Dailydave mailing list archives
Implants -> Persistence -> Fun! :)
From: David Aitel <dave () immunityinc com>
Date: Tue, 6 Feb 2018 14:25:16 -0500
Persistence is the focus of the newest INNUENDO release, and it’s one we’ve been working on for a long time now. If you’ve not seen our release video, which goes over these things in some depth, it is here: https://vimeo.com/253864191

Persistence is one of those things that you really only figure out in the wild. Originally INNUENDO was built around the idea of having a monolithic deployer that could install the implant with a variety of pre-configured persistence methods. A much more traditional “install the software” model, if you will. As it turned out, this was not the optimal way of approaching the problem. Advanced INNUENDO operators wanted the ability to integrate the core implant into their existing deployment toolchains through lightweight stagers and then make persistence decisions AFTER communication with the C2 was achieved and initial recon was done by an operator.

There’s a balance between pushing the boundaries of what is possible in the space and fitting in with established workflows. This also means that your C2 API has to be positioned to play well with others. In other words, offense is team-based combat. :)

In my S4 talk I go over a longer version of using Overwatch, a class-based FPS team combat game, as an analogy for building implants. One of those is the difference between Main Tanks (which include kernel implants, essentially) and Dive Tanks. INNUENDO is essentially a dive tank, surviving by being in unexpected places.

Our goal with INNUENDO’s new persistence framework is to make it so easy to create new methods that you can have a different persistence paradigm for each and every target. The demo video above goes into the details of how we accomplish that, but the WHY is more important imho.
The vision is that not only are the IoCs different for every implant, but that some of the implants only run when the financial planner starts up their specialized application for creating cash flow projections, or otherwise operate as plugins for various other products custom to that enterprise. Having this all in Python allows for automation layers to be added later, of course. In other words: Persistence is as big a space as Lateral Movement and C2, and to push forward in this space you have to be willing to . . . change everything.
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave