EDR spotlight: Countering the FireEye Red Team tools leak

Rene Holt

ESET releases a 45-strong rule set for ESET Enterprise Inspector to detect the use of FireEye Red Team tools in customer networks

Conducting penetration tests on your network by emulating adversaries is a robust offensive security exercise that you can use to understand the visibility and capability your organization has to detect, respond to and mitigate cyberattacks. Such exercises usually involve an attack team (the Red Team) that uses a set of tools, both open-source and custom-built, to imitate various techniques typically used by sophisticated adversaries and a defense team (the Blue Team) that will monitor the network for suspicious activity and attempt to detect and fend off the Red Team’s attacks.

FireEye’s Red Team has recently had their tools pilfered by a state-sponsored actor. Although most of the stolen tools were already open-source, together they cover all the phases of the Cyber Kill Chain. In response to the FireEye Red Team tools leak, ESET is offering a custom rule set for customers of ESET Enterprise Inspector that can detect the presence of these tools in their networks.

It is important to note that some of the techniques used by these Red Team tools abuse legitimate system features and mechanisms. Therefore, depending on the specific configuration and setup of customers’ networks, some of the rules (that detect tools abusing legitimate features) may produce a high volume of false positive alerts. Customers should fine-tune the use of these rules for their particular environments by evaluating the binaries and processes related to the alerts and should either create exceptions to the offending rules or add a global exclusion in ESET Enterprise Inspector.

The FireEye Red Team tools covered in this rule package:

FireEye Red Team tool (left) and the corresponding ESET Enterprise Inspector rules (indented below it):

ADPasshunt — an Active Directory credentials stealer tool
  - Adpasshunt (credential stealer) [FireEye Tools] [IOC0101]

Beacon — a FireEye version of the Cobalt Strike payload Beacon
  - Renamed msbuild.exe by arguments (methodology) [FireEye Tools] [IOC0119]
  - Renamed regsvr32.exe (methodology) [FireEye Tools] [IOC0120]
  - Suspicious execution of search indexer (methodology) [FireEye Tools] [IOC0134]
  - Suspicious Symerr drop (methodology) [FireEye Tools] [IOC0139]
  - Suspicious Symerr process (methodology) [FireEye Tools] [IOC0140]
  - Suspicious use of workflow compiler for payload execution (methodology) [FireEye Tools] [IOC0141]

PayloadGenerationFramework — a backdoor development framework that leverages multiple built-in Windows binaries for masquerading
  - Control Panel items (methodology) [FireEye Tools] [IOC0103]
  - Dism execution in suspicious location (methodology) [FireEye Tools] [IOC0104]
  - Dism network activity (methodology) [FireEye Tools] [IOC0105]
  - Dll hijack (methodology) [FireEye Tools] [IOC0107]
  - Installutil app whitelisting bypass (methodology) [FireEye Tools] [IOC0108]
  - Installutil child process (methodology) [FireEye Tools] [IOC0109]
  - Possible srproxy side-loading (methodology) [FireEye Tools] [IOC0117]
  - Regasm parent process (methodology) [FireEye Tools] [IOC0118]
  - Suspicious execution of searchprotocolhost (methodology) [FireEye Tools] [IOC0135]
  - Suspicious execution of searchprotocolhost (methodology) 2 [FireEye Tools] [IOC0136]
  - Texttransform parent process (methodology) [FireEye Tools] [IOC0143]

PXELoot — a tool for discovering and exploiting misconfigurations in Windows Deployment Services
  - Pax dism wim mount (utility) [FireEye Tools] [IOC0114]

ImpacketObf — a slightly obfuscated version of the open-source Impacket framework. This Python-based framework implements various network protocols and contains utilities like smbexec.py and wmiexec.py, which can be used for lateral movement
  - Obfuscated impacket wmiexec (utility) [FireEye Tools] [IOC0111]
  - Obfuscated impacket smbexec (utility) [FireEye Tools] [IOC0112]
  - Obfuscated impacket smbexec (utility) 2 [FireEye Tools] [IOC0113]

LNKSmasher — a tool for generating malicious shortcut files (.LNK)
  - Lnksmasher commands (utility) [FireEye Tools] [IOC0110]

Safetykatz — a credential dumping tool. Creates a minidump of the lsass process and uses a .NET PE loader to load a customized version of Mimikatz
  - Safetykatz (credential stealer) [FireEye Tools] [IOC0121]
  - Safetykatz (credential stealer) 2 [FireEye Tools] [IOC0122]

Seatbelt — performs enumeration on a number of security-oriented host-survey checks relevant from both offensive and defensive security perspectives
  - Seatbelt (utility) [FireEye Tools] [IOC0124]
  - Seatbelt (utility) 2 [FireEye Tools] [IOC0125]

GadgetToJScript — an open-source tool for generating .NET gadgets that can trigger .NET assembly load and execution from JavaScript, VBS or VBA scripts
  - Suspicious execution of colorcpl.exe (methodology) [FireEye Tools] [IOC0132]
  - Suspicious execution of colorcpl.exe (methodology) 2 [FireEye Tools] [IOC0133]
  - Suspicious userinit.exe process tree (methodology) [FireEye Tools] [IOC0142]

SharPivot — a lateral movement tool written in C#. Utilizes DCOM for executing commands on a remote target
  - Possible handler poisoning (methodology) [FireEye Tools] [IOC0115]
  - Possible handler poisoning (methodology) 2 [FireEye Tools] [IOC0116]
  - Sharpivot (utility) [FireEye Tools] [IOC0129]

SharPersist — a persistence tool written in C#. Implements a range of methods from adding/modifying scheduled tasks to abusing legitimate software like KeePass
  - Com CLSID registry activity (methodology) [FireEye Tools] [IOC0102]
  - Service failure abuse (methodology) [FireEye Tools] [IOC0126]
  - SharPersist (utility) [FireEye Tools] [IOC0127]
  - SharPersist (utility) 2 [FireEye Tools] [IOC0128]

Sharpstomp — a C# tool for timestomping (altering MAC timestamps of files)
  - Sharpstomp (utility) dropped [FireEye Tools] [IOC0130]
  - Sharpstomp (utility) executed [FireEye Tools] [IOC0131]

TitoSpecial — a variant of the publicly available credential dumping tool AndrewSpecial
  - Titospecial memory dump (credential stealer) [FireEye Tools] [IOC0144]

Weaponize — uses the built-in Windows binary TSTheme.exe
  - Suspicious execution of tstheme.exe (methodology) [FireEye Tools] [IOC0137]
  - Suspicious execution of tstheme.exe (methodology) 2 [FireEye Tools] [IOC0138]

General techniques used during penetration testing
  - Dism.exe suspicious child processes (methodology) [FireEye Tools] [IOC0106]
  - Dll hijack (methodology) [FireEye Tools] [IOC0107]
  - Searchprotocolhost.exe suspicious child processes (methodology) [FireEye Tools] [IOC0123]
  - Werfault.exe suspicious child processes (methodology) [FireEye Tools] [IOC0145]
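To make concrete what the "methodology" rules in the list above look for, and how the per-environment tuning recommended earlier (evaluating the processes behind an alert, then adding an exception) fits in, here is a small added example in Python. It is not ESET's rule engine, rule syntax or rule content; it is an illustration written for this page. It applies two checks drawn from rule names in the list, a renamed msbuild.exe/regsvr32.exe check (PE OriginalFileName differing from the on-disk image name) and a suspicious-child-process check for werfault.exe, searchprotocolhost.exe and dism.exe, to constructed process-creation events, and shows an exclusion predicate suppressing an expected hit on an imaging host. Event fields, watch lists and the sample events are all assumptions made for the example.

```python
"""Toy process-creation triage modelled on the 'methodology' rule names above.

Added example, not ESET Enterprise Inspector code or rule syntax. The event
fields mirror what a Sysmon-style process-creation record carries; the watch
lists are taken from rule names in the list, and the sample events are
constructed for the example.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    image: str           # full path of the newly created process (assumed field)
    original_name: str   # OriginalFileName from the PE version resource (assumed field)
    parent_image: str    # full path of the parent process (assumed field)
    command_line: str    # command line of the new process (assumed field)


# Binaries whose renaming the "Renamed msbuild.exe"/"Renamed regsvr32.exe" rules cover
RENAME_WATCH = {"msbuild.exe", "regsvr32.exe"}
# Parents covered by the "... suspicious child processes" rules
PARENT_WATCH = {"werfault.exe", "searchprotocolhost.exe", "dism.exe"}
# Children that are unusual for those parents (assumed list for the example)
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe"}


def base(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def check_renamed(e: ProcEvent) -> Optional[str]:
    """Hit when a watched binary runs under a name other than its original one."""
    orig = e.original_name.lower()
    if orig in RENAME_WATCH and base(e.image) != orig:
        return f"renamed {orig} executed as {base(e.image)}"
    return None


def check_child(e: ProcEvent) -> Optional[str]:
    """Hit when a watched parent spawns a shell or script host."""
    if base(e.parent_image) in PARENT_WATCH and base(e.image) in SHELLS:
        return f"{base(e.parent_image)} spawned {base(e.image)}"
    return None


CHECKS = (check_renamed, check_child)
Exclusion = Callable[[ProcEvent], bool]


def triage(events: Iterable[ProcEvent],
           exclusions: Iterable[Exclusion] = ()) -> List[Tuple[ProcEvent, str]]:
    """Return (event, reason) for every check hit not covered by an exclusion.

    An exclusion is a predicate over the event; when any predicate matches,
    the hit is suppressed. This is the tuning step the post recommends:
    keep the rule, carve out the evaluated known-good case.
    """
    exclusions = tuple(exclusions)
    hits: List[Tuple[ProcEvent, str]] = []
    for e in events:
        for check in CHECKS:
            reason = check(e)
            if reason and not any(ex(e) for ex in exclusions):
                hits.append((e, reason))
    return hits


# Constructed sample events (not real telemetry)
SAMPLE = [
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "MSBuild.exe",
              r"C:\Windows\explorer.exe", "MSBuild.exe build.proj"),          # legitimate build
    ProcEvent(r"C:\Users\Public\svchost.exe", "MSBuild.exe",
              r"C:\Windows\explorer.exe", "svchost.exe payload.xml"),         # renamed msbuild
    ProcEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
              r"C:\Windows\System32\WerFault.exe", "cmd.exe /c whoami"),      # werfault child
    ProcEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
              r"C:\Windows\System32\dism.exe", "cmd.exe /c deploy.cmd"),      # dism child
]


def imaging_host_exclusion(e: ProcEvent) -> bool:
    """Assumed tuning for a deployment workstation where dism.exe runs a system32 shell."""
    return base(e.parent_image) == "dism.exe" and \
        e.image.lower().startswith("c:\\windows\\system32\\")


if __name__ == "__main__":
    for ev, why in triage(SAMPLE):
        print("untuned:", why, "|", ev.command_line)
    for ev, why in triage(SAMPLE, exclusions=[imaging_host_exclusion]):
        print("tuned:  ", why, "|", ev.command_line)
```

Untuned, the sample produces three hits (the renamed msbuild.exe and the two shell children); with the imaging-host exclusion applied, the dism.exe child is suppressed and the other two remain. The point of keeping exclusions as narrow predicates over the evaluated event, rather than disabling the rule, is that a renamed binary or an unexpected werfault.exe child is still reported on every host where that exception does not apply.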