FireEye’s Leaked Red Team Tools Are Mostly Based on Open Source Projects - A Detailed Analysis
We analyzed 60 tools leaked from FireEye Red Team’s arsenal to understand the impact of this breach. We found that 43% of the tools are based on publicly available tools. Our analysis shows that this breach will not have a high impact on organizations.
We have been routinely reading about new breaches this year, but this incident is different from the others. FireEye, like every security vendor, is fighting for a good cause. We support FireEye, and we think their response so far has been mature and transparent: they have published countermeasures to detect the use of their stolen tools.
We know that in such a situation, and in limited time, it is not easy to build every possible countermeasure. So we are doing our part to support the community by sharing our analysis and additional countermeasures that help organizations validate and improve their security posture against the possible use of the leaked Red Team tools.
In this article we analyze 60 tools stolen from FireEye Red Team’s arsenal to understand the impact of the breach. We found that:
- 43% of the stolen tools are built on publicly available tools (open-source projects and built-in Windows binaries) and use known attack techniques.
- 40% were developed in-house by FireEye; these tools also rely on known adversary techniques.
- 17% cannot be identified, because the YARA rules FireEye released for them match only a project GUID and say nothing about what the tool does. Judging by their names, we believe most of these unknown tools are also slightly modified versions of publicly available tools.
FireEye also announced that exploits for 16 vulnerabilities were stolen. These are not a major concern on their own: all 16 are publicly known vulnerabilities (listed below) for which patches are available, so the risk is limited to systems that have not yet received the fixes.
At first glance, this breach recalls the NSA hacking tools published by the Shadow Brokers. That leak contained fully weaponized exploits, EternalBlue among them, which went on to fuel the WannaCry and NotPetya outbreaks in the months that followed. The tools and exploits stolen from FireEye, by contrast, rely on known attack techniques and on vulnerabilities that already have patches. Our analysis shows that this breach will not have a high impact on organizations.
Still, countermeasures should be taken against the stolen tools, since the techniques they implement are frequently used by threat actors. In our companion blog post, “It is Time to Take Action — How to Defend Against FireEye’s Red Team Tools”, we share comprehensive Blue Team recommendations, detection content as SIGMA rules and vendor-specific queries, and vendor-specific prevention signatures for the FireEye Red Team tools.
Stolen Red Team Tools
FireEye has not shared details about what the stolen red team tools do. The Red and Blue Team analysts of Picus Labs analyzed the published countermeasures (YARA, Snort and OpenIOC rules) to reveal the functionality and possible impact of each tool.
We categorized these tools into four sets:
- Tools Based on Open Source Projects: These red team tools are slightly modified versions of open-source tools.
- Tools Based on Built-in Windows Binaries: These tools use built-in Windows binaries known as LOLBINs (Living Off The Land Binaries).
- Tools Developed In-house for FireEye’s Red Team: These tools were developed specifically for the use of FireEye’s Red Team.
- Tools Without Adequate Data to Analyze: There is not enough data to analyze these tools. The YARA rules FireEye published for them match only the tool’s ProjectGuid (a Visual Studio project identifier), which reveals nothing about its functionality.
The chart below shows the distribution of the stolen red team tools across these four categories.
In addition to the red team tools, exploit payloads were also affected by the incident. The leaked payloads exploit the vulnerabilities listed below. According to FireEye’s report, none of the leaked payloads is a 0-day exploit.
| CVE Number | Vulnerability Type | Affected Product |
|---|---|---|
| CVE-2014-1812 | Privilege Escalation | Microsoft Windows (Group Policy Preferences) |
| CVE-2016-0167 | Privilege Escalation | Microsoft Windows |
| CVE-2017-11774 | Remote Code Execution | Microsoft Outlook |
| CVE-2018-8581 | Privilege Escalation | Microsoft Exchange Server |
| CVE-2018-13379 | Pre-auth Arbitrary File Read | Fortinet FortiGate SSL VPN |
| CVE-2018-15961 | Remote Code Execution | Adobe ColdFusion |
| CVE-2019-0604 | Remote Code Execution | Microsoft SharePoint |
| CVE-2019-0708 | Remote Code Execution | Windows Remote Desktop Services (RDS) |
| CVE-2019-3398 | Authenticated Remote Code Execution | Atlassian Confluence |
| CVE-2019-8394 | Pre-auth Arbitrary File Upload | Zoho ManageEngine ServiceDesk Plus |
| CVE-2019-11510 | Pre-auth Arbitrary File Read | Pulse Secure SSL VPN |
| CVE-2019-11580 | Remote Code Execution | Atlassian Crowd |
| CVE-2019-19781 | Remote Code Execution | Citrix Application Delivery Controller and Citrix Gateway |
| CVE-2020-0688 | Remote Code Execution | Microsoft Exchange Server |
| CVE-2020-1472 | Privilege Escalation | Microsoft Active Directory (Netlogon) |
| CVE-2020-10189 | Remote Code Execution | Zoho ManageEngine Desktop Central |
The chart below shows the distribution of the vulnerabilities by vulnerability type.
As a cybersecurity company that fights APT groups and nation-state threat actors, FireEye frequently engages with Russian threat actors. According to the Washington Post, APT29 (also known as YTTRIUM, The Dukes, Cozy Bear, and CozyDuke) carried out the FireEye breach. However, no public evidence confirming that attribution has been released.
Blue Team Recommendations
Picus Labs’ Blue Team prepared the following recommendations for preventing and detecting the stolen tools and exploits.
- Mitigating Vulnerabilities: Assess your systems against the vulnerabilities listed in the previous section using vulnerability scanning and monitoring tools. Patch any gap you find, and check whether the vulnerability has already been abused on your systems, since all of these vulnerabilities were publicly known long before this leak.
- Compromise Assessment: Conduct a compromise assessment on your systems with the YARA rules released by FireEye. Distribute an open-source YARA scanner or an enterprise product that consumes YARA rules to your endpoints, load the rules, and collect the results. You can also take the IoCs embedded in the YARA rules (file hashes in particular) and search for them in your SIEM.
- Utilize IoCs: To prevent and detect related threats in the future, add the IoCs given in this report to your security products, such as EDR, EPP and SIEM. Keep in mind, however, that hash- and name-based IoCs are trivially changed by an adversary who recompiles or repacks a tool, so treat them as a first sweep rather than a lasting detection.
- Utilize Snort Rules: Most network security products support Snort rules. Add the Snort rules FireEye released to your network security devices. If you already run Snort, check that your rule set is up to date.
- Update Your Security Products: Security vendors are releasing new signatures and rule sets that include countermeasures against the stolen tools. Update your security products and their rule and signature sets.
- Hunting with OpenIOC: FireEye also released countermeasures in OpenIOC format. Use an IoC editor to turn these into detection and hunting rules for your security devices.
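As an added example (not code from Picus or FireEye), the following Python script performs the hash-based part of such a compromise assessment offline: it sweeps a directory tree for files whose SHA-256 matches an IoC set and searches log lines for the same hashes. The IoC list, the file tree and the log lines in demo() are constructed placeholders; in practice, feed load_iocs() the SHA-256 values published in FireEye’s countermeasures repository and point sweep_tree() at the paths you care about.

```python
"""Hash-IoC sweep for a compromise assessment: walk a directory tree, SHA-256
every file, and report files (and log lines) that match a hash IoC set.
Added example, not Picus or FireEye code. The IoC list and the log lines in
demo() are constructed; replace them with the SHA-256 values from FireEye's
red_team_tool_countermeasures repository and your own EDR or Sysmon exports."""
import hashlib
import os
import re
import tempfile
from typing import Iterable, List, Set, Tuple

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def load_iocs(lines: Iterable[str]) -> Set[str]:
    """Collect every 64-hex-digit token from the input (text after '#' is a
    comment) into a lower-case set, so mixed-case vendor lists still match."""
    iocs: Set[str] = set()
    for line in lines:
        for token in SHA256_RE.findall(line.split("#", 1)[0]):
            iocs.add(token.lower())
    return iocs


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_tree(root: str, iocs: Set[str]) -> List[Tuple[str, str]]:
    """Return (path, sha256) for every regular file under root whose hash is an
    IoC. Unreadable files (locked, permission denied) are skipped, not fatal."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, digest))
    return hits


def match_log_lines(lines: Iterable[str], iocs: Set[str]) -> List[Tuple[int, str]]:
    """Return (line_number, sha256) for log lines carrying an IoC hash, e.g.
    Sysmon process-creation events or EDR telemetry that records file hashes."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        for token in SHA256_RE.findall(line):
            if token.lower() in iocs:
                hits.append((n, token.lower()))
    return hits


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[int, str]]]:
    """Stand-alone run on constructed data: a temp tree with one file whose hash
    is planted in the IoC list, plus two constructed Sysmon-style log lines."""
    with tempfile.TemporaryDirectory() as root:
        suspect = os.path.join(root, "tools", "runner.dll")
        os.makedirs(os.path.dirname(suspect))
        with open(suspect, "wb") as f:
            f.write(b"constructed sample content, not a real tool\n")
        with open(os.path.join(root, "benign.txt"), "w") as f:
            f.write("nothing to see here\n")
        suspect_hash = sha256_file(suspect)
        iocs = load_iocs([
            "# constructed IoC list, not FireEye's",
            f"{suspect_hash}  runner.dll",
            f"{'0' * 64}  placeholder entry",
        ])
        file_hits = sweep_tree(root, iocs)
        log_hits = match_log_lines([
            "EventID=1 Image=C:\\Windows\\System32\\rasautou.exe Hashes=SHA256="
            + suspect_hash.upper(),
            "EventID=1 Image=C:\\Windows\\explorer.exe Hashes=SHA256=" + "f" * 64,
        ], iocs)
    return file_hits, log_hits


if __name__ == "__main__":
    files, logs = demo()
    print("file hits:", files)
    print("log hits:", logs)
```

A hash sweep finds only unmodified copies of the leaked binaries; a recompiled or repacked tool changes its hash, which is why the YARA rules (matching on strings and structure) and behavioural detections matter more in the long run.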
For more detailed recommendations, our detection content as SIGMA rules and vendor-specific (ArcSight, Carbon Black, QRadar and Splunk) queries, and vendor-specific (Check Point, Cisco, Citrix, Fortinet, F5, McAfee, ModSecurity, Palo Alto Networks, Snort, Trend Micro) prevention signatures, read our companion blog post, “It is Time to Take Action — How to Defend Against FireEye’s Red Team Tools”.
Picus in Action
The Picus Threat Library already includes most of the stolen tools, and the Picus Mitigation Library contains actionable mitigation recommendations and detection rules for them. Picus Labs’ Red and Blue Teams are working on the remaining tools and adding them and their techniques to our libraries.
As a result, our users have already assessed their cyber defenses against most of the stolen red team tools and their attack techniques, and have fixed the identified gaps using the actionable recommendations provided by the Picus platform.
Detailed Analysis of the Tools
1. Tools Based on Open Source Projects
These red team tools are slightly modified versions of open-source tools.
ADPassHunt is a credential stealer that hunts Active Directory credentials. Two strings in its YARA rule stand out: Get-GPPPasswords and Get-GPPAutologons. Get-GPPPassword is a PowerShell script that retrieves the plaintext password and other account details for accounts pushed through Group Policy Preferences (GPP): the cpassword values stored in the preference XML files under SYSVOL are encrypted with an AES key that Microsoft itself published, so anyone who can read SYSVOL (every domain user) can decrypt them. Microsoft’s MS14-025 update stopped the GPP editor from saving new passwords in 2014, but it does not remove existing entries, which is why the technique still pays off. Get-GPPAutologons is a companion script that retrieves passwords from Autologon entries pushed through GPP. Both scripts are functions in PowerSploit, an offensive security framework that combines PowerShell modules and scripts. You can read our blog post to find out more about the OS credential dumping technique.
MITRE ATT&CK Techniques
T1003.003 OS Credential Dumping: NTDS
T1552.006 Unsecured Credentials: Group Policy Preferences
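To make the technique concrete from the defender’s side, here is an added Python example (not FireEye, Picus or PowerSploit code) that does the discovery half of what Get-GPPPassword and Get-GPPAutologons do: it walks a SYSVOL share, parses the preference XML files, and inventories every cpassword attribute and every Winlogon DefaultPassword pushed through Registry.xml, without decrypting anything. The SYSVOL layout, the XML and the sample cpassword value are constructed.

```python
"""Defender-side inventory of Group Policy Preferences credentials: the discovery
half of Get-GPPPassword (cpassword attributes) and Get-GPPAutologons (Winlogon
DefaultPassword values in Registry.xml). Added example, not FireEye, Picus or
PowerSploit code; it locates entries and does not decrypt them. The SYSVOL tree,
XML and sample cpassword built in demo() are constructed."""
import base64
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Preference files that may carry a cpassword attribute (the set PowerSploit checks).
CPASSWORD_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
                   "DataSources.xml", "Drives.xml", "Printers.xml"}
AUTOLOGON_KEY = "software\\microsoft\\windows nt\\currentversion\\winlogon"


@dataclass
class GppFinding:
    file: str
    kind: str            # "cpassword" or "autologon"
    element: str         # XML element that held it (User, NTService, Registry, ...)
    account: str
    secret: str          # cpassword (still AES-256-CBC encrypted) or plaintext
    ciphertext_len: int  # decoded cpassword length (multiple of 16); 0 if plaintext


def pad_base64(s: str) -> str:
    """GPP strips the '=' padding from cpassword; restore it before decoding."""
    return s + "=" * (-len(s) % 4)


def parse_cpasswords(path: str) -> List[GppFinding]:
    """Every element in one preference file whose <Properties> carries cpassword."""
    found = []
    for elem in ET.parse(path).getroot().iter():
        props = elem.find("Properties")
        cp = props.get("cpassword") if props is not None else None
        if not cp:
            continue
        account = props.get("userName") or props.get("accountName") or props.get("runAs") or ""
        raw = base64.b64decode(pad_base64(cp))
        found.append(GppFinding(path, "cpassword", elem.tag, account, cp, len(raw)))
    return found


def parse_autologons(path: str) -> List[GppFinding]:
    """Registry.xml items that push Winlogon DefaultPassword (stored in the clear)."""
    user, passwords = "", []
    for elem in ET.parse(path).getroot().iter("Registry"):
        props = elem.find("Properties")
        if props is None or (props.get("key") or "").lower() != AUTOLOGON_KEY:
            continue
        name = (props.get("name") or "").lower()
        if name == "defaultusername":
            user = props.get("value") or ""
        elif name == "defaultpassword":
            passwords.append(props.get("value") or "")
    return [GppFinding(path, "autologon", "Registry", user, pw, 0) for pw in passwords]


def hunt_sysvol(sysvol_root: str) -> List[GppFinding]:
    """Walk a SYSVOL share (or an offline copy) and inventory both kinds of entry."""
    hits: List[GppFinding] = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if name in CPASSWORD_FILES:
                    hits.extend(parse_cpasswords(path))
                elif name == "Registry.xml":
                    hits.extend(parse_autologons(path))
            except ET.ParseError:
                continue  # malformed preference file: keep sweeping
    return hits


# Constructed: 32 bytes of 'A' as unpadded base64, the same shape as a real
# cpassword (AES-256-CBC ciphertext of a UTF-16LE password) but meaningless.
SAMPLE_CPASSWORD = base64.b64encode(b"A" * 32).decode().rstrip("=")

GROUPS_XML = f"""<?xml version="1.0" encoding="utf-8"?><Groups>
<User name="LocalAdmin"><Properties action="U" userName="LocalAdmin" cpassword="{SAMPLE_CPASSWORD}"/></User>
<User name="Helpdesk"><Properties action="U" userName="Helpdesk"/></User>
</Groups>"""

REGISTRY_XML = """<?xml version="1.0" encoding="utf-8"?><RegistrySettings>
<Registry name="DefaultUserName"><Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" name="DefaultUserName" type="REG_SZ" value="kiosk"/></Registry>
<Registry name="DefaultPassword"><Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" name="DefaultPassword" type="REG_SZ" value="Kiosk2019!"/></Registry>
</RegistrySettings>"""


def demo() -> List[GppFinding]:
    """Build a constructed SYSVOL tree in a temp dir and hunt it."""
    with tempfile.TemporaryDirectory() as sysvol:
        prefs = os.path.join(sysvol, "corp.local", "Policies", "{constructed-gpo-guid}",
                             "Machine", "Preferences")
        for sub, body in (("Groups", GROUPS_XML), ("Registry", REGISTRY_XML)):
            os.makedirs(os.path.join(prefs, sub))
            with open(os.path.join(prefs, sub, sub + ".xml"), "w", encoding="utf-8") as f:
                f.write(body)
        return hunt_sysvol(sysvol)
```

Run hunt_sysvol() against the domain’s SYSVOL share or an offline copy of it. Every hit is a credential an attacker running ADPassHunt would obtain, so rotate it and delete the preference item; the inventory reproduces the attacker’s view without ever touching the published AES key.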
Please read our original blog post to learn about the other 20 stolen red team tools based on open-source projects.
2. Tools Based on Built-in Windows Binaries
These tools use built-in Windows binaries known as LOLBINs (Living Off The Land Binaries).
DueDLLigence is a shellcode runner framework that FireEye itself published as open source before the breach. Red Teams use it for application-control (whitelisting) bypass and DLL side-loading: the payload is built as a DLL that exports the entry points expected by trusted, signed Microsoft binaries, so that control.exe (Control Panel, loading a .cpl), rasautou.exe (Remote Access Dialer, loading a DLL via -d) and msiexec.exe (Windows Installer, registering a DLL via /y) load and execute attacker code under a trusted process name.
MITRE ATT&CK Techniques
T1218.002 Signed Binary Proxy Execution: Control Panel
T1218.007 Signed Binary Proxy Execution: Msiexec
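The following Python example, added here and not part of FireEye’s or Picus’ content, shows the detection logic a SIGMA rule for these three execution paths boils down to, run over constructed process-creation events in the shape of Sysmon Event ID 1. The command-line forms follow the LOLBAS entries for control.exe, rasautou.exe and msiexec.exe; the events, paths and record IDs are made up.

```python
"""Detection logic for the proxy-execution paths DueDLLigence relies on, run over
constructed process-creation events shaped like Sysmon Event ID 1. Added
example, not FireEye, Picus or Sigma content. The command-line forms follow
the LOLBAS entries (control.exe <file.cpl>, rasautou.exe -d <dll> -p <export>,
msiexec.exe /y|/z <dll>); the events, paths and record IDs are made up."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Directories from which these binaries legitimately load their modules. A DLL or
# CPL anywhere else (user profile, ProgramData, temp) is what side-loading looks like.
TRUSTED_MODULE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths intact."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def module_after_flag(args: List[str], flags: set) -> Optional[str]:
    """Return the argument following the first flag in `flags`, if any."""
    for i, a in enumerate(args[:-1]):
        if a.lower() in flags:
            return args[i + 1]
    return None


def module_for_control(args: List[str]) -> Optional[str]:
    """control.exe executes whatever .cpl it is handed, so any .cpl argument counts."""
    return next((a for a in args if a.lower().endswith(".cpl")), None)


# Proxy binary -> (ATT&CK technique, extractor for the module it is told to load)
PROXIES = {
    "control.exe": ("T1218.002 Control Panel", module_for_control),
    "rasautou.exe": ("T1218 Signed Binary Proxy Execution (rasautou)",
                     lambda a: module_after_flag(a, {"-d"})),
    "msiexec.exe": ("T1218.007 Msiexec",
                    lambda a: module_after_flag(a, {"/y", "/z", "-y", "-z"})),
}


@dataclass
class Finding:
    record_id: int
    image: str
    technique: str
    module: str
    reason: str


def normalize(path: str) -> str:
    return path.strip('"').replace("/", "\\").lower()


def check_event(rec: Dict[str, str]) -> Optional[Finding]:
    """Flag the event when a proxy binary is told to load a module from outside
    the system directories (a bare file name counts, since it resolves via cwd)."""
    image = normalize(rec["Image"])
    binary = image.rsplit("\\", 1)[-1]
    if binary not in PROXIES:
        return None
    technique, extract = PROXIES[binary]
    module = extract(tokenize(rec["CommandLine"])[1:])  # drop argv[0]
    if module is None or normalize(module).startswith(TRUSTED_MODULE_DIRS):
        return None
    return Finding(int(rec["RecordId"]), rec["Image"], technique, module,
                   f"{binary} loading a module from an untrusted path")


def scan(events) -> List[Finding]:
    return [f for f in map(check_event, events) if f is not None]


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"RecordId": "1", "Image": "C:\\Windows\\System32\\rasautou.exe",
     "CommandLine": "rasautou.exe -d C:\\Users\\bob\\AppData\\Local\\Temp\\ddl.dll -p entry -a a -e e"},
    {"RecordId": "2", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": 'msiexec.exe /y "C:\\ProgramData\\Update Helper\\helper.dll"'},
    {"RecordId": "3", "Image": "C:\\Windows\\System32\\control.exe",
     "CommandLine": "control.exe C:\\Users\\Public\\settings.cpl"},
    {"RecordId": "4", "Image": "C:\\Windows\\System32\\control.exe",
     "CommandLine": '"C:\\Windows\\System32\\control.exe" /name Microsoft.WindowsUpdate'},
    {"RecordId": "5", "Image": "C:\\Windows\\System32\\control.exe",
     "CommandLine": "control.exe C:\\Windows\\System32\\timedate.cpl"},
    {"RecordId": "6", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec.exe /i C:\\Users\\bob\\Downloads\\setup.msi /qn"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The logic keys on where the module comes from rather than on DueDLLigence’s own hash, so it survives a recompile. Tune TRUSTED_MODULE_DIRS per environment, and pair it with an image-load (Sysmon Event ID 7) rule for the same three binaries to catch launches whose command line does not reveal the path.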
DueDLLigence IoCs (SHA256)
Please read our original blog post to learn about the other 4 stolen red team tools based on built-in Windows binaries (LOLBIN / LOLBAS).
3. Tools Developed In-house for FireEye’s Red Team
These tools are specially developed for the use of FireEye’s Red Team.
Excavator is a red team tool that can dump a process’s memory directly or via its service. Red teams use it to dump credentials from LSASS memory, which requires opening lsass.exe with rights that allow reading its memory. You can read our Credential Dumping blog to learn the details of this technique.
MITRE ATT&CK Techniques
T1003.001 OS Credential Dumping: LSASS Memory
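As an added Python example (not FireEye or Picus code), the following check flags LSASS handle opens of the kind any Excavator-style dumper needs, over constructed Sysmon Event ID 10 (ProcessAccess) records: it decodes the GrantedAccess mask, keeps only masks that permit reading memory or duplicating handles, and then looks at the source image path and call stack. The access-right constants are the documented Win32 process access rights; the events, paths and offsets are made up.

```python
"""Hunt for LSASS memory reads of the kind an Excavator-style dumper needs, over
constructed Sysmon Event ID 10 (ProcessAccess) records. Added example, not
FireEye or Picus code. The access-right constants are the documented Win32
process access rights; the events, paths and call-stack offsets are made up."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PROCESS_VM_READ = 0x0010
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF
RIGHT_NAMES = {
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_DUP_HANDLE: "PROCESS_DUP_HANDLE",
    PROCESS_QUERY_INFORMATION: "PROCESS_QUERY_INFORMATION",
    PROCESS_QUERY_LIMITED_INFORMATION: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Rights that let the caller read LSASS memory, directly or by duplicating a
# handle out of another process. Query-only masks (0x1000, 0x1400) are noise.
DUMP_RIGHTS = PROCESS_VM_READ | PROCESS_DUP_HANDLE
# Where the OS's own LSASS readers live. Add the full paths of your EDR/AV agents.
EXPECTED_SOURCE_DIRS = ("c:\\windows\\system32\\",)
# Frames that betray MiniDumpWriteDump (comsvcs.dll, ProcDump-style tools and many
# custom dumpers end up there) or code running from unbacked memory.
SUSPICIOUS_FRAMES = ("dbghelp.dll", "dbgcore.dll", "unknown")


@dataclass
class Finding:
    record_id: int
    source_image: str
    granted: int
    rights: List[str]
    reason: str


def decode_rights(mask: int) -> List[str]:
    """Human-readable names for the bits we care about in a GrantedAccess mask."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in RIGHT_NAMES.items() if mask & bit]


def check_process_access(rec: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for a read-capable handle to lsass.exe from an unexpected
    image or through a dump-related call stack; None otherwise."""
    if rec["TargetImage"].lower().rsplit("\\", 1)[-1] != "lsass.exe":
        return None
    mask = int(rec["GrantedAccess"], 16)  # Sysmon logs it as a hex string
    if not mask & DUMP_RIGHTS:
        return None
    source = rec["SourceImage"].lower()
    calltrace = rec.get("CallTrace", "").lower()
    reasons = []
    if not source.startswith(EXPECTED_SOURCE_DIRS):
        reasons.append("source image outside System32")
    frames = [f for f in SUSPICIOUS_FRAMES if f in calltrace]
    if frames:
        reasons.append("call stack via " + ", ".join(frames))
    if not reasons:
        return None
    return Finding(int(rec["RecordId"]), rec["SourceImage"], mask,
                   decode_rights(mask), "; ".join(reasons))


def scan(events) -> List[Finding]:
    return [f for f in map(check_process_access, events) if f is not None]


LSASS = "C:\\Windows\\system32\\lsass.exe"
NTDLL = "C:\\Windows\\SYSTEM32\\ntdll.dll+9d5f4"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"RecordId": "1", "SourceImage": "C:\\Users\\bob\\Downloads\\excv.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF", "CallTrace": NTDLL + "|UNKNOWN(000001C3A2B40122)"},
    {"RecordId": "2", "SourceImage": "C:\\Windows\\System32\\rundll32.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010",
     "CallTrace": NTDLL + "|C:\\Windows\\System32\\dbgcore.dll+2b9e|C:\\Windows\\System32\\comsvcs.dll+12d4a"},
    {"RecordId": "3", "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000", "CallTrace": NTDLL + "|C:\\Windows\\System32\\KERNELBASE.dll+2e1a3"},
    {"RecordId": "4", "SourceImage": "C:\\Users\\bob\\tool.exe", "TargetImage": "C:\\Windows\\explorer.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": NTDLL},
    {"RecordId": "5", "SourceImage": "C:\\Windows\\System32\\wininit.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": NTDLL + "|C:\\Windows\\System32\\KERNELBASE.dll+2e1a3"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Record 1 trips both checks (unexpected source, unbacked memory on the stack); record 2 is the comsvcs.dll MiniDump path, which runs from System32 and is caught only by the call stack. In production, extend EXPECTED_SOURCE_DIRS with your EDR and AV agent paths, which legitimately read LSASS, and note that running LSASS as a protected process (RunAsPPL) or enabling Credential Guard blocks the read outright rather than merely detecting it.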
Excavator IOCs (SHA256)
Please read our original blog post to learn about the other 23 stolen red team tools developed in-house for FireEye’s Red Team.
4. Tools without Adequate Data to Analyze
The YARA rules FireEye published for the following tools match only the tool’s ProjectGuid, which is not enough to determine what they do. We hope FireEye publishes more detailed countermeasures for these tools.
“LOLBAS.” [Online]. Available: https://lolbas-project.github.io. [Accessed: 09-Dec-2020]
“APT29,” MITRE ATT&CK. [Online]. Available: https://attack.mitre.org/groups/G0016/. [Accessed: 10-Dec-2020]
E. Nakashima and J. Marks, “Spies with Russia’s foreign intelligence service believed to have hacked a top American cybersecurity firm and stolen its sensitive tools,” The Washington Post, 08-Dec-2020. [Online]. Available: https://www.washingtonpost.com/national-security/leading-cybersecurity-firm-fireeye-hacked/2020/12/08/a3369aaa-3988-11eb-98c4-25dc9f4987e8_story.html. [Accessed: 10-Dec-2020]
FireEye, “fireeye/red_team_tool_countermeasures,” GitHub. [Online]. Available: https://github.com/fireeye/red_team_tool_countermeasures. [Accessed: 10-Dec-2020]
FireEye, “APT_HackTool_MSIL_ADPassHunt_2.yar” (YARA rule). [Online]. Available: https://raw.githubusercontent.com/fireeye/ APT_HackTool_MSIL_ADPassHunt_2.yar. [Accessed: 09-Dec-2020]
Chris, “GPP Password Retrieval with PowerShell,” Obscure Security. [Online]. Available: http://obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html. [Accessed: 09-Dec-2020]
PowerShellMafia, “PowerShellMafia/PowerSploit,” GitHub. [Online]. Available: https://github.com/PowerShellMafia/PowerSploit. [Accessed: 09-Dec-2020]
Originally published at https://www.picussecurity.com.