Double Your Threat Blocking in 90 Days
Read More
Picus Labs Red Team & Süleyman Özarslan, PhD | December 10, 2020
We have been routinely reading about new breaches this year, but this last incident is different from all others we have heard so far. FireEye, like all security vendors, fighting for a good cause. We support FireEye and we think that their response so far very mature and transparent sharing countermeasures to detect the use of their stolen tools.
We know that in such a situation and in a limited time, it is not easy to build all possible countermeasures. So we are also doing our best to support the community, sharing analysis, and additional countermeasures to help organizations to validate and improve their security posture for the possible use of the leaked Red Team tools against them.
Executive Summary
In this article, we analyzed 60 tools stolen from FireEye Red Team’s arsenal to understand the impact of this breach. We found that:
FireEye also announced that exploits of 16 vulnerabilities were also stolen. But there is no room for a big concern regarding these vulnerabilities and their exploits since they are already well-known.
At first, this breach remained the stolen NSA hacking tools published in the Shadow Brokers leak. A couple of high severity 0-day exploits were released in the NSA breach. These 0-day exploits caused severe security incidents worldwide, such as WannaCry and NotPetya. However, stolen tools and exploits in the FireEye breach utilizes known attack techniques. Our analysis shows that this breach will not have high impact on organizations.
Still, countermeasures should be taken against the stolen tools since they are frequently used by threat actors. In our new blog post, "It is Time to Take Action - How to Defend Against FireEye’s Red Team Tools", we shared our comprehensive Blue Team recommendations, our detection contents as SIGMA and vendor-specific queries, and also vendor-based prevention signatures related to defending against FireEye Red Team tools.
Stolen Red Team Tools
FireEye has not shared details about what the stolen red team tools do. The Red and Blue Team analysts of Picus Labs analyzed the compromised tools to reveal the functionalities and possible impacts of these tools.
We categorized these tools into four sets:
The below chart shows the distribution of stolen red team tools according to the above categories.
In addition to the red team tools, there are also exploit payloads affected by the incident. Leaked payloads exploit the following list of vulnerabilities. According to FireEye's report, leaked payloads do not include a 0-day exploit.
CVE Number |
Vulnerability Type |
Affected Product |
CVSS |
Picus ThreatID |
CVE-2014-1812 |
Privilege Escalation |
Windows |
9.0 |
|
CVE-2016-0167 |
Privilege Escalation |
Microsoft Windows |
7.8 |
|
CVE-2017-11774 |
Remote Code Execution |
Microsoft Outlook |
7.8 |
|
CVE-2018-13379 |
Pre-auth Arbitrary File Read |
Fortigate SSL VPN |
9.8 |
545960 |
CVE-2018-15961 |
Remote Code Execution |
Adobe ColdFusion |
9.8 |
|
CVE-2019-0604 |
Remote Code Execution |
Microsoft Sharepoint |
9.8 |
365560 836508 |
CVE-2019-0708 |
Remote Code Execution |
Windows Remote Desktop Services (RDS) |
9.8 |
689860 |
CVE-2019-11510 |
Pre-auth Arbitrary File Read |
Pulse Secure SSL VPN |
10.0 |
575541 |
CVE-2019-11580 |
Remote Code Execution |
Atlassian Crowd |
9.8 |
|
CVE-2019-19781 |
Remote Code Execution |
Citrix Application Delivery Controller and Citrix Gateway |
9.8 |
311195 321318 |
CVE-2019-3398 |
Authenticated Remote Code Execution |
Confluence |
8.8 |
541281 |
CVE-2019-8394
|
Pre-auth Arbitrary File Upload |
ZoHo ManageEngine ServiceDesk Plus |
6.5 |
|
CVE-2020-0688 |
Remote Code Execution |
Microsoft Exchange |
8.8 |
765961 |
CVE-2020-1472 |
Privilege Escalation |
Microsoft Active Directory |
10.0 |
318083 474540 |
CVE-2018-8581 |
Privilege Escalation |
Microsoft Exchange Server |
7.4 |
|
CVE-2020-10189
|
Remote Code Execution |
ZoHo ManageEngine Desktop Central |
9.8 |
752616 |
CVE-2014-1812 |
Privilege Escalation |
Windows |
9.0 |
|
CVE-2016-0167 |
Privilege Escalation |
Microsoft Windows |
7.8 |
875573 |
CVE-2017-11774 |
Remote Code Execution |
Microsoft Outlook |
7.8 |
468843 |
CVE-2018-15961 |
Remote Code Execution |
Adobe ColdFusion |
9.8 |
764471 |
CVE-2019-11580 |
Remote Code Execution |
Atlassian Crowd |
9.8 |
|
CVE-2019-8394 |
Pre-auth Arbitrary File Upload |
ZoHo ManageEngine ServiceDesk Plus |
6.5 |
|
CVE-2018-8581 |
Privilege Escalation |
Microsoft Exchange Server |
7.4 |
|
Below chart shows the distribution of the vulnerabilities according to the vulnerability type:
FireEye frequently engages with Russian threat actors being a cybersecurity company fighting with APT groups and nation-state threat actors. According to the Washington Post, APT29 (also known as YTTRIUM, The Dukes, Cozy Bear, and CozyDuke) [2] carried out the FireEye breach [3]. However, there is no evidence to prove that.
IT company SolarWinds announced on Sunday that the SolarWinds Orion network monitoring product has been tampered by a state-sponsored threat actor via embedding backdoor code into a legitimate SolarWinds library [31]. This leads to the attacker having remote access into the victim’s environment and a foothold in the network, which can be used by the attacker to obtain privileged credentials. Today, SolarWinds breach is connected to the FireEye breach, and suspicions on Russia increased [32].
Picus Labs’ Blue Team prepared a list of recommendations for preventing and detecting the stolen tools and exploits.
Mitigating Vulnerabilities
Assess your systems against vulnerabilities listed in the above section using vulnerability scanning and monitoring tools. If there are any gaps you haven't patched yet, you must fix them, and you should check if they have been abused in your systems.
Compromise Assessment
You can conduct compromise assessments on your systems by using released Yara rules by FireEye [4]. To utilize Yara rules, you can use an open-source Yara scanning tool or enterprise product and distribute it to the endpoints on your systems, then add the rules and get the results. Moreover, you can use IoCs included in Yara rules and search them in your SIEM environment.
To prevent and detect future related threats, you can add IOCs given in this report to your security products, such as EDR, EPP, and SIEM. However, keep in mind that these IoCs can easily be changed by adversaries.
Fore more detailed recommendations and our detection contents as SIGMA and vendor-specific (ArcSight, Carbon Black, QRadar, and Splunk) queries, and also vendor-based (CheckPoint, Cisco, Citrix, Fortinet, F5, McAfee, ModSecurity, Palo Alto Networks, Snort, Trend Micro) prevention signatures read our new blog post, "It is Time to Take Action - How to Defend Against FireEye’s Red Team Tools".
The Picus Threat Library includes most of the stolen tools, and the Picus Mitigation Library contains actionable mitigation recommendations and detection rules. Picus Labs’ Red Team and Blue Teams are working on missed tools and adding them and their techniques to our libraries.
So, our users have already assessed their cyber defense against most of the stolen red team tools and their attack techniques. And, they fixed the identified gaps using actionable recommendations provided by Picus platform.
These red team tools are slightly modified versions of open-source tools.
It is a credential stealer tool that hunts Active Directory credentials. There are two remarkable strings in the YARA rule [5] of this tool: Get-GPPPasswords and Get-GPPAutologons. Get-GPPPassword is a PowerShell script that retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences (GPP) [6]. Get-GPPAutologons is another PowerShell script that retrieves passwords from Autologon entries that are pushed through GPP. These scripts are used as functions in the PowerSploit, which is an offensive security framework combining PowerShell modules and scripts [7]. You can read our blog post to find out more information on the OS credential dumping technique.
MITRE ATT&CK Techniques T1552.06 Unsecured Credentials: Group Policy Preferences |
AdPassHunt IOCs 590bd7609edf9ea8dab0b5fbc38393a870b329de 29385446751ddbca27c26c43015be7ab0d548b895531fba9b03d612e53bd9ff0 |
This red team tool is based on the CobaltStrike beacon. A beacon is a CobaltStrike payload used by adversaries for several goals, such as persistence, execution, privilege escalation, credential dumping, lateral movement, and Command and Control (C2) communication over HTTP, HTTPS, DNS, SMB, and TCP protocols [8]. According to countermeasures published by FireEye, the Beacon tool uses HTTP, HTTPS, and DNS beacons. The Beacon tool utilizes built-in Windows binaries, such as msbuild.exe, Microsoft.Workflow.Compiler.exe, and regsvr32.exe to execute arbitrary payloads, and searchindexer.exe for process injection to evade defenses. It renames these binaries to avoid name-based detection rules by masquerading. You can read our blog post to find out more information about the masquerading technique.
MITRE ATT&CK Techniques T1029 Scheduled Transfer T1036.003 Masquerading: Rename System Utilities T1036.004 Masquerading: Task or Service T1036.005 Masquerading: Match Legitimate Name or Location T1574.002 Hijack Execution Flow: DLL Side-Loading T1047 Windows Management Instrumentation T1072 Software Deployment Tools T1059.003 Command and Scripting Interpreter: Windows Command Shell |
CobaltStrike Beacon IOCs 03a8efce7fcd5b459adf3426166b8bda56f8d8439c070b620bccb85a283295f4 |
Picus Threat Library 853411 CobaltStrike Beacon used by OceanLotus Threat Group .DLL File Download Variant-1 748618 CobaltStrike Beacon Hack Tool used in Military Themed Campaign .EXE File Download Variant-1 649065 CobaltStrike Backdoor Malware .EXE File Download Variant-1 655930 CobaltStrike Backdoor Malware used by OceanLotus Threat Group .EXE |
Beltalowda is a red team tool based on an open-source utility, SeatBelt. SeatBelt conducts a variety of security-oriented "safety checks" from both offensive and defensive security viewpoints related to the host survey [9].
Beltalowda / SeatBelt IOCs d80b7a31d68b5f483073ff7af0984c1090f6a493f84db7d3a301e3e35fdb4a56 |
Picus Threat Library 830665 Information Gathering from Browsers using Seatbelt Variant-2 346711 Information Gathering by using Seatbelt Variant-3 |
Dtrim is a modified version of SharpSploit, which is an open-source .NET post-exploitation library written in C# [10]. SharpSploit ported modules of PowerShell post-exploitation frameworks like PowerSploit and other tools such as Mimikatz.
Picus Threat Library 841093 Process Injection by using Powersploit's Invoke-DllInjection Function 853912 Credential Dumping via SharpSploit’s Mimikatz Script Attack Scenario 322981 Information Gathering Scenario using Sharpsploit 778874 Credential Dumping by using Sharpsploitconsole and Sharpcradle 430106 Credential Dumping by using SharpSploit Library (compiled by SharpGen) |
EWS-RT is based on an open-source PowerShell tool, RT-EWS [11], which is a couple of cmdlets leveraging EWS (Exchange Web Services) API to perform specific enumeration and exploitation tasks on Microsoft Exchange Servers including Office365 and on-premise servers.
Fluffy is a modified version of Rubeus, which is an open-source C# toolkit for raw Kerberos interaction and abuses [12]. Red teams use Rubeus for Kerberoasting attacks and extracting Kerberos tickets [13].
MITRE ATT&CK Techniques T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting |
Fluffy IOCs (SHA1) 8bebf19d54c749560301eaada2e92eb240501b8c |
G2JS (GadgetToJScript) is an open-source tool for generating .NET serialized gadgets that can trigger .NET assembly load and execution when deserialized using BinaryFormatter from JS, VBS, and VBA scripts [14]. G2JS was created mainly for automating Microsoft Windows Script Host (WSH) scripts weaponization during red team engagements.
MITRE ATT&CK Techniques T1059.005 Command and Scripting Interpreter: Visual Basic T1059.007 Command and Scripting Interpreter: JavaScript/JScript |
G2JS IOCs (SHA256) dcce258cc818febe2b888c8eee42aa95393b2fb4f1f2406330840ab8ad5c7d50 eed9402cb6fdc047b12f67493ba10970155a00086918eaad9542ab24096cc715 398afc4c33e00b26466abb87668e33be766dbbf4c493fe04d180a14d14a32fa3 da3bdb6b9348a8d9328e669c744d0f21a83937c31894245e3157121342efe52c cdabbe815b7aafa94469b97fa3665137c4d5b2da4fdd7648ba2851cf2df214fc f8c8bb2ac03cc2a037ddde4ad175aa05aa80277483fcdac42627fbdcc36f64ba fd2e546faed7426c448d1a11d8e1d4b8a06b5148c9c8dfa780338fac2ab53c5b 0b8eab0a1961c52c141ac058c11e070d724d600cf903f2457c8ed189e7aae047 117b9c9127beaf2e3ce7837c5e313084fd3926f1ebf1a77563149e08347cb029 |
Picus Threat Library |
ImpacketObf (ImpacketObfuscation) is a collection of obfuscated Impacket utilities. Impacket is an open-source collection of Python classes for working with network protocols [15].
This tool is based on Impacket’s smbexec.py tool.
This tool is based on Impacket’s wmiexec.py tool.
MITRE ATT&CK Techniques |
InveighZero is an open-source spoofer and man-in-the-middle (MitM) attack tool designed to assist red teamers and penetration testers [16], [17]. It can spoof LMNR, NBNS, mDNS, DNS, and DHCPv6 protocols.
MITRE ATT&CK Techniques |
InveighZero IOCs (SHA256) 78fafeb22bf31de02a4b56114e86dcc3394e382658a5c95b1a302d3d8794718d |
Picus Threat Library |
KeeFarce is an open-source tool that extracts KeePass 2.x password database information from memory [16]. It uses DLL injection to execute code within the context of a running KeePass process.
MITRE ATT&CK Techniques |
KeeFarce IOCs (SHA256) 5ea9a04284157081bd5999e8be96dda8fac594ba72955adacb6fa48bdf866434 |
Picus Threat Library |
This tool injects C# .NET assemblies into arbitrary Windows processes. It is based on an open-source tool, NET-Assembly-Inject-Remote [18] .
Picus Threat Library |
NoAmci is an open-source tool that uses DInvoke to patch AMSI.dll to bypass AMSI (Windows Antimalware Scan Interface) detections [19].
Picus Threat Library |
PuppyHound is a modified version of an open-source tool, SharpHound [20]. It is the C# data collector for the BloodHound Project [21].
PuppyHound / SharpHound IOCs (SHA256) 23490f7ac40b6b15c228ed8f8e9122d460469aa4025ed7008660e4310ef7e70f |
Picus Threat Library |
Rubeus is an open-source C# toolkit for raw Kerberos interaction and abuses [12]. Red teams use Rubeus for Kerberoasting attacks and extracting Kerberos tickets [13].
MITRE ATT&CK Techniques T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting |
Rubeus IOCs (SHA256) a729d51f3deff5065e4978df2f88517d26e0d5db542c9cf8501a4206d8d2432c |
Picus Threat Library 479855 Kerberoasting Attack by using Rubeus Tool 217117 Kerberoasting Attack by using Rubeus Tool Variant-2 893519 Pass the Hash by using Rubeus Tool (1.5.0) with asktgt Module (Pass The Key) 789965 Kerberoasting Attack by using Rubeus Tool (1.5.0) 509384 AS-REP Roasting Attack by using Rubeus Tool |
SafetyKatz is a combination of Mimikatz and .NET PE Loader [22]. It creates a minidump of LSASS and uses PELoader to load a customized version of Mimikatz for credential dumping.
MITRE ATT&CK Techniques |
SafetyKatz IOCs (SHA256) 2b3cab071ca6f104377a7684eb586150fdec11df2dc8cebcb468f57a82f10c73 |
Picus Threat Library 549536 Credential Dumping by using SafetyKatz Tool Variant-2 764801 Mimikatz Execution with Evasion by using BetterSafetyKatz 779384 Credential Dumping using SafetyKatz Tool with AmsiScanBufferBypass |
It is an open-source collection of red team utilities written in C# language [23].
It is an open-source exploit for the Zerologon vulnerability (CVE-2020-1472) [24]. It exploits the cryptographic vulnerability in Netlogon to bypass authentication.
SharpZeroLogon IOCs (SHA256) c4a97815d2167df4bdf9bfb8a9351f4ca9a175c3ef7c36993407c766b57c805b |
Picus Threat Library |
TitoSpecial is based on an open-source tool AndrewSpecial, which is a credential stealer. It dumps credentials from LSASS memory. We explained this technique in our Credential Dumping blog.
MITRE ATT&CK Techniques |
TitoSpecial / AndreSpecial IOCs (SHA256) 7bcf833ab795b3a2cbd5df2e8caf5d664534b4623d0864dda73222dc47c56ec7 |
Picus Threat Library |
This tool is based on an open-source tool, Rural Bishop [25].
TrimBishop / RuralBishop IOCs (SHA256) 38e7e5250287542688b12e216d9b25388061decde2f7255969a7a914cda0faf4 |
Picus Threat Library 754289 TrimBishop (FireEye) RAT .EXE File Download Variant-5 451090 TrimBishop (FireEye) RAT .EXE File Download Variant-4 854677 TrimBishop (FireEye) RAT .EXE File Download Variant-3 759601 TrimBishop (FireEye) RAT .EXE File Download Variant-2 746754 TrimBishop (FireEye) RAT .EXE File Download Variant-1 |
These tools use built-in Windows binaries known as LOLBINs (Living Off The Land Binaries) [1].
DueDLLigence is a shellcode runner framework previously published by FireEye[26]. Red Teams use it for application whitelisting bypass and DLL side-loading. It utilizes built-in Windows binaries Control.exe (Windows Control Panel), Rasautou.exe (Remote Access Dialer), and msiexec.exe (Microsoft Installer Executable) to bypass applications.
MITRE ATT&CK Techniques T1218.002 Signed Binary Proxy Execution: Control Panel T1218.007 Signed Binary Proxy Execution: Msiexec |
DueDLLinge IOCs (SHA256) 9ff0c4211b7e0b6b9789c4a8576a5e2d1085ca729047a97518f46073ba558956 |
Picus Threat Library 288390 DueDLLigence (FireEye) RAT .DLL File Download Variant-4 380893 DueDLLigence (FireEye) RAT .DLL File Download Variant-3 664528 DueDLLigence (FireEye) RAT .DLL File Download Variant-2 755632 DueDLLigence (FireEye) RAT .DLL File Download Variant-1 |
This red team tool is based on the MSBuild (Microsoft Build Engine), which is a platform for building applications [27]. It is used to compile and execute code and bypass the Application Whitelisting (AWL).
MITRE ATT&CK Techniques T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild |
Picus Threat Library 395873 Parent PID Spoofing using APC Queue Code Injection 817545 Mimikatz Execution using MSBuild Task Property |
This tool is based on Netsh.exe, which is a Windows tool used to manipulate network interface settings. Netsh.exe is used by adversaries and red teamers to execute a .dll file.
MITRE ATT&CK Techniques T1546.007 Event Triggered Execution: Netsh Helper DLL |
This is a collection of tools that utilize built-in Windows binaries dism.exe, searchprotocolhost.exe, and werfault.exe for Process Injection.
MITRE ATT&CK Techniques T1055 Process Injection |
This tool uses the built-in Windows binary TSTheme.exe (TSTheme Server Module).
These tools are specifically developed for the use of FireEye’s Red Team.
DShell red team tool is a backdoor written in the D programming language. Its payload is encoded in Base64 format. According to Windows functions used by DShell, we guess it uses the process injection technique to inject its payload into a legitimate process.
DShell IOCs (SHA256): |
Picus Threat Library 679074 DShell (FireEye) Backdoor .EXE File Download Variant-4 820177 DShell (FireEye) Backdoor .EXE File Download Variant-3 657835 DShell (FireEye) Backdoor .EXE File Download Variant-2 565235 DShell (FireEye) Backdoor .EXE File Download Variant-1 |
This red team tool can dump a process directly or via its service. It is used by red teams to dump credentials from LSASS memory. You can read our Credential Dumping blog to learn the details of this technique.
MITRE ATT&CK Techniques T1003.001 OS Credential Dumping: LSASS Memory |
Excavator IOCs (SHA256): efb533249f71ea6ebfb6418bb67c94e8fbd5f2a26cbd82ef8ec1d30c0c90c6c1 |
3.2 Excavator Excavator IOCs (SHA256) kutusu altına:Picus Threat Library 470104 Excavator (FireEye) Infostealer .DLL File Download Variant-1 |
Picus Threat Library 624090 Excavator (FireEye) Infostealer .DLL File Download Variant-2 244487 Excavator (FireEye) Infostealer .EXE File Download Variant-1 470104 Excavator (FireEye) Infostealer .DLL File Download Variant-1 |
It is a reconnaissance tool that obtains the password policy for an Active Directory domain.
It is a reconnaissance tool that retrieves Group Policy configurations.
It is a tool developed in-house for Fireeye’s Red Team that is used for persistence.
LNKSmasher is a tool that generates malicious .LNK files. LNK is a file format used for shortcut files that point to an executable file. This red team tool can embed an arbitrary payload in an LNK file.
MITRE ATT&CK Techniques T1547.009 Boot or Logon Autostart Execution: Shortcut Modification T1204.002 User Execution: Malicious File |
LuaLoader is a red team tool that can load arbitrary codes written in the Lua language. It is a tool developed in-house for Fireeye’s Red Team.
Matryoshka is a tool written in the Rust programming language. It is a multi-stage tool. After downloading the first-stage payload, it runs the second-stage malware via its dropper and installs the real payload. It uses the process hollowing technique [28] to evade defenses.
The MemComp tool is used for in-memory compilation.
MOFComp (MOF Compiler) is a built-in Windows tool that parses a file containing MOF (Managed Object Format) statements and adds the classes and class instances defined in the file to the WMI (Windows Management Instrumentation) repository [29].
MITRE ATT&CK Techniques T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription |
PGF is a backdoor development framework that utilizes several LOLBINs, such as Netsh, InstallUtil, Regasm, RunDLL32, Control, and Cstmp.exe.
MITRE ATT&CK Techniques T1218.001 Signed Binary Proxy Execution: Compiled HTML File T1218.002 Signed Binary Proxy Execution: Control Panel T1218.003 Signed Binary Proxy Execution: CMSTP T1218.004 Signed Binary Proxy Execution: InstallUtil T1218.005 Signed Binary Proxy Execution: Mshta T1218.007 Signed Binary Proxy Execution: Msiexec T1218.008 Signed Binary Proxy Execution: Odbcconf T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm T1218.010 Signed Binary Proxy Execution: Regsvr32 T1218.011 Signed Binary Proxy Execution: Rundll32 T1216.001 Signed Script Proxy Execution: PubPrn T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control T1036.005 Masquerading: Match Legitimate Name or Location T1055 Process Injection T1574.002 Hijack Execution Flow: DLL Search Order Hijacking T1574.002 Hijack Execution Flow: DLL Side-Loading |
PGF IOCs (SHA256) 1208a9fcee5cf7522676427a7b8ceb6d49f7fcb6295f759b8cda0c3b3066a7e1 |
Picus Threat Library 573139 PGF (FireEye) Hacking Tool .EXE File Download Variant-3 819174 PGF (FireEye) Hacking Tool .EXE File Download Variant-2 674310 PGF (FireEye) Hacking Tool .EXE File Download Variant-1 |
It is a red team tool that discovers and exploits misconfigurations in Windows Deployment Services (WDS).
RedFlare is a Trojan development framework that includes builder, controller, downloader, and keylogger. It can generate Trojans for Windows and Linux systems.
RedFlare IOCs (SHA256): 037a51ea69153ce7044f85bb11d54f825b9fed904dac1b7c3f505c50cc8a43ab 42192e9df6321af2a1039a2353f1abe2aa53174582c7623cb1e42c9accc24720 11ddfdf2f102cb1518c0dc8d9021d8c16c9da3ae1b99ff3abc77467e7709ef23 dd5157b908d14f09cedc7ce687056a57a883fd796624e42f731c57630d7b43b4 34acd86d85b018feecc9adcd7985f15678306f518c21fcd6b34d62b27521fea5 4b3629ff14f5dc465d628cadc2f0c0b7503979078b1f9559fc35f6b0b1c7299d 7ecb85692b45c28300144c1451ef9e94cdd1964f40cd809e4b9b423581b2843e 9033aff8650ff5236b696561f7b0546581c74d715301a22584fdfca59ec444a2 68e376573d59d8f4e626d34df4ed8c16bae409fd95ca5f7215c9e483422ea429 8118b4c86db92483bf20e466f3ff664a4ea25e728a480282b498e95673bbb4f5 546a7635330fdefc2a084483eb2a43187d302de5bdfbe7a36364f8ed019f8f36 914cb1bcb371622923ac70bea30eb9bd6ff6f75c189d110de0be6adc30002157 28d9875c987188f940606459fd9b9dd65df224dfeb31e552e5b564a71b1eb7ce ed2898dbbb1c9f3ba50adb64d17b1ce4ab31b3b0b8e18160ec6b6800f3922f9b 312ca68ff36542efe4f4b545230fc579269b477ec59f735081f395a5094c55c2 |
Picus Threat Library 809371 RedFlare (FireEye) Hacking Tool .EXE File Download Variant-3 207277 RedFlare (FireEye) Hacking Tool .EXE File Download Variant-2 867336 RedFlare (FireEye) Hacking Tool .EXE File Download Variant-1 |
GoRAT is a RAT (Remote Access Trojan) written in the Golang programming language.
GoRAT IOCs (SHA256) 1381107c1f473b3dce170356158be445afc76ec3c0661d8429ef1f5a591e76f0 |
It is a Microsoft Office macro malware template that includes malicious VBA (Visual Basic for Application) codes.
ResumePlease IOCs (SHA256) 1866449e8ad2c55240eafdf14fc835138ca3e99a7b180c2150cef047868f56cc |
Picus Threat Library |
It is a Windows persistence toolkit written in C# for FireEye Red Team [30]. It provides persistence via several methods, such as modifying registry run keys, adding payload to the startup folder, and adding a new scheduled task that runs on each startup.
MITRE ATT&CK Techniques T1546.015 Event Triggered Execution: Component Object Model Hijacking T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1047 Windows Management Instrumentation T1053.005 Scheduled Task/Job: Scheduled Task |
SharPersist IOCs (SHA256) e9711f47cf9171f79bf34b342279f6fd9275c8ae65f3eb2c6ebb0b8432ea14f8 |
Picus Threat Library 478660 SharpPersist (FireEye) Hacking Tool .EXE File Download Variant-3 286882 SharpPersist (FireEye) Hacking Tool .EXE File Download Variant-2 479515 SharpPersist (FireEye) Hacking Tool .EXE File Download Variant-1 |
SharPivot is a .NET console application. This red team tool executes commands on a remote target for lateral movement by utilizing DCOM (Distributed Component Object Model)
MITRE ATT&CK Techniques T1559.001 Inter-Process Communication: Component Object Model T1059.003 Command and Scripting Interpreter: Windows Command Shell |
It is a persistence tool written in C# that utilizes the scheduled task feature of Windows.
MITRE ATT&CK Techniques |
SharpStomp is a C# utility that can be used to modify creation, last access, and last write time of a file. In other words, it is a timestomping tool.
MITRE ATT&CK Techniques |
This tool is used to create malicious Microsoft Office documents using the OLE (Object Linking and Embedding) feature.
SinfulOffice IOCs (SHA256) 4c5e5e172d233680fee184643b4b79dbf1f97674807c7e40bcfaac8675016c0d |
Picus Threat Library |
WildChild is a builder tool that is used to create malicious HTA (HTML Application) files. Microsoft HTML Application Host (Mshta.exe) runs HTA files.
MITRE ATT&CK Techniques |
This tool is used to run WMI commands.
MITRE ATT&CK Techniques |
This tool includes WMI commands used in Red Team engagements.
MITRE ATT&CK Techniques |
WMISpy tool uses several WMI classes such as Win32_NetworkLoginProfile, MSFT_NetNeighbor, Win32_IP4RouteTable, Win32_DCOMApplication, Win32_SystemDriver, Win32_Share, and Win32_Process for reconnaissance and lateral movement.
MITRE ATT&CK Techniques T1021.003 Remote Services: Distributed Component Object Model |
The Yara rules published by FireEye for the following tools are specific to ProjectGuid of the tool. We hope FireEye publishes more detailed countermeasures about this tool.
4.1 AllTheThings
4.2 CoreHound
4.3 Justask
4.4 PrepShellCode
4.5 Revolver
4.6 SharpGenerator
4.7 SharpGrep
4.8 SharpSack
4.9 SharpSectionInjection
4.10 SharPy
[1] “LOLBAS.” [Online]. Available: https://lolbas-project.github.io. [Accessed: 09-Dec-2020]
[2] “APT29.” [Online]. Available: https://attack.mitre.org/groups/G0016/. [Accessed: 10-Dec-2020]
[3] E. Nakashima and J. Marks, “Spies with Russia’s foreign intelligence service believed to have hacked a top American cybersecurity firm and stolen its sensitive tools,” The Washington Post, The Washington Post, 08-Dec-2020 [Online]. Available: https://www.washingtonpost.com/national-security/leading-cybersecurity-firm-fireeye-hacked/2020/12/08/a3369aaa-3988-11eb-98c4-25dc9f4987e8_story.html. [Accessed: 10-Dec-2020]
[4] fireeye, “fireeye/red_team_tool_countermeasures.” [Online]. Available: https://github.com/fireeye/red_team_tool_countermeasures. [Accessed: 10-Dec-2020]
[5] “[No title].” [Online]. Available: https://raw.githubusercontent.com/fireeye/
red_team_tool_countermeasures/master/rules/
ADPASSHUNT/production/yara/
APT_HackTool_MSIL_ADPassHunt_2.yar. [Accessed: 09-Dec-2020]
[6] Chris and V. my C. Profile, “GPP Password Retrieval with PowerShell.” [Online]. Available: http://obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html. [Accessed: 09-Dec-2020]
[7] PowerShellMafia, “PowerShellMafia/PowerSploit.” [Online]. Available: https://github.com/PowerShellMafia/PowerSploit. [Accessed: 09-Dec-2020]
[8] “Beacon Covert C2 Payload - Cobalt Strike.” [Online]. Available: https://www.cobaltstrike.com/help-beacon. [Accessed: 09-Dec-2020]
[9] GhostPack, “GhostPack/Seatbelt.” [Online]. Available: https://github.com/GhostPack/Seatbelt. [Accessed: 09-Dec-2020]
[10] cobbr, “cobbr/SharpSploit.” [Online]. Available: https://github.com/cobbr/SharpSploit. [Accessed: 09-Dec-2020]
[11] med0x2e, “med0x2e/RT-EWS.” [Online]. Available: https://github.com/med0x2e/RT-EWS. [Accessed: 09-Dec-2020]
[12] GhostPack, “GhostPack/Rubeus.” [Online]. Available: https://github.com/GhostPack/Rubeus. [Accessed: 09-Dec-2020]
[13] “Steal or Forge Kerberos Tickets: Kerberoasting.” [Online]. Available: https://attack.mitre.org/techniques/T1558/003/. [Accessed: 09-Dec-2020]
[14] med0x2e, “med0x2e/GadgetToJScript.” [Online]. Available: https://github.com/med0x2e/GadgetToJScript. [Accessed: 09-Dec-2020]
[15] SecureAuthCorp, “SecureAuthCorp/impacket.” [Online]. Available: https://github.com/SecureAuthCorp/impacket. [Accessed: 09-Dec-2020]
[16] denandz, “denandz/KeeFarce.” [Online]. Available: https://github.com/denandz/KeeFarce. [Accessed: 09-Dec-2020]
[17] Kevin-Robertson, “Kevin-Robertson/InveighZero.” [Online]. Available: https://github.com/Kevin-Robertson/InveighZero. [Accessed: 09-Dec-2020]
[18] med0x2e, “med0x2e/NET-Assembly-Inject-Remote.” [Online]. Available: https://github.com/med0x2e/NET-Assembly-Inject-Remote. [Accessed: 09-Dec-2020]
[19] med0x2e, “med0x2e/NoAmci.” [Online]. Available: https://github.com/med0x2e/NoAmci. [Accessed: 09-Dec-2020]
[20] BloodHoundAD, “BloodHoundAD/SharpHound3.” [Online]. Available: https://github.com/BloodHoundAD/SharpHound3. [Accessed: 09-Dec-2020]
[21] BloodHoundAD, “BloodHoundAD/BloodHound.” [Online]. Available: https://github.com/BloodHoundAD/BloodHound. [Accessed: 09-Dec-2020]
[22] GhostPack, “GhostPack/SafetyKatz.” [Online]. Available: https://github.com/GhostPack/SafetyKatz. [Accessed: 09-Dec-2020]
[23] IllidanS, “IllidanS4/SharpUtils.” [Online]. Available: https://github.com/IllidanS4/SharpUtils. [Accessed: 09-Dec-2020]
[24] nccgroup, “nccgroup/nccfsas.” [Online]. Available: https://github.com/nccgroup/nccfsas. [Accessed: 09-Dec-2020]
[25] rasta-mouse, “rasta-mouse/RuralBishop.” [Online]. Available: https://github.com/rasta-mouse/RuralBishop. [Accessed: 09-Dec-2020]
[26] fireeye, “fireeye/DueDLLigence.” [Online]. Available: https://github.com/fireeye/DueDLLigence. [Accessed: 09-Dec-2020]
[27] ghogen, “MSBuild.” [Online]. Available: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild. [Accessed: 09-Dec-2020]
[28] “Process Injection: Process Hollowing.” [Online]. Available: https://attack.mitre.org/techniques/T1055/012/. [Accessed: 09-Dec-2020]
[29] stevewhims, “mofcomp.” [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp. [Accessed: 09-Dec-2020]
[30] fireeye, “fireeye/SharPersist.” [Online]. Available: https://github.com/fireeye/SharPersist. [Accessed: 09-Dec-2020]
[31] SolarWinds, SolarWinds Security Advisory, https://www.solarwinds.com/securityadvisory [Accessed: 14-Dec-2020]
[32] Reuters, Technology News, https://www.reuters.com/article/us-usa-solarwinds-cyber-idUSKBN28N0Y7 [Accessed: 14-Dec-2020]