
arafsheikh | 5 years ago

If I understand your comment correctly: even though the fingerprints are published, the attacker can still reverse engineer the implementation from the tools and bypass antivirus systems, at least in the near future?

est31 | 5 years ago

Also, fingerprints will only stop the lowest level of attackers. You can easily change binaries in a way that the fingerprint is changed but the functionality remains the same. Reorder functions, add some garbage data, etc.
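Added illustration of the point above (not code from the thread): a copy of a sample with a few bytes of padding appended has a different SHA-256, so a hash-only IoC list misses it, while a rule keyed on a byte pattern the tool needs in order to work still matches. The "binary" and the pattern are constructed stand-ins, not any real tool's bytes.

```python
import hashlib
import re

# Constructed stand-in for a tool binary: a header, some filler "code",
# and a string the tool reads at runtime (so it cannot simply be removed).
ORIGINAL = b"\x7fELF" + b"\x90" * 16 + b"RedTeamTool build 2020-12 config table" + b"\x00" * 8

# Hash-based fingerprint of the kind published as an IoC list.
HASH_IOCS = {hashlib.sha256(ORIGINAL).hexdigest()}

# Content-based rule (constructed): a byte pattern tied to functionality,
# the kind of thing a YARA rule would key on instead of a file hash.
CONTENT_RULE = re.compile(rb"RedTeamTool build \d{4}-\d{2} config table")


def hash_match(sample: bytes) -> bool:
    """Exact SHA-256 lookup against the published IoC set."""
    return hashlib.sha256(sample).hexdigest() in HASH_IOCS


def content_match(sample: bytes) -> bool:
    """Pattern match on bytes the tool needs to keep in order to work."""
    return CONTENT_RULE.search(sample) is not None


def padded_copy(sample: bytes) -> bytes:
    """The 'add some garbage data' case from the comment: functionality
    unchanged, but every whole-file hash is now different."""
    return sample + b"\xcc" * 4


def evaluate(samples: dict) -> dict:
    """Map sample name -> (hash IoC hit, content rule hit)."""
    return {name: (hash_match(s), content_match(s)) for name, s in samples.items()}


if __name__ == "__main__":
    results = evaluate({"original": ORIGINAL, "padded": padded_copy(ORIGINAL)})
    for name, (h, c) in results.items():
        print(f"{name:9s} hash_ioc={h!s:5s} content_rule={c}")
```

Running it shows the padded copy escapes the hash list but not the content rule, which is why published detections that describe behaviour or structure age better than hash lists.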

arafsheikh | 5 years ago

That makes sense. So given that the attacker is technically sophisticated in this case, what are the tangible benefits of publishing the fingerprints?

I guess one benefit might be to push the development of new detection techniques to detect the underlying implementation of these tools.

weisk | 5 years ago

Fingerprints are definitely not the only way to know if a binary has been tampered with.

mlyle | 5 years ago

Sure, but they could already reverse mimikatz; having another implementation from FireEye doesn't really help.

martinko | 5 years ago

You don't need to reverse mimikatz, it's open source.

_kbh_ | 5 years ago

A nation-state actor likely already knows most (if not all) of the techniques being used by FireEye. If they were really a nation-state actor then they were likely after the insight into sensitive networks rather than the tools imo.