FireEye Breach: Leaked Red Team Toolkit Detection

This week the cybersecurity community was struck by the news that one of the top security firms was compromised by an unnamed, sophisticated APT group. The adversaries were after the Red Team tools FireEye uses to test its customers' security, and they also looked for information related to government customers. An investigation is ongoing, and the F.B.I. Cyber Division is involved. Although no official information about the suspected attackers has been released, The New York Times reports that the F.B.I. agents involved specialize in Russia-related investigations, so there is little doubt about who the main suspect is.

It will be very interesting to learn the details and results of this investigation, since it is not often that attackers manage to compromise such a well-protected organization. Florian Roth posted on Twitter: “The FireEye breach isn’t really about red team tools or customer data. It’s about possibly stolen confidential data on high profile threat groups. I mean, they know more about some actors than most states’ intelligence apparatus.” And it may well be so: having obtained intelligence on other threat groups, the attackers could not only disguise their own activity or make effective use of “other people’s” tools, but even hijack someone else’s infrastructure and use it for their own campaigns.

FireEye expects the stolen tools to be used in attacks, so it shared countermeasures and IOCs on its GitHub account. Snort, YARA, ClamAV, and HXIOC rules were published, and our content team converted those HXIOC rules that could be converted into Sigma format, so that they can be translated into rules for multiple security platforms. Community rules to detect possible abuse of the FireEye Red Team tools are available in Threat Detection Marketplace.

Thanks to Sittikorn Sangrattanapitak, Emir Erdogan, and Osman Demir, active participants in the Threat Bounty Program, who published their rules for detecting the leaked Red Team tools.

Service Failure Abuse Methodology (via registry_event)

Sharpivot utility detection (via cmdline)

Suspicious execution of colorcpl.exe (via cmdline)

Suspicious Process Tree (Methodology) (via cmdline)

TitoSpecial Memory Dump (Credential Stealer) (via file_event)

tmas_wlmhook.dll Hijack (via imageload)

Userinit Process Launch by Msbuild.exe (via cmdline)

Wdscore.dll Hijack detection (via imageload)

X32BRIDGE.dll Hijack (via imageload)

FireEye Red Team Tools Detection

Suspicious Child Processes Werfault.exe

FireEye Red Team Tool – MSBUILDME Suspicious Execution of userinit.exe

FireEye Red Team Tool – Suspicious DLL Load (via imageload)

FireEye Red Team Tool – DISM Execution in Suspicious Location

FireEye Red Team Tool – RegAsm Parent Process

FireEye Red Team Tool – RUNDLL32 Suspicious Execution (via cmdline)

FireEye Red Team Tool – texttransform.exe Parent Process

Possible tmas_wlmhook.dll Hijack (via imageload)

Possible ui.dll Hijack (via imageload)

Possible splash_screen.dll Hijack (via imageload)

Possible sidebar.dll Hijack (via imageload)

Possible ushata.dll Hijack (via imageload)

FireEye Red Team Tool – G2JS Suspicious Process Tree

FireEye Red Team Tool – G2JS Suspicious Execution of colorcpl.exe

Possible fmtoptions.dll Hijack (via imageload)

Possible nflogger.dll Hijack (via imageload)

Possible Wdscore.dll Hijack (via imageload)

Possible X32BRIDGE.dll Hijack (via imageload)

Possible msi.dll Hijack (via imageload)

FireEye Red Team Tool – Modified Impacket WMIEXEC (via cmdline)

PAX dism WIM mount (via cmdline)

Unusual SearchProtocolHost Child Process (via cmdline)

Possible LNK SMASHER Utility (via cmdline)

Possible IMPACKET-OBFUSCATION WMIEXEC or SMBEXEC Utility (via cmdline)

Possible LIBVLC.dll Hijack (via imageload)

Possible mcutil.dll Hijack (via imageload)

Possible pt1.aym Hijack (via imageload)

Possible potplayer.dll Hijack (via imageload)

Possible pc2msupp.dll Hijack (via imageload)

Possible packageIdentification.dll Hijack (via imageload)

FireEye Red Team Tool – execavator.exe (via registry)

Possible hpcustpartui.dll Hijack (via imageload)

Possible goopdate Hijack (via imageload)

Possible elogger.dll Hijack (via imageload)

Possible dwmapi.dll Hijack (via imageload)

Possible dismcore.dll Hijack (via imageload)

Possible crshhndl.dll Hijack (via imageload)

Possible chrome_frame_helper.dll Hijack (via imageload)

Possible ccl110u.dll Hijack (via imageload)

Possible ashldres.dll Hijack (via imageload)

Possible api-ms-win-downlevel-shell32-l1-1-.dll Hijack (via imageload)

Possible anything.cpl or anything.dll Hijack (via imageload)

FireEye Red Team Tool – Modified Impacket SMBEXEC (via registry)

FireEye Red Team Tool – Modified Impacket SMBEXEC (via cmdline)

Unusual installutil Child Process (via cmdline)

Possible cclib.dll Hijack (via imageload)

Possible mscorsvc.dll Hijack (via imageload)

Possible MSBuild Abuse (via cmdline)

COM CLSID registry activity (via registry)

Control Panel Items (via cmdline)

FireEye Red Team Tool – execavator.exe (via cmdline)

DISM Network Activity (via network)

Unusual DISM Child Process (via cmdline)

FireEye Red Team Tool – ADPASSHunt (via cmdline)
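Most of the titles above describe a small number of detection patterns: a legitimate binary spawned by an unexpected parent, a parent that spawns children it normally never spawns, and a DLL loaded from a directory where the legitimate copy does not live. The following is an added example, not code from this post, from SOC Prime's Sigma rules, or from FireEye's published HXIOC rules: a minimal Sigma-style matcher run over constructed Sysmon-like events, expressing three of the listed titles as the titles describe them. Field names follow Sysmon conventions (EventID, Image, ParentImage, ImageLoaded); the allow-listed DISM children and the assumed legitimate location of wdscore.dll are assumptions made for this example, not the logic of the published rules, and the sample events are constructed rather than real telemetry.

```python
"""
Added example (not the post's, SOC Prime's or FireEye's own rule logic):
a minimal Sigma-style matcher applied to constructed Sysmon-like events.
"""
from fnmatch import fnmatch

# Sigma-like rules: 'selection' fields are ANDed, list values are ORed, and
# '*' wildcards work as in Sigma. A matching 'filter' suppresses the hit.
RULES = [
    {
        "title": "Userinit Process Launch by Msbuild.exe (via cmdline)",
        "selection": {"EventID": 1,
                      "ParentImage": "*\\msbuild.exe",
                      "Image": "*\\userinit.exe"},
    },
    {
        "title": "Unusual DISM Child Process (via cmdline)",
        "selection": {"EventID": 1, "ParentImage": "*\\dism.exe"},
        # Children DISM is assumed to spawn legitimately (assumption).
        "filter": {"Image": ["*\\dismhost.exe", "*\\conhost.exe"]},
    },
    {
        "title": "Possible Wdscore.dll Hijack (via imageload)",
        "selection": {"EventID": 7, "ImageLoaded": "*\\wdscore.dll"},
        # Assumed legitimate location of the DLL (assumption).
        "filter": {"ImageLoaded": "C:\\Windows\\*"},
    },
]


def _field_matches(value, pattern):
    """Case-insensitive wildcard match; a list of patterns is an OR."""
    if isinstance(pattern, list):
        return any(_field_matches(value, p) for p in pattern)
    if isinstance(pattern, str):
        return fnmatch(str(value).lower(), pattern.lower())
    return value == pattern


def _section_matches(section, event):
    """Every field of a selection/filter section must match (AND)."""
    return all(k in event and _field_matches(event[k], v)
               for k, v in section.items())


def rule_matches(rule, event):
    """True when the selection matches and no filter suppresses it."""
    if not _section_matches(rule["selection"], event):
        return False
    flt = rule.get("filter")
    return not (flt and _section_matches(flt, event))


def run(events, rules=RULES):
    """Return (event index, rule title) for every rule that fires."""
    return [(i, r["title"]) for i, ev in enumerate(events)
            for r in rules if rule_matches(r, ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: MSBuild spawning userinit.exe, as the rule title describes
    {"EventID": 1, "Image": r"C:\Windows\System32\userinit.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    # 1: userinit.exe launched normally by winlogon.exe (no hit)
    {"EventID": 1, "Image": r"C:\Windows\System32\userinit.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe"},
    # 2: DISM spawning its usual helper (suppressed by the filter)
    {"EventID": 1, "Image": r"C:\Users\admin\AppData\Local\Temp\DismHost.exe",
     "ParentImage": r"C:\Windows\System32\Dism.exe"},
    # 3: DISM spawning a shell (hit)
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\Dism.exe"},
    # 4: wdscore.dll loaded from a user-writable directory (hit)
    {"EventID": 7, "Image": r"C:\Users\Public\setup.exe",
     "ImageLoaded": r"C:\Users\Public\wdscore.dll"},
    # 5: wdscore.dll loaded from its assumed legitimate location (no hit)
    {"EventID": 7, "Image": r"C:\Windows\System32\dism.exe",
     "ImageLoaded": r"C:\Windows\System32\wdscore.dll"},
]

if __name__ == "__main__":
    for idx, title in run(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

The filter sections are where such rules earn or lose their value in production: an allow-list of expected children that is too short produces noise, and one that is too broad (for example, filtering on a directory an attacker can write to) lets the hijack through, so each filter should be checked against the baseline of the environment it is deployed in.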
