<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
You should set up a DailyDave special webinar where we can all join
and ask annoying technical questions. I would definitely attend! :)<br>
<br>
Of course part of the reason we have a debugger built into INNUENDO
is to "instrument" the "instrumenters" if you will. I.E. Implants
can attack the recording and transmission of system data, and longer
term, send back manipulated data to attack the correlation and
analysis. Likewise, attackers are going to want to build
methodologies that conduct missions faster than analysis and
response systems can be reasonably expected to handle. <br>
<br>
And I don't know any modern HIDS company willing to offer a solution
that they would claim is resilient against an attacker who already
has access to the platform and can prepare counter-measures. This
is, as the NSA might put it, a "somewhat challenging problem to
attack".<br>
<br>
-dave<br>
<br>
<br>
<div class="moz-cite-prefix">On 5/8/2015 11:14 AM, Dmitri
Alperovitch wrote:<br>
</div>
<blockquote
cite="mid:53E95C94-2798-4B5E-BB5B-46BCB7D955E6@crowdstrike.com"
type="cite">
<meta http-equiv="Context-Type" content="text/html; charset=UTF-8">
<div>
<div>Dave, perhaps you should learn a little bit about what we
do before making such authoritative judgement calls.
Everything you've said about us is dead wrong. We are not
"aimed" at implants at all, dumb or otherwise, – we look,
record, correlate and aggregate in the cloud execution
activities on the host regardless of whether it's done through
an implant, powershell script or someone running commands
interactively from cmd.exe. We look at effects of what the
action is doing, regardless of how it's done. Happy to give
you a demo if you wish to learn more</div>
<div><br>
</div>
<div>Regards,</div>
<div><br>
</div>
<div>Dmitri</div>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div><span>From: </span> Dave Aitel<br>
<span>Date: </span> Friday, May 8, 2015 at 9:41 AM<br>
<span>To: </span> "<a moz-do-not-send="true"
href="mailto:dailydave@lists.immunityinc.com">dailydave@lists.immunityinc.com</a>"<br>
<span>Subject: </span> [Dailydave] Tigers are not small.<br>
</div>
<div><br>
</div>
<div>
<div>
NEW VIDEO TO WATCH: <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://vimeo.com/album/3385044/video/127189491">
https://vimeo.com/album/3385044/video/127189491</a><br>
<br>
This video starts off with Chris talking a little bit about
strategy, and it's important. If you watch a CrowdStrike
talk you'll hear lots of nonsense about TTP or "Tactics,
tools and procedures" as you learn to be a "adversary
hunter". But there's a layer above "what does your stuff do,
and how does it do it, and what do you do with it". That
layer is "Why we chose to build a rather heavy-sized implant
for professional penetration testing in Python and not,
<a moz-do-not-send="true"
href="http://www.quora.com/Why-did-the-programmers-of-Flame-decide-to-use-Lua">as
no doubt everyone else wanted to</a>, in Lua."<br>
<br>
The Lua vs Python argument is something people are going to
have till the end of time, when it comes to implants. This
is because a large variety of the things you want to do in a
Windows implant are best described as "automated high level
use of Windows API's". Lua excels at that, and is BUILT to
be embedded into other projects, for example, games, running
a lightweight 220k. This means that not only does it know
how to interface to an API, but it knows how to go away when
it is done. It is FAST and fast means something when you are
trying to hide from performance counters. And yes, you'll
have to build everything yourself as Lua is not even object
oriented and has no reference counting (?!?), but at least
you can build it exactly to spec.<br>
<br>
Of course, you could also build your entire implant as an
incredibly complicated PowerShell script. But that doesn't
mean you SHOULD.
<br>
<br>
Python, as an implant choice, is a beastly thirty megs just
to start and has its own mind and culture. Nothing is LESS
fun than trying to debug why the SSL library in your implant
randomly hangs when there is clock skew. Thread management
in Python is an arcane science. Should you use Requests to
do your web control channel, or one of the older libraries,
or build your own? You end up having to design interfaces to
various parts of the internals of your implant, having
software "contracts" and suffering the issues of bloat.
Bloat and implants are not a good mix. You don't want design
by committee!<br>
<br>
But even though Python itself is slow, your design flow will
be fast and in Python your implant will soon become SMART.
The video series we're releasing this week emphasizes the
building blocks of SMART IMPLANTS more than anything else.
Next-gen incident response systems (CrowdStrike, Mandiant,
and anything that had the words "Behavioral Analysis" on
their booth at RSA) are aimed at DUMB implants - things that
try to hide by being small. But there is another way. You
can in fact, hunt the hunters.<br>
<br>
-----------------------<br>
<br>
-dave<br>
(PS. Feeling hungry for INNUENDO? <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:admin@immunityinc.com">
admin@immunityinc.com</a> can issue quotes. ;) )<br>
</div>
</div>
</span>
</blockquote>
<br>
</body>
</html>