by arafsheikh 2017 days ago
If I understand your comment correctly - even though the fingerprints are published, the attacker can still reverse engineer the implementation from the tools and bypass antivirus systems, at least in the near future?
3 comments

Also, fingerprints will only stop the lowest level of attackers. You can easily change binaries in a way that changes the fingerprint while the functionality remains the same. Reorder functions, add some garbage data, etc.
That makes sense. So given that the attacker is technically sophisticated in this case, what are the tangible benefits of publishing the fingerprints?

I guess one benefit might be to push the development of new detection techniques to detect the underlying implementation of these tools.

The biggest advantage is that it would allow orgs to audit all applications that have been fingerprinted within their org and see if they might have been attacked as well.
Some of the fingerprints are easily gotten around by fudging the binaries a bit. Others, like snort rules, look at things like network traffic that might not always be so easily disguised.
Fingerprints are definitely not the only way to know if a binary has been tampered with.
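The two comments above contrast fingerprints that break under trivial edits (a file hash) with ones that look at content and so survive them (a YARA-style rule, a Snort rule on traffic). The following added example, which is not from this thread or from FireEye's published countermeasures, runs both kinds of check over three constructed byte strings standing in for files: the original artefact, a variant with the same embedded string but different filler, and an unrelated benign file. The sample bytes, the hash list and the single content rule are all made up for the illustration; the point it makes is that a defender triaging files against a hash-only IoC list will miss the variant, while the content rule still flags it.

```python
import hashlib
import re

# Constructed stand-ins for files. None of these is a real tool or malware;
# the "mimikatz" string is just a marker the content rule can key on.
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 60 + b"mimikatz" + b"\x00" * 20 + b"END"
# Same embedded string, different padding and trailing junk: the kind of
# trivial change that alters a file hash without touching functionality.
VARIANT = b"MZ\x90\x00" + b"\x00" * 40 + b"mimikatz" + b"\x00" * 40 + b"JUNKJUNK" + b"END"
# Unrelated file that should not match anything.
BENIGN = b"MZ\x90\x00" + b"hello world" + b"\x00" * 30 + b"END"

SAMPLES = {"original": ORIGINAL, "variant": VARIANT, "benign": BENIGN}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash-based IoC list (constructed): a defender only knows the exact original file.
HASH_IOCS = {sha256_hex(ORIGINAL)}

# Content-based rules (constructed, YARA-style): match a byte pattern wherever it
# sits in the file, independent of surrounding bytes or total length.
CONTENT_RULES = {
    "constructed_mimikatz_string": re.compile(rb"mimikatz"),
}


def match_hash(data: bytes) -> bool:
    """True only when the whole-file hash is on the IoC list."""
    return sha256_hex(data) in HASH_IOCS


def match_content(data: bytes) -> list[str]:
    """Names of every content rule whose pattern occurs in the file."""
    return [name for name, pattern in CONTENT_RULES.items() if pattern.search(data)]


def triage(samples: dict[str, bytes]) -> dict[str, dict]:
    """Run both fingerprint types over each sample and report the hits."""
    return {
        name: {"hash_hit": match_hash(data), "content_hits": match_content(data)}
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, result in triage(SAMPLES).items():
        print(f"{name:9s} hash_hit={result['hash_hit']!s:5s} content_hits={result['content_hits']}")
```

Running it shows the hash check flagging only the original, the content rule flagging original and variant, and nothing firing on the benign file. That is the trade-off an auditing team faces when it takes a published fingerprint list into its own environment: hashes are cheap and have no false positives, but any edit to the file defeats them, so the content and network rules are the ones worth deploying for coverage.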
Sure, but they could already reverse mimikatz; having another implementation from FireEye doesn't really help.
You don't need to reverse mimikatz, it's open source.
A nation-state actor likely already knows most of (if not all) the techniques being used by FireEye. If they were really a nation-state actor then they were likely after the insight into sensitive networks rather than the tools imo.