[Dailydave] El Jefe secondary thoughts

Dave Aitel dave at immunityinc.com
Tue Jun 24 10:38:40 EDT 2014


Nico disagrees with me and thinks the best feature in the new El Jefe is
the ability to create a farm of VMs which you can then apply against
malware for analysis. So for example, you might have a "developer" VM
and an "executive" VM, and they might be different operating systems,
configurations, and all sorts of other setups. Perhaps one of them has a
more modern AV or HIPS on it even. Then you can quickly and easily
select a piece of suspected malware to run on one of them that you think
is most appropriate and then just as easily get your report.

Honestly, I think as an attacker sometimes the best malware is NO
MALWARE AT ALL. A lot of what I'm looking for in El Jefe is people
running psexec, or cmd.exe at weird times. There's a concept missing
from OpenIOC that is more related to the process of intrusion as opposed
to "which malware was run". It's something quite hard to model and test
- we use CANVAS and INNUENDO and a few other tools for this obviously to
generate database sections that correspond to actual attacks
(client-sides, for example). A lot of this is purely "in memory" and has
a very short time-span, but is still detectable, even automatically,
with tools like El Jefe.

-dave
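As an added illustration of the "no malware at all" point above (example code, not El Jefe's own or Dave's), the following runs a few behavioural checks over constructed process-creation records of the kind a process monitor like El Jefe collects: psexec activity, a shell spawned outside assumed business hours, and a shell whose parent is a client application. The hour window, the image names and the sample events are all assumptions made up for this example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List

@dataclass
class ProcessEvent:
    """One process-creation record (constructed; not a real El Jefe schema)."""
    timestamp: datetime
    user: str
    parent: str   # image name of the parent process
    image: str    # image name of the created process
    cmdline: str

# Images worth a look regardless of any malware signature (assumed list).
LATERAL_MOVEMENT_TOOLS = {"psexec.exe", "psexesvc.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Client applications that rarely have a legitimate reason to spawn a shell.
CLIENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "iexplore.exe"}
# Hypothetical business hours for this fleet; tune per environment.
WORK_START, WORK_END = time(8, 0), time(19, 0)

def off_hours(ts: datetime) -> bool:
    """Weekend, or a weekday outside the assumed working window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)

def classify(ev: ProcessEvent) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    image, parent = ev.image.lower(), ev.parent.lower()
    if image in LATERAL_MOVEMENT_TOOLS or parent in LATERAL_MOVEMENT_TOOLS:
        reasons.append("psexec activity")
    if image in SHELLS and off_hours(ev.timestamp):
        reasons.append("shell spawned off-hours")
    if image in SHELLS and parent in CLIENT_APPS:
        reasons.append(f"shell spawned by {parent}")
    return reasons

def triage(events: List[ProcessEvent]):
    """Keep only the events that tripped at least one check, with their reasons."""
    flagged = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged

# Constructed sample telemetry: one ordinary shell, one at 03:12, one psexec
# run, and one shell launched by Word.
SAMPLE_EVENTS = [
    ProcessEvent(datetime(2014, 6, 24, 10, 15), "CORP\\alice", "explorer.exe", "cmd.exe", "cmd.exe"),
    ProcessEvent(datetime(2014, 6, 24, 3, 12), "CORP\\svc_backup", "services.exe", "cmd.exe", "cmd.exe"),
    ProcessEvent(datetime(2014, 6, 24, 14, 2), "CORP\\bob", "explorer.exe", "psexec.exe", "psexec.exe"),
    ProcessEvent(datetime(2014, 6, 24, 11, 30), "CORP\\carol", "winword.exe", "cmd.exe", "cmd.exe"),
]
```

Running `triage(SAMPLE_EVENTS)` flags the last three records and leaves Alice's daytime shell alone, which is the kind of process-level signal the post argues OpenIOC-style malware indicators do not capture.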

