Dailydave mailing list archives
Modeling real attackers is hard
From: Dave Aitel <dave () immunityinc com>
Date: Fri, 19 Jun 2015 14:50:20 -0400
The following reports demonstrate incident response efforts by good teams against good teams.

* https://wikileaks.org/saudi-cables/doc129906.html (Iranians versus Saudi Ministry)
* http://www.wired.com/2015/06/kaspersky-finds-new-nation-state-attack-network/ (Israelis versus Russian Foreign Banya Ministry) ;>

It's been a busy month in the ol' world of cyber security. There are some key things in those reports (one of which is new today, although Cylance published their take on it a while back) which I think point out the future of the penetration testing world.

1. CLEAVER: Channels that go through FTP or other commonly used but not watched protocols. You can get this now in INNUENDO. The key here is having asynchronicity built into your C2 structure.

2. Duqu2: Sniffers integrated into implants for weird advanced behaviors. This used to be common with people trying to steal passwords in time immemorial, and then became the way to grab credit card data, but now is being used to guide the implant into using the right exfil channels at the right time. Again, INNUENDO is the only penetration testing implant I know that can do this. The key is providing a high-level Python API for the "thinky" bits of what your implant needs to do when triggered by a sniffer.

We were on a penetration test recently where we installed INNUENDO and checked what the bandwidth available was from various exfiltration protocols. We wanted to answer the question "What are hackers likely to be using to exfiltrate data from your network?" Everyone should be doing this!

If you're interested in this sort of thing: https://lists.immunityinc.com/mailman/listinfo/innuendo

-dave

(although let's face it, I'll probably post lots about it on this list too :) )

--

First of all, INNUENDO 1.3 now supports network sniffing based callback operations as well as kernel driver install/uninstall operations. You can see an example of the INNUENDO 1.3 sniffer in action at: https://vimeo.com/album/3385044/video/126988596

The keylogger module now supports scenarios where you can instruct it to listen for process creation events for e.g. "notepad.exe" and it will automatically attach and start logging for any new instance of the specified process name, which makes INNUENDO's keylogging much more flexible and operator independent. This feature is driven by INNUENDO's new implant-wide event notification scheme, which will be the basis for many more exciting new INNUENDO capabilities. You can see a demo of this new feature at: https://vimeo.com/album/3385044/video/119460494

The debugging core that drives features such as the keylogger has been updated to support WoW64 processes, and INNUENDO is now compatible with the latest versions of EMET and can run inside processes that are EMET monitored.

System-wide implant communication is now driven by a peer-to-peer discovery and communications protocol. You can learn more about this at: https://vimeo.com/album/3385044/video/127189491

The p2p layer also facilitates much improved channel management and synchronization. Convergence to the optimal C2 channel is now guaranteed and occurs rapidly.

Also included are the much requested force-uninstall option for the deployer as well as the ability to customize the INNUENDO service name.