Dailydave mailing list archives
El Jefe secondary thoughts
From: Dave Aitel <dave () immunityinc com>
Date: Tue, 24 Jun 2014 10:38:40 -0400
Nico disagrees with me and thinks the best feature in the new El Jefe is the ability to create a farm of VMs which you can then apply against malware for analysis. So for example, you might have a "developer" VM and an "executive" VM, and they might be different operating systems, configurations, and all sorts of other setups. Perhaps one of them has a more modern AV or HIPS on it even. Then you can quickly and easily select a piece of suspected malware to run on one of them that you think is most appropriate and then just as easily get your report.

Honestly, I think as an attacker sometimes the best malware is NO MALWARE AT ALL. A lot of what I'm looking for in El Jefe is people running psexec, or cmd.exe at weird times. There's a concept missing from OpenIOC that is more related to the process of intrusion as opposed to "which malware was run". It's something quite hard to model and test - we use CANVAS and INNUENDO and a few other tools for this obviously to generate database sections that correspond to actual attacks (client-sides, for example). A lot of this is purely "in memory" and has a very short time-span, but is still detectable, even automatically, with tools like El Jefe.

-dave
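The "intrusion process rather than malware sample" idea above, as an added example that is not part of Dave's post or of El Jefe: it flags administrative tooling (psexec, cmd.exe) launched off hours or in a remote-exec-spawns-shell parent/child chain, over constructed process-creation events. The event format, hosts, users and the business-hours window are all assumptions.

```python
# Added example (not from Dave Aitel's post or from El Jefe): flag admin
# tooling such as psexec/cmd.exe run at odd hours or in an intrusion-like
# parent/child chain, with no malware sample involved. Event format, hosts,
# users and the business-hours window are all constructed assumptions.
from datetime import datetime, time
from typing import List, Tuple

# Constructed process-creation events: "timestamp|host|user|parent|image".
SAMPLE_EVENTS = """\
2014-06-24T10:02:11|ws-dev01|alice|explorer.exe|cmd.exe
2014-06-24T14:40:03|ws-exec02|bob|outlook.exe|winword.exe
2014-06-24T03:17:45|ws-exec02|bob|services.exe|psexesvc.exe
2014-06-24T03:18:02|ws-exec02|bob|psexesvc.exe|cmd.exe
2014-06-24T11:05:30|ws-dev01|alice|services.exe|psexesvc.exe
"""

WATCHED = {"cmd.exe", "psexec.exe", "psexesvc.exe"}
BUSINESS_START, BUSINESS_END = time(8, 0), time(19, 0)  # assumed local hours

Event = Tuple[datetime, str, str, str, str]  # ts, host, user, parent, image


def parse_events(text: str) -> List[Event]:
    """Parse the pipe-delimited sensor lines; image names are lower-cased."""
    events = []
    for line in text.splitlines():
        ts, host, user, parent, image = line.split("|")
        events.append((datetime.fromisoformat(ts), host, user,
                       parent.lower(), image.lower()))
    return events


def off_hours(ts: datetime) -> bool:
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def flag_events(events: List[Event]) -> List[str]:
    """Return one finding per suspicious condition (an event may yield two)."""
    findings = []
    for ts, host, user, parent, image in events:
        if image in WATCHED and off_hours(ts):
            findings.append(f"{host}: {image} by {user} at {ts.time()} off hours")
        # A remote-exec service spawning a shell is the intrusion-process
        # pattern itself, worth flagging whatever the clock says.
        if parent == "psexesvc.exe" and image == "cmd.exe":
            findings.append(f"{host}: cmd.exe spawned by psexesvc.exe ({user})")
    return findings
```

Running `flag_events(parse_events(SAMPLE_EVENTS))` on the constructed data yields three findings, all from the 03:17 psexec session on ws-exec02; the daytime cmd.exe and psexesvc.exe launches on ws-dev01 pass.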
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave