Lucene search
+L
FireeyeRecent

545 matches found

FireEye
FireEye
added 2019/10/17 3:30 p.m.17 views

Definitive Dossier of Devilish Debug Details – Part Deux: A Didactic Deep Dive into Data Driven Deductions

In Part One of this blog series, Steve Miller outlined what PDB paths are, how they appear in malware, how we use them to detect malicious files, and how we sometimes use them to make associations about groups and actors. As Steve continued his research into PDB paths, we became interested in...

6.4AI score
Exploits0References11
FireEye
FireEye
added 2019/10/15 2:15 p.m.23 views

LOWKEY: Hunting for the Missing Volume Serial ID

In August 2019, FireEye released the “Double Dragon” report on our newest graduated threat group: APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services. This blog...

7.4AI score
Exploits0References6
FireEye
FireEye
added 2019/10/10 12:0 a.m.34 views

Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques

During several recent incident response engagements, FireEye Mandiant investigators uncovered new tools in FIN7’s malware arsenal and kept pace as the global criminal operators attempted new evasion techniques. In this blog, we reveal two of FIN7’s new tools that we have called BOOSTWRITE and...

7.9AI score
Exploits0References27
FireEye
FireEye
added 2019/10/10 12:0 a.m.63 views

Staying Hidden on the Endpoint: Evading Detection with Shellcode

True red team assessments require a secondary objective of avoiding detection. Part of the glory of a successful red team assessment is not getting detected by anything or anyone on the system. As modern Endpoint Detection and Response EDR products have matured over the years, the red teams must...

0.1AI score
Exploits0References3
FireEye
FireEye
added 2019/10/09 9:30 p.m.27 views

Living off the Orchard: Leveraging Apple Remote Desktop for Good and Evil

Attackers often make their lives easier by relying on pre-existing operating system and third party applications in an enterprise environment. Leveraging these applications assists them with blending in with normal network activity and removes the need to develop or bring their own malware. This...

0.1AI score
Exploits0References13
FireEye
FireEye
added 2019/10/03 5:0 p.m.18 views

IDA, I Think It’s Time You And I Had a Talk: Controlling IDA Pro With Voice Control Software

Introduction This blog post is the next episode in the FireEye Labs Advanced Reverse Engineering FLARE team Script Series. Today, we are sharing something quite unusual. It is not a tool or a virtual machine distribution, nor is it a plugin or script for a popular reverse engineering tool or...

0.2AI score
Exploits0References7
FireEye
FireEye
added 2019/10/01 12:0 a.m.18 views

Head Fake: Tackling Disruptive Ransomware Attacks

Within the past several months, FireEye has observed financially-motivated threat actors employ tactics that focus on disrupting business processes by deploying ransomware in mass throughout a victim’s environment. Understanding that normal business processes are critical to organizational succes...

7.6AI score
Exploits0References7
FireEye
FireEye
added 2019/09/30 12:0 a.m.71 views

The FireEye OT-CSIO: An Ontology to Understand, Cross-Compare, and Assess Operational Technology Cyber Security Incidents

The FireEye Operational Technology Cyber Security Incident Ontology OT-CSIO While the number of threats to operational technology OT have significantly increased since the discovery of Stuxnet – driven by factors such as the growing convergence with information technology IT networks and the...

Exploits0References14
FireEye
FireEye
added 2019/09/28 12:0 a.m.70 views

2019 Flare-On Challenge Solutions

We are pleased to announce the conclusion of the sixth annual Flare-On Challenge. The popularity of this event continues to grow and this year we saw a record number of players as well as finishers. We will break down the numbers later in the post, but right now let’s look at the fun stuff: the...

0.2AI score
Exploits0References13
FireEye
FireEye
added 2019/09/07 5:0 p.m.28 views

Open Sourcing StringSifter

Malware analysts routinely use the Strings program during static analysis in order to inspect a binary's printable characters. However, identifying relevant strings by hand is time consuming and prone to human error. Larger binaries produce upwards of thousands of strings that can quickly evoke...

0.4AI score
Exploits0References12
FireEye
FireEye
added 2019/09/05 12:0 a.m.37 views

Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment

UPDATE Oct. 30, 2020: We have updated the report to include additional protection and containment strategies based on front-line visibility and response efforts in combating ransomware. While the full scope of recommendations included within the initial report remain unchanged, the following...

1.6AI score
Exploits0References2
FireEye
FireEye
added 2019/09/03 12:0 a.m.120 views

SharPersist: Windows Persistence Toolkit in C#

Background PowerShell has been used by the offensive community for several years now but recent advances in the defensive security industry are causing offensive toolkits to migrate from PowerShell to reflective C to evade modern security products. Some of these advancements include Script Block...

0.3AI score
Exploits0References5
FireEye
FireEye
added 2019/08/29 12:0 a.m.110 views

Definitive Dossier of Devilish Debug Details – Part One: PDB Paths and Malware

Have you ever wondered what goes through the mind of a malware author? How they build their tools? How they organize their development projects? What kind of computers and software they use? We took a stab and answering some of those questions by exploring malware debug information. We find that...

6.2AI score
Exploits0References43
FireEye
FireEye
added 2019/08/23 6:30 p.m.12 views

Healthcare: Research Data and PII Continuously Targeted by Multiple Threat Actors

The healthcare industry faces a range of threat groups and malicious activity. Given the critical role that healthcare plays within society and its relationship with our most sensitive information, the risk to this sector is especially consequential. It may also be one of the major reasons why we...

Exploits0References5
FireEye
FireEye
added 2019/08/19 12:0 a.m.257 views

GAME OVER: Detecting and Stopping an APT41 Operation

In August 2019, FireEye released the “Double Dragon” report on our newest graduated threat group, APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services. APT41 is...

10CVSS0.4AI score0.99913EPSS
Exploits20References9
FireEye
FireEye
added 2019/08/13 4:45 p.m.23 views

Showing Vulnerability to a Machine: Automated Prioritization of Software Vulnerabilities

Introduction If a software vulnerability can be detected and remedied, then a potential intrusion is prevented. While not all software vulnerabilities are known, 86 percent of vulnerabilities leading to a data breach were patchable, though there is some risk of inadvertent damage when applying...

7AI score
Exploits0References21
FireEye
FireEye
added 2019/08/08 8:45 p.m.28 views

Finding Evil in Windows 10 Compressed Memory, Part Three: Automating Undocumented Structure Extraction

This is the final post in the three-part series: Finding Evil in Windows 10 Compressed Memory. In the first post Volatility and Rekall Tools, the FLARE team introduced updates to both memory forensic toolkits. These updates enabled these open source tools to analyze previously inaccessible...

6.9AI score
Exploits0References8
FireEye
FireEye
added 2019/08/08 8:30 p.m.39 views

Finding Evil in Windows 10 Compressed Memory, Part Two: Virtual Store Deep Dive

Introduction This blog post is the second in a three-part series covering our Windows 10 memory forensics research and it coincides with our BlackHat USA 2019 presentation. In Part One of the series, we covered the integration of the research in both Volatily and Rekall memory forensics tools. We...

6.3AI score
Exploits0References6
FireEye
FireEye
added 2019/08/07 12:0 a.m.34 views

APT41: A Dual Espionage and Cyber Crime Operation

Today, FireEye Intelligence is releasing a comprehensive report detailing APT41, a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. APT41 is unique among tracked China-based actors in that it leverages...

7.1AI score
Exploits0References7
FireEye
FireEye
added 2019/08/07 12:0 a.m.71 views

Commando VM 2.0: Customization, Containers, and Kali, Oh My!

The Complete Mandiant Offensive Virtual Machine “Commando VM” swept the penetration testing community by storm when it debuted in early 2019 at Black Hat Asia Arsenal. Our 1.0 release made headway featuring more than 140 tools. Well now we are back again for another spectacular release, this time...

0.1AI score
Exploits0References28
FireEye
FireEye
added 2019/07/30 4:15 p.m.19 views

Announcing the Sixth Annual Flare-On Challenge

The FireEye Labs Advanced Reverse Engineering FLARE team is thrilled to announce that the popular Flare-On reverse engineering challenge will return for the sixth straight year. The contest will begin at 8:00 p.m. ET on Aug. 16, 2019. This is a CTF-style challenge for all active and aspiring...

Exploits0References1
FireEye
FireEye
added 2019/07/25 12:0 a.m.18 views

Finding Evil in Windows 10 Compressed Memory, Part One: Volatility and Rekall Tools

Paging all digital forensicators, incident responders, and memory manager enthusiasts! Have you ever found yourself at a client site working around the clock to extract evil from a Windows 10 image? Have you hit the wall at step zero, running into difficulties viewing a process tree, or enumerati...

6.4AI score
Exploits0References10
FireEye
FireEye
added 2019/07/18 12:0 a.m.23 views

Hard Pass: Declining APT34’s Invite to Join Their Professional Network

Background With increasing geopolitical tensions in the Middle East, we expect Iran to significantly increase the volume and scope of its cyber espionage campaigns. Iran has a critical need for strategic intelligence and is likely to fill this gap by conducting espionage against decision makers a...

0.6AI score
Exploits0References6
FireEye
FireEye
added 2019/06/11 3:15 p.m.88 views

Hunting COM Objects (Part Two)

Background As a follow up to Part One in this blog series on COM object hunting, this post will talk about taking the COM object hunting methodology deeper by looking at interesting COM object methods exposed in properties and sub-properties of COM objects. What is a COM Object? According to...

0.7AI score
Exploits0References7
FireEye
FireEye
added 2019/06/05 3:0 p.m.1619 views

Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities

FireEye Labs recently observed an attack against the government sector in Central Asia. The attack involved the new HAWKBALL backdoor being delivered via well-known Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802. HAWKBALL is a backdoor that attackers can use to collect...

9.3CVSS0.99945EPSS
Exploits36
FireEye
FireEye
added 2019/06/04 12:0 a.m.38 views

Hunting COM Objects

COM objects have recently been used by penetration testers, Red Teams, and malicious actors to perform lateral movement. COM objects were studied by several other researchers in the past, including Matt Nelson enigma0x3, who published a blog post about it in 2017. Some of these COM objects were...

8.1AI score
Exploits0References4
FireEye
FireEye
added 2019/05/30 3:0 p.m.10 views

Framing the Problem: Cyber Threats and Elections

This year, Canada, multiple European nations, and others will host high profile elections. The topic of cyber-enabled threats disrupting and targeting elections has become an increasing area of awareness for governments and citizens globally. To develop solutions and security programs to counter...

0.6AI score
Exploits0References4
FireEye
FireEye
added 2019/05/29 2:30 p.m.21 views

Learning to Rank Strings Output for Speedier Malware Analysis

Reverse engineers, forensic investigators, and incident responders have an arsenal of tools at their disposal to dissect malicious software binaries. When performing malware analysis, they successively apply these tools in order to gradually gather clues about a binary’s function, design detectio...

7.2AI score
Exploits0References9
FireEye
FireEye
added 2019/05/28 7:0 p.m.14 views

Network of Social Media Accounts Impersonates U.S. Political Candidates, Leverages U.S. and Israeli Media in Support of Iranian Interests

In August 2018, FireEye Threat Intelligence released a report exposing what we assessed to be an Iranian influence operation leveraging networks of inauthentic news sites and social media accounts aimed at audiences around the world. We identified inauthentic social media accounts posing as...

0.2AI score
Exploits0References16
FireEye
FireEye
added 2019/04/25 9:0 a.m.17 views

CARBANAK Week Part Four: The CARBANAK Desktop Video Player

Part One, Part Two and Part Three of CARBANAK Week are behind us. In this final blog post, we dive into one of the more interesting tools that is part of the CARBANAK toolset. The CARBANAK authors wrote their own video player and we happened to come across an interesting video capture from CARBAN...

Exploits0References9
FireEye
FireEye
added 2019/04/24 5:30 p.m.24 views

CARBANAK Week Part Three: Behind the CARBANAK Backdoor

We covered a lot of ground in Part One and Part Two of our CARBANAK Week blog series. Now let's take a look back at some of our previous analysis and see how it holds up. In June 2017, we published a blog post sharing novel information about the CARBANAK backdoor, including technical details, int...

7.4AI score
Exploits0References8
FireEye
FireEye
added 2019/04/23 5:45 p.m.204 views

CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis

Update April 30: Following the release of our four-part CARBANAK Week blog series, many readers have found places to make the data shared in these posts actionable. We have updated this post to include some of this information. In the previous installment, we wrote about how string hashing was us...

7.2CVSS8.5AI score0.87042EPSS
Exploits40References22
FireEye
FireEye
added 2019/04/22 5:0 p.m.19 views

CARBANAK Week Part One: A Rare Occurrence

It is very unusual for FLARE to analyze a prolifically-used, privately-developed backdoor only to later have the source code and operator tools fall into our laps. Yet this is the extraordinary circumstance that sets the stage for CARBANAK Week, a four-part blog series that commences with this...

0.5AI score
Exploits0References11
FireEye
FireEye
added 2019/04/16 7:0 a.m.52 views

Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic

In early 2019, FireEye Threat Intelligence identified a spear phishing email targeting government entities in Ukraine. The spear phishing email included a malicious LNK file with PowerShell script to download the second-stage payload from the command and control C&C server. The email was received...

7.4AI score
Exploits0References3
FireEye
FireEye
added 2019/04/15 3:0 p.m.32 views

FLASHMINGO: The FireEye Open Source Automatic Analysis Tool for Flash

Adobe Flash is one of the most exploited software components of the last decade. Its complexity and ubiquity make it an obvious target for attackers. Public sources list more than one thousand CVEs being assigned to the Flash Player alone since 2005. Almost nine hundred of these vulnerabilities...

7.1AI score
Exploits0References5
FireEye
FireEye
added 2019/04/10 4:0 a.m.23 views

TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping

Overview FireEye can now confirm that we have uncovered and are responding to an additional intrusion by the attacker behind TRITON at a different critical infrastructure facility. In December 2017, FireEye publicly released our first analysis on the TRITON attack where malicious actors used the...

7.8AI score
Exploits0References22
FireEye
FireEye
added 2019/04/09 5:0 p.m.17 views

Churning Out Machine Learning Models: Handling Changes in Model Predictions

Introduction Machine learning ML is playing an increasingly important role in cyber security. Here at FireEye, we employ ML for a variety of tasks such as: antivirus, malicious PowerShell detection, and correlating threat actor behavior. While many people think that a data scientist’s job is...

7.1AI score
Exploits0References8
FireEye
FireEye
added 2019/04/08 4:30 p.m.72 views

Finding Weaknesses Before the Attackers Do

This blog post originally appeared as an article in M-Trends 2019. FireEye Mandiant red team consultants perform objectives-based assessments that emulate real cyber attacks by advanced and nation state attackers across the entire attack lifecycle by blending into environments and observing how...

10CVSS0.9AI score0.79842EPSS
Exploits13References5
FireEye
FireEye
added 2019/04/05 5:0 p.m.94 views

Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware

Summary Recently, FireEye Managed Defense detected and responded to a FIN6 intrusion at a customer within the engineering industry, which seemed out of character due to FIN6’s historical targeting of payment card data. The intent of the intrusion was initially unclear because the customer did not...

10CVSS0.1AI score0.79842EPSS
Exploits13References3
FireEye
FireEye
added 2019/03/29 1:0 a.m.138 views

Commando VM: The First of Its Kind Windows Offensive Distribution

For penetration testers looking for a stable and supported Linux testing platform, the industry agrees that Kali is the go-to platform. However, if you’d prefer to use Windows as an operating system, you may have noticed that a worthy platform didn’t exist. As security researchers, every one of u...

10CVSS9.7AI score0.79842EPSS
Exploits13References22
FireEye
FireEye
added 2019/03/26 3:30 p.m.134 views

WinRAR Zero-day Abused in Multiple Campaigns

WinRAR, an over 20-year-old file archival utility used by over 500 million users worldwide, recently acknowledged a long-standing vulnerability in its code-base. A recently published path traversal zero-day vulnerability, disclosed in CVE-2018-20250 by Check Point Research, enables attackers to...

6.8CVSS8.1AI score0.96274EPSS
Exploits13References6
FireEye
FireEye
added 2019/03/20 3:45 p.m.29 views

SilkETW: Because Free Telemetry is … Free!

Over time people have had an on-again, off-again interest in Event Tracing for Windows ETW. ETW, first introduced in Windows 2000, is a lightweight Kernel level tracing facility that was originally intended for debugging, diagnostics and performance. Gradually, however, defenders realized that ET...

0.1AI score
Exploits0References11
FireEye
FireEye
added 2019/03/15 4:0 p.m.14 views

Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing

Introduction Malware authors attempt to evade detection by executing their payload without having to write the executable file on the disk. One of the most commonly seen techniques of this "fileless" execution is code injection. Rather than executing the malware directly, attackers inject the...

0.2AI score
Exploits0References2
FireEye
FireEye
added 2019/03/13 4:0 p.m.20 views

Breaking the Bank: Weakness in Financial AI Applications

Currently, threat actors possess limited access to the technology required to conduct disruptive operations against financial artificial intelligence AI systems and the risk of this targeting type remains low. However, there is a high risk of threat actors leveraging AI as part of disinformation...

0.4AI score
Exploits0References38
FireEye
FireEye
added 2019/03/12 3:0 p.m.32 views

Going ATOMIC: Clustering and Associating Attacker Activity at Scale

At FireEye, we work hard to detect, track, and stop attackers. As part of this work, we learn a great deal of information about how various attackers operate, including details about commonly used malware, infrastructure, delivery mechanisms, and other tools and techniques. This knowledge is buil...

Exploits0References5
FireEye
FireEye
added 2019/03/04 1:0 p.m.1086 views

APT40: Examining a China-Nexus Espionage Actor

FireEye is highlighting a cyber espionage operation targeting crucial technologies and traditional intelligence targets from a China-nexus state sponsored actor we call APT40. The actor has conducted operations since at least 2013 in support of China’s naval modernization effort. The group has...

9.3CVSS8.1AI score0.99966EPSS
Exploits85References5
FireEye
FireEye
added 2019/02/28 4:30 p.m.28 views

FLARE Script Series: Recovering Stackstrings Using Emulation with ironstrings

This blog post continues our Script Series where the FireEye Labs Advanced Reverse Engineering FLARE team shares tools to aid the malware analysis community. Today, we release ironstrings: a new IDAPython script to recover stackstrings from malware. The script leverages code emulation to overcome...

6.9AI score
Exploits0References11
FireEye
FireEye
added 2019/01/08 11:0 a.m.32 views

Digging Up the Past: Windows Registry Forensics Revisited

Introduction FireEye consultants frequently utilize Windows registry data when performing forensic analysis of computer networks as part of incident response and compromise assessment missions. This can be useful to discover malicious activity and to determine what data may have been stolen from ...

0.2AI score
Exploits0
FireEye
FireEye
added 2018/12/21 2:0 p.m.266 views

OVERRULED: Containing a Potentially Destructive Adversary

Introduction FireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry. Public reporting indicates this activity may be related to recent destructive attacks. FireEye's Managed Defense has responded to and contained numerous intrusions th...

6.8CVSS0.4AI score0.84138EPSS
Exploits15
FireEye
FireEye
added 2018/12/13 12:0 p.m.33 views

What are Deep Neural Networks Learning About Malware?

An increasing number of modern antivirus solutions rely on machine learning ML techniques to protect users from malware. While ML-based approaches, like FireEye Endpoint Security’s MalwareGuard capability, have done a great job at detecting new threats, they also come with substantial development...

6.6AI score
Exploits0
Total number of security vulnerabilities545