[Dailydave] Modeling real attackers is hard

Dave Aitel dave at immunityinc.com
Fri Jun 19 14:50:20 EDT 2015

The following reports demonstrate incident response efforts by good
teams against good teams.

  * https://wikileaks.org/saudi-cables/doc129906.html (Iranians versus
    Saudi Ministry)
  * http://www.wired.com/2015/06/kaspersky-finds-new-nation-state-attack-network/
    (Israelis versus Russian Foreign Banya Ministry) ;>

It's been a busy month in the ol' world of cyber security. There are some
key things in those reports (one of which is new today, although Cylance
published their take on it a while back) which I think point out the
future of the penetration testing world.

1. CLEAVER: Channels that go through FTP or other commonly used but not
watched protocols. You can get this now in INNUENDO. The key here is
having asynchronicity built into your C2 structure.
2. Duqu2: Sniffers integrated into implants for weird advanced
behaviors. This used to be common with people trying to steal passwords
in time immemorial, and then became the way to grab credit card data,
but now is being used to guide the implant into using the right exfil
channels at the right time. Again, INNUENDO is the only penetration
testing implant I know that can do this. The key is providing a high
level Python API for the "thinky" bits of what your implant needs to do
when triggered by a sniffer.

We were on a penetration test recently where we installed INNUENDO and
checked what the bandwidth available was from various exfiltration
protocols. We wanted to answer the question "What are hackers likely to
be using to exfiltrate data from your network?" Everyone should be doing
this! If you're interested in this sort of thing:


-dave (although let's face it, I'll probably post lots about it on this
list too :) )


First of all, INNUENDO 1.3 now supports network sniffing based callback
operations as well as kernel driver install/uninstall operations.

You can see an example of the INNUENDO 1.3 sniffer in action at:


The keylogger module now supports scenarios where you can instruct it to
listen for process creation events for e.g. "notepad.exe" and it will
automatically attach and start logging for any new instance of the
specified process name, which makes INNUENDO's keylogging much more
flexible and operator independent.

This feature is driven by INNUENDO's new implant-wide event notification
scheme which will be the basis for many more exciting new INNUENDO

You can see a demo of this new feature at:


The debugging core that drives features such as the keylogger has been
updated to support WoW64 processes, and INNUENDO is now compatible with
the latest versions of EMET and can run inside processes that are EMET

System-wide implant communication is now driven by a peer-to-peer
discovery and communications protocol. You can learn more about this at:


The p2p layer also facilitates much improved channel management and
synchronization. Convergence to the optimal C2 channel is now guaranteed
and occurs rapidly.

Also included are the much requested force-uninstall option for the
deployer as well as the ability to customize the INNUENDO service name.
