Discover and read the best of Twitter Threads about #FireEyeSummit

Most recent (10)

Hey #ATTACKcon here's a recap of
#GuardrailsOfTheGalaxy: The Prologue
including the *first* three awards – #Guardies 🏆
+ the slides
I'm your thread host, @ItsReallyNick from the #AdvancedPractices 🦅 Adversary Methods team where we "reverse engineer" attacker techniques...
Why a lightning talk on Execution Guardrails (#T1480)?
• We worked with @stromcoffee & @MITREattack team who added the new technique in April 2019:
• Smart people suggest that guardrails are correlated with adversary sophistication
• 💂🛤️ are fun! ...
Guardrail Definition & Detection Concepts
$coverage = /de(fini|tec)tion/

The unique combination of behaviors that define guardrailing – and their order – can be used to detect it.

Pitfalls: stage 1 recon, confusing with broader AV/tech evasions, and "legitimate" guardrailing...
๐ŸŽŸ๏ธ๐ŸฟMovie Night: "Between Two Steves"
๐Ÿ†•#StateOfTheHack

@cglyer & I chat with the top two Steves from #AdvancedPractices 🦅: @stonepwn3000 & @stvemillertime to talk about the front-line technical stories and research presented at the 2019 #FireEyeSummit.
pscp.tv/w/1YpJkYjBleMKj
@cglyer @stonepwn3000 @stvemillertime 🗣️
• tracking the groups and techniques that matter
• recent #FIN7 events: fireeye.com/blog/threat-re…
• recent #AdvancedPractices team research, including PDB dossier & summit talks on proactive identification of C2, deep code signing research, and rich header hunting at scale...
We highlight a favorite talk
๐ŸŽ ๐—Ÿ๐—ถ๐˜ƒ๐—ถ๐—ป๐—ด ๐—ผ๐—ณ๐—ณ ๐˜๐—ต๐—ฒ ๐—ข๐—ฟ๐—ฐ๐—ต๐—ฎ๐—ฟ๐—ฑ ๐ŸŽ
by @williballenthin, @nicastronaut, @HighViscosity
revealing TTPs & artifacts left behind from the million mac engagement
fireeye.com/blog/threat-re…
We kinda want to do a full #StateOfTheHack on that one...
🤙💰 Mahalo FIN7: fireeye.com/blog/threat-re…
• On several on-going investigations we saw #FIN7 trying to retool 🏄🏼
• Used DLL search order hijacking of a legit POS management utility with a signed backdoor (0 detections on VirusTotal)
• Hunting for #BOOSTWRITE and #RDFSNIFFER 💳
.@josh__yoder & I stayed up much of the night to get this blog out.
The signed #BOOSTWRITE sample is still undetected by static VT scanners: virustotal.com/gui/file/18cc5…
We were fair on why that is and how that doesn't fully represent detection posture.
Then we provided hunting rules.
#FIN7's code signing certificate is purportedly from Mango Enterprise Limited in the UK.
Prob not theirs - based on the street address, I suspect there's more car theft than certificate theft 😜: maps.app.goo.gl/MbznDeJPHJr4n5…

We analyze & discuss how to find the certificate anomalies!
I'm going to be live tweeting the #FireEyeSummit technical track chaired by @stvemillertime
First up is @HoldSecurity discussing how to harvest information from botnets

#FireEyeSummit
@HoldSecurity harvests information periodically from various botnet information panels (that give them view into the size and systems in the botnet).

Fun fact - Gozi botnet has so many systems connected all queries on the information panel time out

#FireEyeSummit
So FEYE just opened up some internal security APIs (detection as a service, virtual NX) and launched a developer relations program. 😯
That's a very... different @FireEye & a surprise even to employees.

๐ŸŒDeveloper hub: fireeye.dev
๐Ÿ”—AWS Apps: aws.amazon.com/marketplace/seโ€ฆ Image
@FireEye @FireEyeDev @GradyS @jtviolet I wasn't involved with this effort, but I just met our new dev relations guy @jtviolet at #FireEyeSummit and this was dropped on the main stage by @GradyS

It looks like more APIs are coming? @FireEyeDev👀
Time to go see what we're exposing and hope we're storing *some* telemetry
@FireEye @FireEyeDev @GradyS @jtviolet Hopefully we can get more of our @Mandiant & #FLARE microservices*⃣ available via public API for the right price.

~thinking to myself~ "maybe if I post publicly it will happen"
😉🙏🏽

*⃣config extractors, traffic decoders, forensic artifact analyzers, toolmark highlighters
1/ File under #BadSpeaker - Former U.S. Secretary of State Hillary Rodham Clinton is a "featured" keynote at our #FireEyeSummit. Intimate Q&A includes: the old lady wrist prop technique to support your hammer hand; & how to avoid "eye" splatter from bleach-bit by using a cloth.
2/ With special followup diatribe by #CrookedHillary on "how to ignore security warnings for the State Department and #FBI when your computer is infected and forwarding all your E-mails to China". Finally get Hillary's inside scoop on "What Difference Does it [AKAsecurity] Make"
3/ Be amazed that a legitimate security conference actually invited the most inept, corrupt, and "security lazy" SOS in US history.
"You've Got Mail"

@danielcabaniel @CyberAmyntas discussing email phishing and mail server attack trends

#FireEyeSummit
APT34 compromised a trusted partner org - and used that to abuse trust (convinced user to enable macros) and successfully phish victim

Subsequently staged data theft files on the Exchange server as .png files and downloaded from the server.

#FireEyeSummit
C-level credential phished while on vacation - APT34 used account access to phish entire company. Even though infosec team blocked URL on web proxy - employees switched to guest wi-fi to access the URL.

#FireEyeSummit
.@TekDefense introducing our next talk about unmasking APT38 - a North Korean threat actor focused on financial attacks

Blog released today with more details
fireeye.com/blog/threat-re…

#FireEyeSummit
APT38 targeted banks (SWIFT messaging initiated wire transfers you've read about in the news) and crypto currency exchanges (among other orgs)

#FireEyeSummit
Yes - you read that right. APT38 has used multiple different (and escalating tactics over time) to destroy evidence including deploying ransomware and running disk wiping malware

#FireEyeSummit
First up Matias and Adrian discussing investigating the threat actor that MSFT calls Platinum

...and right out of the gate the threat actor steals your EDR agent installer 😮 #SignsThisProbablyIsntAScriptKiddie

#FireEyeSummit
It's not often that you see ACI Shims used for persistence

#FireEyeSummit
How do you hunt for ACI Shim persistence? Multiple different techniques - but the Windows Program-Telemetry logs are a great place to look

#FireEyeSummit
What they thought *might* be a boring IR based on initial leads, quickly became interesting when the attacker snapped up the endpoint tooling they just deployed.

Peep that renamed rar.exe snapping up our files for nation state attackers (PLATINUM) to analyze 😅

#FireEyeSummit
It takes hard #DFIR work to get this point but there is nothing quite like uncovering novel/rare persistence and playing around with new attacker tools to understand them. A bit jealous of Adrien and Matias finding Platinum's #REDSALT.
Platinum undetected for 9 years at victim.
These guys found multiple APT groups on network.

The talk then gets into additional advanced backdoors with crazier capabilities that were first.

There's so much here. I'm hearing we *might* upload #FireEyeSummit videos to YouTube 🤞