FireEye’s Leaked Red Team Tools Are Mostly Based on Open Source Projects - A Detailed Analysis

We analyzed 60 tools leaked from FireEye Red Team’s arsenal to understand the impact of this breach. We found that 43% of tools are based on public tools. Our analysis shows that this breach will not have high impact on organizations.

Suleyman OZARSLAN, PhD
Picus Security
8 min readDec 13, 2020


Originally published at https://www.picussecurity.com/resource/blog/techniques-tactics-procedures-utilized-by-fireeye-red-team-tools

We have been routinely reading about new breaches this year, but this latest incident is different from all the others we have heard of so far. FireEye, like all security vendors, is fighting for a good cause. We support FireEye, and we think their response so far has been very mature and transparent, sharing countermeasures to detect the use of their stolen tools.

We know that in such a situation, and in limited time, it is not easy to build all possible countermeasures. So we are also doing our best to support the community by sharing analysis and additional countermeasures that help organizations validate and improve their security posture against the possible use of the leaked Red Team tools against them.

In this article, we analyzed 60 tools stolen from FireEye Red Team’s arsenal to understand the impact of this breach. We found that:

  • 43% of the stolen tools are publicly available tools that are using known attack techniques.
  • 40% of tools are developed in-house by FireEye. These tools also utilize known adversary techniques.
  • 17% of the stolen tools cannot be identified since FireEye did not share adequate details about these tools. According to their names, we believe that most of these unknown tools are also slightly modified versions of publicly available tools.

FireEye also announced that exploits for 16 vulnerabilities were stolen as well. However, there is no reason for serious concern regarding these vulnerabilities and their exploits, since they are already well known.

At first, this breach resembled the theft of the NSA hacking tools published in the Shadow Brokers leak. A couple of high-severity 0-day exploits were released in the NSA breach, and those exploits caused severe security incidents worldwide, such as WannaCry and NotPetya. However, the stolen tools and exploits in the FireEye breach utilize known attack techniques. Our analysis shows that this breach will not have a high impact on organizations.

Still, countermeasures should be taken against the stolen tools, since they are frequently used by threat actors. In our new blog post, “It is Time to Take Action — How to Defend Against FireEye’s Red Team Tools”, we shared our comprehensive Blue Team recommendations, our detection content as SIGMA and vendor-specific queries, and vendor-specific prevention signatures for defending against the FireEye Red Team tools.

Stolen Red Team Tools

FireEye has not shared details about what the stolen red team tools do. The Red and Blue Team analysts of Picus Labs analyzed the compromised tools to reveal the functionalities and possible impacts of these tools.

We categorized these tools into four sets:

  1. Tools Based on Open Source Projects: These red team tools are slightly modified versions of open-source tools.
  2. Tools Based on Built-in Windows Binaries: These tools use built-in Windows binaries known as LOLBINs (Living Off The Land Binaries) [1].
  3. Tools Developed In-house for Fireeye’s Red Team: These tools are specially developed for the use of FireEye’s Red Team.
  4. Tools Without Adequate Data to Analyze: There is not enough data to analyze these tools. The YARA rules published by FireEye for these tools match only on the ProjectGuid of each tool.

The chart below shows the distribution of the stolen red team tools across the above categories.

Stolen Exploits

In addition to the red team tools, exploit payloads were also affected by the incident. The leaked payloads exploit the vulnerabilities listed below. According to FireEye’s report, the leaked payloads do not include any 0-day exploit.

| CVE Number     | Vulnerability Type                  | Affected Product                                              |
|----------------|-------------------------------------|---------------------------------------------------------------|
| CVE-2014-1812  | Privilege Escalation                | Windows                                                       |
| CVE-2016-0167  | Privilege Escalation                | Microsoft Windows                                             |
| CVE-2017-11774 | Remote Code Execution               | Microsoft Outlook                                             |
| CVE-2018-13379 | Pre-auth Arbitrary File Read        | Fortigate SSL VPN                                             |
| CVE-2018-15961 | Remote Code Execution               | Adobe ColdFusion                                              |
| CVE-2019-0604  | Remote Code Execution               | Microsoft SharePoint                                          |
| CVE-2019-0708  | Remote Code Execution               | Windows Remote Desktop Services (RDS)                         |
| CVE-2019-11510 | Pre-auth Arbitrary File Read        | Pulse Secure SSL VPN                                          |
| CVE-2019-11580 | Remote Code Execution               | Atlassian Crowd                                               |
| CVE-2019-19781 | Remote Code Execution               | Citrix Application Delivery Controller and Citrix Gateway     |
| CVE-2019-3398  | Authenticated Remote Code Execution | Confluence                                                    |
| CVE-2019-8394  | Pre-auth Arbitrary File Upload      | ZoHo ManageEngine ServiceDesk Plus                            |
| CVE-2020-0688  | Remote Code Execution               | Microsoft Exchange                                            |
| CVE-2020-1472  | Privilege Escalation                | Microsoft Active Directory                                    |
| CVE-2018-8581  | Privilege Escalation                | Microsoft Exchange Server                                     |
| CVE-2020-10189 | Remote Code Execution               | ZoHo ManageEngine Desktop Central                             |

The chart below shows the distribution of the vulnerabilities by vulnerability type:

Usual Suspects

As a cybersecurity company that fights APT groups and nation-state threat actors, FireEye frequently engages with Russian threat actors. According to the Washington Post, APT29 (also known as YTTRIUM, The Dukes, Cozy Bear, and CozyDuke) [2] carried out the FireEye breach [3]. However, there is no evidence to prove that.

Blue Team Recommendations

Picus Labs’ Blue Team prepared a list of recommendations for preventing and detecting the stolen tools and exploits.

  1. Mitigating Vulnerabilities: Assess your systems against the vulnerabilities listed in the section above using vulnerability scanning and monitoring tools. If there are any gaps you haven’t patched yet, you must fix them, and you should check whether they have already been abused on your systems.
  2. Compromise Assessment: You can conduct compromise assessments on your systems using the YARA rules released by FireEye [4]. To apply the YARA rules, use an open-source YARA scanning tool or an enterprise product, distribute it to the endpoints on your systems, then load the rules and collect the results. Moreover, you can take the IoCs included in the YARA rules and search for them in your SIEM environment.
  3. Utilize IoCs: To prevent and detect related threats in the future, you can add the IoCs given in this report to your security products, such as EDR, EPP, and SIEM. However, keep in mind that these IoCs can easily be changed by adversaries.
  4. Utilize Snort Rules: Most network security products support Snort rules. You can add the released Snort rules to your security devices [4]. If you are already using Snort, check that your rule set is up to date.
  5. Update Your Security Products: Security vendors are releasing new signatures and rule sets that include countermeasures against the stolen tools. Update your security products and their rule and signature sets.
  6. Hunting with OpenIOC: FireEye released some countermeasures in the OpenIOC format. You can turn these into detection and hunting rules for your security devices using IoC editors.
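As an added example (not part of the original post, and not one of FireEye’s published countermeasures), the Python script below shows the hash-matching side of recommendations 2 and 3: it sweeps a directory tree for files whose SHA1 or SHA256 matches the IoCs quoted later in this article, and it searches exported SIEM log lines for the same digests. The log lines are constructed for the demo; the hashes are the ones listed in the tool sections of this article.

```python
import hashlib
import os
import re

# File hashes quoted in this article's IoC lists (the first ADPassHunt entry is
# SHA1, the rest are SHA256), mapped to the tool they belong to.
KNOWN_IOCS = {
    "590bd7609edf9ea8dab0b5fbc38393a870b329de": "ADPassHunt",
    "29385446751ddbca27c26c43015be7ab0d548b895531fba9b03d612e53bd9ff0": "ADPassHunt",
    "9ff0c4211b7e0b6b9789c4a8576a5e2d1085ca729047a97518f46073ba558956": "DueDLLigence",
    "bcbc2f9367a909de763dca4d46d8328b65593df72abb5e61d2b8b104245f4814": "DueDLLigence",
    "df50e66c9f384a5ff9e3b23272677f3cc2962759947bffbfb905a12f21fd7a3d": "DueDLLigence",
    "71227bc1534a092ba03e6374cad929b193d1f6667cb781efd059b7d7d8e09c1d": "DueDLLigence",
    "aac1cd7e70f87d29504a017c7c1fe4ad276980d624d1f3651565cada52a37031": "DueDLLigence",
    "efb533249f71ea6ebfb6418bb67c94e8fbd5f2a26cbd82ef8ec1d30c0c90c6c1": "Excavator",
    "27a5e3795e150eb9d3af99a654be7d9a684983c0bbccc9ba0b4efa4301404760": "Excavator",
    "31d06aa9ceb13c28b6af76d6b5cc33dc14c59e4496c9265cee60cbad3d89b863": "Excavator",
}

# A 64-hex-char (SHA256) or 40-hex-char (SHA1) token on word boundaries.
HEX_DIGEST = re.compile(r"\b([0-9a-fA-F]{64}|[0-9a-fA-F]{40})\b")


def hash_bytes(data):
    """SHA1 and SHA256 of an in-memory byte string."""
    return {"sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_file(path, chunk_size=1 << 20):
    """SHA1 and SHA256 of a file, streamed so large binaries do not fill memory."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return {"sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def scan_tree(root, iocs=KNOWN_IOCS):
    """Walk a directory tree; return (path, algorithm, tool) for every file whose
    SHA1 or SHA256 is in the IoC set. Unreadable files are skipped, not fatal."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for algo, digest in digests.items():
                if digest in iocs:
                    hits.append((path, algo, iocs[digest]))
    return hits


def match_log_lines(lines, iocs=KNOWN_IOCS):
    """Find IoC hashes inside free-text log lines (as exported from a SIEM).
    Returns (line_number, digest, tool) tuples; line numbers start at 1.
    Digests are lower-cased before lookup, so case in the logs does not matter."""
    matches = []
    for lineno, line in enumerate(lines, start=1):
        for digest in HEX_DIGEST.findall(line):
            digest = digest.lower()
            if digest in iocs:
                matches.append((lineno, digest, iocs[digest]))
    return matches


# Constructed sample: three file-creation events as a SIEM might export them.
# Only the first and third carry a digest from the article's IoC lists.
SAMPLE_LOG_LINES = [
    "2020-12-10T10:01:02Z host=ws01 event=FileCreate path=C:\\Users\\alice\\Downloads\\svc.exe "
    "sha256=EFB533249F71EA6EBFB6418BB67C94E8FBD5F2A26CBD82EF8EC1D30C0C90C6C1",
    "2020-12-10T10:05:00Z host=ws02 event=FileCreate path=C:\\Windows\\Temp\\setup.msi "
    "sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "2020-12-10T10:07:31Z host=srv01 event=FileCreate path=C:\\Temp\\adph.exe "
    "sha1=590bd7609edf9ea8dab0b5fbc38393a870b329de",
]

if __name__ == "__main__":
    for hit in match_log_lines(SAMPLE_LOG_LINES):
        print("log line %d: %s matches %s IoC" % hit)
    for hit in scan_tree("."):
        print("file %s: %s matches %s IoC" % hit)
```

Hash IoCs are the weakest indicator in the list (a single byte change produces a new digest), so treat a hit as a trigger for triage rather than the only detection; the YARA and Snort rules in FireEye’s repository [4] match on content and behaviour and survive trivial recompilation better.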

For more detailed recommendations, our detection content as SIGMA and vendor-specific (ArcSight, Carbon Black, QRadar, and Splunk) queries, and vendor-specific (CheckPoint, Cisco, Citrix, Fortinet, F5, McAfee, ModSecurity, Palo Alto Networks, Snort, Trend Micro) prevention signatures, read our new blog post, “It is Time to Take Action — How to Defend Against FireEye’s Red Team Tools”.

Picus in Action

The Picus Threat Library includes most of the stolen tools, and the Picus Mitigation Library contains actionable mitigation recommendations and detection rules. Picus Labs’ Red and Blue Teams are working on the tools not yet covered and adding them and their techniques to our libraries.

So, our users have already assessed their cyber defenses against most of the stolen red team tools and their attack techniques, and they have fixed the identified gaps using the actionable recommendations provided by the Picus platform.

Detailed Analysis of the Tools

1. Tools Based on Open Source Projects:

These red team tools are slightly modified versions of open-source tools.

1.1 ADPassHunt

It is a credential-stealing tool that hunts Active Directory credentials. There are two remarkable strings in the YARA rule [5] for this tool: Get-GPPPasswords and Get-GPPAutologons. Get-GPPPassword is a PowerShell script that retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences (GPP) [6]. Get-GPPAutologons is another PowerShell script that retrieves passwords from Autologon entries pushed through GPP. Both scripts are functions in PowerSploit, an offensive security framework that combines PowerShell modules and scripts [7]. You can read our blog post to find out more about the OS credential dumping technique.

MITRE ATT&CK Techniques
T1003.003 OS Credential Dumping: NTDS
T1552.006 Unsecured Credentials: Group Policy Preferences

ADPassHunt IOCs (SHA1, SHA256)

590bd7609edf9ea8dab0b5fbc38393a870b329de
29385446751ddbca27c26c43015be7ab0d548b895531fba9b03d612e53bd9ff0
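A defender-side check for the weakness ADPassHunt exploits, added here as an example (it is not code from the original post, from FireEye, or from PowerSploit): it walks a copy of SYSVOL and reports every Group Policy Preference item that still carries a cpassword attribute, without decrypting anything. The Groups.xml content below is constructed for the demo, and the clsid and uid values in it are placeholders rather than real GPP identifiers.

```python
import os
import xml.etree.ElementTree as ET

# Group Policy Preference files that historically could carry a cpassword
# attribute (compared case-insensitively when walking SYSVOL).
GPP_FILE_NAMES = {
    "groups.xml", "services.xml", "scheduledtasks.xml",
    "datasources.xml", "drives.xml", "printers.xml",
}


def find_cpasswords(xml_data, source="<inline>"):
    """Return one finding per GPP item whose Properties element carries a
    cpassword attribute. The encrypted value itself is never returned; the
    audit only needs to know that it exists and which account it is for."""
    findings = []
    root = ET.fromstring(xml_data)
    # GPP layout: <Groups><User name=.. changed=..><Properties cpassword=.. userName=../>
    # so the interesting attribute sits on a child, and its context on the parent.
    for parent in root.iter():
        for child in parent:
            if "cpassword" in child.attrib:
                findings.append({
                    "source": source,
                    "item": parent.attrib.get("name", parent.tag),
                    "userName": child.attrib.get("userName", ""),
                    "changed": parent.attrib.get("changed", ""),
                    "cpassword_set": bool(child.attrib["cpassword"]),
                })
    return findings


def audit_sysvol(root_dir):
    """Walk a SYSVOL copy (or any directory) and collect cpassword findings
    from every GPP XML file found. Unreadable or malformed files are skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() not in GPP_FILE_NAMES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    findings.extend(find_cpasswords(fh.read(), source=path))
            except (OSError, ET.ParseError):
                continue
    return findings


# Constructed Groups.xml: one local-account item that still embeds a cpassword
# (placeholder value) and one that was created without a password.
SAMPLE_GROUPS_XML = """
<Groups clsid="{PLACEHOLDER-CLSID-GROUPS}">
  <User clsid="{PLACEHOLDER-CLSID-USER}" name="LocalAdmin" image="2"
        changed="2014-03-01 10:15:20" uid="{PLACEHOLDER-UID-1}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER-ENCRYPTED-VALUE" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
  <User clsid="{PLACEHOLDER-CLSID-USER}" name="Helpdesk" image="2"
        changed="2019-06-12 08:00:00" uid="{PLACEHOLDER-UID-2}">
    <Properties action="U" newName="" fullName="" description=""
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="Helpdesk"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, source="Groups.xml (sample)"):
        print("%s: item %r sets a password for %r (last changed %s)"
              % (f["source"], f["item"], f["userName"], f["changed"]))
```

Run audit_sysvol against an offline copy of the domain’s SYSVOL share (the Policies tree). Every finding is a credential any domain user can read; the fix is to delete the preference item, rotate the password of the affected account, and confirm that the MS14-025 update is installed so that new cpassword entries cannot be created (the update does not remove entries that already exist).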

Please read our original blog post to learn about the other 20 stolen red team tools based on open-source projects.

2. Tools Based on Built-in Windows Binaries

These tools use built-in Windows binaries known as LOLBINs (Living Off The Land Binaries) [1].

2.1 DueDLLigence

DueDLLigence is a shellcode runner framework previously published by FireEye [26]. Red teams use it for application whitelisting bypass and DLL side-loading. It abuses the built-in Windows binaries Control.exe (Windows Control Panel), Rasautou.exe (Remote Access Dialer), and msiexec.exe (Microsoft Installer Executable) to bypass application whitelisting.

MITRE ATT&CK Techniques
T1218.002 Signed Binary Proxy Execution: Control Panel
T1218.007 Signed Binary Proxy Execution: Msiexec

DueDLLigence IOCs (SHA256)

9ff0c4211b7e0b6b9789c4a8576a5e2d1085ca729047a97518f46073ba558956
bcbc2f9367a909de763dca4d46d8328b65593df72abb5e61d2b8b104245f4814
df50e66c9f384a5ff9e3b23272677f3cc2962759947bffbfb905a12f21fd7a3d
71227bc1534a092ba03e6374cad929b193d1f6667cb781efd059b7d7d8e09c1d
aac1cd7e70f87d29504a017c7c1fe4ad276980d624d1f3651565cada52a37031

Please read our original blog post to learn about the other 4 stolen red team tools based on built-in Windows binaries (LOLBIN / LOLBAS).

3. Tools Developed In-house for FireEye’s Red Team

These tools are specially developed for the use of FireEye’s Red Team.

3.2 Excavator

This red team tool can dump a process directly or via its service. Red teams use it to dump credentials from LSASS memory. You can read our Credential Dumping blog to learn the details of this technique.

MITRE ATT&CK Techniques
T1003.001 OS Credential Dumping: LSASS Memory

Excavator IOCs (SHA256)
efb533249f71ea6ebfb6418bb67c94e8fbd5f2a26cbd82ef8ec1d30c0c90c6c1
27a5e3795e150eb9d3af99a654be7d9a684983c0bbccc9ba0b4efa4301404760
31d06aa9ceb13c28b6af76d6b5cc33dc14c59e4496c9265cee60cbad3d89b863
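Both DueDLLigence (section 2.1, DLL side-loading through Control.exe, Rasautou.exe and msiexec.exe) and Excavator (above, dumping LSASS memory) leave traces in endpoint telemetry. The Python below is an added example, not code from the original post or from FireEye: it evaluates two detection rules over constructed Sysmon-style events. The field names follow Sysmon’s Event ID 7 (image load) and Event ID 10 (process access) records; the hosts, paths and values are made up for the demo.

```python
# Constructed events in a Sysmon-like shape, reduced to the fields the rules use.
SAMPLE_EVENTS = [
    {"EventID": 7, "Host": "ws01", "Image": "C:\\Windows\\System32\\control.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll", "Signed": "false"},
    {"EventID": 7, "Host": "ws01", "Image": "C:\\Windows\\System32\\control.exe",
     "ImageLoaded": "C:\\Windows\\System32\\shell32.dll", "Signed": "true"},
    {"EventID": 7, "Host": "ws02", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "ImageLoaded": "C:\\ProgramData\\Vendor\\payload.dll", "Signed": "false"},
    {"EventID": 10, "Host": "srv01", "SourceImage": "C:\\Temp\\svc.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Host": "srv01", "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1400"},
]

# Signed Windows binaries DueDLLigence uses as DLL hosts (T1218.002 / T1218.007).
LOLBINS = {"control.exe", "rasautou.exe", "msiexec.exe"}
# Access right a process needs to read another process's memory.
PROCESS_VM_READ = 0x0010


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def under_windows_dir(path):
    return path.replace("/", "\\").lower().startswith("c:\\windows\\")


def rule_lolbin_sideload(ev):
    """T1218.002 / T1218.007: a LOLBIN loads a DLL that is unsigned or lives
    outside the Windows directory, the DLL side-loading pattern."""
    if ev.get("EventID") != 7 or basename(ev.get("Image", "")) not in LOLBINS:
        return None
    loaded = ev.get("ImageLoaded", "")
    if ev.get("Signed", "").lower() == "false" or not under_windows_dir(loaded):
        return "%s loaded %s" % (basename(ev["Image"]), loaded)
    return None


def rule_lsass_read(ev):
    """T1003.001: a process opens lsass.exe with PROCESS_VM_READ, which any
    memory dump needs. Query-only handles (no 0x10 bit) are ignored."""
    if ev.get("EventID") != 10 or basename(ev.get("TargetImage", "")) != "lsass.exe":
        return None
    try:
        granted = int(ev.get("GrantedAccess", "0"), 16)
    except ValueError:
        return None
    if granted & PROCESS_VM_READ:
        return "%s opened lsass.exe with 0x%X" % (ev.get("SourceImage", "?"), granted)
    return None


RULES = {
    "lolbin_dll_sideload": rule_lolbin_sideload,
    "lsass_memory_read": rule_lsass_read,
}


def evaluate(events, rules=RULES):
    """Run every rule over every event; return (rule, host, detail) alerts
    in event order."""
    alerts = []
    for ev in events:
        for name, rule in rules.items():
            detail = rule(ev)
            if detail:
                alerts.append((name, ev.get("Host", "?"), detail))
    return alerts


if __name__ == "__main__":
    for name, host, detail in evaluate(SAMPLE_EVENTS):
        print("[%s] %s: %s" % (name, host, detail))
```

In production both rules need an allowlist: the LSASS rule will fire on antivirus engines and some management agents that legitimately read LSASS memory, and the side-loading rule on installers that run msiexec.exe with vendor DLLs from ProgramData. Tune on a baseline first, then keep the allowlist tied to signed publisher names rather than paths, which an attacker can choose freely.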

Please read our original blog post to learn about the other 23 stolen red team tools developed in-house for FireEye’s Red Team.

4. Tools without Adequate Data to Analyze

The YARA rules published by FireEye for the following tools match only on the ProjectGuid of each tool. We hope FireEye publishes more detailed countermeasures for these tools.

4.1 AllTheThings
4.2 CoreHound
4.3 Justask
4.4 PrepShellCode
4.5 Revolver
4.6 SharpGenerator
4.7 SharpGrep
4.8 SharpSack
4.9 SharpSectionInjection
4.10 SharPy


References

[1] “LOLBAS.” [Online]. Available: https://lolbas-project.github.io . [Accessed: 09-Dec-2020]

[2] “APT29.” [Online]. Available: https://attack.mitre.org/groups/G0016/ . [Accessed: 10-Dec-2020]

[3] E. Nakashima and J. Marks, “Spies with Russia’s foreign intelligence service believed to have hacked a top American cybersecurity firm and stolen its sensitive tools,” The Washington Post, The Washington Post, 08-Dec-2020 [Online]. Available: https://www.washingtonpost.com/national-security/leading-cybersecurity-firm-fireeye-hacked/2020/12/08/a3369aaa-3988-11eb-98c4-25dc9f4987e8_story.html . [Accessed: 10-Dec-2020]

[4] fireeye, “fireeye/red_team_tool_countermeasures.” [Online]. Available: https://github.com/fireeye/red_team_tool_countermeasures . [Accessed: 10-Dec-2020]

[5] “[No title].” [Online]. Available: https://raw.githubusercontent.com/fireeye/red_team_tool_countermeasures/master/rules/ADPASSHUNT/production/yara/APT_HackTool_MSIL_ADPassHunt_2.yar . [Accessed: 09-Dec-2020]

[6] Chris, “GPP Password Retrieval with PowerShell,” Obscure Security blog. [Online]. Available: http://obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html . [Accessed: 09-Dec-2020]

[7] PowerShellMafia, “PowerShellMafia/PowerSploit.” [Online]. Available: https://github.com/PowerShellMafia/PowerSploit . [Accessed: 09-Dec-2020]

Suleyman OZARSLAN, PhD
Picus Security

Co-founder @ PICUS | VP of Picus Labs | Purple Academy | Hacker | Researcher | Former Cyber Security Trainer @ NATO SPS #infosec #cybersecurity #enterpreneur