This post was last edited by 神龟Turmi on 2023-6-15 09:39
Some additional notes:
1. Because I had not originally planned to test EMSI,
I tested BD and GDATA first and only tested EMSI a day later.
During testing I found that sample No. 4, which BD's signatures had originally missed, was now caught by a generic signature (still detected after recompiling).
Including EMSI in the test would therefore be unfair to GDATA,
so EMSI is not part of this test, and I will not test other BD-engine products either. Please take note.
2. The initial Norton test used a 60-day OEM build that could not be updated to the latest version. Thanks to the two forum members who pointed this out; it has been retested.
The retest used payloads that were all regenerated or recompiled (sample suffix -D).
Original result 3/10, retest result 8/10.
Screenshots have been re-uploaded.
3. 360 was retested by @Yuki丶 with the 核晶 (Core Crystal) engine enabled.
The retest used the payloads regenerated or recompiled for the day-3 test (sample suffix -C).
Original result 6/10, retest result 6/10.
Since the results are the same, the screenshots were not re-uploaded.
4. Considering the requirement from the operator of the test C&C server (akamai connected cloud) that I attract as few abuse complaints as possible,
and considering that some of the samples in this test were packed with the commercial subscription version of Inceptor rather than the open-source version,
I have decided not to publish the test samples after the test ends.
If you work for a security software vendor and want the samples for post-test review, then on the condition that you guarantee not to file a complaint with akamai connected cloud,
you may send me a private message on kafan or malwaretips, and I will provide the corresponding samples and the complete generation process (not including the commercial subscription version of the Inceptor tool).
5. If Microsoft's legal team sees this post (yes, I included the URL in the DMCA withdrawal notice request, so you should be seeing this post),
I would like you to explain the following statement from your DMCA notice:
Microsoft and Fortra have conducted a detailed investigation and detected a pattern of IP addresses hosted by your company acting as command and control infrastructure for the malicious, trademark and copyright infringing use of illegal versions of software known as “Cobalt Strike.” During the Attacks illegal activity is conducted through these IP addresses by delivering malicious commands to and receiving stolen information from victim computers running Microsoft’s Windows operating system. The malicious and unlawful versions of Cobalt Strike controlled through these IP addresses are used to target victims with ransomware (i.e., Conti and Lockbit) resulting in extortion of funds and theft of sensitive information, intrusion into victims’ computers and networks, surveillance of the victims, and obfuscation of the cybercriminals’ activity. In these ways, the Attacks emanating from the IP addresses hosted by your company are causing severe business disruption and injury to Microsoft, Fortra, and their respective customers, including victims in sensitive industries such as healthcare and individual consumers. The Attacks from your company’s infrastructure are ongoing. It is also foreseeable that if your customers carrying out the illegal Attacks over the identified IP addresses are permitted to continue to use your company’s infrastructure in the future, Microsoft, Fortra, and their respective customers will as a result be subject to continued serious injury.
Why are you maliciously defaming me personally and my test plan?
One thing at a time: you say that our injecting into Windows processes and calling Windows APIs is suspected infringement; we have already removed the relevant code.
But for your malicious defamation of us, I also reserve the right to pursue a defamation claim.
Furthermore, the evidence you attached:
    // declaration of function pointer for advapi32.dll
    typedef BOOL (*AdjustTokenPrivileges)(
        HANDLE            TokenHandle,
        BOOL              DisableAllPrivileges,
        PTOKEN_PRIVILEGES NewState,
        DWORD             BufferLength,
        PTOKEN_PRIVILEGES PreviousState,
        PDWORD            ReturnLength
    );

comes from your own public documentation; it is not an undocumented API:
https://learn.microsoft.com/en-u ... justtokenprivileges
You can write it but I can't use it? I can't use it but APT groups can? You don't complain about them, you complain about me?
This is a public statement, and its purpose is to defend my legitimate rights. Whether or not you withdraw the DMCA, it will not be modified or deleted, because this is your defamation of me personally!
If you have evidence that I attacked anyone other than my own test devices (especially since you also claim I attacked and extorted the healthcare industry), provide it instead of making baseless accusations!
During this test I received 3 abuse complaints as well as Microsoft's DMCA complaint.
If this is how security software vendors treat a non-profit tester, and not one of them comes forward to apologize, this will be my last test.