTER communication
with the C2 was achieved and initial recon was done by an operator.

There’s a balance between pushing the boundaries of what is possible in
the space and fitting in with established workflows. This also means
that your C2 API has to be positioned to play well with others. In other
words, offense is team based combat. :)

In my S4 talk I go over a longer version of using Overwatch, a class-based
FPS team combat game, as an analogy for building implants. One of
those is the difference between Main Tanks (which include Kernel
implants, essentially), and Dive Tanks. INNUENDO is essentially a dive
tank - surviving by being in unexpected places.

Our goal with INNUENDO’s new persistence framework is to make it so easy
to create new methods that you can have a different persistence paradigm
for each and every target.

The demo video above goes into the details of how we accomplish that,
but the WHY is more important imho. The vision is that not only are the
IoCs different for every implant, but that some of the implants only are
running when the financial planner starts up their specialized
application for creating cash flow projections, or otherwise operate as
plugins for various other products custom to that enterprise. Having
this all in Python allows for automation layers to be added later, of
course.

In other words: Persistence is as big a space as Lateral Movement and
C2, and to push forward in this space you have to be willing to . . .
change everything.
