Discover and read the best of Twitter Threads about #FireEyeSummit
Most recents (10)
Hey #ATTACKcon here's a recap of
#GuardrailsOfTheGalaxy: The Prologue
including the *first* three awards โ #Guardies ๐
+ the slides
I'm your thread host, @ItsReallyNick from the #AdvancedPractices ๐ฆ Adversary Methods team where we "reverse engineer" attacker techniques...
#GuardrailsOfTheGalaxy: The Prologue
including the *first* three awards โ #Guardies ๐
+ the slides
I'm your thread host, @ItsReallyNick from the #AdvancedPractices ๐ฆ Adversary Methods team where we "reverse engineer" attacker techniques...
Why a lightning talk on Execution Guardrails (#T1480)?
โข We worked with @stromcoffee & @MITREattack team who added the new technique in April 2019:
โข Smart people suggest that guardrails are correlated with adversary sophistication
โข ๐๐ค๏ธ are fun! ...
โข We worked with @stromcoffee & @MITREattack team who added the new technique in April 2019:
โข Smart people suggest that guardrails are correlated with adversary sophistication
โข ๐๐ค๏ธ are fun! ...
Guardrail Definition & Detection Concepts
$coverage = /de(fini|tec)tion/
The unique combination of behaviors that define guardrailing โ and their order โ can be used to detect it.
Pitfalls: stage 1 recon, confusing with broader AV/tech evasions, and "legitimate" guardrailing...
$coverage = /de(fini|tec)tion/
The unique combination of behaviors that define guardrailing โ and their order โ can be used to detect it.
Pitfalls: stage 1 recon, confusing with broader AV/tech evasions, and "legitimate" guardrailing...
๐๏ธ๐ฟMovie Night: "Between Two Steves"
๐#StateOfTheHack
@cglyer & I chat with the top two Steves from #AdvancedPractices ๐ฆ : @stonepwn3000 & @stvemillertime to talk about the front-line technical stories and research presented at the 2019 #FireEyeSummit.
pscp.tv/w/1YpJkYjBleMKj
๐#StateOfTheHack
@cglyer & I chat with the top two Steves from #AdvancedPractices ๐ฆ : @stonepwn3000 & @stvemillertime to talk about the front-line technical stories and research presented at the 2019 #FireEyeSummit.
pscp.tv/w/1YpJkYjBleMKj
@cglyer @stonepwn3000 @stvemillertime ๐ฃ๏ธ
โข tracking the groups and techniques that matter
โข recent #FIN7 events: fireeye.com/blog/threat-reโฆ
โข recent #AdvancedPractices team research, including PDB dossier & summit talks on proactive identification of C2, deep code signing research, and rich header hunting at scale...
โข tracking the groups and techniques that matter
โข recent #FIN7 events: fireeye.com/blog/threat-reโฆ
โข recent #AdvancedPractices team research, including PDB dossier & summit talks on proactive identification of C2, deep code signing research, and rich header hunting at scale...
We highlight a favorite talk
๐ ๐๐ถ๐๐ถ๐ป๐ด ๐ผ๐ณ๐ณ ๐๐ต๐ฒ ๐ข๐ฟ๐ฐ๐ต๐ฎ๐ฟ๐ฑ ๐
by @williballenthin, @nicastronaut, @HighViscosity
revealing TTPs & artifacts left behind from the million mac engagement
fireeye.com/blog/threat-reโฆ
We kinda want to do a full #StateOfTheHack on that one...
๐ ๐๐ถ๐๐ถ๐ป๐ด ๐ผ๐ณ๐ณ ๐๐ต๐ฒ ๐ข๐ฟ๐ฐ๐ต๐ฎ๐ฟ๐ฑ ๐
by @williballenthin, @nicastronaut, @HighViscosity
revealing TTPs & artifacts left behind from the million mac engagement
fireeye.com/blog/threat-reโฆ
We kinda want to do a full #StateOfTheHack on that one...
๐ค๐ฐ Mahalo FIN7: fireeye.com/blog/threat-reโฆ
โข On several on-going investigations we saw #FIN7 trying to retool ๐๐ผ
โข Used DLL search order hijacking of a legit POS management utility with a signed backdoor (0 detections on VirusTotal)
โข Hunting for #BOOSTWRITE and #RDFSNIFFER ๐ณ
โข On several on-going investigations we saw #FIN7 trying to retool ๐๐ผ
โข Used DLL search order hijacking of a legit POS management utility with a signed backdoor (0 detections on VirusTotal)
โข Hunting for #BOOSTWRITE and #RDFSNIFFER ๐ณ
.@josh__yoder & I stayed up much of the night to get this blog out.
The signed #BOOSTWRITE sample is still undetected by static VT scanners: virustotal.com/gui/file/18cc5โฆ
We were fair on why that is and how that doesn't fully represent detection posture.
Then we provided hunting rules.
The signed #BOOSTWRITE sample is still undetected by static VT scanners: virustotal.com/gui/file/18cc5โฆ
We were fair on why that is and how that doesn't fully represent detection posture.
Then we provided hunting rules.
#FIN7's code signing certificate is purportedly from Mango Enterprise Limited in the UK.
Prob not theirs - based on the street address, I suspect there's more car theft than certificate theft ๐: maps.app.goo.gl/MbznDeJPHJr4n5โฆ
We analyze & discuss how to find the certificate anomalies!
Prob not theirs - based on the street address, I suspect there's more car theft than certificate theft ๐: maps.app.goo.gl/MbznDeJPHJr4n5โฆ
We analyze & discuss how to find the certificate anomalies!
@HoldSecurity Harvests information periodically from various botnet information panels (that give them view into the size and systems in the botnet).
Fun fact - Gozi botnet has so many systems connected all queries on the information panel time out
#FireEyeSummit
Fun fact - Gozi botnet has so many systems connected all queries on the information panel time out
#FireEyeSummit
So FEYE just opened up some internal security APIs (detection as a service, virtual NX) and launched a developer relations program. ๐ฏ
That's a very... different @FireEye & a surprise even to employees.
๐Developer hub: fireeye.dev
๐AWS Apps: aws.amazon.com/marketplace/seโฆ
That's a very... different @FireEye & a surprise even to employees.
๐Developer hub: fireeye.dev
๐AWS Apps: aws.amazon.com/marketplace/seโฆ
@FireEye @FireEyeDev @GradyS @jtviolet I wasn't involved with this effort, but I just met our new dev relations guy @jtviolet at #FireEyeSummit and this was dropped on the main stage by @GradyS
It looks like more APIs are coming? @FireEyeDev๐
Time to go see what we're exposing and hope we're storing *some* telemetry
It looks like more APIs are coming? @FireEyeDev๐
Time to go see what we're exposing and hope we're storing *some* telemetry
@FireEye @FireEyeDev @GradyS @jtviolet Hopefully we can get more of our @Mandiant & #FLARE microservices*โฃ available via public API for the right price.
~thinking to myself~ "maybe if I post publicly it will happen"
๐๐๐ฝ
*โฃconfig extractors, traffic decoders, forensic artifact analyzers, toolmark highlighters
~thinking to myself~ "maybe if I post publicly it will happen"
๐๐๐ฝ
*โฃconfig extractors, traffic decoders, forensic artifact analyzers, toolmark highlighters
1/ File under #BadSpeaker - Former U.S. Secretary of State Hillary Rodham Clinton is a "featured" keynote at our #FireEyeSummit. Intimate Q&A includes: the old lady wrist prop technique to support your hammer hand; & how to avoid "eye" splatter from bleach-bit by using a cloth.
2/ With special followup diatribe by #CrookedHillary on "how to ignore security warnings for the State Department and #FBI when your computer is infected and forwarding all your E-mails to China". Finally get Hillary's inside scoop on "What Difference Does it [AKAsecurity] Make"
3/ Be amazed that a legitimate security conference actually invited the most inept, corrupt, and "security lazy" SOS in US history.
"You've Got Mail"
@danielcabaniel @CyberAmyntas discussing email phishing and mail server attack trends
#FireEyeSummit
@danielcabaniel @CyberAmyntas discussing email phishing and mail server attack trends
#FireEyeSummit
APT34 compromised a trusted partner org - and used that to abuse trust (convinced user to enable macros) and successfully phish victim
Subsequently staged data theft files on the Exchange server as .png files and downloaded from the server.
#FireEyeSummit
Subsequently staged data theft files on the Exchange server as .png files and downloaded from the server.
#FireEyeSummit
C-level credential phished while on vacation - APT34 used account access to phish entire company. Even though infosec team blocked URL on web proxy - employees switched to guest wi-fi to access the URL.
#FireEyeSummit
#FireEyeSummit
.@TekDefense introducing our next talk about unmasking APT38 - a North Korean threat actor focused on financial attacks
Blog released today with more details
fireeye.com/blog/threat-reโฆ
#FireEyeSummit
Blog released today with more details
fireeye.com/blog/threat-reโฆ
#FireEyeSummit
APT38 targeted banks (SWIFT messaging initiated wire transfers you've read about in the news) and crypto currency exchanges (among other orgs)
#FireEyeSummit
#FireEyeSummit
Yes - you read that right. APT38 has used multiple different (and escalating tactics over time) to destroy evidence including deploying ransomware and running disk wiping malware
#FireEyeSummit
#FireEyeSummit
First up Matias and Adrian discussing investigating the threat actor that MSFT calls Platinum
...and right out of the gate the threat actor steals your EDR agent installer ๐ฎ #SignsThisProbablyIsntAScriptKiddie
#FireEyeSummit
...and right out of the gate the threat actor steals your EDR agent installer ๐ฎ #SignsThisProbablyIsntAScriptKiddie
#FireEyeSummit
How do you hunt for ACI Shim persistence? Multiple different techniques - but the Windows Program-Telemetry logs are a great place to look
#FireEyeSummit
#FireEyeSummit
What they thought *might* be a boring IR based on initial leads, quickly became interesting when the attacker snapped up the endpoint tooling they just deployed.
Peep that renamed rar.exe snapping up our files for nation state attackers (PLATINUM) to analyze ๐
#FireEyeSummit
Peep that renamed rar.exe snapping up our files for nation state attackers (PLATINUM) to analyze ๐
#FireEyeSummit
It takes hard #DFIR work to get this point but there is nothing quite like uncovering novel/rare persistence and playing around with new attacker tools to understand them. A bit jealous of Adrien and Matias finding Platinum's #REDSALT.
Platinum undetected for 9 years at victim.
These guys found multiple APT groups on network.
The talk then gets into additional advanced backdoors with crazier capabilities that were first.
There's so much here. I'm hearing we *might* upload #FireEyeSummit videos to YouTube ๐ค
These guys found multiple APT groups on network.
The talk then gets into additional advanced backdoors with crazier capabilities that were first.
There's so much here. I'm hearing we *might* upload #FireEyeSummit videos to YouTube ๐ค
