<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
The following reports demonstrate incident response efforts by good
teams against good teams. <br>
<ul>
<li><a class="moz-txt-link-freetext" href="https://wikileaks.org/saudi-cables/doc129906.html">https://wikileaks.org/saudi-cables/doc129906.html</a> (Iranians
versus Saudi Ministry)</li>
<li><a class="moz-txt-link-freetext" href="http://www.wired.com/2015/06/kaspersky-finds-new-nation-state-attack-network/">http://www.wired.com/2015/06/kaspersky-finds-new-nation-state-attack-network/</a>
(Israelis versus Russian Foreign Banya Ministry) ;></li>
</ul>
<p>It's been a busy month in the ol' world of cyber security.
There are some key things in those reports (one of which is new
today, although Cylance published their take on it a while back)
which I think point out the future of the penetration testing
world. <br>
</p>
<p>1. CLEAVER: Channels that go through FTP or other commonly used
but not watched protocols. You can get this now in INNUENDO. The
key here is having asynchronicity built into your C2 structure.<br>
2. Duqu2: Sniffers integrated into implants for weird advanced
behaviors. This used to be common with people trying to steal
passwords since time immemorial, and then became the way to grab
credit card data, but now is being used to guide the implant into
using the right exfil channels at the right time. Again, INNUENDO
is the only penetration testing implant I know that can do this.
The key is providing a high level Python API for the "thinky" bits
of what your implant needs to do when triggered by a sniffer.<br>
</p>
<p>We were on a penetration test recently where we installed
INNUENDO and checked what the bandwidth available was from various
exfiltration protocols. We wanted to answer the question "What are
hackers likely to be using to exfiltrate data from your network?"
Everyone should be doing this! If you're interested in this sort
of thing:</p>
<p><a class="moz-txt-link-freetext" href="https://lists.immunityinc.com/mailman/listinfo/innuendo">https://lists.immunityinc.com/mailman/listinfo/innuendo</a><br>
</p>
<p>-dave (although let's face it, I'll probably post lots about it
on this list too :) )<br>
<br>
</p>
<p>--<br>
</p>
<pre style="white-space: pre-wrap;">
First of all, INNUENDO 1.3 now supports network sniffing based callback
operations as well as kernel driver install/uninstall operations.
You can see an example of the INNUENDO 1.3 sniffer in action at:
<a href="https://vimeo.com/album/3385044/video/126988596">https://vimeo.com/album/3385044/video/126988596</a>
The keylogger module now supports scenarios where you can instruct it to
listen for process creation events for e.g. "notepad.exe" and it will
automatically attach and start logging for any new instance of the
specified process name, which makes INNUENDO's keylogging much more
flexible and operator independent.
This feature is driven by INNUENDO's new implant-wide event notification
scheme which will be the basis for many more exciting new INNUENDO
capabilities.
You can see a demo of this new feature at:
<a href="https://vimeo.com/album/3385044/video/119460494">https://vimeo.com/album/3385044/video/119460494</a>
The debugging core that drives features such as the keylogger has been
updated to support WoW64 processes, and INNUENDO is now compatible with
the latest versions of EMET and can run inside processes that are EMET
monitored.
System-wide implant communication is now driven by a peer-to-peer
discovery and communications protocol. You can learn more about this at:
<a href="https://vimeo.com/album/3385044/video/127189491">https://vimeo.com/album/3385044/video/127189491</a>
The p2p layer also facilitates much improved channel management and
synchronization. Convergence to the optimal C2 channel is now guaranteed
and occurs rapidly.
Also included are the much requested force-uninstall option for the
deployer as well as the ability to customize the INNUENDO service name.</pre>
</body>
</html>