目录导航
fireeye简介
火眼是一家公开上市的美国网络安全公司,提供用于应对高级网络威胁的自动威胁取证及动态恶意软件防护服务,如高级持续性威胁和鱼叉式网络钓鱼。 FireEye成立于2004年,公司总部位于加利福尼亚州米尔皮塔斯。FireEye是第一家由美国国土安全部颁发认证的网络安全公司—维基百科
总览
一个由国家赞助的高度复杂的对手偷走了FireEye Red Team工具。因为我们认为攻击者拥有这些工具,并且我们不知道攻击者是否打算自己使用被盗的工具还是公开披露它们,所以FireEye在此博客中发布了数百种对策,以使更广泛的安全社区能够保护自己免受攻击这些工具。我们已将对策整合到我们的FireEye产品中,并与合作伙伴,政府机构共享了这些对策,以显着限制不良行为者利用Red Team工具的能力。
为了限制红队工具的有效性,应该处理的CVEs列表:
[CVE-2014-1812]
(https://nvd.nist.gov/vuln/detail/CVE-2014-1812)
Windows本地提权
[CVE-2019-0708]
(https://nvd.nist.gov/vuln/detail/CVE-2019-0708)
Windows远程桌面服务(RDS)的远程代码执行漏洞(RCE)
[CVE-2017-11774]
(https://nvd.nist.gov/vuln/detail/CVE-2017-11774)
通过精心制作的文档执行(网络钓鱼)在Microsoft Outlook中的远程代码执行漏洞(RCE)
[CVE-2018-15961]
(https://nvd.nist.gov/vuln/detail/CVE-2018-15961)
通过Adobe ColdFusion(可用于上传JSP web shell的任意文件上传)远程代码执行漏洞(RCE)
[CVE-2019-19781]
(https://nvd.nist.gov/vuln/detail/CVE-2019-19781)
Citrix应用程序交付控制器和网关的远程代码执行漏洞(RCE)
[CVE-2019-3398]
(https://nvd.nist.gov/vuln/detail/CVE-2019-3398)
Confluence认证远程代码执行漏洞(RCE)
[CVE-2019-11580]
(https://nvd.nist.gov/vuln/detail/CVE-2019-11580)
Atlassian Crowd远程代码执行漏洞(RCE)
[CVE-2018-13379]
(https://nvd.nist.gov/vuln/detail/CVE-2018-13379)
预认证从Fortinet Fortigate SSL VPN读取任意文件
[CVE-2020-0688]
(https://nvd.nist.gov/vuln/detail/CVE-2020-0688)
在microsoft exchange中远程执行命令
[CVE-2019-11510]
(https://nvd.nist.gov/vuln/detail/CVE-2019-11510)
预认证从脉冲安全SSL vpn读取任意文件
[CVE-2019-0604]
(https://nvd.nist.gov/vuln/detail/CVE-2019-0604)
微软Sharepoint的远程代码执行漏洞(RCE)
[CVE-2020-10189]
(https://nvd.nist.gov/vuln/detail/CVE-2020-10189)
ZoHo ManageEngine桌面中心的远程代码执行漏洞(RCE)
[CVE-2019-8394]
(https://nvd.nist.gov/vuln/detail/CVE-2019-8394)
任意的预认证文件上载到ZoHo ManageEngine ServiceDesk Plus
[CVE-2016-0167]
(https://nvd.nist.gov/vuln/detail/CVE-2016-0167)
旧版本Microsoft Windows上的本地提权
[CVE-2020-1472]
(https://nvd.nist.gov/vuln/detail/CVE-2020-1472)
Microsoft Active Directory提权
[CVE-2018-8581]
(https://nvd.nist.gov/vuln/detail/CVE-2018-8581)
Microsoft Exchange 服务器提权您可以在此处找到的FireEye GitHub存储库中找到对策列表。
检测此类工具攻击的yara规则下载地址
①GitHub: github.com/r0eXpeR/redteam_vul.zip
②雨苁网盘: w.ddosi.workers.dev
③迅雷网盘: pan.xunlei.com 提取码 3gu4
④蓝奏云: waf.lanzoui.com
火眼公司发布的检测规则列表
支持以下软件
- Snort
- Yara
- ClamAV
- HXIOC
rules
├─ADPASSHUNT
│ └─production
│ ├─hxioc
│ │ ADPASSHUNT (CREDENTIAL STEALER).ioc
│ │
│ └─yara
│ APT_HackTool_MSIL_ADPassHunt_1.yar
│ APT_HackTool_MSIL_ADPassHunt_2.yar
│ CredTheft_MSIL_ADPassHunt_1.yar
│ CredTheft_MSIL_ADPassHunt_2.yar
│
├─ALLTHETHINGS
│ └─production
│ └─yara
│ Loader_MSIL_AllTheThings_1.yar
│
├─BEACON
│ ├─production
│ │ ├─hxioc
│ │ │ CobaltStrike Custom Config Artifacts.ioc
│ │ │ POTENTIAL COBALT STRIKE PROFILE (FAMILY).ioc
│ │ │ RENAMED MSBUILD.EXE BY ARGUMENTS (METHODOLOGY).ioc
│ │ │ RENAMED REGSVR32.EXE BY ARGUMENTS (METHODOLOGY).ioc
│ │ │ RENAMED WORKFLOW COMPILER BY FILE WRITE (METHODOLOGY).ioc
│ │ │ SUSPICIOUS EXECUTION OF SEARCH INDEXER (METHODOLOGY).ioc
│ │ │
│ │ └─snort
│ │ Backdoor.DNS.BEACON.[CSBundle DNS].rules
│ │ Backdoor.HTTP.BEACON.[CSBundle CDN GET].rules
│ │ Backdoor.HTTP.BEACON.[CSBundle MSOffice GET].rules
│ │ Backdoor.HTTP.BEACON.[CSBundle MSOffice POST].rules
│ │ Backdoor.HTTP.BEACON.[CSBundle MSOffice Server].rules
│ │ Backdoor.HTTP.BEACON.[CSBundle NYTIMES GET].rules
│ │ Backdoor.HTTP.BEACON.[CSBundle NYTIMES POST].rules
│ │ Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server].rules
│ │ Backdoor.HTTP.BEACON.[CSBundle Original GET].rules
│ │ Backdoor.HTTP.BEACON.[CSBundle Original POST].rules
│ │ Backdoor.HTTP.BEACON.[CSBundle Original Server 2].rules
│ │ Backdoor.HTTP.BEACON.[CSBundle Original Server 3].rules
│ │ Backdoor.HTTP.BEACON.[CSBundle Original Server].rules
│ │ Backdoor.HTTP.BEACON.[CSBundle Original Stager 2].rules
│ │ Backdoor.HTTP.BEACON.[CSBundle Original Stager].rules
│ │ Backdoor.HTTP.BEACON.[CSBundle USAToday GET].rules
│ │ Backdoor.HTTP.BEACON.[CSBundle USAToday Server].rules
│ │ Backdoor.HTTP.BEACON.[Yelp GET].rules
│ │ Backdoor.HTTP.BEACON.[Yelp Request].rules
│ │ Backdoor.SSL.BEACON.[CSBundle Ajax].rules
│ │
│ └─supplemental
│ ├─hxioc
│ │ SUSPICIOUS SYMERR PROCESS (METHODOLOGY).ioc
│ │ SUSPICIOUS USE OF WORKFLOW COMPILER FOR PAYLOAD EXECUTION (METHODOLOGY).ioc
│ │
│ └─yara
│ Loader_Win_Generic_17.yar
│ Loader_Win_Generic_18.yar
│ Trojan_Raw_Generic_4.yar
│ Trojan_Win_Generic_101.yar
│
├─BELTALOWDA
│ ├─production
│ │ ├─hxioc
│ │ │ SEATBELT (UTILITY).ioc
│ │ │
│ │ └─yara
│ │ HackTool_MSIL_SEATBELT_1.yar
│ │ HackTool_MSIL_SEATBELT_2.yar
│ │
│ └─supplemental
│ └─hxioc
│ SEATBELT (UTILITY).ioc
│
├─COREHOUND
│ └─production
│ └─yara
│ HackTool_MSIL_CoreHound_1.yar
│
├─DSHELL
│ ├─production
│ │ └─yara
│ │ APT_Backdoor_Win_DShell_1.yar
│ │ APT_Backdoor_Win_DShell_3.yar
│ │ APT_Loader_Win32_DShell_1.yar
│ │ APT_Loader_Win32_DShell_2.yar
│ │ APT_Loader_Win32_DShell_3.yar
│ │
│ └─supplemental
│ └─yara
│ APT_Backdoor_Win_DShell_2.yar
│
├─DTRIM
│ └─production
│ └─yara
│ APT_HackTool_MSIL_DTRIM_1.yar
│
├─DUEDLLIGENCE
│ ├─production
│ │ ├─hxioc
│ │ │ DueDLLigence FileWrites (Utility).ioc
│ │ │
│ │ └─yara
│ │ HackTool_MSIL_HOLSTER_1.yar
│ │ MSIL_Launcher_DUEDLLIGENCE_1.yar
│ │
│ └─supplemental
│ └─hxioc
│ anything.cpl Hijack (Methodology).ioc
│ anything.dll Hijack (Methodology).ioc
│ LIBVLC.dll Hijack (Methodology).ioc
│ X32BRIDGE.dll Hijack (Methodology).ioc
│
├─EWSRT
│ └─production
│ └─clamav
│ HackTool_HTML_EWSRT_1.ldb
│ HackTool_HTML_EWSRT_2.ldb
│ HackTool_PS1_EWSRT_1.ldb
│ HackTool_PS1_EWSRT_2.ldb
│
├─EXCAVATOR
│ ├─production
│ │ ├─hxioc
│ │ │ EXCAVATOR (UTILITY).ioc
│ │ │ Excavator Memory Dump (Utility).ioc
│ │ │
│ │ └─yara
│ │ APT_HackTool_Win64_EXCAVATOR_1.yar
│ │ APT_HackTool_Win64_EXCAVATOR_2.yar
│ │ CredTheft_Win_EXCAVATOR_1.yar
│ │ CredTheft_Win_EXCAVATOR_2.yar
│ │
│ └─supplemental
│ └─yara
│ Trojan_Win64_Generic_22.yar
│ Trojan_Win64_Generic_23.yar
│
├─FLUFFY
│ └─production
│ ├─snort
│ │ HackTool.TCP.Rubeus.[nonce 2].rules
│ │ HackTool.TCP.Rubeus.[nonce].rules
│ │ HackTool.TCP.Rubeus.[User32LogonProcesss].rules
│ │ HackTool.UDP.Rubeus.[nonce 2].rules
│ │ HackTool.UDP.Rubeus.[nonce].rules
│ │
│ └─yara
│ APT_HackTool_MSIL_FLUFFY_1.yar
│ APT_HackTool_MSIL_FLUFFY_2.yar
│
├─G2JS
│ ├─production
│ │ ├─hxioc
│ │ │ GADGETTOJSCRIPT PAYLOAD (UTILITY).ioc
│ │ │ SUSPICIOUS EXECUTION OF COLORCPL.EXE (METHODOLOGY).ioc
│ │ │ Suspicious Process Tree (Methodology).ioc
│ │ │
│ │ └─yara
│ │ Builder_MSIL_G2JS_1.yar
│ │ Hunting_B64Engine_DotNetToJScript_Dos.yar
│ │ Hunting_DotNetToJScript_Functions.yar
│ │ Hunting_GadgetToJScript_1.yar
│ │
│ └─supplemental
│ └─clamav
│ Trojan_Script_Generic_1.ldb
│ Trojan_Script_Generic_2.ldb
│ Trojan_Script_Generic_3.ldb
│
├─GETDOMAINPASSWORDPOLICY
│ └─production
│ └─yara
│ HackTool_MSIL_GETDOMAINPASSWORDPOLICY_1.yar
│
├─GPOHUNT
│ └─production
│ └─yara
│ APT_HackTool_MSIL_GPOHUNT_1.yar
│
├─IMPACKETOBF
│ └─production
│ ├─clamav
│ │ APT_HackTool_PY_ImpacketObfuscation_2.ldb
│ │ HackTool_PY_ImpacketObfuscation_1.ldb
│ │
│ └─hxioc
│ IMPACKET-OBFUSCATION SMBEXEC (UTILITY).ioc
│ IMPACKET-OBFUSCATION WMIEXEC (UTILITY).ioc
│ Obfuscacted Impacket wmiexec (Utility).ioc
│ Obfuscated Impacket smbexec (Utility).ioc
│
├─IMPACKETOBF (Smbexec)
│ └─production
│ ├─snort
│ │ Methodology.SMB.Impacket-Obfuscation.[Service Names].rules
│ │
│ └─yara
│ HackTool_PY_ImpacketObfuscation_1.yar
│
├─IMPACKETOBF (Wmiexec)
│ └─production
│ └─yara
│ HackTool_PY_ImpacketObfuscation_2.yar
│
├─INVEIGHZERO
│ └─production
│ └─yara
│ HackTool_MSIL_INVEIGHZERO_1.yar
│
├─JUSTASK
│ └─production
│ └─yara
│ APT_HackTool_MSIL_JUSTASK_1.yar
│
├─KEEFARCE
│ └─production
│ └─yara
│ HackTool_MSIL_KeeFarce_1.yar
│
├─KEEPERSIST
│ └─production
│ └─yara
│ HackTool_MSIL_KeePersist_1.yar
│
├─LNKSMASHER
│ ├─production
│ │ ├─clamav
│ │ │ APT_Builder_PY_LNKSMASHER_1.ldb
│ │ │ APT_Trojan_LNK_LNKSMASHER_1.ldb
│ │ │ APT_Trojan_LNK_LNKSMASHER_2.ldb
│ │ │
│ │ ├─hxioc
│ │ │ LNKSMASHER COMMANDS.ioc
│ │ │
│ │ └─yara
│ │ Dropper_LNK_LNKSmasher_1.yar
│ │
│ └─supplemental
│ ├─hxioc
│ │ LNK SMASHER (UTILITY).ioc
│ │
│ └─yara
│ Hunting_LNK_Win_GenericLauncher.yar
│
├─LUALOADER
│ └─production
│ └─yara
│ APT_HackTool_MSIL_LUALOADER_1.yar
│
├─MATRYOSHKA
│ └─production
│ ├─clamav
│ │ APT_Builder_PY_MATRYOSHKA_1.ldb
│ │
│ └─yara
│ APT_Builder_PY_MATRYOSHKA_1.yar
│ APT_Builder_Win64_MATRYOSHKA_1.yar
│ APT_Dropper_Win64_MATRYOSHKA_1.yar
│ APT_Dropper_Win_MATRYOSHKA_1.yar
│ APT_Loader_Win64_MATRYOSHKA_1.yar
│ APT_Loader_Win64_MATRYOSHKA_2.yar
│ APT_Loader_Win_MATRYOSHKA_1.yar
│
├─MEMCOMP
│ └─production
│ └─yara
│ Loader_MSIL_InMemoryCompilation_1.yar
│
├─MOFCOMP
│ └─production
│ └─hxioc
│ Suspicious MOF File.ioc
│
├─MSBUILDME
│ └─supplemental
│ └─hxioc
│ USERINIT PROCESS LAUNCH BY MSBUILD.EXE (METHODOLOGY).ioc
│
├─NETASSEMBLYINJECT
│ └─production
│ └─yara
│ Loader_MSIL_NETAssemblyInject_1.yar
│
├─NETSHSHELLCODERUNNER
│ └─production
│ └─yara
│ Loader_MSIL_NetshShellCodeRunner_1.yar
│
├─NOAMCI
│ └─production
│ └─yara
│ APT_HackTool_MSIL_NOAMCI_1.yar
│
├─PGF
│ ├─production
│ │ ├─clamav
│ │ │ APT_Builder_PY_PGF_1.ldb
│ │ │ APT_Loader_CSPROJ_PGF_1.ldb
│ │ │ APT_Loader_TT_PGF_1.ldb
│ │ │ APT_Loader_XOML_PGF_1.ldb
│ │ │
│ │ ├─hxioc
│ │ │ INSTALLUTIL APP WHITELISTING BYPASS (METHODOLOGY).ioc
│ │ │ PayloadGenerationFramework FileWrites (Utility).ioc
│ │ │
│ │ └─yara
│ │ APT_Loader_MSIL_PGF_1.yar
│ │ APT_Loader_MSIL_PGF_2.yar
│ │ APT_Loader_Win32_PGF_1.yar
│ │ APT_Loader_Win32_PGF_2.yar
│ │ APT_Loader_Win32_PGF_3.yar
│ │ APT_Loader_Win32_PGF_4.yar
│ │ APT_Loader_Win32_PGF_5.yar
│ │ APT_Loader_Win64_PGF_1.yar
│ │ APT_Loader_Win64_PGF_2.yar
│ │ APT_Loader_Win64_PGF_3.yar
│ │ APT_Loader_Win64_PGF_4.yar
│ │ APT_Loader_Win64_PGF_5.yar
│ │ APT_Loader_Win_PGF_1.yar
│ │ APT_Loader_Win_PGF_2.yar
│ │
│ └─supplemental
│ └─hxioc
│ api-ms-win-downlevel-shell32-l1-1-0.dll Hijack (Methodology).ioc
│ ashldres.dll Hijack (Methodology).ioc
│ ccl110u.dll Hijack (Methodology).ioc
│ cclib.dll Hijack (Methodology).ioc
│ chrome_frame_helper.dll Hijack (Methodology).ioc
│ CONTROL PANEL ITEMS (METHODOLOGY).ioc
│ crshhndl.dll Hijack (Methodology).ioc
│ DISM EXECUTION IN SUSPICIOUS LOCATION (METHODOLOGY).ioc
│ DISM NETWORK ACTIVITY (METHODOLOGY).ioc
│ dismcore.dll Hijack (Methodology).ioc
│ dwmapi.dll Hijack (Methodology).ioc
│ elogger.dll Hijack (Methodology).ioc
│ fmtoptions.dll Hijack (Methodology).ioc
│ goopdate.dll Hijack (Methodology).ioc
│ hpcustpartui.dll Hijack (Methodology).ioc
│ INSTALLUTIL CHILD PROCESS (METHODOLOGY).ioc
│ LOLBIN EXECUTION (METHODOLOGY).ioc
│ mcutil.dll Hijack (Methodology).ioc
│ mscorsvc.dll Hijack (Methodology).ioc
│ msi.dll Hijack (Methodology).ioc
│ NETSH EXECUTION (METHODOLOGY).ioc
│ nflogger.dll Hijack (Methodology).ioc
│ PackageIdentification.dll Hijack (Methodology).ioc
│ pc2msupp.dll Hijack (Methodology).ioc
│ POSSIBLE SRPROXY SIDE-LOADING (METHODOLOGY).ioc
│ PotPlayer.dll Hijack (Methodology).ioc
│ pt1.aym Hijack (Methodology).ioc
│ REGASM PARENT PROCESS (METHODOLOGY).ioc
│ RUNDLL32 EXECUTION (METHODOLOGY).ioc
│ sidebar.dll Hijack (Methodology).ioc
│ splash_screen.dll Hijack (Methodology).ioc
│ SUSPICIOUS DLL LOAD (METHODOLOGY).ioc
│ SUSPICIOUS EXECUTION OF SEARCHPROTOCOLHOST (METHODOLOGY).ioc
│ TEXTTRANSFORM PARENT PROCESS (METHODOLOGY).ioc
│ tmas_wlmhook.dll Hijack (Methodology).ioc
│ ui.dll Hijack (Methodology).ioc
│ ushata.dll Hijack (Methodology).ioc
│ Wdscore.dll Hijack (Methodology).ioc
│
├─PREPSHELLCODE
│ └─production
│ └─yara
│ HackTool_MSIL_PrepShellcode_1.yar
│
├─PUPPYHOUND
│ └─production
│ └─yara
│ HackTool_MSIL_PuppyHound_1.yar
│ HackTool_MSIL_SharpHound_3.yar
│
├─PXELOOT
│ └─production
│ ├─hxioc
│ │ PAX dism WIM mount (utility).ioc
│ │ PXELOOT (UTILITY).ioc
│ │
│ └─yara
│ HackTool_MSIL_PXELOOT_1.yar
│ HackTool_MSIL_PXELOOT_2.yar
│
├─REDFLARE
│ ├─production
│ │ └─yara
│ │ APT_Builder_PY_REDFLARE_1.yar
│ │ APT_Builder_PY_REDFLARE_2.yar
│ │ APT_Controller_Linux_REDFLARE_1.yar
│ │ APT_Downloader_Win32_REDFLARE_1.yar
│ │ APT_Downloader_Win64_REDFLARE_1.yar
│ │ APT_Keylogger_Win32_REDFLARE_1.yar
│ │ APT_Keylogger_Win64_REDFLARE_1.yar
│ │ APT_Loader_Raw32_REDFLARE_1.yar
│ │ APT_Loader_Raw64_REDFLARE_1.yar
│ │ APT_Loader_Win32_REDFLARE_1.yar
│ │ APT_Loader_Win32_REDFLARE_2.yar
│ │ APT_Loader_Win64_REDFLARE_1.yar
│ │ APT_Loader_Win64_REDFLARE_2.yar
│ │ APT_Trojan_Win_REDFLARE_1.yar
│ │ APT_Trojan_Win_REDFLARE_2.yar
│ │ APT_Trojan_Win_REDFLARE_3.yar
│ │ APT_Trojan_Win_REDFLARE_4.yar
│ │ APT_Trojan_Win_REDFLARE_5.yar
│ │ APT_Trojan_Win_REDFLARE_7.yar
│ │ APT_Trojan_Win_REDFLARE_8.yar
│ │
│ └─supplemental
│ └─yara
│ APT_Trojan_Linux_REDFLARE_1.yar
│ APT_Trojan_Win_REDFLARE_6.yar
│
├─REDFLARE (Gorat)
│ └─production
│ ├─snort
│ │ Backdoor.HTTP.GORAT.[Build ID].rules
│ │ Backdoor.HTTP.GORAT.[POST].rules
│ │ Backdoor.HTTP.GORAT.[SID1].rules
│ │
│ └─yara
│ APT_Backdoor_MacOS_GORAT_1.yar
│ APT_Backdoor_Win_GORAT_1.yar
│ APT_Backdoor_Win_GORAT_2.yar
│ APT_Backdoor_Win_GORAT_3.yar
│ APT_Backdoor_Win_GORAT_4.yar
│ APT_Backdoor_Win_GoRat_Memory.yar
│ Trojan_MSIL_GORAT_Module_PowerShell_1.yar
│ Trojan_MSIL_GORAT_Plugin_DOTNET_1.yar
│
├─RESUMEPLEASE
│ └─production
│ ├─clamav
│ │ Trojan_Macro_RESUMEPLEASE_1.ldb
│ │
│ └─yara
│ Trojan_Macro_RESUMEPLEASE_1.yar
│
├─REVOLVER
│ └─production
│ └─yara
│ APT_HackTool_MSIL_REVOLVER_1.yar
│
├─RUBEUS
│ └─production
│ └─yara
│ HackTool_MSIL_Rubeus_1.yar
│
├─SAFETYKATZ
│ └─production
│ ├─hxioc
│ │ SAFETYKATZ (CREDENTIAL STEALER).ioc
│ │ SafetyKatz A (Credential Stealer).ioc
│ │
│ └─yara
│ HackTool_MSIL_SAFETYKATZ_4.yar
│
├─SHARPERSIST
│ ├─production
│ │ ├─hxioc
│ │ │ Service Failure Abuse (Methodology).ioc
│ │ │ SHARPERSIST (UTILITY).ioc
│ │ │ SHARPERSIST A (UTILITY).ioc
│ │ │ SharPersist B (utility).ioc
│ │ │
│ │ └─yara
│ │ HackTool_MSIL_SharPersist_1.yar
│ │ HackTool_MSIL_SharPersist_2.yar
│ │
│ └─supplemental
│ └─hxioc
│ COM CLSID registry activity (METHODOLOGY).ioc
│ HOTKEY PERSISTENCE (METHODOLOGY).ioc
│
├─SHARPGENERATOR
│ └─production
│ └─yara
│ Builder_MSIL_SharpGenerator_1.yar
│
├─SHARPIVOT
│ └─production
│ ├─hxioc
│ │ Possible Handler Poisoning (Methodology).ioc
│ │ SHARPIVOT (UTILITY).ioc
│ │
│ └─yara
│ HackTool_MSIL_SharPivot_1.yar
│ HackTool_MSIL_SharPivot_2.yar
│ HackTool_MSIL_SharPivot_3.yar
│ HackTool_MSIL_SharPivot_4.yar
│
├─SHARPPGREP
│ └─production
│ └─yara
│ Tool_MSIL_SharpGrep_1.yar
│
├─SHARPSACK
│ └─production
│ └─yara
│ APT_HackTool_MSIL_SHARPSACK_1.yar
│
├─SHARPSCHTASK
│ └─production
│ └─yara
│ HackTool_MSIL_SharpSchtask_1.yar
│
├─SHARPSECTIONINJECTION
│ └─production
│ └─yara
│ Loader_MSIL_CSharpSectionInjection_1.yar
│
├─SHARPSTOMP
│ └─production
│ ├─hxioc
│ │ SHARPSTOMP (UTILITY).ioc
│ │
│ └─yara
│ APT_HackTool_MSIL_SHARPSTOMP_1.yar
│ APT_HackTool_MSIL_SHARPSTOMP_2.yar
│ HackTool_MSIL_SharpStomp_1.yar
│
├─SHARPUTILS
│ └─production
│ └─yara
│ Tool_MSIL_CSharpUtils_1.yar
│
├─SHARPY
│ └─production
│ └─yara
│ Loader_MSIL_SharPy_1.yar
│
├─SHARPZEROLOGON
│ └─production
│ └─yara
│ HackTool_MSIL_SHARPZEROLOGON_1.yar
│
├─SINFULOFFICE
│ ├─production
│ │ └─yara
│ │ Builder_MSIL_SinfulOffice_1.yar
│ │
│ └─supplemental
│ └─yara
│ Methodology_OLE_CHARENCODING_2.yar
│
├─TITOSPECIAL
│ └─production
│ ├─hxioc
│ │ TitoSpecial Memory Dump (Credential Stealer).ioc
│ │
│ └─yara
│ APT_HackTool_MSIL_TITOSPECIAL_1.yar
│ CredTheft_MSIL_TitoSpecial_1.yar
│ CredTheft_MSIL_TitoSpecial_2.yar
│ HackTool_Win32_AndrewSpecial_1.yar
│ HackTool_Win64_AndrewSpecial_1.yar
│
├─TRIMBISHOP
│ ├─new
│ │ └─yara
│ │ Loader_MSIL_RURALBISHOP_1.yar
│ │ Loader_MSIL_RURALBISHOP_2.yar
│ │
│ └─production
│ └─yara
│ APT_Loader_MSIL_TRIMBISHOP_1.yar
│ APT_Loader_MSIL_TRIMBISHOP_2.yar
│ Loader_MSIL_RuralBishop_1.yar
│ Loader_MSIL_TrimBishop_1.yar
│
├─UNCATEGORIZED
│ ├─production
│ │ ├─hxioc
│ │ │ DISM.EXE SUSPICIOUS CHILD PROCESSES (METHODOLOGY).ioc
│ │ │ SEARCHPROTOCOLHOST.EXE SUSPICIOUS CHILD PROCESSES (METHODOLOGY).ioc
│ │ │ WERFAULT.EXE SUSPICIOUS CHILD PROCESSES (METHODOLOGY).ioc
│ │ │
│ │ └─yara
│ │ APT_HackTool_MSIL_DNSOVERHTTPS_C2_1.yar
│ │ APT_HackTool_MSIL_MODIFIEDSHARPVIEW_1.yar
│ │ APT_HackTool_MSIL_PRAT_1.yar
│ │ APT_HackTool_MSIL_REDTEAMMATERIALS_1.yar
│ │ APT_HackTool_MSIL_SHARPDACL_1.yar
│ │ APT_HackTool_MSIL_SHARPDNS_1.yar
│ │ APT_HackTool_MSIL_SHARPGOPHER_1.yar
│ │ APT_HackTool_MSIL_SHARPNATIVEZIPPER_1.yar
│ │ APT_HackTool_MSIL_SHARPNFS_1.yar
│ │ APT_HackTool_MSIL_SHARPPATCHCHECK_1.yar
│ │ APT_HackTool_MSIL_SHARPSQLCLIENT_1.yar
│ │ APT_HackTool_MSIL_SHARPTEMPLATE_1.yar
│ │ APT_HackTool_MSIL_SHARPWEBCRAWLER_1.yar
│ │ APT_HackTool_MSIL_SHARPZIPLIBZIPPER_1.yar
│ │ CredTheft_MSIL_CredSnatcher_1.yar
│ │ CredTheft_MSIL_WCMDump_1.yar
│ │
│ └─supplemental
│ ├─clamav
│ │ Dropper_HTA_Generic_1.ldb
│ │ Trojan_HTA_Generic_1.ldb
│ │ Trojan_PS1_Generic_4.ldb
│ │ Trojan_PY_Generic_1.ldb
│ │ Trojan_VBS_Generic_4.ldb
│ │
│ └─yara
│ Loader_MSIL_Generic_1.yar
│ Loader_Win_Generic_19.yar
│ Loader_Win_Generic_20.yar
│
├─WEAPONIZE
│ └─supplemental
│ └─hxioc
│ SUSPICIOUS EXECUTION OF TSTHEME.EXE (METHODOLOGY).ioc
│
├─WILDCHILD
│ └─production
│ ├─hxioc
│ │ WildChild Filewrite (Utility).ioc
│ │
│ └─yara
│ APT_Loader_MSIL_WILDCHILD_1.yar
│ Dropper_HTA_WildChild_1.yar
│ Loader_MSIL_WildChild_1.yar
│
├─WMIRUNNER
│ └─production
│ └─yara
│ Loader_MSIL_WMIRunner_1.yar
│
├─WMISHARP
│ └─production
│ └─yara
│ HackTool_MSIL_WMISharp_1.yar
│
└─WMISPY
└─production
└─yara
APT_HackTool_MSIL_WMISPY_2.yar
HackTool_MSIL_WMIspy_1.yar
红队工具与技术
红队是一组安全专家,经授权和组织以模仿潜在对手针对企业安全状况的攻击或利用能力。我们的红队的目标是通过演示成功攻击的影响并向防御者(即,蓝队)展示防御方法,以改善企业网络安全。过去15年来,我们一直在为全球客户进行Red Team评估。到那时,我们已经建立了一套脚本,工具,扫描程序和技术来帮助改善客户的安全状况。不幸的是,这些工具被高度复杂的攻击者窃取。
被盗工具的范围从用于自动化侦察的简单脚本到类似于CobaltStrike和Metasploit等公开可用技术的整个框架。许多Red Team工具已经发布给社区,并已分发到我们的开源虚拟机CommandoVM中。
其中一些工具是公开可用的工具,经过修改可以逃避基本的安全检测机制。还为我们的红色团队内部开发了其他工具和框架。
没有零日漏洞利用或未知技术
攻击者窃取的Red Team工具不包含零日漏洞。这些工具采用了全世界其他红色团队所使用的众所周知且有据可查的方法。尽管我们认为这种盗窃不会大大提高攻击者的整体能力,但FireEye会尽一切努力防止这种情况的发生。
重要的是要注意,FireEye尚未看到任何对手散布或使用这些工具,我们将继续与安全合作伙伴一起监视任何此类活动。
检测有助于社区
为了使社区能够检测到这些工具,我们正在发布对策,以帮助组织识别这些工具(如果它们在野外出现)。为了响应我们的红色团队工具的盗窃,我们针对OpenIOC,Yara,Snort和ClamAV等公开可用技术发布了数百种对策。
在此处找到的FireEye GitHub存储库上提供了对策列表。我们将发布检测,并将随着我们开发新的或改进现有检测的主机,网络和基于文件的指标的重叠对策而继续更新公共存储库。此外,我们在GitHub页面上发布了需要解决的CVE列表,以限制Red Team工具的有效性。
FireEye产品保护客户免受这些工具的侵害
FireEye的团队一直在努力制定对策,以保护我们的客户和广大社区。我们已将这些对策整合到我们的产品中,并与我们的合作伙伴(包括国土安全部)共享了这些对策,这些合作伙伴已将这些对策纳入其产品中,从而为社区提供了广泛的覆盖范围。
可以在GitHub存储库中找到有关可用检测签名的更多信息。