Tactics, Techniques and Procedures (TTPs) Utilized by FireEye’s Red Team Tools



We have been routinely reading about new breaches this year, but this latest incident is different from all the others we have heard about so far. FireEye, like all security vendors, is fighting for a good cause. We support FireEye, and we think that their response so far has been very mature and transparent, sharing countermeasures to detect the use of their stolen tools.

We know that in such a situation, and in limited time, it is not easy to build all possible countermeasures. So we are also doing our best to support the community by sharing analysis and additional countermeasures that help organizations validate and improve their security posture against the possible use of the leaked Red Team tools against them.

Executive Summary

In this article, we analyzed 60 tools stolen from FireEye Red Team’s arsenal to understand the impact of this breach. We found that:

  • 43% of the stolen tools are publicly available tools that use known attack techniques.
  • 40% of the tools were developed in-house by FireEye. These tools also utilize known adversary techniques.
  • 17% of the stolen tools cannot be identified, since FireEye did not share adequate details about them. Judging by their names, we believe that most of these unknown tools are also slightly modified versions of publicly available tools.

FireEye also announced that exploits for 16 vulnerabilities were stolen. These vulnerabilities and their exploits are not a cause for major concern, since they are already well known and have vendor patches; the risk is confined to systems that have not yet applied those patches.

At first, this breach reminded us of the stolen NSA hacking tools published in the Shadow Brokers leak. Several high-severity exploits that were unknown to the public before their theft were released in the NSA breach, and they caused severe security incidents worldwide, such as WannaCry and NotPetya. However, the stolen tools and exploits in the FireEye breach utilize known attack techniques. Our analysis shows that this breach will not have a high impact on organizations.

Still, countermeasures should be taken against the stolen tools, since the techniques they use are frequently used by threat actors. In our new blog post, "It is Time to Take Action - How to Defend Against FireEye’s Red Team Tools", we shared our comprehensive Blue Team recommendations, our detection content as SIGMA and vendor-specific queries, and vendor-based prevention signatures for defending against FireEye's Red Team tools.


Stolen Red Team Tools

FireEye has not shared details about what the stolen red team tools do. The Red and Blue Team analysts of Picus Labs analyzed the compromised tools to reveal their functionality and possible impact.

We categorized these tools into four sets:

  1. Tools Based on Open Source Projects: These red team tools are slightly modified versions of open-source tools.
  2. Tools Based on Built-in Windows Binaries: These tools use built-in Windows binaries known as LOLBINs (Living Off The Land Binaries) [1].
  3. Tools Developed In-house for FireEye’s Red Team: These tools were developed specifically for FireEye’s Red Team.
  4. Tools Without Adequate Data to Analyze: There is not enough data to analyze these tools. The YARA rules published by FireEye for them only match the tool's ProjectGuid, which says nothing about what the tool does.

The below chart shows the distribution of stolen red team tools according to the above categories.

Distribution of Red Team Tools

Stolen Exploits

In addition to the red team tools, exploit payloads were also affected by the incident. The leaked payloads exploit the 16 vulnerabilities listed below. According to FireEye's report, the leaked payloads do not include any 0-day exploit.

CVE Number | Vulnerability Type                  | Affected Product                                          | Picus ThreatID
           | Privilege Escalation                |                                                           |
           | Privilege Escalation                | Microsoft Windows                                         |
           | Remote Code Execution               | Microsoft Outlook                                         |
           | Pre-auth Arbitrary File Read        | Fortigate SSL VPN                                         |
           | Remote Code Execution               | Adobe ColdFusion                                          |
           | Remote Code Execution               | Microsoft SharePoint                                      |
           | Remote Code Execution               | Windows Remote Desktop Services (RDS)                     |
           | Pre-auth Arbitrary File Read        | Pulse Secure SSL VPN                                      |
           | Remote Code Execution               | Atlassian Crowd                                           |
           | Remote Code Execution               | Citrix Application Delivery Controller and Citrix Gateway |
           | Authenticated Remote Code Execution |                                                           |
           | Pre-auth Arbitrary File Upload      | ZoHo ManageEngine ServiceDesk Plus                        |
           | Remote Code Execution               | Microsoft Exchange                                        |
           | Privilege Escalation                | Microsoft Active Directory                                |
           | Privilege Escalation                | Microsoft Exchange Server                                 |
           | Remote Code Execution               | ZoHo ManageEngine Desktop Central                         |

The chart below shows the distribution of the vulnerabilities by vulnerability type:

Distribution of Vulnerabilities

Usual Suspects

As a cybersecurity company that tracks APT groups and nation-state threat actors, FireEye frequently engages with Russian threat actors. According to the Washington Post, APT29 (also known as YTTRIUM, The Dukes, Cozy Bear, and CozyDuke) [2] carried out the FireEye breach [3]. However, no evidence has been made public to prove that attribution.

Update (December 14, 2020)

IT company SolarWinds announced on Sunday that its SolarWinds Orion network monitoring product was tampered with by a state-sponsored threat actor, who embedded backdoor code into a legitimate SolarWinds library [31]. This gives the attacker remote access to the victim’s environment and a foothold in the network, which can then be used to obtain privileged credentials. Today, the SolarWinds breach was connected to the FireEye breach, and suspicions of Russian involvement increased [32].

Blue Team Recommendations

Picus Labs’ Blue Team prepared a list of recommendations for preventing and detecting the stolen tools and exploits.

  1. Mitigating Vulnerabilities
    Assess your systems against the vulnerabilities listed in the section above using vulnerability scanning and monitoring tools. If there are any gaps you have not patched yet, fix them, and check whether they have already been abused in your environment.

  2. Compromise Assessment
    You can conduct compromise assessments on your systems using the YARA rules released by FireEye [4]. To use them, deploy an open-source YARA scanner or an enterprise product that supports YARA to your endpoints, load the rules, and collect the results. You can also extract the IoCs contained in the YARA rules and search for them in your SIEM.

  3. Utilize IOCs
    To prevent and detect related threats in the future, you can add the IOCs given in this report to your security products, such as EDR, EPP, and SIEM. Keep in mind, however, that adversaries can change these IoCs easily, so they should complement, not replace, technique-based detection.

  4. Utilize Snort Rules
    Most network security products support Snort rules. You can add the released Snort rules to your security devices [4]. If you are already using Snort, check that your current rule set is up to date.

  5. Update Your Security Products
    Security vendors are releasing new signatures and rule sets that include countermeasures against the stolen tools. Update your security products and their rule and signature sets.

  6. Hunting with OpenIOC
    FireEye also released some countermeasures in the OpenIOC format. You can turn these into detection and hunting rules for your security devices using IoC editors.

For more detailed recommendations and our detection content as SIGMA and vendor-specific (ArcSight, Carbon Black, QRadar, and Splunk) queries, as well as vendor-based (CheckPoint, Cisco, Citrix, Fortinet, F5, McAfee, ModSecurity, Palo Alto Networks, Snort, Trend Micro) prevention signatures, read our new blog post, "It is Time to Take Action - How to Defend Against FireEye’s Red Team Tools".

Picus in Action

The Picus Threat Library already includes most of the stolen tools, and the Picus Mitigation Library contains actionable mitigation recommendations and detection rules for them. Picus Labs’ Red and Blue Teams are working on the remaining tools and adding them and their techniques to our libraries.

So our users have already assessed their cyber defenses against most of the stolen red team tools and their attack techniques, and they have fixed the identified gaps using the actionable recommendations provided by the Picus platform.

Detailed Analysis of the Tools

  1. Tools Based on Open Source Projects:

    These red team tools are slightly modified versions of open-source tools.

    1.1 ADPassHunt

    ADPassHunt is a credential stealer that hunts for Active Directory credentials. Two strings in its YARA rule [5] stand out: Get-GPPPasswords and Get-GPPAutologons. Get-GPPPassword is a PowerShell function that retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences (GPP) [6]. GPP stores these passwords in SYSVOL as a cpassword attribute encrypted with an AES key that Microsoft has published, so any domain user who can read SYSVOL can decrypt them. Get-GPPAutologon is a companion function that retrieves passwords from Autologon entries pushed through GPP. Both are part of PowerSploit, an offensive security framework combining PowerShell modules and scripts [7]. You can read our blog post to find out more information on the OS credential dumping technique.

    MITRE ATT&CK Techniques
    T1003.003 OS Credential Dumping: NTDS

    T1552.006 Unsecured Credentials: Group Policy Preferences
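    The quickest way to find what ADPassHunt would find is to walk SYSVOL yourself. The script below is an added example (not code from the original post, from PowerSploit or from FireEye): it scans a directory tree for the five Group Policy Preference XML files that can carry a cpassword attribute, restores the base64 padding that Group Policy strips, and reports the account and the ciphertext length. The SYSVOL paths, policy GUIDs and cpassword values in SAMPLE_FILES are constructed for the demo; the Groups.xml value is the 32-byte AES-256-CBC ciphertext format the blue team should be looking for. Decryption is deliberately left out: because the key is public, the presence of a cpassword is already the finding.

```python
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

# Group Policy Preference XML files under SYSVOL that can carry a cpassword attribute
# (local users, scheduled tasks, services, data sources and mapped drives).
GPP_XML_NAMES = {"groups.xml", "scheduledtasks.xml", "services.xml",
                 "datasources.xml", "drives.xml"}
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")

# Constructed sample tree (not real policy data). cpassword is base64 with the
# '=' padding stripped, exactly as Group Policy writes it.
SAMPLE_FILES = {
    "corp.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Preferences/Groups/Groups.xml": """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin" changed="2020-11-03 10:15:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description="" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
</Groups>
""",
    "corp.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Preferences/Services/Services.xml": """<?xml version="1.0" encoding="utf-8"?>
<NTServices clsid="{2CFB484A-4E96-4b5d-A0B6-093D2F91E6AE}">
  <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="Backup" changed="2020-11-03 10:20:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties startupType="AUTOMATIC" serviceName="Backup" serviceAction="START" timeout="30" accountName="CORP\\svc_backup" cpassword="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"/>
  </NTService>
</NTServices>
""",
    "corp.local/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/User/Preferences/Drives/Drives.xml": """<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">
  <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="H:" status="H:" changed="2020-11-03 10:25:00" uid="{00000000-0000-0000-0000-000000000003}">
    <Properties action="U" thisDrive="NOCHANGE" allDrives="NOCHANGE" userName="" path="\\\\fs01\\home" label="Home" persistent="1" useLetter="1" letter="H"/>
  </Drive>
</Drives>
""",
}


def normalize_cpassword(value: str) -> bytes:
    """Restore the stripped base64 padding and decode. The result is AES-256-CBC
    ciphertext under the key Microsoft published in MS-GPPREF, so finding it is
    as good as finding the plaintext."""
    value = value.strip()
    return base64.b64decode(value + "=" * (-len(value) % 4))


def find_cpasswords(sysvol_root: str) -> list:
    """Walk a SYSVOL copy and report every GPP element that still carries a cpassword."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if name.lower() not in GPP_XML_NAMES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed file: worth a separate look, but do not abort the hunt
            for elem in root.iter():
                props = elem.find("Properties")
                if props is None or not props.get("cpassword"):
                    continue
                account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "<unknown>")
                findings.append({
                    "file": os.path.relpath(path, sysvol_root).replace(os.sep, "/"),
                    "element": elem.tag,
                    "account": account,
                    "ciphertext_bytes": len(normalize_cpassword(props.get("cpassword"))),
                })
    return findings


def demo() -> list:
    """Write the constructed sample tree to a temp dir and hunt it."""
    root = tempfile.mkdtemp(prefix="sysvol-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return find_cpasswords(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: <{f['element']}> account={f['account']} "
              f"({f['ciphertext_bytes']} bytes of ciphertext)")
```

    Run it against a copy of \\domain\SYSVOL (or the mounted share) and treat every hit as a compromised password: remove the preference, change the password, and check the account's logon history. Microsoft's patch for this issue (MS14-025) stops new cpassword values from being written but does not remove existing ones, which is why old policies keep turning up.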

    AdPassHunt IOCs



    1.2 Beacon

    This red team tool is based on the Cobalt Strike Beacon. Beacon is the Cobalt Strike payload that adversaries use for persistence, execution, privilege escalation, credential dumping, lateral movement, and Command and Control (C2) communication over HTTP, HTTPS, DNS, SMB, and TCP [8]. According to the countermeasures published by FireEye, the stolen Beacon tool uses HTTP, HTTPS, and DNS beacons. It utilizes built-in Windows binaries such as msbuild.exe, Microsoft.Workflow.Compiler.exe, and regsvr32.exe to execute arbitrary payloads, and searchindexer.exe as a process injection target to evade defenses. It renames these binaries to sidestep name-based detection rules (masquerading); a rule that keys on the image file name alone therefore misses it, whereas the OriginalFileName in the PE version resource or the file hash still identifies the binary. You can read our blog post to find out more information about the masquerading technique.

    MITRE ATT&CK Techniques
    T1071.001 Application Layer Protocol: Web Protocols

    T1029 Scheduled Transfer

    T1036.003 Masquerading: Rename System Utilities

    T1036.004 Masquerading: Task or Service

    T1036.005 Masquerading: Match Legitimate Name or Location

    T1574.002 Hijack Execution Flow: DLL Side-Loading

    T1047 Windows Management Instrumentation

    T1072 Software Deployment Tools

    T1059.003 Command and Scripting Interpreter: Windows Command Shell
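    The renaming described above is what makes file-name rules fail, and it is also what makes the following check work. This is an added example, not code from the original post or from FireEye: a small detection that reads Sysmon Event ID 1 (process creation) records as JSON lines and alerts when a watched binary, identified by the OriginalFileName that Sysmon copies from the PE version resource, is running under a different name on disk. The events in SAMPLE_EVENTS are constructed; the field names are Sysmon's, the paths and command lines are invented.

```python
import json
import ntpath

# Binaries the Beacon tool is reported (above) to proxy execution through or inject
# into. Sysmon (v10 and later) logs the PE version resource's OriginalFileName in
# Event ID 1, and that string survives renaming the file on disk.
WATCHED_ORIGINAL_NAMES = {
    "msbuild.exe", "microsoft.workflow.compiler.exe", "regsvr32.exe",
    "searchindexer.exe", "rundll32.exe", "mshta.exe",
}

# Constructed Sysmon Event ID 1 records in the JSON-lines shape a log shipper
# produces. Field names are Sysmon's; paths and command lines are invented.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "OriginalFileName": "MSBuild.exe", "CommandLine": "MSBuild.exe build.proj", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "Image": "C:\\Users\\Public\\Libraries\\svchost.exe", "OriginalFileName": "MSBuild.exe", "CommandLine": "svchost.exe C:\\Users\\Public\\Libraries\\t.xml", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\ProgramData\\update.exe", "OriginalFileName": "regsvr32.exe", "CommandLine": "update.exe /s /u /i:C:\\ProgramData\\p.sct scrobj.dll", "ParentImage": "C:\\Windows\\System32\\wscript.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\SearchIndexer.exe", "OriginalFileName": "SearchIndexer.exe", "CommandLine": "C:\\Windows\\system32\\SearchIndexer.exe /Embedding", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "Image": "C:\\Users\\Public\\Libraries\\svchost.exe", "DestinationPort": 443}
"""


def detect_renamed_utility(event: dict):
    """Return an alert when a watched binary (by OriginalFileName) runs under a
    different on-disk name; None otherwise."""
    if str(event.get("EventID")) != "1":
        return None
    original = (event.get("OriginalFileName") or "").lower()
    # Sysmon writes "-" when the version resource is missing: nothing to compare.
    if original in ("", "-", "?") or original not in WATCHED_ORIGINAL_NAMES:
        return None
    image = event.get("Image", "")
    on_disk = ntpath.basename(image).lower()   # ntpath handles Windows paths on any OS
    if on_disk == original:
        return None
    return {
        "rule": "T1036.003 Masquerading: Rename System Utilities",
        "original_name": original,
        "on_disk_name": on_disk,
        "image": image,
        "command_line": event.get("CommandLine", ""),
        "parent": event.get("ParentImage", ""),
    }


def scan_jsonl(lines) -> list:
    """Run the detection over an iterable of JSON lines, skipping blank/truncated ones."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated shipper line: skip rather than stop the scan
        alert = detect_renamed_utility(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_jsonl(SAMPLE_EVENTS.splitlines()):
        print(f"[{a['rule']}] {a['image']} is really {a['original_name']} "
              f"(parent {a['parent']}): {a['command_line']}")
```

    Two caveats a practitioner should keep in mind: OriginalFileName is only as trustworthy as the version resource, which an adversary can edit or strip, so pair this rule with hash or signature checks on the image; and some legitimate installers ship renamed copies of Microsoft binaries, so baseline the alerts before paging anyone.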

    CobaltStrike Beacon IOCs


    Picus Threat Library

    853411 CobaltStrike Beacon used by OceanLotus Threat Group .DLL File Download Variant-1

    748618 CobaltStrike Beacon Hack Tool used in Military Themed Campaign .EXE File Download Variant-1

    649065 CobaltStrike Backdoor Malware .EXE File Download Variant-1

    655930 CobaltStrike Backdoor Malware used by OceanLotus Threat Group .EXE File Download Variant-1

    1.3 Beltalowda

    Beltalowda is a red team tool based on the open-source utility Seatbelt. Seatbelt performs a variety of security-oriented host-survey "safety checks" that are relevant from both offensive and defensive viewpoints [9].

    Beltalowda / SeatBelt IOCs


    Picus Threat Library
    295245 Information Gathering from Browsers using Seatbelt

    830665 Information Gathering from Browsers using Seatbelt Variant-2

    346711 Information Gathering by using Seatbelt Variant-3

    1.4 Dtrim

    Dtrim is a modified version of SharpSploit, which is an open-source .NET post-exploitation library written in C# [10]. SharpSploit ported modules of PowerShell post-exploitation frameworks like PowerSploit and other tools such as Mimikatz.

    Picus Threat Library
    888666 Credential Dumping from Windows Vault by using PowerSploit

    841093 Process Injection by using Powersploit's Invoke-DllInjection Function

    853912 Credential Dumping via SharpSploit’s Mimikatz Script Attack Scenario

    322981 Information Gathering Scenario using Sharpsploit

    778874 Credential Dumping by using Sharpsploitconsole and Sharpcradle

    430106 Credential Dumping by using SharpSploit Library (compiled by SharpGen)

    1.5 EWS-RT

    EWS-RT is based on an open-source PowerShell tool, RT-EWS [11], a set of cmdlets that leverage the EWS (Exchange Web Services) API to perform enumeration and exploitation tasks against Microsoft Exchange servers, both Office 365 and on-premises.

    1.6 Fluffy

    Fluffy is a modified version of Rubeus, an open-source C# toolkit for raw Kerberos interaction and abuse [12]. Red teams use Rubeus for Kerberoasting attacks and for extracting and forging Kerberos tickets [13].

    MITRE ATT&CK Techniques

    T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting

    Fluffy IOCs (SHA1)


    1.7 G2JS

    G2JS (GadgetToJScript) is an open-source tool for generating .NET serialized gadgets that trigger .NET assembly load and execution when deserialized with BinaryFormatter from JS, VBS, and VBA scripts [14]. G2JS was created mainly to automate the weaponization of Windows Script Host (WSH) scripts during red team engagements.

    MITRE ATT&CK Techniques

    T1059.005 Command and Scripting Interpreter: Visual Basic

    T1059.007 Command and Scripting Interpreter: JavaScript/JScript

    G2JS IOCs (SHA256)

    Picus Threat Library
    423316 Command Execution by using .NET Serialized Gadgets
    467980 GadgetToJSCript (FireEye) HackTool .TXT File Download Variant-1

    1.8 ImpacketObf

    ImpacketObf (ImpacketObfuscation) is a collection of obfuscated Impacket utilities. Impacket is an open-source collection of Python classes for working with network protocols [15].

    1.9 ImpacketOBF (SMBExec)

    This tool is based on Impacket’s smbexec.py tool.

    1.10 ImpacketOBF (WMIExec)

    This tool is based on Impacket’s wmiexec.py tool.

    MITRE ATT&CK Techniques
    T1047 Windows Management Instrumentation

    1.11 InveighZero

    InveighZero is an open-source spoofer and man-in-the-middle (MitM) attack tool designed to assist red teamers and penetration testers [17]. It can spoof LLMNR, NBNS, mDNS, DNS, and DHCPv6.

    MITRE ATT&CK Techniques
    T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

    InveighZero IOCs (SHA256)


    Picus Threat Library
    685789 Credential Access via Network Sniffing by using Inveigh

    1.12 KeeFarce

    KeeFarce is an open-source tool that extracts KeePass 2.x password database information from memory [16]. It uses DLL injection to execute code within the context of a running KeePass process.

    MITRE ATT&CK Techniques
    T1055.001 Process Injection: Dynamic-link Library Injection

    T1555.005 Credentials from Password Stores: Password Managers

    KeeFarce IOCs (SHA256)


    Picus Threat Library
    206268 Credential Dumping by using KeeFarce

    1.13 NetAssemblyInject

    This tool injects C# .NET assemblies into arbitrary Windows processes. It is based on the open-source tool NET-Assembly-Inject-Remote [18].

    Picus Threat Library
    459538 Credential Dumping using NetAssembly Injection Tool

    1.14 NoAmci

    NoAmci is an open-source tool that uses D/Invoke to patch amsi.dll in memory, bypassing AMSI (Windows Antimalware Scan Interface) scanning [19].

    Picus Threat Library
    422966 Disabling Security Tools by using NoAmci Tool (AMSI Bypass)

    1.15 PuppyHound

    PuppyHound is a modified version of an open-source tool, SharpHound [20]. It is the C# data collector for the BloodHound Project [21].

    PuppyHound / SharpHound IOCs (SHA256)


    Picus Threat Library
    273197 Domain Information Discovery by using SharpHound

    1.16 Rubeus

    Rubeus is an open-source C# toolkit for raw Kerberos interaction and abuse [12]. Red teams use Rubeus for Kerberoasting and AS-REP roasting attacks and for extracting and forging Kerberos tickets [13].

    MITRE ATT&CK Techniques

    T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting

    Rubeus IOCs (SHA256)


    Picus Threat Library
    471775 Pass the Hash by using Rubeus Tool with asktgt Module (Pass The Key)

    479855 Kerberoasting Attack by using Rubeus Tool

    217117 Kerberoasting Attack by using Rubeus Tool Variant-2

    893519 Pass the Hash by using Rubeus Tool (1.5.0) with asktgt Module (Pass The Key)

    789965 Kerberoasting Attack by using Rubeus Tool (1.5.0)

    509384 AS-REP Roasting Attack by using Rubeus Tool
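    Both Fluffy (1.6) and Rubeus (1.16) leave the same trace on the domain controller: one account requesting service tickets for many different service accounts in a short time, usually with RC4 encryption (etype 0x17) so the ticket cracks faster. The detection below is an added example, not code from the original post or from GhostPack: it windows Windows Security Event ID 4769 records per requesting user and alerts when the count of distinct roastable service accounts crosses a threshold. In 4769 the ServiceName field is the account that owns the SPN, so computer accounts (trailing "$") and krbtgt are excluded because their passwords are not crackable. The records in SAMPLE_4769 are constructed, with the field names the Windows event uses.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # TicketEncryptionType that Kerberoasting tools request by default


def parse_4769(record: dict) -> dict:
    """Normalize one Event ID 4769 (service ticket requested) record."""
    return {
        "time": datetime.fromisoformat(record["TimeCreated"]),
        "user": record["TargetUserName"].split("@")[0].lower(),
        "service": record["ServiceName"].lower(),
        "etype": int(record["TicketEncryptionType"], 16),
        "status": int(record.get("Status", "0x0"), 16),
        "ip": record.get("IpAddress", ""),
    }


def kerberoast_alerts(records, threshold=5, window=timedelta(minutes=10)) -> list:
    """Alert once per requesting account that obtains tickets for `threshold`
    distinct, roastable service accounts inside `window`."""
    events = sorted((parse_4769(r) for r in records), key=lambda e: e["time"])
    recent = defaultdict(deque)        # requesting user -> recent successful requests
    alerted, alerts = set(), []
    for e in events:
        # Failed requests, krbtgt and computer accounts (random 120-char passwords)
        # are not roastable targets; drop them before counting.
        if e["status"] != 0 or e["service"] == "krbtgt" or e["service"].endswith("$"):
            continue
        q = recent[e["user"]]
        q.append(e)
        while q and e["time"] - q[0]["time"] > window:
            q.popleft()
        services = {x["service"] for x in q}
        if len(services) >= threshold and e["user"] not in alerted:
            alerts.append({
                "user": e["user"],
                "source_ip": e["ip"],
                "distinct_spns": len(services),
                "rc4_tickets": sum(1 for x in q if x["etype"] == RC4_HMAC),
                "window_end": e["time"].isoformat(),
            })
            alerted.add(e["user"])
    return alerts


# Constructed 4769 records: one user roasts six service accounts in a few seconds,
# another user does ordinary work, and one failed request is mixed in.
SAMPLE_4769 = [
    *[{"TimeCreated": f"2020-12-09T14:02:{s:02d}", "TargetUserName": "jsmith@CORP.LOCAL",
       "ServiceName": svc, "TicketEncryptionType": "0x17", "Status": "0x0",
       "IpAddress": "::ffff:10.1.2.55"}
      for s, svc in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_sap",
                               "svc_scom", "svc_jenkins"], start=5)],
    {"TimeCreated": "2020-12-09T14:03:10", "TargetUserName": "bjones@CORP.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "Status": "0x0",
     "IpAddress": "::ffff:10.1.2.60"},
    {"TimeCreated": "2020-12-09T14:03:12", "TargetUserName": "bjones@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x12", "Status": "0x0",
     "IpAddress": "::ffff:10.1.2.60"},
    {"TimeCreated": "2020-12-09T14:03:30", "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "svc_old", "TicketEncryptionType": "0x17", "Status": "0x1b",
     "IpAddress": "::ffff:10.1.2.55"},
]

if __name__ == "__main__":
    for a in kerberoast_alerts(SAMPLE_4769):
        print(f"Kerberoasting suspected: {a['user']} from {a['source_ip']} requested "
              f"{a['distinct_spns']} service tickets ({a['rc4_tickets']} RC4) by {a['window_end']}")
```

    The RC4 count is reported rather than used as a filter on purpose: tooling can request AES-encrypted service tickets too, so the volume rule has to stand on its own. Tune the threshold against your environment's normal per-user SPN fan-out (monitoring and backup accounts are the usual false positives), and raise the priority when the requests come from a workstation rather than a server.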

    1.17 SafetyKatz

    SafetyKatz combines a slightly modified Mimikatz with a .NET PE loader [22]. It creates a minidump of LSASS with MiniDumpWriteDump and then uses the PE loader to run a customized Mimikatz against the dump for credential extraction.

    MITRE ATT&CK Techniques
    T1003.001 OS Credential Dumping: LSASS Memory

    SafetyKatz IOCs (SHA256)


    Picus Threat Library
    416382 Credential Dumping by using SafetyKatz Tool

    549536 Credential Dumping by using SafetyKatz Tool Variant-2

    764801 Mimikatz Execution with Evasion by using BetterSafetyKatz

    779384 Credential Dumping using SafetyKatz Tool with AmsiScanBufferBypass

    1.18 SharpUtils

    SharpUtils is an open-source collection of red team utilities written in C# [23].

    1.19 SharpZeroLogon

    SharpZeroLogon is an open-source exploit for the Zerologon vulnerability (CVE-2020-1472) [24]. It abuses a cryptographic flaw in the Netlogon Remote Protocol (AES-CFB8 used with an all-zero IV) to authenticate to a domain controller without knowing the machine account password and then reset that password.
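    The flaw is small enough to show end to end. Netlogon's ComputeNetlogonCredential encrypts the 8-byte client challenge with AES in CFB8 mode using the session key and an IV of sixteen zero bytes. CFB8 produces each ciphertext byte by XORing the plaintext byte with the first byte of the block cipher applied to a shift register; with a zero IV and an all-zero challenge, the register never changes, so every byte uses the same keystream byte, and for about one key in 256 that byte is zero. An attacker who sends a zero challenge and a zero credential therefore succeeds after roughly 256 attempts without knowing the key. The block below is an added example, not SharpZeroLogon's code and not the Netlogon protocol: the AES-256 block cipher is replaced with a SHA-256-based keyed PRF (an assumption that only the "fixed keyed mapping of one block" property is needed), and the session keys are derived deterministically from a counter so the statistics are repeatable.

```python
import hashlib

BLOCK_SIZE = 16


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-256 (assumption: the bias only needs some fixed keyed
    mapping of one 16-byte block, which a SHA-256 based PRF also provides)."""
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 mode as Netlogon uses it: each plaintext byte is XORed with the first
    byte of E_k(shift register); the ciphertext byte is then shifted into the
    register, so the keystream normally depends on all previous output."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = toy_block_cipher(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def zero_iv_zero_plaintext_is_all_zero(key: bytes) -> bool:
    """With IV = 0^16 and an all-zero 8-byte challenge the register stays 0^16,
    so every byte uses E_k(0^16)[0]; when that byte is 0 (about 1 key in 256)
    the credential is 0^8 no matter what the session key is."""
    return cfb8_encrypt(key, b"\x00" * BLOCK_SIZE, b"\x00" * 8) == b"\x00" * 8


def fraction_of_weak_keys(samples: int) -> float:
    """Measure how often a deterministically sampled key yields the zero credential."""
    weak = 0
    for i in range(samples):
        key = hashlib.sha256(b"zerologon-demo-key-" + i.to_bytes(4, "big")).digest()
        weak += zero_iv_zero_plaintext_is_all_zero(key)
    return weak / samples


def attempts_until_success(max_attempts: int = 4000):
    """Model the attacker loop: every NetrServerAuthenticate attempt gets a fresh
    server challenge (hence a fresh session key); send zeros and retry."""
    for attempt in range(1, max_attempts + 1):
        session_key = hashlib.sha256(b"session-" + attempt.to_bytes(4, "big")).digest()
        if zero_iv_zero_plaintext_is_all_zero(session_key):
            return attempt
    return None


if __name__ == "__main__":
    print(f"weak keys: {fraction_of_weak_keys(16384):.4%} (expected about 1/256 = 0.3906%)")
    print(f"zero credential accepted on attempt {attempts_until_success()}")
```

    Any cipher with a fixed IV in CFB8 has this property; the bug is the zero IV, not AES. The defensive check is simple: all domain controllers need the August 2020 update, and enforcement mode must be on so that unsigned Netlogon channels are refused rather than merely logged.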

    SharpZeroLogon IOCs (SHA256)


    Picus Threat Library
    792844 Exploitation of Zerologon Vulnerability via SharpZeroLogon Tool

    1.20 TitoSpecial

    TitoSpecial is based on the open-source credential stealer AndrewSpecial. It dumps credentials from LSASS memory. We explained this technique in our Credential Dumping blog.

    MITRE ATT&CK Techniques
    T1003.001 OS Credential Dumping: LSASS Memory

    TitoSpecial / AndrewSpecial IOCs (SHA256)


    Picus Threat Library
    797345 TitoSpecial (FireEye) Infostealer .EXE File Download Variant-1

    1.21 TrimBishop

    This tool is based on the open-source tool RuralBishop [25], a D/Invoke port of UrbanBishop used for injecting shellcode into a process.

    TrimBishop / RuralBishop IOCs (SHA256)


    Picus Threat Library

    754289 TrimBishop (FireEye) RAT .EXE File Download Variant-5

    451090 TrimBishop (FireEye) RAT .EXE File Download Variant-4

    854677 TrimBishop (FireEye) RAT .EXE File Download Variant-3

    759601 TrimBishop (FireEye) RAT .EXE File Download Variant-2

    746754 TrimBishop (FireEye) RAT .EXE File Download Variant-1

  2. Tools Based on Built-in Windows Binaries

    These tools use built-in Windows binaries known as LOLBINs (Living Off The Land Binaries) [1].

    2.1 DueDLLigence

    DueDLLigence is a shellcode runner framework previously published by FireEye [26]. Red teams use it for application whitelisting bypass and DLL side-loading. It is loaded by the built-in Windows binaries control.exe (Windows Control Panel), rasautou.exe (Remote Access Dialer), and msiexec.exe (Windows Installer), so the shellcode runs inside a trusted, signed process.

    MITRE ATT&CK Techniques

    T1218.002 Signed Binary Proxy Execution: Control Panel

    T1218.007 Signed Binary Proxy Execution: Msiexec

    DueDLLigence IOCs (SHA256)


    Picus Threat Library
    590774 Dism.exe OS Binary (Lolbas) used in Signed Binary Proxy Execution

    288390 DueDLLigence (FireEye) RAT .DLL File Download Variant-4

    380893 DueDLLigence (FireEye) RAT .DLL File Download Variant-3

    664528 DueDLLigence (FireEye) RAT .DLL File Download Variant-2

    755632 DueDLLigence (FireEye) RAT .DLL File Download Variant-1

    2.2 MSBuildMe

    This red team tool is based on MSBuild (Microsoft Build Engine), the platform for building .NET applications [27]. MSBuild compiles and executes inline C# tasks from a project file, which lets it run arbitrary code while bypassing Application Whitelisting (AWL).

    MITRE ATT&CK Techniques

    T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild

    Picus Threat Library
    422325 Microsoft Build Engine (MSBuild) Attack Scenario

    395873 Parent PID Spoofing using APC Queue Code Injection

    817545 Mimikatz Execution using MSBuild Task Property

    2.3 NetshShellCodeRunner

    This tool is based on netsh.exe, the Windows tool for manipulating network interface settings. Adversaries and red teamers abuse it to load an arbitrary DLL: netsh add helper <path> registers the DLL under HKLM\SOFTWARE\Microsoft\NetSh, and netsh loads it on every subsequent start, which also serves as persistence.

    MITRE ATT&CK Techniques

    T1546.007 Event Triggered Execution: Netsh Helper DLL

    2.4 Uncategorized

    This is a collection of tools that utilize built-in Windows binaries dism.exe, searchprotocolhost.exe, and werfault.exe for Process Injection.

    MITRE ATT&CK Techniques

    T1055 Process Injection

    2.5 Weaponize

    This tool uses the built-in Windows binary TSTheme.exe (TSTheme Server Module).

  3. Tools Developed In-house for FireEye’s Red Team

    These tools are specifically developed for the use of FireEye’s Red Team.

    3.1 DShell

    DShell is a backdoor written in the D programming language. Its payload is stored Base64-encoded. Judging by the Windows API functions it imports, we believe it uses process injection to run its payload inside a legitimate process.

    DShell IOCs (SHA256):

    Picus Threat Library

    679074 DShell (FireEye) Backdoor .EXE File Download Variant-4

    820177 DShell (FireEye) Backdoor .EXE File Download Variant-3

    657835 DShell (FireEye) Backdoor .EXE File Download Variant-2

    565235 DShell (FireEye) Backdoor .EXE File Download Variant-1

    3.2 Excavator

    This red team tool can dump a process directly or via its service.  It is used  by red teams to dump credentials from LSASS memory. You can read our Credential Dumping blog to learn the details of this technique.

    MITRE ATT&CK Techniques

    T1003.001 OS Credential Dumping: LSASS Memory

    Excavator IOCs (SHA256):


    Picus Threat Library

    624090 Excavator (FireEye) Infostealer .DLL File Download Variant-2

    244487 Excavator (FireEye) Infostealer .EXE File Download Variant-1

    470104 Excavator (FireEye) Infostealer .DLL File Download Variant-1

    3.3 GetDomainPasswordPolicy

    It is a reconnaissance tool that obtains the password policy for an Active Directory domain.

    3.4 GPOHunt

    It is a reconnaissance tool that retrieves Group Policy configurations.

    3.5 KeePersist

    KeePersist is a persistence tool developed in-house for FireEye’s Red Team.

    3.6 LNKSmasher

    LNKSmasher generates malicious .LNK files. LNK is the Windows Shell Link (shortcut) format: a shortcut points to a target file and can carry command-line arguments for it, and the arguments are where a payload such as an encoded PowerShell command is usually hidden. This red team tool embeds an arbitrary payload in an LNK file.

    MITRE ATT&CK Techniques

    T1547.009 Boot or Logon Autostart Execution: Shortcut Modification

    T1204.002 User Execution: Malicious File
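    To triage a shortcut you need to read the Shell Link structure, not Explorer's Properties dialog, which truncates the arguments. The block below is an added example, not LNKSmasher's code and not from the original post: a minimal builder that writes a shortcut carrying a target path and arguments, a parser that walks the ShellLinkHeader, skips the optional LinkTargetIDList and LinkInfo blocks, reads the StringData fields, and a few triage heuristics (LOLBIN in target or arguments, whitespace padding used to push the payload out of view, oversized arguments, a ShowCommand that hides the window). The builder omits the LinkTargetIDList that Explorer needs to resolve a real shortcut; the parser handles it. Field layouts follow MS-SHLLINK; the sample payload strings are constructed.

```python
import struct

# MS-SHLLINK ShellLinkHeader.LinkFlags (section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C
LINK_CLS_ID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7
STRING_DATA_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location"))


def _string_data(text: str) -> bytes:
    # StringData item: CountCharacters (uint16) followed by UTF-16LE chars, no terminator
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path: str, arguments: str, working_dir: str = "%TEMP%",
              show_command: int = SW_SHOWNORMAL) -> bytes:
    """Minimal shortcut: header plus RELATIVE_PATH, WORKING_DIR and ARGUMENTS strings."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLS_ID + struct.pack("<I", flags)
    header += struct.pack("<I", 0x80)                    # FileAttributes: FILE_ATTRIBUTE_NORMAL
    header += b"\x00" * 24                               # Creation/Access/Write time (0 = unset)
    header += struct.pack("<IiI", 0, 0, show_command)    # FileSize, IconIndex, ShowCommand
    header += struct.pack("<H", 0) + b"\x00" * 10        # HotKey, Reserved1..3
    return header + _string_data(relative_path) + _string_data(working_dir) + _string_data(arguments)


def parse_lnk(blob: bytes) -> dict:
    """Return the StringData fields and ShowCommand of a Shell Link file."""
    if len(blob) < HEADER_SIZE or struct.unpack_from("<I", blob, 0)[0] != HEADER_SIZE \
            or blob[4:20] != LINK_CLS_ID:
        raise ValueError("not a Shell Link (.LNK) file")
    flags = struct.unpack_from("<I", blob, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", blob, 60)[0]}
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (uint16) + IDList
        off += 2 + struct.unpack_from("<H", blob, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (uint32) includes itself
        off += struct.unpack_from("<I", blob, off)[0]
    unicode = bool(flags & IS_UNICODE)
    for flag, name in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", blob, off)[0]
        off += 2
        nbytes = count * 2 if unicode else count
        fields[name] = blob[off:off + nbytes].decode("utf-16-le" if unicode else "cp1252")
        off += nbytes
    return fields


LOLBIN_TOKENS = ("powershell", "cmd.exe", "cmd /c", "mshta", "rundll32", "regsvr32",
                 "wscript", "cscript", "msbuild", "-enc", "-w hidden")


def suspicious_reasons(fields: dict) -> list:
    """Triage heuristics; an empty list means nothing stood out."""
    reasons = []
    target = (fields.get("relative_path") or "").lower()
    args = fields.get("arguments") or ""
    if any(tok in target + " " + args.lower() for tok in LOLBIN_TOKENS):
        reasons.append("lolbin")
    if len(args) - len(args.lstrip(" ")) > 16:
        reasons.append("padded arguments")      # leading spaces hide the payload in the UI
    if len(args) > 260:
        reasons.append("oversized arguments")
    if fields.get("show_command") == SW_SHOWMINNOACTIVE and reasons:
        reasons.append("hidden window")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a shortcut that launches an encoded PowerShell command.
    sample = build_lnk("..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                       " " * 40 + "-nop -w hidden -enc SQBFAFgA", show_command=SW_SHOWMINNOACTIVE)
    parsed = parse_lnk(sample)
    print(parsed["relative_path"], "|", parsed["arguments"].strip(), "|", suspicious_reasons(parsed))
```

    The same parser works on shortcuts harvested from Startup folders and phishing attachments; the check that matters most in practice is the one on arguments, since a shortcut's target can be an innocuous system binary while the arguments carry the whole payload.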

    3.7 LuaLoader

    LuaLoader is a red team tool that can load and run arbitrary code written in the Lua language. It was developed in-house for FireEye’s Red Team.

    3.8 Matryoshka

    Matryoshka is a multi-stage tool written in the Rust programming language. After the first-stage payload is downloaded, its dropper runs the second stage, which installs the real payload. It uses process hollowing [28] to evade defenses.

    3.9 MemComp

    The MemComp tool is used for in-memory compilation.

    3.10 MOFComp

    MOFComp (MOF Compiler) is a built-in Windows tool that parses a file containing MOF (Managed Object Format) statements and adds the classes and class instances defined in the file to the WMI (Windows Management Instrumentation) repository [29].

    MITRE ATT&CK Techniques

    T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

    3.11 PGF

    PGF is a backdoor development framework that utilizes several LOLBINs, such as netsh, InstallUtil, Regasm, rundll32, control, and cmstp.exe.

    MITRE ATT&CK Techniques

    T1218.001 Signed Binary Proxy Execution: Compiled HTML File

    T1218.002 Signed Binary Proxy Execution: Control Panel

    T1218.003 Signed Binary Proxy Execution: CMSTP

    T1218.004 Signed Binary Proxy Execution: InstallUtil

    T1218.005 Signed Binary Proxy Execution: Mshta

    T1218.007 Signed Binary Proxy Execution: Msiexec

    T1218.008 Signed Binary Proxy Execution: Odbcconf

    T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm

    T1218.010 Signed Binary Proxy Execution: Regsvr32

    T1218.011 Signed Binary Proxy Execution: Rundll32

    T1216.001 Signed Script Proxy Execution: PubPrn

    T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control

    T1036.005 Masquerading: Match Legitimate Name or Location

    T1055 Process Injection

    T1574.001 Hijack Execution Flow: DLL Search Order Hijacking

    T1574.002 Hijack Execution Flow: DLL Side-Loading

    PGF IOCs (SHA256)


    Picus Threat Library

    573139 PGF (FireEye) Hacking Tool .EXE File Download Variant-3

    819174 PGF (FireEye) Hacking Tool .EXE File Download Variant-2

    674310 PGF (FireEye) Hacking Tool .EXE File Download Variant-1

    3.12 PXELoot

    It is a red team tool that discovers and exploits misconfigurations in Windows Deployment Services (WDS).

    3.13 RedFlare

    RedFlare is a Trojan development framework that includes builder, controller, downloader, and keylogger. It can generate Trojans for Windows and Linux systems.

    RedFlare IOCs (SHA256):

    Picus Threat Library

    809371 RedFlare (FireEye) Hacking Tool .EXE File Download Variant-3

    207277 RedFlare (FireEye) Hacking Tool .EXE File Download Variant-2

    867336 RedFlare (FireEye) Hacking Tool .EXE File Download Variant-1

    3.14 RedFlare (GoRAT)

    GoRAT is a RAT (Remote Access Trojan) written in the Golang programming language.

    GoRAT IOCs (SHA256)


    3.15 ResumePlease

    ResumePlease is a Microsoft Office macro malware template that includes malicious VBA (Visual Basic for Applications) code.

    ResumePlease IOCs (SHA256)


    Picus Threat Library
    637798 ResumePlease (FireEye) Office Exploit Payload .Doc File Download Variant-1

    3.16 SharPersist

    SharPersist is a Windows persistence toolkit written in C# for FireEye’s Red Team [30]. It provides persistence via several methods, such as modifying registry Run keys, adding a payload to the Startup folder, and creating a scheduled task that runs at each startup.

    MITRE ATT&CK Techniques
    T1112 Modify Registry

    T1546.015 Event Triggered Execution: Component Object Model Hijacking

    T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

    T1047 Windows Management Instrumentation

    T1053.005 Scheduled Task/Job: Scheduled Task

    SharPersist IOCs (SHA256)


    Picus Threat Library
    206268 Registry Run Keys / Startup Folder Persistence by using SharPersist Tool

    478660 SharpPersist (FireEye) Hacking Tool .EXE File Download Variant-3

    286882 SharpPersist (FireEye) Hacking Tool .EXE File Download Variant-2

    479515 SharpPersist (FireEye) Hacking Tool .EXE File Download Variant-1

    3.17 SharPivot

    SharPivot is a .NET console application. This red team tool executes commands on a remote target for lateral movement by utilizing DCOM (Distributed Component Object Model).

    MITRE ATT&CK Techniques
    T1021.003 Remote Services: Distributed Component Object Model

    T1559.001 Inter-Process Communication: Component Object Model

    T1059.003 Command and Scripting Interpreter: Windows Command Shell

    3.18 SharpSchTask

    It is a persistence tool written in C# that utilizes the scheduled task feature of Windows.

    MITRE ATT&CK Techniques
    T1053.005 Scheduled Task/Job: Scheduled Task

    3.19 SharpStomp

    SharpStomp is a C# utility that modifies the creation, last access, and last write times of a file; in other words, it is a timestomping tool. Such tools change the $STANDARD_INFORMATION timestamps that Explorer displays but not the $FILE_NAME timestamps in the NTFS MFT record, so a mismatch between the two is the classic forensic indicator to check.

    MITRE ATT&CK Techniques
    T1070.006 Indicator Removal on Host: Timestomp

    3.20 SinfulOffice

    This tool is used to create malicious Microsoft Office documents using the OLE (Object Linking and Embedding) feature.

    SinfulOffice IOCs (SHA256)


    Picus Threat Library
    589557 OLE_CharENCODING (FireEye) Office Exploit Payload .DOC File Download Variant-1

    3.21 WildChild

    WildChild is a builder tool that is used to create malicious HTA (HTML Application) files. Microsoft HTML Application Host (Mshta.exe) runs HTA files.

    MITRE ATT&CK Techniques
    T1218.005 Signed Binary Proxy Execution: Mshta

    3.22 WMIRunner

    This tool is used to run WMI commands.

    MITRE ATT&CK Techniques
    T1047 Windows Management Instrumentation

    3.23 WMISharp

    This tool includes WMI commands used in Red Team engagements.

    MITRE ATT&CK Techniques
    T1047 Windows Management Instrumentation

    3.24 WMISpy

    WMISpy tool uses several WMI classes such as Win32_NetworkLoginProfile, MSFT_NetNeighbor, Win32_IP4RouteTable, Win32_DCOMApplication, Win32_SystemDriver, Win32_Share, and Win32_Process for reconnaissance and lateral movement.

    MITRE ATT&CK Techniques
    T1047 Windows Management Instrumentation

    T1021.003 Remote Services: Distributed Component Object Model

  4. Tools without Adequate Data to Analyze

    The YARA rules published by FireEye for the following tools only match the tool's ProjectGuid. We hope FireEye publishes more detailed countermeasures for these tools.

    4.1 AllTheThings
    4.2 CoreHound
    4.3 Justask
    4.4 PrepShellCode
    4.5 Revolver
    4.6 SharpGenerator
    4.7 SharpGrep
    4.8 SharpSack
    4.9 SharpSectionInjection
    4.10 SharPy




[1] “LOLBAS.” [Online]. Available: https://lolbas-project.github.io. [Accessed: 09-Dec-2020]

[2] “APT29.” [Online]. Available: https://attack.mitre.org/groups/G0016/. [Accessed: 10-Dec-2020]

[3] E. Nakashima and J. Marks, “Spies with Russia’s foreign intelligence service believed to have hacked a top American cybersecurity firm and stolen its sensitive tools,” The Washington Post, The Washington Post, 08-Dec-2020 [Online]. Available: https://www.washingtonpost.com/national-security/leading-cybersecurity-firm-fireeye-hacked/2020/12/08/a3369aaa-3988-11eb-98c4-25dc9f4987e8_story.html. [Accessed: 10-Dec-2020]

[4] fireeye, “fireeye/red_team_tool_countermeasures.” [Online]. Available: https://github.com/fireeye/red_team_tool_countermeasures. [Accessed: 10-Dec-2020]

[5] fireeye, YARA rule for ADPassHunt in “fireeye/red_team_tool_countermeasures.” [Online]. Available: https://raw.githubusercontent.com/fireeye/ [Accessed: 09-Dec-2020]

[6] C. Campbell, “GPP Password Retrieval with PowerShell,” Obscure Security, May 2012. [Online]. Available: http://obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html. [Accessed: 09-Dec-2020]

[7] PowerShellMafia, “PowerShellMafia/PowerSploit.” [Online]. Available: https://github.com/PowerShellMafia/PowerSploit. [Accessed: 09-Dec-2020]

[8] “Beacon Covert C2 Payload - Cobalt Strike.” [Online]. Available: https://www.cobaltstrike.com/help-beacon. [Accessed: 09-Dec-2020]

[9] GhostPack, “GhostPack/Seatbelt.” [Online]. Available: https://github.com/GhostPack/Seatbelt. [Accessed: 09-Dec-2020]

[10] cobbr, “cobbr/SharpSploit.” [Online]. Available: https://github.com/cobbr/SharpSploit. [Accessed: 09-Dec-2020]

[11] med0x2e, “med0x2e/RT-EWS.” [Online]. Available: https://github.com/med0x2e/RT-EWS. [Accessed: 09-Dec-2020]

[12] GhostPack, “GhostPack/Rubeus.” [Online]. Available: https://github.com/GhostPack/Rubeus. [Accessed: 09-Dec-2020]

[13] “Steal or Forge Kerberos Tickets: Kerberoasting.” [Online]. Available: https://attack.mitre.org/techniques/T1558/003/. [Accessed: 09-Dec-2020]

[14] med0x2e, “med0x2e/GadgetToJScript.” [Online]. Available: https://github.com/med0x2e/GadgetToJScript. [Accessed: 09-Dec-2020]

[15] SecureAuthCorp, “SecureAuthCorp/impacket.” [Online]. Available: https://github.com/SecureAuthCorp/impacket. [Accessed: 09-Dec-2020]

[16] denandz, “denandz/KeeFarce.” [Online]. Available: https://github.com/denandz/KeeFarce. [Accessed: 09-Dec-2020]

[17] Kevin-Robertson, “Kevin-Robertson/InveighZero.” [Online]. Available: https://github.com/Kevin-Robertson/InveighZero. [Accessed: 09-Dec-2020]

[18] med0x2e, “med0x2e/NET-Assembly-Inject-Remote.” [Online]. Available: https://github.com/med0x2e/NET-Assembly-Inject-Remote. [Accessed: 09-Dec-2020]

[19] med0x2e, “med0x2e/NoAmci.” [Online]. Available: https://github.com/med0x2e/NoAmci. [Accessed: 09-Dec-2020]

[20] BloodHoundAD, “BloodHoundAD/SharpHound3.” [Online]. Available: https://github.com/BloodHoundAD/SharpHound3. [Accessed: 09-Dec-2020]

[21] BloodHoundAD, “BloodHoundAD/BloodHound.” [Online]. Available: https://github.com/BloodHoundAD/BloodHound. [Accessed: 09-Dec-2020]

[22] GhostPack, “GhostPack/SafetyKatz.” [Online]. Available: https://github.com/GhostPack/SafetyKatz. [Accessed: 09-Dec-2020]

[23] IllidanS, “IllidanS4/SharpUtils.” [Online]. Available: https://github.com/IllidanS4/SharpUtils. [Accessed: 09-Dec-2020]

[24] nccgroup, “nccgroup/nccfsas.” [Online]. Available: https://github.com/nccgroup/nccfsas. [Accessed: 09-Dec-2020]

[25] rasta-mouse, “rasta-mouse/RuralBishop.” [Online]. Available: https://github.com/rasta-mouse/RuralBishop. [Accessed: 09-Dec-2020]

[26] fireeye, “fireeye/DueDLLigence.” [Online]. Available: https://github.com/fireeye/DueDLLigence. [Accessed: 09-Dec-2020]

[27] ghogen, “MSBuild.” [Online]. Available: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild. [Accessed: 09-Dec-2020]

[28] “Process Injection: Process Hollowing.” [Online]. Available: https://attack.mitre.org/techniques/T1055/012/. [Accessed: 09-Dec-2020]

[29] stevewhims, “mofcomp.” [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp. [Accessed: 09-Dec-2020]

[30] fireeye, “fireeye/SharPersist.” [Online]. Available: https://github.com/fireeye/SharPersist. [Accessed: 09-Dec-2020]

[31] SolarWinds, “SolarWinds Security Advisory.” [Online]. Available: https://www.solarwinds.com/securityadvisory. [Accessed: 14-Dec-2020]

[32] Reuters, “Technology News.” [Online]. Available: https://www.reuters.com/article/us-usa-solarwinds-cyber-idUSKBN28N0Y7. [Accessed: 14-Dec-2020]