<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Watch this new INNUENDO Video first: <a
href="https://vimeo.com/126988596">https://vimeo.com/126988596</a>
. It is amazing.<br>
<br>
At INFILTRATE the Microsoft penetration testing team did the final
presentation. First of all, their goal is to move FASTER than log
replication. I know a lot of modern players are pretending to be
able to do their intrusion analysis in real time. REAL TIME IS NOT
POSSIBLE. Not even <a
href="http://images.chinatopix.com/data/images/full/6462/muhammad-ali-getting-hit-by-a-left-hook-from-joe-frazier-during-the-fight-of-the-century-in-madison-square-garden-in-1971.jpg">your
brain</a> works in "real time". <br>
<br>
The basic theme of the talk was simple: Hit any one host in a large
domain. Grab all the LDAP data you can (Groups/Machines/Users) and
then sweep as much as you can across the domain to find out
LastLoggedIn data. Then exfil it as fast as possible. It'll be
"moderately large" (4GB) but you can download it reliably over DNS
or ICMP even with a modern system like INNUENDO. You can then remove
yourself from the network before the IR team has a chance to do
anything.<br>
<br>
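One defensive check the exfil-over-DNS scenario above calls for, as an added example that is not from this post or from INNUENDO: a detector that aggregates DNS query logs per client and parent zone and flags the pairs carrying many unique, long, high-entropy names, which is what bulk data leaving over DNS looks like from the resolver's side. The log format, the sample lines, the zone names and the thresholds are all constructed assumptions.<br>

```python
import math
from collections import Counter, defaultdict

# Constructed sample log, one query per line: "HH:MM:SS client qname".
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com
10:00:02 10.0.0.5 mail.example.com
10:00:02 10.0.0.9 a3f9c1e7b2d4.c9e1f2a7d3b8.exfil-test.example.net
10:00:02 10.0.0.9 7b2d4a3f9c1e.d3b8c9e1f2a7.exfil-test.example.net
10:00:03 10.0.0.9 9c1e7b2d4a3f.f2a7d3b8c9e1.exfil-test.example.net
10:00:03 10.0.0.5 www.example.com
"""

def shannon_entropy(text):
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def split_query(qname, zone_labels=2):
    """Split a name into the rightmost `zone_labels` labels and the payload carried under them."""
    labels = qname.strip(".").lower().split(".")
    return ".".join(labels[-zone_labels:]), ".".join(labels[:-zone_labels])

def find_exfil_candidates(log_text, min_bytes=100, min_unique=3, min_entropy=3.0):
    """Aggregate per (client, zone); return pairs over every threshold (thresholds are assumed, tune to your baseline)."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "bytes": 0, "entropy": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip it rather than crash the detector
        _ts, client, qname = parts
        zone, payload = split_query(qname)
        s = stats[(client, zone)]
        s["queries"] += 1
        s["names"].add(qname.lower())
        s["bytes"] += len(payload)  # rough count of data bytes carried in the name
        s["entropy"] += shannon_entropy(payload.split(".")[0])  # leftmost label
    hits = []
    for (client, zone), s in stats.items():
        mean_entropy = s["entropy"] / s["queries"]
        if s["bytes"] >= min_bytes and len(s["names"]) >= min_unique and mean_entropy >= min_entropy:
            hits.append({"client": client, "zone": zone, "queries": s["queries"],
                         "unique_names": len(s["names"]), "payload_bytes": s["bytes"],
                         "mean_label_entropy": round(mean_entropy, 2)})
    return hits

if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_LOG):
        print(hit)
```

On the sample log only 10.0.0.9 is reported; in production the byte threshold belongs in the megabyte range per time window and the zone depth must match your public-suffix handling.<br>
<br>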
With the data you retrieved, you can do all sorts of cool analysis
that will enable lateral movement or follow-on attacks. Not
coincidentally Microsoft also released some <a
href="http://blogs.technet.com/b/ad/archive/2015/05/04/microsoft-advanced-threat-analytics-public-preview-release-is-now-available.aspx">interesting
AD intrusion analysis</a> tools this week which are worth a look.
<br>
<br>
Really there are several things changing: <br>
1. Top-level methodology is changing. The Microsoft team emphasized
that once they go in, and gather the right data, they can use
advanced machine learning and data analysis to show them exactly
which users to phish next, and how. They know once they get back in
exactly which machines they need to go onto to control the network.
It's no longer a guessing game. It's more deterministic. Looking at
some of these methodologies means how you buy penetration testing has
to change. Once you realize "The attacker at some point is going to
get on one of the boxes on my domain" you have to start testing
lateral movement, data exfiltration, and incident response from that
perspective.<br>
<br>
2. Advanced low-level techniques are being commoditized, partially
because Kaspersky and co. are doing a good job writing giant white
papers on the things they catch in the wild. In INNUENDO's case this
means the public penetration testing community can get an advanced
implant including the in-memory loader, high-level language VM and
API, multiple channels, built-in sniffer and debugger, and OPSEC
workflow. <br>
<br>
In short: if you just bought Mandiant or Crowdstrike or Carbon Black
or are using the new agents from Tenable or Qualys, then you are
going to want to test them with INNUENDO or a tool like INNUENDO to
see if they really work the way you think they do. Let us know if
you want to try this out! :)<br>
<br>
-dave<br>
<br>
</body>
</html>