Dailydave June 2020

dailydave@lists.aitelfoundation.org

2 participants
4 discussions

Data
by Dave Aitel 18 Jun '20

18 Jun '20

I wanted to highlight something that I find funny did not make a much bigger impact: DARPA's release of former INFILTRATE keynoter Bill Arbaugh's dataset of endpoint behavioral data. See here for more information: https://twitter.com/williamarbaugh/status/1273421101469753344?s=20 How else are you supposed to test if your Endpoint Protection DEEEEEEP LEARNING works or does not work, as advertised? My only complaints are: This is not as much data as I would want. You really do want at least a couple months of data. Everyone annoy DARPA about that. :) I don't speak for Immunity anymore, but it IS good to see those who do speak for Trail of Bits making themselves heard: https://blog.trailofbits.com/2020/06/17/advocating-for-change/ -dave

1 0

Code (library) economics
by Konrads Smelkovs 15 Jun '20

15 Jun '20

When I want to code something from scratch, I will often look for libraries that help me achieve it best regardless of language they are written - for common situations Python has a good ecosystem (but web interfaces don't look so great there anymore), if it's enterprise-y, most likely Java (which I'll use via Jython if I can help it), if it's Windows-ish - C# with WinApi calls. Weirdly RubyDNS/EventMachine is good for quick DNS shenanigans. I do this because I don't have an infinite amount of time to re-implement something in my *langage du jour*. Same holds true for people moving code for hacking operations. If an operator wants to search for specific data on a computer, I'm probably best off using Windows Search API and the easiest way to invoke it is via PowerShell <https://gist.github.com/arebee/1928da03047aee4167fabee0f501c72d> - about 20 lines of code seems to do it. I looked at my code for selectively exfiltrating Outlook mailbox contents and discovered it was a bit of OLE Interop code (again - PowerShell, but I concede that C# would be pretty close line-wise). We could of course bring OpenDLP package or ntfs raw copy the entire .ost, but that seems to be heavyweight. A parallel exists for EDRs as well - EDRs like to rely on cool Win8.1+ features and tell customers to upgrade their XP/7 and Win2k3 boxes or not have latest features - they don't want to re-implement same stuff 3 times and could you please have our .NET to 4+ kthx bye. (this is also why network traffic recorders are useful). You can see right now the fad for POC implants has moved away from C to C# to Golang, because all of this makes programmers more productive. as you're paid for operations not tool fetish, why write it in C? Sometimes doing stuff in non-C is harder. Over the last 2 months there's been an explosion of API unhooking articles thanks to great work by F-Secure (ex MWR) <https://labs.f-secure.com/blog/bypassing-windows-defender-runtime-scanning/> and so to keep up with the Joneses any decent toolkit needs now the ability to manipulate loaded libraries which perhaps excludes some choice of languages (I'm not quite sure how to achieve this in PS). Other code economics matter as well. When you're in shellcode territory, the crawl space is small. Once you're in "bootstrap" territory, you have more space (e.g. your Office macro that downloads the kit can be fairly meaty) and you have options to hunt for eggs (e.g. retrieve a hidden attachment from Outlook in which your macro came in). Once you're in the "I can run an exe/dll here" territory, 20 megs is nothing. In one report I read, hackers downloaded and installed VirtualBox to run their toolkit. I think Dave's INNUENDO ran to 40 megs. Once they were done, it was a matter of shutting down the encrypted VM - good luck with forensics. <retransmission> -- Konrads Smelkovs Applied IT sorcery.

1 0

Primordial Fire
by Dave Aitel 15 Jun '20

15 Jun '20

I've moved to a part time contract with AppGate and I'm focused largely on INFILTRATE now, which gives me some time to attend cyber policy briefings. Most cyber policy briefings are the same 200 people, and they tend to be held under Chatham House rules, which means they are not recorded and you can't quote anyone directly. I'm not sure why, since getting someone in Cyber Policy to say anything controversial is as impossible as getting them to think about any kind of change that doesn't involve giving more money to CISA, for some reason. As part of prepping for INFILTRATE, like many of you, I've been attending a suite of online security conferences, from SANS (Zoom+Slack), to Summercon (Youtube), to Matt Suiche's OPCODE <https://www.opcde.com/opcdex/> (Youtube) to today's ACM Program Analysis conference <https://www.youtube.com/watch?v=81V2ifmW-4c> (Youtube), still going on ! That program analysis conference is AMAZING btw. The first talk, by Peter O'Hearn <https://en.wikipedia.org/wiki/Peter_O%27Hearn> is on point, as he starts off with some high level lessons learned trying to transfer his academic work on static analysis into Facebook's efforts, then three quarters of the way through dives like a pelican into the depths of concurrency analytics theory. He talks about what worked and what didn't work and how to scale.... and I dunno how to explain it. It's just a nuclear sub of a talk, rising from the icy sea with advanced technology and primordial fire. INFILTRATE is not going to be a purely virtual conference. A lot of what you do at a good conference is have conversations you can't have over a Chinese teleconference system, sometimes with a beverage of choice. We're going to have a hybrid conference - there's some amazing things about virtual conferences but they're not everything, as I'm sure you're aware. I've also had time to try to catch up with the exploit firehose. This bug <https://github.com/guhe120/Windows-EoP/blob/master/CVE-2020-1281/CVE-2020-1…> in particular - an integer overflow in Variant processing in the core feature of Windows. That would have been an amazing 0day to have. Or maybe not? It's hard to know without writing the exploit, looking at the target space, testing a lot of things. Recently one of the people in a policy conference asked "What is it that makes a government different anyways?" And the answer, of course, is vertical integration. When you find an 0day, it's hard to know anything about it other than it gets you a shell! And there's so much to know - much of which you want to talk about over fried alligator with music just loud enough to keep recording devices guessing. -dave

1 0

FIRST TEST EMAIL WITH NEW SERVER
by Dave Aitel 05 Jun '20

05 Jun '20

HI THERE THIS IS A TEST EMAIL. -dave

1 0

2024

2023

2022

2021

2020

Dailydave June 2020