Tactics, Techniques and Procedures (TTPs) Utilized by FireEye’s Red Team Tools

We have been routinely reading about new breaches this year, but this last incident is different from all others we have heard so far. FireEye, like all security vendors, fighting for a good cause. We support FireEye and we think that their response so far very mature and transparent sharing countermeasures to detect the use of their stolen tools.

We know that in such a situation and in a limited time, it is not easy to build all possible countermeasures. So we are also doing our best to support the community, sharing analysis, and additional countermeasures to help organizations to validate and improve their security posture for the possible use of the leaked Red Team tools against them.

Executive Summary

In this article, we analyzed 60 tools stolen from FireEye Red Team’s arsenal to understand the impact of this breach. We found that:

• 43% of the stolen tools are publicly available tools that are using known attack techniques.
• 40% of tools are developed in-house by FireEye. These tools also utilize known adversary techniques. 
• 17% of the stolen tools cannot be identified since FireEye did not share adequate details about these tools. According to their names, we believe that most of these unknown tools are also slightly modified versions of publicly available tools.

FireEye also announced that exploits of 16 vulnerabilities were also stolen. But there is no room for a big concern regarding these vulnerabilities and their exploits since they are already well-known.

At first, this breach remained the stolen NSA hacking tools published in the Shadow Brokers leak. A couple of high severity 0-day exploits were released in the NSA breach. These 0-day exploits caused severe security incidents worldwide, such as WannaCry and NotPetya. However, stolen tools and exploits in the FireEye breach utilizes known attack techniques. Our analysis shows that this breach will not have high impact on organizations.

Still, countermeasures should be taken against the stolen tools since they are frequently used by threat actors.  In our new blog post, "It is Time to Take Action - How to Defend Against FireEye’s Red Team Tools", we shared our comprehensive Blue Team recommendations, our detection contents as SIGMA and vendor-specific queries, and also vendor-based prevention signatures related to defending against FireEye Red Team tools.

Stolen Red Team Tools

FireEye has not shared details about what the stolen red team tools do. The Red and Blue Team analysts of Picus Labs analyzed the compromised tools to reveal the functionalities and possible impacts of these tools.

We categorized these tools into four sets:

1. Tools Based on Open Source Projects: These red team tools are slightly modified versions of open-source tools.
2. Tools Based on Built-in Windows Binaries: These tools use built-in Windows binaries known as LOLBINs (Living Off The Land Binaries) [1].
3. Tools Developed In-house for Fireeye’s Red Team: These tools are specially developed for the use of FireEye’s Red Team.
4. Tools Without Adequate Data to Analyze: There is not enough data to analyze these tools. The Yara rules published by FireEye for the following tools are specific to ProjectGuid of the tool. 

The below chart shows the distribution of stolen red team tools according to the above categories.

Stolen Exploits

In addition to the red team tools, there are also exploit payloads affected by the incident. Leaked payloads exploit the following list of vulnerabilities. According to FireEye's report, leaked payloads do not include a 0-day exploit.

Below chart shows the distribution of the vulnerabilities according to the vulnerability type:

Usual Suspects

FireEye frequently engages with Russian threat actors being a cybersecurity company fighting with APT groups and nation-state threat actors. According to the Washington Post, APT29 (also known as YTTRIUM, The Dukes, Cozy Bear, and CozyDuke) [2] carried out the FireEye breach [3]. However, there is no evidence to prove that.

Update (December 14, 2020)

IT company SolarWinds announced on Sunday that the SolarWinds Orion network monitoring product has been tampered by a state-sponsored threat actor via embedding backdoor code into a legitimate SolarWinds library [31]. This leads to the attacker having remote access into the victim’s environment and a foothold in the network, which can be used by the attacker to obtain privileged credentials. Today, SolarWinds breach is connected to the FireEye breach, and suspicions on Russia increased [32].

Blue Team Recommendations

Picus Labs’ Blue Team prepared a list of recommendations for preventing and detecting the stolen tools and exploits.

1. Mitigating Vulnerabilities
   Assess your systems against vulnerabilities listed in the above section using vulnerability scanning and monitoring tools. If there are any gaps you haven't patched yet, you must fix them, and you should check if they have been abused in your systems.

2. Compromise Assessment
   You can conduct compromise assessments on your systems by using released Yara rules by FireEye [4]. To utilize Yara rules, you can use an open-source Yara scanning tool or enterprise product and distribute it to the endpoints on your systems, then add the rules and get the results. Moreover, you can use IoCs included in Yara rules and search them in your SIEM environment.

3. Utilize IOCs
   

   To prevent and detect future related threats, you can add IOCs given in this report to your security products, such as EDR, EPP, and SIEM. However, keep in mind that these IoCs can easily be changed by adversaries.

4. Utilize Snort Rules
   Most network security products support Snort rules. You can add released Snort rules to your security devices[4]. If you are already using Snort, you can check the current rules are up to date.
   
   
5. Update Your Security Products
   Security vendors are releasing new signatures and rule sets that include countermeasures against stolen tools. Update your security products and their rule and signature sets.
   
   
6. Hunting with OpenIOC
   FireEye released some countermeasures in the OpenIoC format. You can add these rules to your security devices by developing detection and hunting rules using IoC editors.
   

Fore more detailed recommendations and our detection contents as SIGMA and vendor-specific (ArcSight, Carbon Black, QRadar, and Splunk) queries, and also vendor-based (CheckPoint, Cisco, Citrix, Fortinet, F5, McAfee, ModSecurity, Palo Alto Networks, Snort, Trend Micro) prevention signatures read our new blog post, "It is Time to Take Action - How to Defend Against FireEye’s Red Team Tools".

Picus in Action

The Picus Threat Library includes most of the stolen tools, and the Picus Mitigation Library contains actionable mitigation recommendations and detection rules. Picus Labs’ Red Team and Blue Teams are working on missed tools and adding them and their techniques to our libraries.

So, our users have already assessed their cyber defense against most of the stolen red team tools and their attack techniques. And, they fixed the identified gaps using actionable recommendations provided by Picus platform.

Detailed Analysis of the Tools

1. Tools Based on Open Source Projects:
   

   These red team tools are slightly modified versions of open-source tools.

   1.1 ADPassHunt

   It is a credential stealer tool that hunts Active Directory credentials. There are two remarkable strings in the YARA rule [5] of this tool: Get-GPPPasswords and Get-GPPAutologons. Get-GPPPassword is a PowerShell script that retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences (GPP) [6]. Get-GPPAutologons is another PowerShell script that retrieves passwords from Autologon entries that are pushed through GPP. These scripts are used as functions in the PowerSploit, which is an offensive security framework combining PowerShell modules and scripts [7]. You can read our blog post to find out more information on the OS credential dumping technique.

   MITRE ATT&CK Techniques T1003.003 OS Credential Dumping: NTDS T1552.06 Unsecured Credentials: Group Policy Preferences

   AdPassHunt IOCs 590bd7609edf9ea8dab0b5fbc38393a870b329de 29385446751ddbca27c26c43015be7ab0d548b895531fba9b03d612e53bd9ff0

   1.2 Beacon

   This red team tool is based on the  CobaltStrike beacon. A beacon is a CobaltStrike payload used by adversaries for several goals, such as  persistence, execution, privilege escalation, credential dumping, lateral movement, and Command and Control (C2) communication over HTTP, HTTPS, DNS, SMB, and TCP protocols [8]. According to countermeasures published by FireEye, the Beacon tool uses HTTP, HTTPS, and DNS beacons. The Beacon tool utilizes built-in Windows binaries, such as msbuild.exe, Microsoft.Workflow.Compiler.exe, and regsvr32.exe to execute arbitrary payloads, and searchindexer.exe for process injection to evade defenses. It renames these binaries to avoid name-based detection rules by masquerading. You can read our blog post to find out more information about the masquerading technique.

   MITRE ATT&CK Techniques T1071.001 Application Layer Protocol: Web Protocols T1029 Scheduled Transfer T1036.003 Masquerading: Rename System Utilities T1036.004 Masquerading: Task or Service T1036.005 Masquerading: Match Legitimate Name or Location T1574.002 Hijack Execution Flow: DLL Side-Loading T1047 Windows Management Instrumentation T1072 Software Deployment Tools T1059.003 Command and Scripting Interpreter: Windows Command Shell

   CobaltStrike Beacon IOCs 03a8efce7fcd5b459adf3426166b8bda56f8d8439c070b620bccb85a283295f4 e4dd5fc22ff3e9b0fa1f5b7b65fb5dfeac24aab741eee8a7af93f397b5720f4a d011a846badec24a48a50d1ab50f57d356b9dd520408cbb3361182f6f0489a1e 0a566a0ddbaf9975221fe842b9b77c4a8b5d71bb2c33e0a46da26deec90dcbea 61cd1311d2e4663b86b5a70c2aafd5af6b247a6ebf407170296e37aaf8c69392

   Picus Threat Library 853411 CobaltStrike Beacon used by OceanLotus Threat Group .DLL File Download Variant-1 748618 CobaltStrike Beacon Hack Tool used in Military Themed Campaign .EXE File Download Variant-1 649065 CobaltStrike Backdoor Malware .EXE File Download Variant-1 655930 CobaltStrike Backdoor Malware used by OceanLotus Threat Group .EXE File Download Variant-1

   1.3 Beltalowda

   Beltalowda is a red team tool based on an open-source utility, SeatBelt. SeatBelt conducts a variety of security-oriented "safety checks" from both offensive and defensive security viewpoints related to the host survey [9].
   

   Beltalowda / SeatBelt IOCs d80b7a31d68b5f483073ff7af0984c1090f6a493f84db7d3a301e3e35fdb4a56 7b7cbb1a62faf7e7a9ee1d0254c5681779b61abd3c9763b6588857c14cccdd9b 8f991317f1473fa8af3c3d6ade2551ddac01425db6e7b0c718b81c324c43730d 1d841ff51f8b5b08d7b4752cd498108d4b3f82864257dbd8e35b097c766f9e24 29054e2cad080a61db11a61791206ea939cbf79abee71c44fa0e7603dd168840 dea11a5bc6ff271e40e477d1645bdeb19454bdd8eac077e598ca56ee885fc06e b89158aeac0e98f7cc2a6c3040ad2f57093bdb9064eab2c585c1250d5efa850e 00d1726e2ba77c4bed66a6c5c7f1a743cf7bb480deff15f034d67cf72d558c83 5cacbf4e84027cb3c0ec55940dddee6f4d368aae778d635003cb3013b547ede0 bb939544ac109ca674ee9de4d8b292f9b117c9c676ddab61d15a6e219ad3986c

   Picus Threat Library 295245 Information Gathering from Browsers using Seatbelt 830665 Information Gathering from Browsers using Seatbelt Variant-2 346711 Information Gathering by using Seatbelt Variant-3

   1.4 Dtrim

   Dtrim is a modified version of SharpSploit, which is an open-source .NET post-exploitation library written in C# [10]. SharpSploit ported modules of PowerShell post-exploitation frameworks like PowerSploit and other tools such as Mimikatz.

   Picus Threat Library 888666 Credential Dumping from Windows Vault by using PowerSploit 841093 Process Injection by using Powersploit's Invoke-DllInjection Function 853912 Credential Dumping via SharpSploit’s Mimikatz Script Attack Scenario 322981 Information Gathering Scenario using Sharpsploit 778874 Credential Dumping by using Sharpsploitconsole and Sharpcradle 430106 Credential Dumping by using SharpSploit Library (compiled by SharpGen)

   1.5 EWS-RT

   EWS-RT is based on an open-source PowerShell tool, RT-EWS [11], which is a couple of cmdlets leveraging EWS (Exchange Web Services) API to perform specific enumeration and exploitation tasks on Microsoft Exchange Servers including Office365 and on-premise servers.

   1.6 Fluffy

   Fluffy is a modified version of Rubeus, which is an open-source C# toolkit for raw Kerberos interaction and abuses [12]. Red teams use Rubeus for Kerberoasting attacks and extracting Kerberos tickets [13].

   MITRE ATT&CK Techniques T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting

   Fluffy IOCs (SHA1) 8bebf19d54c749560301eaada2e92eb240501b8c

   1.7 G2JS

   G2JS (GadgetToJScript) is an open-source tool for generating .NET serialized gadgets that can trigger .NET assembly load and execution when deserialized using BinaryFormatter from JS, VBS, and VBA scripts [14]. G2JS was created mainly for automating Microsoft Windows Script Host (WSH)  scripts weaponization during red team engagements.

   MITRE ATT&CK Techniques T1059.005 Command and Scripting Interpreter: Visual Basic T1059.007 Command and Scripting Interpreter: JavaScript/JScript

   G2JS IOCs (SHA256) dcce258cc818febe2b888c8eee42aa95393b2fb4f1f2406330840ab8ad5c7d50 A3a8dedf82741a1997b17a44fbb1e5712ba3a5db11146519cf39281def9329a7 eed9402cb6fdc047b12f67493ba10970155a00086918eaad9542ab24096cc715 398afc4c33e00b26466abb87668e33be766dbbf4c493fe04d180a14d14a32fa3 da3bdb6b9348a8d9328e669c744d0f21a83937c31894245e3157121342efe52c cdabbe815b7aafa94469b97fa3665137c4d5b2da4fdd7648ba2851cf2df214fc f8c8bb2ac03cc2a037ddde4ad175aa05aa80277483fcdac42627fbdcc36f64ba fd2e546faed7426c448d1a11d8e1d4b8a06b5148c9c8dfa780338fac2ab53c5b 0b8eab0a1961c52c141ac058c11e070d724d600cf903f2457c8ed189e7aae047 117b9c9127beaf2e3ce7837c5e313084fd3926f1ebf1a77563149e08347cb029

   Picus Threat Library 423316 Command Execution by using .NET Serialized Gadgets 467980 GadgetToJSCript (FireEye) HackTool .TXT File Download Variant-1

   1.8 ImpacketObf

   ImpacketObf (ImpacketObfuscation) is a collection of obfuscated Impacket utilities. Impacket is an open-source collection of Python classes for working with network protocols [15].

   1.9 ImpacketOBF (SMBExec)

   This tool is based on Impacket’s smbexec.py tool.

   1.10 ImpacketOBF (WMIExec)

   This tool is based on Impacket’s wmiexec.py tool.

   MITRE ATT&CK Techniques T1047 Windows Management Instrumentation

   1.11 InveighZero

   InveighZero is an open-source spoofer and man-in-the-middle (MitM) attack tool designed to assist red teamers and penetration testers [16], [17]. It can spoof LMNR, NBNS, mDNS, DNS, and DHCPv6 protocols.

   MITRE ATT&CK Techniques T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

   InveighZero IOCs (SHA256) 78fafeb22bf31de02a4b56114e86dcc3394e382658a5c95b1a302d3d8794718d 2728c46f4fcf62f3faee72be30f1dd75528391b0d70da302544f5282d58c931b 715b415647f33937b39aa072001bfb9857a4bea884d009cbe0c27f1422b9f55b 452c6651e79d9f69a55e711c0b4d70eb2b1aaac206b8a274e45d22f9d7cafd2c 50c4f46e43d30c9520be35e294ef98d81f81d60602cd659367bbcf6a91766c0f a66f3a9ddf9343aeed40276c1abfc485f089050074a03801cd9a16787a39c6bf 0c080548e15e7f377baed2a550d48a555e6150d969f7f4b8244c3b3a50afb858

   Picus Threat Library 685789 Credential Access via Network Sniffing by using Inveigh

   1.12 KeeFarce

   KeeFarce is an open-source tool that extracts KeePass 2.x password database information from memory [16]. It uses DLL injection to execute code within the context of a running KeePass process.

   MITRE ATT&CK Techniques T1555.001 Process Injection: Dynamic-link Library Injection

   KeeFarce IOCs (SHA256) 5ea9a04284157081bd5999e8be96dda8fac594ba72955adacb6fa48bdf866434

   Picus Threat Library 206268 Credential Dumping by using KeeFarce

   1.13 NetAssemblyInject

   This tool injects C# .NET assemblies into arbitrary Windows processes. It is based on an open-source tool, NET-Assembly-Inject-Remote [18] . 
   

   Picus Threat Library 459538 Credential Dumping using NetAssembly Injection Tool

   1.14 NoAmci

   NoAmci is an open-source tool that uses DInvoke to patch AMSI.dll to bypass AMSI (Windows Antimalware Scan Interface) detections [19].

   Picus Threat Library 422966 Disabling Security Tools by using NoAmci Tool (AMSI Bypass)

   1.15 PuppyHound

   PuppyHound is a modified version of an open-source tool, SharpHound [20]. It is the C# data collector for the BloodHound Project [21].

   PuppyHound / SharpHound IOCs (SHA256) 23490f7ac40b6b15c228ed8f8e9122d460469aa4025ed7008660e4310ef7e70f a7240d8a7aee872c08b915a58976a1ddee2ff5a8a679f78ec1c7cf528f40deed 5fabe36fb1da700a1c418e184c2e5332fe2f8c575c6148bdac360f69f91be6c2 7b0a7e5d344f8ffa1a097cd9e658ecaa551fd84cfcc92a5fe46f9965661662cc e9e646a9dba31a8e3debf4202ed34b0b22c483f1aca75ffa43e684cb417837fa a07002c5d7712e751dfbcab1f05190793eb417b693b61f8ba0750fa15f88f61b 0d9fbc16c6f316d8ee1b9ff47b300c24a1964fdfc3990b680d05dab5e1905d9f ee72671628902e2cd75fde74b7926355b39d1ab50be0aa8bc06e8f06344fc22c 36d4e69106bc8530d7923442d1929558b876f7f10545316623ae3db1b93ec584 e333444d815055181402f5fdbf60a62c4545e64f3e382c7685b47b7b5a6c27e8

   Picus Threat Library 273197 Domain Information Discovery by using SharpHound

   1.16 Rubeus

   Rubeus is an open-source C# toolkit for raw Kerberos interaction and abuses [12]. Red teams use Rubeus for Kerberoasting attacks and extracting Kerberos tickets [13].

   MITRE ATT&CK Techniques T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting

   Rubeus IOCs (SHA256) a729d51f3deff5065e4978df2f88517d26e0d5db542c9cf8501a4206d8d2432c 9758688dd18db6ec86c4835d9ba67b5e209c32c81981dc69d705670f8b95d5e6 0340043481091d92dcfb2c498aad3c0afca2fd208ef896f65af790cc147f8891 76faeb790d1c1aa5fd3473f86f602b371682415368ddd553ebc60eb3c7683f7f 0097d59dc02cbac14df25ef05fc6d75f835d1db68f760d71fa4a0a57d9960606 c74352729dd49829f5e398a7fc7dd033d9e4aba3d93162c4fbcbe394cc31c3d4 9c6a910a047e29e07b4015866dc05e00829b888a86d1d357ed49652a9b73f1b6 6c1829be1c49c04b956b431386c389a6bf83327a5e7e68ff453103820ad4464d 817867c23a7bf47e99c93201f99f5eb805396327765aa76338c5f9e0c89eac4a 65044ea9fea1e34042adf3ff5e5fb17fc021ba4b0775415fad2465558a782c5e

   Picus Threat Library 471775 Pass the Hash by using Rubeus Tool with asktgt Module (Pass The Key) 479855 Kerberoasting Attack by using Rubeus Tool 217117 Kerberoasting Attack by using Rubeus Tool Variant-2 893519 Pass the Hash by using Rubeus Tool (1.5.0) with asktgt Module (Pass The Key) 789965 Kerberoasting Attack by using Rubeus Tool (1.5.0) 509384 AS-REP Roasting Attack by using Rubeus Tool

   1.17 SafetyKatz

   SafetyKatz is a combination of Mimikatz and .NET PE Loader [22].  It creates a minidump of LSASS and uses PELoader to load a customized version of Mimikatz for credential dumping.

   MITRE ATT&CK Techniques T1003.001 OS Credential Dumping: LSASS Memory

   SafetyKatz IOCs (SHA256) 2b3cab071ca6f104377a7684eb586150fdec11df2dc8cebcb468f57a82f10c73 89a456943cf6d2b3cd9cdc44f13a23640575435ed49fa754f7ed358c1a3b6ba9 3547d857af012c643a75bd3c1d3226c98e8181dc6e92872eb0746b26f6cc1a09 d1d3b00e8be37b30abfe2ff2aca90073ae517a27635a9fbb2e222981cf1ae817 796f70f7e01257c5b79e398851c836e915f6518e1e3ecd07bcd29233cf78f13d bcf1857fe1eb566c0dbd032f7ec186bc1a31895861ac36887ad034501794fd00 4542ebba83ef6e16db6dc30383614bf52cb7c3f2fbd1577de10f02d6bf7dfc50 291a6968a3f7f2092c656d0275c604182d6f7ee7b813460aeb8b28c06d804b5e b0a55532654bbfd0aafa59dfe26b576a095d9ac4a4af2f99bca442a1d87ce29b 27dd261ad7f3ad7d782625c2a459caf6ae81109ffe8f830b68b154f02d578658

   Picus Threat Library 416382 Credential Dumping by using SafetyKatz Tool 549536 Credential Dumping by using SafetyKatz Tool Variant-2 764801 Mimikatz Execution with Evasion by using BetterSafetyKatz 779384 Credential Dumping using SafetyKatz Tool with AmsiScanBufferBypass

   1.18 SharpUtils

   It is an open-source collection of red team utilities written in C# language [23].

   1.19 SharpZeroLogon

   It is an open-source exploit for the Zerologon vulnerability (CVE-2020-1472) [24]. It exploits the cryptographic vulnerability in Netlogon to bypass authentication.

   SharpZeroLogon IOCs (SHA256) c4a97815d2167df4bdf9bfb8a9351f4ca9a175c3ef7c36993407c766b57c805b b9088bea916e1d2137805edeb0b6a549f876746999fbb1b4890fb66288a59f9d 24d425448e4a09e1e1f8daf56a1d893791347d029a7ba32ed8c43e88a2d06439 7a05fd67e9344d27c90a7196ab32cbaf1ee8c14f8655e87cc3ebddca7eacebdf eec19dd96f08c4b6c61e079cbff058bb79d928a3c3dd01b397222a3f5bfe2dd9 fa032802537b61f0e5f3645229a0758114b0c00ddc95273efba7a17ed18e2e00 10ed27a6dad3793933262c0a0b4ec1837c7127cde872acf23e4c42a8ecfd9109 7bcf833ab795b3a2cbd5df2e8caf5d664534b4623d0864dda73222dc47c56ec7

   Picus Threat Library 792844 Exploitation of Zerologon Vulnerability via SharpZeroLogon Tool

   1.20 TitoSpecial

   TitoSpecial is based on an open-source tool AndrewSpecial, which is a credential stealer. It dumps credentials from LSASS memory. We explained this technique in our Credential Dumping blog.

   MITRE ATT&CK Techniques T1003.001 OS Credential Dumping: LSASS Memory

   TitoSpecial / AndreSpecial IOCs (SHA256) 7bcf833ab795b3a2cbd5df2e8caf5d664534b4623d0864dda73222dc47c56ec7

   Picus Threat Library 797345 TitoSpecial (FireEye) Infostealer .EXE File Download Variant-1

   1.21 TrimBishop

   This tool is based on an open-source tool, Rural Bishop [25].

   TrimBishop / RuralBishop IOCs (SHA256) 38e7e5250287542688b12e216d9b25388061decde2f7255969a7a914cda0faf4 60247aa54635a0788f636aeab9752cc4e83ba4ae3ec336f60e01ab8dec856a05 7127e4b634f2bf6b9965d183c3dd61540ed4e08c4d60123da44892cf509cfe94 f821c3b8274d69e6948dea823682d16be0b23da3ea5363d6ffa0ea05e8654c05 b40c8fcb20acf66db418078f0d6099145b220dc056d095beb54665faf6c726c7

   Picus Threat Library 754289 TrimBishop (FireEye) RAT .EXE File Download Variant-5 451090 TrimBishop (FireEye) RAT .EXE File Download Variant-4 854677 TrimBishop (FireEye) RAT .EXE File Download Variant-3 759601 TrimBishop (FireEye) RAT .EXE File Download Variant-2 746754 TrimBishop (FireEye) RAT .EXE File Download Variant-1

2. Tools Based on Built-in Windows Binaries
   
   

   These tools use built-in Windows binaries known as LOLBINs (Living Off The Land Binaries) [1].

   2.1 DueDLLigence

   
   

   DueDLLigence is a shellcode runner framework previously published by FireEye[26]. Red Teams use it for application whitelisting bypass and DLL side-loading. It utilizes built-in Windows binaries Control.exe (Windows Control Panel), Rasautou.exe (Remote Access Dialer), and msiexec.exe  (Microsoft Installer Executable) to bypass applications.

   MITRE ATT&CK Techniques T1218.002 Signed Binary Proxy Execution: Control Panel T1218.007 Signed Binary Proxy Execution: Msiexec

   DueDLLinge IOCs (SHA256) 9ff0c4211b7e0b6b9789c4a8576a5e2d1085ca729047a97518f46073ba558956 bcbc2f9367a909de763dca4d46d8328b65593df72abb5e61d2b8b104245f4814 df50e66c9f384a5ff9e3b23272677f3cc2962759947bffbfb905a12f21fd7a3d 71227bc1534a092ba03e6374cad929b193d1f6667cb781efd059b7d7d8e09c1d aac1cd7e70f87d29504a017c7c1fe4ad276980d624d1f3651565cada52a37031

   Picus Threat Library 590774 Dism.exe OS Binary (Lolbas) used in Signed Binary Proxy Executio 288390 DueDLLigence (FireEye) RAT .DLL File Download Variant-4 380893 DueDLLigence (FireEye) RAT .DLL File Download Variant-3 664528 DueDLLigence (FireEye) RAT .DLL File Download Variant-2 755632 DueDLLigence (FireEye) RAT .DLL File Download Variant-1

   2.2 MSBuildMe

   
   

   This red team tool is based on the MSBuild (Microsoft Build Engine),  which is a platform for building applications [27]. It is used to compile and execute code and bypass the Application Whitelisting (AWL).

   MITRE ATT&CK Techniques T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild

   Picus Threat Library 422325 Microsoft Build Engine (MSBuild) Attack Scenario 395873 Parent PID Spoofing using APC Queue Code Injection 817545 Mimikatz Execution using MSBuild Task Property

   2.3 NetshShellCodeRunner

   
   

   This tool is based on Netsh.exe, which is a Windows tool used to manipulate network interface settings. Netsh.exe is used by adversaries and red teamers to execute a .dll file.

   MITRE ATT&CK Techniques T1546.007 Event Triggered Execution: Netsh Helper DLL

   2.4 Uncategorized

   
   

   This is a collection of tools that utilize built-in Windows binaries dism.exe, searchprotocolhost.exe, and werfault.exe for Process Injection.

   MITRE ATT&CK Techniques T1055 Process Injection

   2.5 Weaponize

   
   

   This tool uses the built-in Windows binary TSTheme.exe (TSTheme Server Module).

   
   
3. Tools Developed In-house for Fireeye’s Red Team
   

   
   These tools are specifically developed for the use of FireEye’s Red Team.

   3.1 DShell

   
   

   DShell red team tool is a backdoor written in the D programming language. Its payload is encoded in Base64 format. According to Windows functions used by DShell, we guess it uses the process injection technique to inject its payload into a legitimate process.

   DShell IOCs (SHA256): 747941f972e786f9a93c809247dc776d1fe348e004b1c087683756ae48acfdfe 4647ead22996882f3e17104040605473309f460d4f8d00f07395de89d81a039c a6834eb32f20a52786ce1c5e99b94baec4d251414a97ca4717b2b06c88340a4b 2b4d48aac9c6885f50f5f95c10385aa10f7de9c8f393e64777b544e8fae8c95b 5e53ce8f7f5f0b9c85bcb15becc5ae4ce9f8fc01504e76deaafbf70ffa1cda9d 6500e845c478dc26d950b913da2fb85d6b180275827737062f23c8671b2cbd0e c32514711f72002e9a540c2434dee7b239485d01a95a7530b939fed43f277f6d 77dedb037985896646ee3a65687dca17f669750133893209ea765c991a2c39a0 0c55581575708818bd5b58cd9647f1112f97a921f36227d4fe512e710e0a0dbf 225d4be8f66361b82dd89fc14496a1ebe37049c1930672dde2ccb6aab068aff1

   Picus Threat Library 679074 DShell (FireEye) Backdoor .EXE File Download Variant-4 820177 DShell (FireEye) Backdoor .EXE File Download Variant-3 657835 DShell (FireEye) Backdoor .EXE File Download Variant-2 565235 DShell (FireEye) Backdoor .EXE File Download Variant-1

   3.2 Excavator

   
   

   This red team tool can dump a process directly or via its service.  It is used  by red teams to dump credentials from LSASS memory. You can read our Credential Dumping blog to learn the details of this technique.

   MITRE ATT&CK Techniques T1003.001 OS Credential Dumping: LSASS Memory

   Excavator IOCs (SHA256): efb533249f71ea6ebfb6418bb67c94e8fbd5f2a26cbd82ef8ec1d30c0c90c6c1 27a5e3795e150eb9d3af99a654be7d9a684983c0bbccc9ba0b4efa4301404760 31d06aa9ceb13c28b6af76d6b5cc33dc14c59e4496c9265cee60cbad3d89b863

   3.2 Excavator Excavator IOCs (SHA256) kutusu altına:Picus Threat Library 470104 Excavator (FireEye) Infostealer .DLL File Download Variant-1

   Picus Threat Library 624090 Excavator (FireEye) Infostealer .DLL File Download Variant-2 244487 Excavator (FireEye) Infostealer .EXE File Download Variant-1 470104 Excavator (FireEye) Infostealer .DLL File Download Variant-1

   3.3 GetDomainPasswordPolicy

   It is a reconnaissance tool that obtains the password policy for an Active Directory domain.

   3.4 GPOHunt

   It is a reconnaissance tool that retrieves Group Policy configurations.

   3.5 KeePersist

   It is a tool developed in-house for Fireeye’s Red Team that is used for persistence.

   3.6 LNKSmasher

   LNKSmasher is a tool that generates malicious .LNK files. LNK is a file format used for shortcut files that point to an executable file. This red team tool can embed an arbitrary payload in an LNK file.

   MITRE ATT&CK Techniques T1547.009 Boot or Logon Autostart Execution: Shortcut Modification T1204.002 User Execution: Malicious File

   3.7 LuaLoader

   
   

   LuaLoader is a red team tool that can load arbitrary codes written in the Lua language. It is a tool developed in-house for Fireeye’s Red Team.

   3.8 Matryoshka

   
   

   Matryoshka is a tool written in the Rust programming language. It is a multi-stage tool. After downloading the first-stage payload, it runs the second-stage malware via its dropper and installs the real payload. It uses the process hollowing technique [28] to evade defenses.

   3.9 MemComp

   
   

   The MemComp tool is used for in-memory compilation.

   3.10 MOFComp

   
   

   MOFComp (MOF Compiler) is a built-in Windows tool that parses a file containing MOF (Managed Object Format) statements and adds the classes and class instances defined in the file to the WMI (Windows Management Instrumentation) repository [29].

   MITRE ATT&CK Techniques T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

   3.11 PGF

   
   

   PGF is a backdoor development framework that utilizes several LOLBINs, such as Netsh, InstallUtil, Regasm, RunDLL32, Control, and Cstmp.exe.

   MITRE ATT&CK Techniques T1218.001 Signed Binary Proxy Execution: Compiled HTML File T1218.002 Signed Binary Proxy Execution: Control Panel T1218.003 Signed Binary Proxy Execution: CMSTP T1218.004 Signed Binary Proxy Execution: InstallUtil T1218.005 Signed Binary Proxy Execution: Mshta T1218.007 Signed Binary Proxy Execution: Msiexec T1218.008 Signed Binary Proxy Execution: Odbcconf T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm T1218.010 Signed Binary Proxy Execution: Regsvr32 T1218.011 Signed Binary Proxy Execution: Rundll32 T1216.001 Signed Script Proxy Execution: PubPrn T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control T1036.005 Masquerading: Match Legitimate Name or Location T1055 Process Injection T1574.002 Hijack Execution Flow: DLL Search Order Hijacking T1574.002 Hijack Execution Flow: DLL Side-Loading

   PGF IOCs (SHA256) 1208a9fcee5cf7522676427a7b8ceb6d49f7fcb6295f759b8cda0c3b3066a7e1 a0d5f287b9b3c0f540d5a59db423b86776a81181f81e14082d7b72ac1d99f8ea 86313ef291ebc5905837f16a8a99992550f986feca21fdc40f554b674c7298f7 1a9d041c82423805bc01b4cb1f5c20c5d58ebc4b525fd88553803a2f148ebd8d ebc16780fe7083af5a9e143b56e0a791115f8b37b83f1bad5bab4828623e1224 032d1aa450227df5d23cc304009ad2db48b33e78191f464a1acc101807845aa7 65e7006479b5be1d094047a201da9a83e3ed424835752c62534bac32a9f3153b 24e37e197bdbabf8a2bc63e0776e82c00a440febe171ec1e648f024338c0871c e1a42ea65004088638bd06353c14f85dcb0030e9fb6975425c6916d8f4f36dd3 304ee129a947706c6436d89215034332554cbb30cde833ce1d368d5b4b97eb3b

   Picus Threat Library 573139 PGF (FireEye) Hacking Tool .EXE File Download Variant-3 819174 PGF (FireEye) Hacking Tool .EXE File Download Variant-2 674310 PGF (FireEye) Hacking Tool .EXE File Download Variant-1

   3.12 PXELoot

   
   

   It is a red team tool that discovers and exploits misconfigurations in Windows Deployment Services (WDS).

   3.13 RedFlare

   
   

   RedFlare is a Trojan development framework that includes builder, controller, downloader, and keylogger. It can generate Trojans for Windows and Linux systems.

   RedFlare IOCs (SHA256): 037a51ea69153ce7044f85bb11d54f825b9fed904dac1b7c3f505c50cc8a43ab 42192e9df6321af2a1039a2353f1abe2aa53174582c7623cb1e42c9accc24720 11ddfdf2f102cb1518c0dc8d9021d8c16c9da3ae1b99ff3abc77467e7709ef23 dd5157b908d14f09cedc7ce687056a57a883fd796624e42f731c57630d7b43b4 34acd86d85b018feecc9adcd7985f15678306f518c21fcd6b34d62b27521fea5 4b3629ff14f5dc465d628cadc2f0c0b7503979078b1f9559fc35f6b0b1c7299d 7ecb85692b45c28300144c1451ef9e94cdd1964f40cd809e4b9b423581b2843e 9033aff8650ff5236b696561f7b0546581c74d715301a22584fdfca59ec444a2 68e376573d59d8f4e626d34df4ed8c16bae409fd95ca5f7215c9e483422ea429 8118b4c86db92483bf20e466f3ff664a4ea25e728a480282b498e95673bbb4f5 546a7635330fdefc2a084483eb2a43187d302de5bdfbe7a36364f8ed019f8f36 914cb1bcb371622923ac70bea30eb9bd6ff6f75c189d110de0be6adc30002157 28d9875c987188f940606459fd9b9dd65df224dfeb31e552e5b564a71b1eb7ce ed2898dbbb1c9f3ba50adb64d17b1ce4ab31b3b0b8e18160ec6b6800f3922f9b 312ca68ff36542efe4f4b545230fc579269b477ec59f735081f395a5094c55c2

   Picus Threat Library 809371 RedFlare (FireEye) Hacking Tool .EXE File Download Variant-3 207277 RedFlare (FireEye) Hacking Tool .EXE File Download Variant-2 867336 RedFlare (FireEye) Hacking Tool .EXE File Download Variant-1

   3.14 RedFlare (GoRAT)

   
   

   GoRAT is a RAT (Remote Access Trojan) written in the Golang programming language.

   GoRAT IOCs (SHA256) 1381107c1f473b3dce170356158be445afc76ec3c0661d8429ef1f5a591e76f0 39845d02f72d83ef342b62b7348776d44cdb3eb6416b83ea2167b301d306cd58

   3.15 ResumePlease

   
   

   It is a Microsoft Office macro malware template that includes malicious VBA (Visual Basic for Application) codes.

   ResumePlease IOCs (SHA256) 1866449e8ad2c55240eafdf14fc835138ca3e99a7b180c2150cef047868f56cc a841a86fe10e11ced850a471cc3256e37d9435e292cac2a9c00f55592b2bf0de

   Picus Threat Library 637798 ResumePlease (FireEye) Office Exploit Payload .Doc File Download Variant-1

   3.16 SharPersist

   
   

   It is a Windows persistence toolkit written in C# for FireEye Red Team [30]. It provides persistence via several methods, such as modifying registry run keys, adding payload to the startup folder, and adding a new scheduled task that runs on each startup.

   MITRE ATT&CK Techniques T1112 Modify Registry T1546.015 Event Triggered Execution: Component Object Model Hijacking T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1047 Windows Management Instrumentation T1053.005 Scheduled Task/Job: Scheduled Task

   SharPersist IOCs (SHA256) e9711f47cf9171f79bf34b342279f6fd9275c8ae65f3eb2c6ebb0b8432ea14f8 455aab141cc9945899c9838b187251c7f647470d827a1d4ce8e833f04a6dd386 68c3388de07d92023490fb47caf1b6f92556959f2267cc3b3d2fcd5018cd3d72 0a443ea08c23991d229ee89a92bc23f959e17819027bb71f6267a7dfeeb9793d 4c3d4cbeec3d722929d86c0bf19108b3eac090fc5dc8fcde2cf818ff16e6fc5b

   Picus Threat Library 206268 Registry Run Keys / Startup Folder Persistence by using SharPersist Tool 478660 SharpPersist (FireEye) Hacking Tool .EXE File Download Variant-3 286882 SharpPersist (FireEye) Hacking Tool .EXE File Download Variant-2 479515 SharpPersist (FireEye) Hacking Tool .EXE File Download Variant-1

   3.17 SharPivot

   
   

   SharPivot is a .NET console application. This red team tool executes commands on a remote target for lateral movement by utilizing DCOM (Distributed Component Object Model)

   MITRE ATT&CK Techniques T1021.003 Remote Services: Distributed Component Object Model T1559.001 Inter-Process Communication: Component Object Model T1059.003 Command and Scripting Interpreter: Windows Command Shell

   3.18 SharpSchTask

   
   

   It is a persistence tool written in C# that utilizes the scheduled task feature of Windows.

   MITRE ATT&CK Techniques Scheduled Task/Job: Scheduled Task

   3.19 SharpStomp

   
   

   SharpStomp is a C# utility that can be used to modify creation, last access, and last write time of a file. In other words, it is a timestomping tool.

   MITRE ATT&CK Techniques T1070.006 Indicator Removal on Host: Timestomp

   3.20 SinfulOffice

   
   

   This tool is used to create malicious Microsoft Office documents using the OLE (Object Linking and Embedding) feature.

   SinfulOffice IOCs (SHA256) 4c5e5e172d233680fee184643b4b79dbf1f97674807c7e40bcfaac8675016c0d a099840e55c6d813db791842efb1512e401af03e4fd9e285b6e906b615cc477a

   Picus Threat Library 589557 OLE_CharENCODING (FireEye) Office Exploit Payload .DOC File Download Variant-1

   
   

   3.21 WildChild

   
   

   WildChild is a builder tool that is used to create malicious HTA (HTML Application) files. Microsoft HTML Application Host (Mshta.exe) runs HTA files.

   MITRE ATT&CK Techniques T1218.005 Signed Binary Proxy Execution: Mshta

   3.22 WMIRunner

   
   

   This tool is used to run WMI commands.

   MITRE ATT&CK Techniques T1047 Windows Management Instrumentation

   3.23 WMISharp

   
   

   This tool includes WMI commands used in Red Team engagements.

   MITRE ATT&CK Techniques T1047 Windows Management Instrumentation

   3.24 WMISpy

   
   

   WMISpy tool uses several WMI classes such as Win32_NetworkLoginProfile, MSFT_NetNeighbor, Win32_IP4RouteTable, Win32_DCOMApplication, Win32_SystemDriver, Win32_Share, and Win32_Process for reconnaissance and lateral movement.

   MITRE ATT&CK Techniques T1047 Windows Management Instrumentation T1021.003 Remote Services: Distributed Component Object Model

4. Tools without Adequate Data to Analyze

The Yara rules published by FireEye for the following tools are specific to ProjectGuid of the tool. We hope FireEye publishes more detailed countermeasures about this tool.

4.1 AllTheThings
4.2 CoreHound
4.3 Justask
4.4 PrepShellCode
4.5 Revolver
4.6 SharpGenerator
4.7 SharpGrep
4.8 SharpSack
4.9 SharpSectionInjection
4.10 SharPy

References

[1] “LOLBAS.” [Online]. Available: https://lolbas-project.github.io. [Accessed: 09-Dec-2020]

[2] “APT29.” [Online]. Available: https://attack.mitre.org/groups/G0016/. [Accessed: 10-Dec-2020]

[3] E. Nakashima and J. Marks, “Spies with Russia’s foreign intelligence service believed to have hacked a top American cybersecurity firm and stolen its sensitive tools,” The Washington Post, The Washington Post, 08-Dec-2020 [Online]. Available: https://www.washingtonpost.com/national-security/leading-cybersecurity-firm-fireeye-hacked/2020/12/08/a3369aaa-3988-11eb-98c4-25dc9f4987e8_story.html. [Accessed: 10-Dec-2020]

[4] fireeye, “fireeye/red_team_tool_countermeasures.” [Online]. Available: https://github.com/fireeye/red_team_tool_countermeasures. [Accessed: 10-Dec-2020]

[5] “[No title].” [Online]. Available: https://raw.githubusercontent.com/fireeye/
red_team_tool_countermeasures/master/rules/
ADPASSHUNT/production/yara/
APT_HackTool_MSIL_ADPassHunt_2.yar. [Accessed: 09-Dec-2020]

[6] Chris and V. my C. Profile, “GPP Password Retrieval with PowerShell.” [Online]. Available: http://obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html. [Accessed: 09-Dec-2020]

[7] PowerShellMafia, “PowerShellMafia/PowerSploit.” [Online]. Available: https://github.com/PowerShellMafia/PowerSploit. [Accessed: 09-Dec-2020]

[8] “Beacon Covert C2 Payload - Cobalt Strike.” [Online]. Available: https://www.cobaltstrike.com/help-beacon. [Accessed: 09-Dec-2020]

[9] GhostPack, “GhostPack/Seatbelt.” [Online]. Available: https://github.com/GhostPack/Seatbelt. [Accessed: 09-Dec-2020]

[10] cobbr, “cobbr/SharpSploit.” [Online]. Available: https://github.com/cobbr/SharpSploit. [Accessed: 09-Dec-2020]

[11] med0x2e, “med0x2e/RT-EWS.” [Online]. Available: https://github.com/med0x2e/RT-EWS. [Accessed: 09-Dec-2020]

[12] GhostPack, “GhostPack/Rubeus.” [Online]. Available: https://github.com/GhostPack/Rubeus. [Accessed: 09-Dec-2020]

[13] “Steal or Forge Kerberos Tickets: Kerberoasting.” [Online]. Available: https://attack.mitre.org/techniques/T1558/003/. [Accessed: 09-Dec-2020]

[14] med0x2e, “med0x2e/GadgetToJScript.” [Online]. Available: https://github.com/med0x2e/GadgetToJScript. [Accessed: 09-Dec-2020]

[15] SecureAuthCorp, “SecureAuthCorp/impacket.” [Online]. Available: https://github.com/SecureAuthCorp/impacket. [Accessed: 09-Dec-2020]

[16] denandz, “denandz/KeeFarce.” [Online]. Available: https://github.com/denandz/KeeFarce. [Accessed: 09-Dec-2020]

[17] Kevin-Robertson, “Kevin-Robertson/InveighZero.” [Online]. Available: https://github.com/Kevin-Robertson/InveighZero. [Accessed: 09-Dec-2020]

[18] med0x2e, “med0x2e/NET-Assembly-Inject-Remote.” [Online]. Available: https://github.com/med0x2e/NET-Assembly-Inject-Remote. [Accessed: 09-Dec-2020]

[19] med0x2e, “med0x2e/NoAmci.” [Online]. Available: https://github.com/med0x2e/NoAmci. [Accessed: 09-Dec-2020]

[20] BloodHoundAD, “BloodHoundAD/SharpHound3.” [Online]. Available: https://github.com/BloodHoundAD/SharpHound3. [Accessed: 09-Dec-2020]

[21] BloodHoundAD, “BloodHoundAD/BloodHound.” [Online]. Available: https://github.com/BloodHoundAD/BloodHound. [Accessed: 09-Dec-2020]

[22] GhostPack, “GhostPack/SafetyKatz.” [Online]. Available: https://github.com/GhostPack/SafetyKatz. [Accessed: 09-Dec-2020]

[23] IllidanS, “IllidanS4/SharpUtils.” [Online]. Available: https://github.com/IllidanS4/SharpUtils. [Accessed: 09-Dec-2020]

[24] nccgroup, “nccgroup/nccfsas.” [Online]. Available: https://github.com/nccgroup/nccfsas. [Accessed: 09-Dec-2020]

[25] rasta-mouse, “rasta-mouse/RuralBishop.” [Online]. Available: https://github.com/rasta-mouse/RuralBishop. [Accessed: 09-Dec-2020]

[26] fireeye, “fireeye/DueDLLigence.” [Online]. Available: https://github.com/fireeye/DueDLLigence. [Accessed: 09-Dec-2020]

[27] ghogen, “MSBuild.” [Online]. Available: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild. [Accessed: 09-Dec-2020]

[28] “Process Injection: Process Hollowing.” [Online]. Available: https://attack.mitre.org/techniques/T1055/012/. [Accessed: 09-Dec-2020]

[29] stevewhims, “mofcomp.” [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp. [Accessed: 09-Dec-2020]

[30] fireeye, “fireeye/SharPersist.” [Online]. Available: https://github.com/fireeye/SharPersist. [Accessed: 09-Dec-2020]

[31] SolarWinds, SolarWinds Security Advisory, https://www.solarwinds.com/securityadvisory [Accessed: 14-Dec-2020]

[32] Reuters, Technology News, https://www.reuters.com/article/us-usa-solarwinds-cyber-idUSKBN28N0Y7 [Accessed: 14-Dec-2020]