S2E12: Shellcode. DLLy DLLy!
Christopher Glyer and Nick Carr are back with an extremely offensive episode with red teamers Evan Pena (@evan_pena2003) and Casey Erikson (@EriksocSecurity). They get right into why they use shellcode (any piece of self-contained executable code) and some of the latest shellcode execution & injection techniques that are working in-the-wild.

In previous episodes, the gang has discussed attackers - both authorized and unauthorized - shifting away from PowerShell and scripting-based tooling to C# and shellcode due to improved visibility, detection, and prevention provided by more logging, AMSI, and endpoint security tooling. In this episode, they explore how FireEye's Mandiant Red Team has responded to this pressure and the techniques they've used to continue to operate.

Casey and Evan share their research around the benefits & drawbacks of the three primary techniques for running shellcode and a project they just released - DueDLLigence - to enable conversion of any shellcode into flexible DLLs for sideloading or LOLbin'ing: https://github.com/fireeye/DueDLLigence

If you want to learn more, check out their blog and #DailyToolDrop at: https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html

Shellabrate good times come on!
17 Oct 2019
S3E2: Hacking Tracking Pix & Macro Stomping Tricks
On today's show, Nick Carr and Christopher Glyer break down the anatomy of a really cool pre-attack technique - tracking pixels - and how it can inform more restrictive & evasive payloads in the next stage of an intrusion. We're joined by Rick Cole (@a_tweeter_user) to explore one such evasive method seen in-the-wild: Macro Stomping. And we close the show by deep-diving with Matt Bromiley (@_bromiley) on the critical vulnerability we've been responding to most in 2020 - and what we've seen several attackers do post-compromise.

Just as a targeted intruder might, we start our operation with email tracking pixels. We break down how these legitimate marketing tools are leveraged by attackers looking to learn more about their planned victim's behavior and system - prior to sending any first stage malware. We break down the different variations on these trackers for both benign and malicious uses. For examples of each style of tracking pixel, see Glyer's recent tweet thread (https://twitter.com/cglyer/status/1222255759687372801). We talk through additional red team operators' responses to how they use this technique in their campaigns today - discussion sparked from this great offensive security discussion (https://twitter.com/malcomvetter/status/1222539003565694985). This trend of professional target profiling - drawing both inspiration and specific tracking tools from the marketing industry - is highly effective and a trend we expect to continue.

Next on the episode, we explain how document profiling accomplishes the same end goal as email pixels - and how it can share information about the current version of Microsoft Office on the potential victim's system. Similar to execution guardrails, this Office version information for Microsoft Word or Excel could be used to deliver malware that is highly evasive and only runs on that profile. We also pivot into some potential use cases for fingerprinting Office versions.

We discuss VBA macro stomping and file format intricacies that require attackers to understand the version of Office a target may be using, in order to create evasive spear phishing lures that may bypass both static and dynamic detections. Rick Cole joins us to talk through an active attacker using macro stomping for evasion - both p-code compiling and PROJECT stream manipulation. Rick walks through a brief overview of the technique and a particular financial threat actor who loves macro stomping as much as they love Onyx. Rick co-authored a blog on the topic (https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html) and has an excellent tweet thread linking to other research (https://twitter.com/a_tweeter_user/status/1225062617632428033).

Finally, we're joined by a surprise second guest! Matt Bromiley drops in to discuss FireEye's efforts to respond to the critical Citrix vulnerability, CVE-2019-19781, that went public on January 10, 2020. Matt helps us break down some of the activity we've seen since then, including distinct uncategorized clusters of activity for NOTROBIN, coin-mining, and attempted ETERNALBLUE-laced ransomware.

In addition to securing his customers in Managed Defense, Matt's been working with the team to release several blogs, defender tips, and tools on the vulnerability:
• Matt and Nick published an initial blog on the topic – detailing exploit timelines, evasive attackers, and resilient approaches to detection (https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html)
• Our colleagues Willi Ballenthin and Josh Madeley unveiled NOTROBIN and the concept of exploit squatter's rights in the blog with the titl
10 Feb 2020
S2E10: from MATH import CYBERZ*
Christopher Glyer and Nick Carr interview Matt Berninger (@secbern) about his journey from Incident Responder to Data Scientist and how that has shaped his perspective on ML applications and issues in the industry today.

This discussion provides a brief overview of Data Science fundamentals and how they apply to common cybersecurity problems. They also discuss how to navigate the deluge of ML marketing and what considerations to make before including ML in your security stack. Finally, they dive into some recent Data Science projects and explain how the FireEye Data Science team works with practitioners around the company to solve complex problems.
3 Oct 2019
S1E06.1: Special Black Hat Edition: Katie Nickels
“Special Guest Katie Nickels (@likethecoins)”: Katie Nickels attended a liberal arts school and intended to get into journalism, but instead she took on a researcher role and the rest is history. Now Katie is the Lead Cyber Security Engineer at MITRE. MITRE is a not-for-profit that operates federally funded research and development centers (FFRDC) responsible for R&D that helps the U.S. government. Katie specializes in cyber threat intelligence and how it can improve network defenses. Part of that involves applying threat intelligence to ATT&CK, a knowledge base of real-world attacker tactics, techniques and procedures (TTPs) that is used to assist analysts. Very cool stuff! During our chat, Katie talked about how her team processes new intel as it’s made public (she said she was really excited about our latest FIN7 blog post – thanks Katie!), and about a new ATT&CK philosophy paper MITRE recently released that describes the collaborative process of incorporating new TTPs. We also talked about PRE-ATT&CK, which focuses on what threat actors do to prepare for an attack, such as reconnaissance and weaponizing.
20 Aug 2018
Most Popular Podcasts
S2E06: APT41 - Double Dragon: The Spy Who Fragged Me
This is our APT group graduation party for APT41: Double Dragon, conducting both Chinese state-sponsored espionage activity and personal financially-motivated activity. You've read the report* and on this episode, Christopher Glyer and Nick Carr go behind-the-scenes with two technical experts, Jackie O'Leary and Ray Leong, who worked for months to produce the report. We answer viewer questions and discuss sifting years of incident response data, peppered with Glyer's IR war stories, and fascinating malware and techniques analyzed by our reverse engineers in FLARE. Ray and Jackie share their experiences with the threat group and challenges in the graduation process. We cover what makes them sophisticated and deep-dive on their supply chain attacks & guardrails, passive & cross-platform backdoors, rootkits & bootkits, legit services usage, and third party access via TeamViewer.
14 Aug 2019
S1E03: Hunting Targeted Attackers @ Scale, Live-ish from RSA
In episode 3, we were joined by Alex Lanstein (@alex_lanstein) - one of the first employees at FireEye who hunts through product telemetry data to identify new targeted campaigns. During the RSA conference, and with so many others referencing breaches and hunting from the periphery, we thought it would be good to chat about primary source data from our on-going APT and FIN attack investigations and how to identify anomalies the way Alex does.

We live streamed this episode from the RSA Conference 2018 expo floor. In an unforeseen twist of events, the sheer number of cyber threat maps on the conference floor degraded the bandwidth and video quality. We re-recorded the episode the next day from an undisclosed location with a better connection.

“Community Protection: Southeast Asian Campaign”: We discuss our on-going Community Protection Event (CPE) where we’ve pulled together teams within the company to identify and protect against a suspected Chinese attack group using new methods to compromise Southeast Asian entities. We explore how it was found with custom passwords to decrypt phishing docs as well as the unique PowerShell-laden shortcut (.LNK) builder that was last seen with an APT29 campaign around the 2016 U.S. election.

“APT19 and RepeaTTPs”: We chat about APT19 resuming their targeting of law firms this month using many of the exact same techniques as our 2017 blog post on the activity. Alex shares some insight into interesting APT19 phishing lure choices.
• 2017 TTPs: https://www.fireeye.com/blog/threat-r...

“RO-BORAT Kazakhstani Attribution”: #ThreatIntel attribution can be difficult, but not always. We chat about the level of rigor we applied to analyzing some recent activity that we attributed to Kazakhstan. Very nice!
• Related reading - https://www.eff.org/press/releases/ma...

“What’s M-Trending”: We close out the show with some round-robin discussion of evolving attacker methods and what we found most interesting within our M-Trends 2018 report released in April, which compiled technical intelligence and #DFIR breach data from our 500+ Mandiant investigations in 2017.
• https://www.fireeye.com/content/dam/c...

State of the Hack is FireEye’s monthly live broadcast series, hosted by Christopher Glyer (@cglyer) and Nick Carr (@itsreallynick), that discusses the latest in information security, cyber espionage, attack trends, and tales from the front lines of responding to targeted intrusions. You can catch it live each month on FireEye's Twitter account: https://twitter.com/fireeye
26 Apr 2018
S1E06.2: Special Black Hat Edition: Matt Graeber
“Special Guest Matt Graeber (@mattifestation)”: Early in Matt Graeber’s professional life he was a rock climbing instructor, but then he joined the Navy and that decision kicked off his journey into the wonderful world of InfoSec. Matt is now a Security Researcher at SpecterOps, a company that provides adversary-focused solutions to help organizations better defend themselves against the types of attacks we see every day. At SpecterOps, Matt specializes in reverse engineering and advancement of attacker tradecraft and detection. Prior to SpecterOps, Matt did a stint with FireEye on a team that would go on to become our FLARE unit, so of course we took a moment to go down memory lane. Some of the other topics we covered include PowerShell, Matt’s “Subverting Sysmon” Black Hat USA 2018 talk, and the things that Matt will do in the name of a good cause.
20 Aug 2018
SotH Convos: Finding Evil in Windows 10 Compressed Memory
We are kicking off a new segment on State of the Hack - an audio-only deep dive discussion with authors from popular technical blogs. On this episode, Christopher Glyer and Nick Carr spoke with FireEye's Blaine Stancill (@MalwareMechanic) and Omar Sardar (@osardar1) on their recent blog post, "Finding Evil in Windows 10 Compressed Memory." You can read the full post here: https://feye.io/33dzIQD
7 Aug 2019
S2E09: DerbyCon Edition with Dave Kennedy
Christopher Glyer and Nick Carr interview Dave Kennedy (@HackingDave) on his experience running DerbyCon over the years, what conferences he plans to attend next, and future plans to build and support DerbyCon Communities (DerbyCom). Red teaming in the last few years has started to get harder due to improvements in security visibility, improved security tools, and better SOC teams. They discussed how Dave's red team at @TrustedSec uses security tools to baseline what their activity looks like so they can try and blend in with legitimate activity, and the trend of red teams shifting away from PowerShell to C-based tools/backdoors. Finally, they discussed both new and old (but still effective) techniques recently seen in the wild that can evade detection, including py2exe- and pyinstaller-based backdoors/tools.
18 Sep 2019
S1E06: Black Hat USA 2018 Edition
“FIN7”: It’s a matter of “when, not if” for organizations and breaches, and the same goes for criminals and getting caught. The U.S. District Attorney’s Office for the Western District of Washington recently unsealed indictments and announced the arrests of three leaders in a criminal organization we have tracked since 2015 as FIN7. Referred to by many vendors as “Carbanak Group” (although we don’t attribute all usage of the CARBANAK backdoor to the group), FIN7 is well-known for the technical innovation, social engineering ingenuity, and other creativity that has fueled their success. We open up this episode by talking about all things FIN7, including their tools, their tactics, techniques and procedures (TTPs), and some of the ways FIN7 activity changed following arrests made as far back as January.
• On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation
• To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence
• FIN7 Evolution and the Phishing LNK
• FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings
• Tracking a Cyber Crime Group: FIN7 at a Glance

“Special Guest Katie Nickels (@likethecoins)”: Katie Nickels attended a liberal arts school and intended to get into journalism, but instead she took on a researcher role and the rest is history. Now Katie is the Lead Cyber Security Engineer at MITRE. MITRE is a not-for-profit that operates federally funded research and development centers (FFRDC) responsible for R&D that helps the U.S. government. Katie specializes in cyber threat intelligence and how it can improve network defenses. Part of that involves applying threat intelligence to ATT&CK, a knowledge base of real-world attacker tactics, techniques and procedures (TTPs) that is used to assist analysts. Very cool stuff! During our chat, Katie talked about how her team processes new intel as it’s made public (she said she was really excited about our latest FIN7 blog post – thanks Katie!), and about a new ATT&CK philosophy paper MITRE recently released that describes the collaborative process of incorporating new TTPs. We also talked about PRE-ATT&CK, which focuses on what threat actors do to prepare for an attack, such as reconnaissance and weaponizing.

“Special Guest Matt Graeber (@mattifestation)”: Early in Matt Graeber’s professional life he was a rock climbing instructor, but then he joined the Navy and that decision kicked off his journey into the wonderful world of InfoSec. Matt is now a Security Researcher at SpecterOps, a company that provides adversary-focused solutions to help organizations better defend themselves against the types of attacks we see every day. At SpecterOps, Matt specializes in reverse engineering and advancement of attacker tradecraft and detection. Prior to SpecterOps, Matt did a stint with FireEye on a team that would go on to become our FLARE unit, so of course we took a moment to go down memory lane. Some of the other topics we covered include PowerShell, Matt’s “Subverting Sysmon” Black Hat USA 2018 talk, and the things that Matt will do in the name of a good cause.

“Special Guest Sean Metcalf (@Pyrotek)”: Sean Metcalf is a trailblazer in the InfoSec field who is most well-known for his expertise in Active Directory security. He’s given talks on the topic at several security conferences, including Black Hat USA, DEF CON, DerbyCon and BSides. Fun fact about Sean: he is one of roughly 100 Microsoft Certified Masters (MCMs) in Directory Services in the world. Active Directory security plays a huge part in his current role as Founder and Chief Technology Officer of Trimarc Security. Trimarc is a company that protects organizations primarily through the security of Active Director
20 Aug 2018
S2E07: DerbyCon Edition w/ Carlos Perez & Benjamin Delpy
In this episode, Christopher Glyer and Nick Carr interview the Darkoperator (@Carlos_Perez) and Benjamin Delpy (@gentilkiwi) on all things related to Mimikatz and Kekeo. They discuss Carlos' new class on Mimikatz, the background on why he started it, how red teamers can use the features in unique/creative ways, and how blue teamers can detect the activity. Benjamin shared the background on how he developed the tools (hint - he didn't read the Kerberos RFC), some of its lesser known capabilities, like cloning near field communication (NFC) proximity badges, how Kerberos golden tickets got their default 10 year lifetime, why you only really need to set the expiration to 20 minutes, and his "creative" documentation (e.g. animated GIF posted to Twitter).
12 Sep 2019
S2E08: DerbyCon Edition with Nate Warfield
Christopher Glyer and Nick Carr interview Nate Warfield (@n0x08) on his experience working at Microsoft's Security Response Center (MSRC). They discuss how Nate's team manages the vulnerability reporting and fix/remediation process across Microsoft's range of products/services, and debate what makes the BlueKeep and DejaBlue vulnerabilities different from previous vulnerabilities and why this particular set of vulns took so long to have public exploit code available. Nate also shared his first-hand experience with responding to the Shadow Brokers release of exploits and thoughts on the release of the WannaCry worm.
16 Sep 2019
S3E1: Spotlight Iran - from Cain & Abel to full SANDSPY
In response to increased U.S.-Iran tensions stemming from the recent death of Quds Force leader Qasem Soleimani by U.S. forces and concerns of potential retaliatory cyber attacks, we're bringing the latest from our front-line experts on all things Iran. Christopher Glyer and Nick Carr are joined by Sarah Jones (@sj94356) and Andrew Thompson (@QW5kcmV3) to provide a glimpse into Iran-nexus threat groups - including APT33, APT34, APT35, APT39, and TEMP.Zagros - as well as the freshest actionable information on suspected Iranian uncategorized (UNC) groups that are active right now.

We get right into it with a picture of Iranian compromise activity from just a few years ago - what we observed and the basic, cookie-cutter approach to their intrusions - and then begin to walk through the stark contrast to their TTPs today. We discuss how and why their Computer Network Operations (CNO) have evolved quickly and provide a detailed walk through all of the graduated Iranian APT groups.

Our experts share their experiences with each group, moments in time that surprised or impressed us from Iranian threat actors, and notable shifts in behavior - as well as our standing questions. Iranian intrusion operators have come a long way from DDoS & defacement, basic scanning, Cain & Abel and ASPXspy... to DNS hijacking, social engineering via LinkedIn, information operations, and backdoors like QUADAGENT, SANDSPY, TANKSHELL - then filling in the gaps with the quick adoption of offensive security post-compromise tools and techniques.

We close this first episode of season 3 with an overview of actionable mitigations to secure against both Iranian intrusions and several other threats, including disruptive and destructive ransomware attacks. For more information on these mitigations as well as our public source material supporting the discussion from the show, please check out:
• APT33 graduation: https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
https://www.brighttalk.com/webcast/10703/275683
• APT33 webinar & examples: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
• An example TEMP.Zagros phishing campaign: https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html
• APT35 highlights in MTrends 2018: https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf
• Iranian information operations: https://www.fireeye.com/blog/threat-research/2018/08/suspected-iranian-influence-operation.html
• RULER home page usage by Iranian groups & mitigations: https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
• APT39 graduation: https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html
• Iranian DNS Hijacking (DNSpionage): https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
• More Iranian influence operations: https://www.fireeye.com/blog/threat-research/2019/05/social-media-network-impersonates-us-political-candidates-supports-iranian-interests.html
• APT34 social engineering via LinkedIn: http://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
• FireEye response to mounting U.S.-Iran tensions: https://www.fireeye.com/blog/products-and-services/2020/01/fireeye-response-to-mounting-us-iran-tensions.html
• U.S.-Iran tensions webinar & mitigations overview: https://www.brighttalk.com/webcast/7451/382779
17 Jan 2020
S1E05: Down Periscope
In this episode we were joined by Dan Perez (@MrDanPerez) of FireEye’s Adversary Pursuit team. We discussed our experiences from FireEye's Congressional roundtable on artificial intelligence, provided insight into the analysis leading up to our report on TEMP.Periscope targeting Cambodian election operations, and broke down several notable adversary methods observed during the past few weeks of responding to intrusions that matter.
12 Jul 2018
S2E11: Between Two Steves
Christopher Glyer and Nick Carr sit down with the top two Steves from Advanced Practices: Steve Stone (@stonepwn3000) and Steve Miller (@stvemillertime) to talk about the front-line technical stories and research presented at the 2019 #FireEyeSummit.

With team members embedded on every investigation, they dissect the key takeaways from the past year’s responses and trends in tracking the groups and techniques that matter. They cover the behind-the-scenes of recent FIN7 events* and put that in perspective against Steve’s PDB research** and other research presented at the summit, including talks from Advanced Practices team members on proactive identification of C2, deep code signing research, and rich header hunting at scale. We quickly highlight a favorite talk, “Living off the Orchard”***, revealing TTPs and artifacts left behind from the million mac engagement. There’s double the chance you’ll enjoy Steve as a guest – and we were pleased to finally have them on.

NOTE: Glyer live-tweeted the technical track**** throughout the summit until additional blogs and videos are expected to release.

* https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html
** https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html
*** https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html
**** https://twitter.com/cglyer/status/1181978827028873221
11 Oct 2019