Conversation

Notices

    Taggart :donor: (mttaggart@infosec.exchange)'s status on Friday, 18-Apr-2025 14:34:46 JST

    There's this scene in "The Rock," (I know) I think about way more than is reasonable. One of the bad guy Marines is showing off his custom motion detector that presents as a laser interrupt system, but is actually a vibration detector that will be disturbed when an adversary tries to cut the laser.

    I'm thinking a lot about a sort of "Dead Man's Switch" for defense. I've long theorized about such a mechanism for ransomware, but never seen it in practice. For defense, I like the idea of a response system that doesn't require the ping-pong of SOAR.

      Viss (viss@mastodon.social)'s status on Friday, 18-Apr-2025 14:34:45 JST

      @mttaggart home assistant

      Taggart :donor: (mttaggart@infosec.exchange)'s status on Friday, 18-Apr-2025 14:34:45 JST
      in reply to
      • Viss

      @Viss Hahaha I meant like...endpoint defense, but yeah! Home Alone style.

      Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 18-Apr-2025 15:12:41 JST
      in reply to
      • Viss
      • da_667

      @mttaggart @da_667 @Viss PoC||GTFO!

      Seriously though, I'd like to see this, it sounds cool AF.

      Taggart :donor: (mttaggart@infosec.exchange)'s status on Friday, 18-Apr-2025 15:12:42 JST
      in reply to
      • Viss
      • da_667

      @da_667 @Viss Now we're talkin'

      da_667 (da_667@infosec.exchange)'s status on Friday, 18-Apr-2025 15:12:42 JST
      in reply to
      • Viss

      @mttaggart @Viss any of you around long enough to remember defense tools for the blind?

      https://sourceforge.net/p/dtftb/code/HEAD/tree/

      tl;dr: "nobody gets shells, now that this daemon is running. I'm not locked in here with you, you're locked in here with me"

      Taggart :donor: (mttaggart@infosec.exchange)'s status on Friday, 18-Apr-2025 15:12:42 JST
      in reply to
      • Viss
      • da_667

      @da_667 @Viss I was playing with eBPF to lie to attackers about data. So like, you run ps aux as anyone but root, you just get nonsense back. That's Linux-specific, but there are a lot of possibilities there since you can intercept function returns as a kernel feature

      da_667 (da_667@infosec.exchange)'s status on Friday, 18-Apr-2025 15:12:43 JST
      in reply to
      • Viss

      @mttaggart @Viss I'm very interested in this. I like the idea of active countermeasures, but turned up to 11.

      It wasn't that long ago that some were theorycrafting that by just installing VMware Tools, or by installing a host of forensic, malware analysis, or reverse engineering tools, that whole hosts of automated malware will just throw shitfits and refuse to run.

      What happens when you develop defense tools that randomize the name of the executable and/or the service or drivers required to run each time they are run?

      What happens when you install a dead man's switch service when the AV/EDR executable/service/driver are otherwise disabled or removed entirely?

      da_667 (da_667@infosec.exchange)'s status on Friday, 18-Apr-2025 15:12:43 JST
      in reply to
      • Viss

      @mttaggart @Viss what happens when you hide your dead man's switch service into shit like service accounts with non-printable ascii characters? What happens when you store the dead man's switch into an alternate data stream?

      Viss (viss@mastodon.social)'s status on Friday, 18-Apr-2025 15:12:44 JST

      @mttaggart that sort of stuff works the best if it's 100% out of band and can't be touched or modified by the attacker. if they have the box, they have the ram. and if they're good, your hands are tied. you have no choice but to go out of band

      Taggart :donor: (mttaggart@infosec.exchange)'s status on Friday, 18-Apr-2025 15:12:44 JST
      in reply to
      • Viss

      @Viss I don't disagree, but "if they're good" is not most of the time (at least in my world), and then we're in perfect as enemy of the good territory. I really do think there's value in a more deceptive approach to active defense.

      Taggart :donor: (mttaggart@infosec.exchange)'s status on Friday, 18-Apr-2025 15:12:44 JST
      in reply to
      • Viss

      @Viss Additional context: our response time is good enough that I often find myself in knife fights with the TA on a system. But there's lots of room for improvement. I want to increase visibility on the field and make the terrain actively hostile to the adversary without them knowing it.

      Viss (viss@mastodon.social)'s status on Friday, 18-Apr-2025 15:12:45 JST

      @mttaggart yes, home assistant :D

      are we talking about environmental controls, or presence detection? thermiting drives? how hard do you wanna go?

      Taggart :donor: (mttaggart@infosec.exchange)'s status on Friday, 18-Apr-2025 15:12:45 JST
      in reply to
      • Viss

      @Viss To be really clear, I am talking about computers not physical defense.

      I was thinking more about something that does better than EDR at getting good data going, and that isn't where the TAs will look to kill. Something that kicks off packet capture and like Velociraptor under certain conditions.

      Viss (viss@mastodon.social)'s status on Friday, 18-Apr-2025 15:12:45 JST

      @mttaggart so like, pci leech to suck ram out of a box out of band to another host on a trigger?

      Taggart :donor: (mttaggart@infosec.exchange)'s status on Friday, 18-Apr-2025 15:12:45 JST
      in reply to
      • Viss

      @Viss I wasn't thinking about hardware, but maybe. I was more in the space of like, an aggressive software tripwire that fires off the fallback defense in the event that EDR is tampered with or some other condition.

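A defender's sketch of the software tripwire Taggart describes here and the dead man's switch da_667 raised earlier in the thread: a watchdog that notices when the primary agent (EDR) stops running and fires a fallback response once. This is an added illustration, not code from the thread participants or from bluebpf; the process names are constructed placeholders, the /proc scan is Linux-specific, and the fallback is a caller-supplied callable (start packet capture, alert out of band, etc.).

```python
import os
import time
from dataclasses import dataclass
from typing import Callable, Set

@dataclass
class Tripwire:
    expected_procs: Set[str]      # the EDR agent's process names (constructed)
    misses_to_fire: int = 3       # debounce against ordinary agent restarts
    consecutive_misses: int = 0
    fired: bool = False

    def evaluate(self, running: Set[str]) -> bool:
        """Return True exactly once, on the poll that trips the wire."""
        if self.expected_procs <= running:
            self.consecutive_misses = 0   # all defenders alive: reset
            return False
        self.consecutive_misses += 1
        if self.consecutive_misses >= self.misses_to_fire and not self.fired:
            self.fired = True
            return True
        return False

def running_process_names() -> Set[str]:
    """Collect process names from /proc/<pid>/comm (Linux); empty set elsewhere."""
    names: Set[str] = set()
    if not os.path.isdir("/proc"):
        return names
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm") as f:
                names.add(f.read().strip())
        except OSError:
            continue   # process exited mid-scan
    return names

def watch(tripwire: Tripwire, fallback: Callable[[], None],
          collector: Callable[[], Set[str]] = running_process_names,
          interval: float = 5.0, max_polls: int = 0) -> int:
    """Poll until the wire trips (or max_polls, 0 = forever); return polls done."""
    polls = 0
    while max_polls == 0 or polls < max_polls:
        polls += 1
        if tripwire.evaluate(collector()):
            fallback()   # e.g. start packet capture, alert out of band
            return polls
        time.sleep(interval)
    return polls
```

The watchdog itself is only as strong as its own survival, which is the point Viss makes below about going out of band; at minimum run it under a different name and account than the agent it guards.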
      Taggart :donor: (mttaggart@infosec.exchange)'s status on Friday, 18-Apr-2025 15:16:23 JST
      in reply to
      • Viss
      • da_667
      • Ryan Castellucci :nonbinary_flag:

      @ryanc @da_667 @Viss I'll try to whip that one into shape soon. Here are a few other toys I cobbled together, including SSH session spying and instakilling shells from service accounts. https://codeberg.org/mttaggart/bluebpf

      Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 18-Apr-2025 15:16:35 JST
      in reply to
      • Viss
      • da_667

      @da_667 @mttaggart @Viss I actually used that quote in my ShmooCon presentation, lol. It was in reference to completely pwning bots with client side JavaScript.

      I have since gotten better at it. Using DOM APIs? Cool, I can dump your source code and exfiltrate it over a custom encrypted channel with forward secrecy, your logs will tell you fuckall about what I did.

      Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 18-Apr-2025 15:18:33 JST
      in reply to
      • Viss
      • da_667

      @mttaggart @da_667 @Viss when my team played in defcon CTF I deployed a tool that intercepted most system binaries and checked their process ancestry to decide whether they'd be allowed to run. We didn't score many points for offense, but most of the other team's exploits got them jack shit, lol

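A defender's sketch of the process-ancestry gate Ryan describes above, added here and not his tool: the wrapped binary walks its parent chain and refuses to run a shell under a service that should never spawn one. The /proc walk is Linux-specific, and the denied-ancestor and shell lists are constructed placeholders for whatever policy fits the host.

```python
import os
from typing import List

# Constructed policy for illustration: services that should never spawn an
# interactive shell, and the shell binaries the gate cares about.
DENIED_SHELL_ANCESTORS = {"nginx", "apache2", "php-fpm", "java", "node"}
SHELLS = {"sh", "bash", "dash", "zsh"}

def ancestry_chain(pid: int) -> List[str]:
    """Walk PPid links in /proc/<pid>/status up to PID 1 (Linux only),
    returning process names starting at pid, nearest first."""
    chain: List[str] = []
    while pid > 1:
        try:
            with open(f"/proc/{pid}/status") as f:
                fields = dict(line.rstrip("\n").split(":\t", 1)
                              for line in f if ":\t" in line)
        except OSError:
            break   # process vanished or file unreadable
        chain.append(fields.get("Name", "?"))
        pid = int(fields.get("PPid", "0"))
    return chain

def launch_allowed(binary: str, chain: List[str]) -> bool:
    """Gate decision: a shell may not run under a denied ancestor at any depth
    (catches nginx -> sh -> bash as well as a direct spawn); other binaries pass."""
    if binary not in SHELLS:
        return True
    return not any(name in DENIED_SHELL_ANCESTORS for name in chain)

def check_self(binary: str) -> bool:
    """Apply the gate from inside a wrapper that stands in for `binary`:
    the wrapper's parent chain is the chain that spawned the real binary."""
    return launch_allowed(binary, ancestry_chain(os.getppid()))
```

Logging the denied chain alongside the decision turns the gate into a detection source as well as a control.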
GNU social JP is a social network, courtesy of the GNU social JP administrator (GNU social JP管理人). It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.