@ImposeCost - Andrew Thompson
Many years ago, a SOC analyst concluded that because anti-virus caught the malware, the threat was mitigated. This mentality was instilled in them of course. It's all just happy little viruses floating around the internet, right? Wrong. The malware was MIMIKATZ.
@ImposeCost - Andrew Thompson
First of all, calling a binary MIMIKATZ is context. That name is a label given to a set of code that, when arranged and compiled into a binary, provides a set of capabilities. You either know the significance of "MIMIKATZ" or you will need to look it up. It is taken for granted that…
@ImposeCost - Andrew Thompson
The analyst clearly didn't understand at a high level what MIMIKATZ is used for and in what phase of an intrusion. It was just another computer virus to them. Thankfully, someone with a more mature understanding of intrusions advised them that MIMIKATZ doesn't generally just pop…
@ImposeCost - Andrew Thompson
That anti-virus fired is great. That anti-virus provided an accurate label for the binary is even better. However, it was on the analyst to seek additional knowledge about the significance of MIMIKATZ. Really, this is modern foundational stuff if you work in the intrusion space.
@ImposeCost - Andrew Thompson
Giving things names is a way to catalogue information. You are essentially attributing a binary to specific software, and that name has meaning because of the additional knowledge that accompanies it. "MIMIKATZ" can be called whatever, as long as you can quickly index a body of…
@ImposeCost - Andrew Thompson
I think most people agree that labeling, or "attributing," a set of code to a specific software (malware) is useful information. MIMIKATZ instantly tells you a bunch more about what is likely going on than a generic malware disposition does. Now apply that understanding to…
@ImposeCost - Andrew Thompson
In other words, if you can see that assigning a name to a piece of code has utility in defense, then you are 95% of the way towards understanding why assigning a name to a collection of tools, activity, infrastructure, and at times people and organizations is beneficial.
@ImposeCost - Andrew Thompson
A slight branch off of this is also related to MIMIKATZ, but it takes a different turn. A researcher I was working with was digging into some binaries. They were definitively MIMIKATZ. They were code signed with a specific certificate. More binaries are found, more detections…
@ImposeCost - Andrew Thompson
There's a bunch of points in this thread: 1) Software is written and deployed by humans with intent. When that intent is malicious, it's called malware. 2) Names are assigned to things to provide context, meaning, and significance. When binaries lack known author assigned…
@ImposeCost - Andrew Thompson
When I say attribution matters, I mean the whole thing. Your personal use cases will change how much you value various granularity and confidence. That said, be cautious about using your personal use cases as the standard for what does and doesn't matter big picture.
@ImposeCost - Andrew Thompson
I forgot to add, it is my view that MIMIKATZ is malware. That view is my own and it isn't universal. 😂
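The two ideas in the thread (a family label carries triage context that a generic "malware" verdict does not, and a shared artifact such as a code-signing certificate lets you pull separate detections into one named cluster) can be shown as a small triage script. This is an added example, not code from the thread's author. Every detection record, host name, hash, AV verdict string and certificate thumbprint in it is constructed for illustration; the only real-world knowledge it encodes is that Mimikatz is a credential-dumping tool (ATT&CK T1003), which runs after an attacker already has code execution on the host.

```python
"""Added example: turn AV verdicts into triage context and activity clusters.

All sample detections below are constructed; the hashes, verdict strings and
certificate thumbprints are not real indicators.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Knowledge attached to a family label. The MIMIKATZ entry reflects widely
# documented behaviour; it is why the label, and not a generic verdict, should
# drive what the analyst does next.
FAMILY_CONTEXT = {
    "MIMIKATZ": {
        "capability": "credential dumping from LSASS memory",
        "attack_technique": "T1003",
        "phase": "post-exploitation",
        # A credential dumper only runs once the attacker already executes code
        # on the host, so "AV blocked the file" is not "threat mitigated".
        "implies_prior_access": True,
    },
}


@dataclass(frozen=True)
class Detection:
    host: str
    sha256: str
    av_label: str                    # verdict string as the AV product emitted it
    signer_thumbprint: Optional[str]  # Authenticode signer cert, None if unsigned


def family_from_label(av_label: str) -> Optional[str]:
    """Normalise a vendor verdict to a family name we hold context for."""
    upper = av_label.upper()
    for family in FAMILY_CONTEXT:
        if family in upper:
            return family
    return None


def triage(det: Detection) -> dict:
    """Decide, from the label alone, whether this alert can be closed as handled."""
    family = family_from_label(det.av_label)
    ctx = FAMILY_CONTEXT.get(family) if family else None
    if ctx is None:
        return {"family": None, "disposition": "generic malware", "escalate": False}
    return {
        "family": family,
        "disposition": ctx["capability"],
        "technique": ctx["attack_technique"],
        "phase": ctx["phase"],
        "escalate": ctx["implies_prior_access"],
    }


def cluster_by_artifact(detections):
    """Link detections that share a file hash or a signer certificate (disjoint set)."""
    parent = list(range(len(detections)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}
    for i, d in enumerate(detections):
        for artifact in (("sha256", d.sha256), ("signer", d.signer_thumbprint)):
            if artifact[1] is None:
                continue  # an unsigned binary is not a shared artifact
            if artifact in first_seen:
                union(first_seen[artifact], i)
            else:
                first_seen[artifact] = i

    groups = defaultdict(list)
    for i, d in enumerate(detections):
        groups[find(i)].append(d)
    return list(groups.values())


def summarize_clusters(detections):
    """Name each cluster and inherit the strongest triage verdict across its members."""
    summary = []
    for n, group in enumerate(cluster_by_artifact(detections), start=1):
        summary.append({
            "name": f"CLUSTER-{n}",  # placeholder name; the point is that it indexes the context
            "hosts": sorted({d.host for d in group}),
            "families": sorted({family_from_label(d.av_label) or "unknown" for d in group}),
            "signers": sorted({d.signer_thumbprint for d in group if d.signer_thumbprint}),
            # A generic verdict sharing a signing cert with a MIMIKATZ binary gets escalated too.
            "escalate": any(triage(d)["escalate"] for d in group),
        })
    return summary


# Constructed sample alerts (not real hosts, hashes, verdicts or certificates).
SAMPLE_DETECTIONS = [
    Detection("WS-0142", "a1" * 32, "HackTool.Mimikatz.Gen", "CERT-THUMB-7F3A"),
    Detection("SRV-DC01", "b2" * 32, "Trojan.Generic.KD", "CERT-THUMB-7F3A"),  # same signer, vague label
    Detection("WS-0377", "b2" * 32, "Trojan.Generic.KD", "CERT-THUMB-7F3A"),   # same hash, second host
    Detection("WS-0911", "c3" * 32, "Mimikatz.A", None),                       # unsigned, stands alone
    Detection("WS-0555", "d4" * 32, "Adware.Bundler", None),
]

if __name__ == "__main__":
    for cluster in summarize_clusters(SAMPLE_DETECTIONS):
        print(cluster)
```

Run as written, the generic verdict on SRV-DC01 ends up in the same cluster as the MIMIKATZ binary because it carries the same signer thumbprint, and the cluster inherits the escalation, which is the practical payoff of naming the collection rather than each file in isolation.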