[Dailydave] Tigers are not small.

Dave Aitel dave at immunityinc.com
Fri May 8 09:41:43 EDT 2015


NEW VIDEO TO WATCH: https://vimeo.com/album/3385044/video/127189491

This video starts off with Chris talking a little bit about strategy,
and it's important. If you watch a CrowdStrike talk you'll hear lots of
nonsense about TTP or "Tactics, tools and procedures" as you learn to be
an "adversary hunter". But there's a layer above "what does your stuff
do, and how does it do it, and what do you do with it". That layer is
"Why we chose to build a rather heavy-sized implant for professional
penetration testing in Python and not, as no doubt everyone else wanted
to, in Lua."
<http://www.quora.com/Why-did-the-programmers-of-Flame-decide-to-use-Lua>

The Lua vs Python argument is something people are going to have till
the end of time, when it comes to implants. This is because a large
variety of the things you want to do in a Windows implant are best
described as "automated high-level use of Windows APIs". Lua excels at
that, and is BUILT to be embedded into other projects, for example,
games, running a lightweight 220k. This means that not only does it know
how to interface to an API, but it knows how to go away when it is done.
It is FAST and fast means something when you are trying to hide from
performance counters. And yes, you'll have to build everything yourself
as Lua is not even object oriented and has no reference counting (?!?),
but at least you can build it exactly to spec.

Of course, you could also build your entire implant as an incredibly
complicated PowerShell script. But that doesn't mean you SHOULD.

Python, as an implant choice, is a beastly thirty megs just to start and
has its own mind and culture. Nothing is LESS fun than trying to debug
why the SSL library in your implant randomly hangs when there is clock
skew. Thread management in Python is an arcane science. Should you use
Requests to do your web control channel, or one of the older libraries,
or build your own? You end up having to design interfaces to various
parts of the internals of your implant, having software "contracts" and
suffering the issues of bloat. Bloat and implants are not a good mix.
You don't want design by committee!

But even though Python itself is slow, your design flow will be fast and
in Python your implant will soon become SMART. The video series we're
releasing this week emphasizes the building blocks of SMART IMPLANTS
more than anything else. Next-gen incident response systems
(CrowdStrike, Mandiant, and anything that had the words "Behavioral
Analysis" on their booth at RSA) are aimed at DUMB implants - things
that try to hide by being small. But there is another way. You can in
fact, hunt the hunters.

-----------------------

-dave
(PS. Feeling hungry for INNUENDO? admin at immunityinc.com can issue
quotes. ;) )