OVERRULED: Containing a Potentially Destructive Adversary

Introduction
FireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry. Public reporting indicates this activity may be related to recent destructive attacks. FireEye’s Managed Defense …

What are Deep Neural Networks Learning About Malware?

An increasing number of modern antivirus solutions rely on machine learning (ML) techniques to protect users from malware. While ML-based approaches, like FireEye Endpoint Security’s MalwareGuard capability, have done a great job at detecti…

FLARE Script Series: Automating Objective-C Code Analysis with Emulation

This blog post is the next episode in the FireEye Labs Advanced Reverse Engineering (FLARE) team Script Series. Today, we are sharing a new IDAPython library – flare-emu – powered by IDA Pro and the Unicorn emulation …

Obfuscated Command Line Detection Using Machine Learning

This blog post presents a machine learning (ML) approach to solving an emerging security problem: detecting obfuscated Windows command line invocations on endpoints. We start out with an introduction to this relatively new threat capability, and …

Cmd and Conquer: De-DOSfuscation with flare-qdb

When Daniel Bohannon released his excellent DOSfuscation paper, I was fascinated to see how tricks I used as a systems engineer could help attackers evade detection. I didn’t have much to contribute to this conversation until I had to ana…
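The two excerpts above (obfuscated command line detection, and de-DOSfuscation) only introduce the problem; neither the trained model nor flare-qdb is reproduced here. The following is an added example, not code from FireEye or either post: it normalizes the most common DOSfuscation tricks from Bohannon's paper (caret escapes, inserted double quotes, and `%VAR:~start,len%` environment-variable substring expansion) and computes a few hand-picked features that a detector could feed to a classifier. The environment variables, the sample command lines, the feature weights and the threshold are all constructed for illustration, and the cmd.exe parsing is deliberately simplified (percent expansion before caret handling, no `set` concatenation or FOR-loop decoding).

```python
import math
import re
from collections import Counter

# Constructed environment for the substring-expansion demo (not read from a host).
SAMPLE_ENV = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "PUBLIC": r"C:\Users\Public",
}

# %NAME:~start% or %NAME:~start,len% as used by cmd.exe substring expansion
SUBSTR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*):~(-?\d+)(?:,(-?\d+))?%")


def expand_substrings(cmd, env=SAMPLE_ENV):
    """Expand %VAR:~start,len% using cmd.exe semantics: a negative start counts
    back from the end of the value, a negative len drops that many trailing chars."""
    def repl(m):
        name, start, length = m.group(1), int(m.group(2)), m.group(3)
        value = env.get(name.upper())
        if value is None:
            return m.group(0)          # unknown variable: leave untouched
        s = start if start >= 0 else max(len(value) + start, 0)
        if length is None:
            return value[s:]
        n = int(length)
        return value[s:s + n] if n >= 0 else value[s:len(value) + n]
    return SUBSTR_RE.sub(repl, cmd)


def normalize(cmd):
    """Heuristic normalization (not a full cmd.exe parser): drop the escape caret
    and keep the character it escapes, and drop inserted double quotes."""
    out, in_quotes, escaped = [], False, False
    for ch in cmd:
        if escaped:
            out.append(ch)
            escaped = False
        elif ch == "^" and not in_quotes:
            escaped = True             # ^x outside quotes means literal x
        elif ch == '"':
            in_quotes = not in_quotes  # the quote itself is not passed on
        else:
            out.append(ch)
    return "".join(out)


def deobfuscate(cmd, env=SAMPLE_ENV):
    # cmd.exe performs percent expansion before it handles ^ and ", so do the same
    return normalize(expand_substrings(cmd, env))


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def features(cmd):
    """Feature vector a classifier could consume; weights below are illustrative."""
    n = max(len(cmd), 1)
    norm = deobfuscate(cmd)
    return {
        "length": len(cmd),
        "caret_ratio": cmd.count("^") / n,
        "quote_ratio": cmd.count('"') / n,
        "substr_expansions": len(SUBSTR_RE.findall(cmd)),
        "shrink": 1.0 - len(norm) / n,   # how much normalization removed
        "entropy": shannon_entropy(cmd),
    }


def obfuscation_score(cmd):
    f = features(cmd)
    return (10 * f["caret_ratio"] + 10 * f["quote_ratio"]
            + f["substr_expansions"] + 5 * f["shrink"])


def is_obfuscated(cmd, threshold=1.0):
    # Constructed threshold; a real deployment would tune it on labelled data.
    return obfuscation_score(cmd) >= threshold


# Constructed sample command lines (benign, caret-inserted, quote+substring-obfuscated)
BENIGN = r"cmd.exe /c dir C:\Users\Public"
OBF_CARETS = "c^m^d^.^e^x^e /c p^o^w^e^r^s^h^e^l^l -nop -w hidden"
OBF_QUOTES = '%COMSPEC:~-7% /c "p"o"w"e"r"s"h"e"l"l" -nop'

if __name__ == "__main__":
    for sample in (BENIGN, OBF_CARETS, OBF_QUOTES):
        print(f"{obfuscation_score(sample):5.2f}  {deobfuscate(sample)}")
```

The normalized string is worth logging alongside the verdict: it is what the analyst wants to read, and the difference between raw and normalized length is itself one of the more robust signals, because any trick that inflates the command line without changing what cmd.exe executes widens it.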

Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign

Introduction

FireEye devices detected intrusion attempts against multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government, and defense contracting. The…

TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers

Overview
In a previous blog post we detailed the TRITON intrusion that impacted industrial control systems (ICS) at a critical infrastructure facility. We now track this activity set as TEMP.Veles. In this blog post we provide additional informat…

ICS Tactical Security Trends: Analysis of the Most Frequent Security Risks Observed in the Field

Introduction
FireEye iSIGHT Intelligence compiled extensive data from dozens of ICS security health assessment engagements (ICS Healthcheck) performed by Mandiant, FireEye’s consulting team, to identify the most pervasive and highest priority sec…

2018 Flare-On Challenge Solutions

We are pleased to announce the conclusion of the fifth annual Flare-On Challenge. The numbers are in and we can safely say that this was by far the most difficult challenge we’ve ever hosted. We plan to reduce the difficulty next year, so i…