Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY, which leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation.Read more...
Entries filed under 'Matthew Dunwoody '
Threat Research Blog
The FireEye Labs team posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. They cover the full spectrum of exploits and vulnerabilities, including advanced malware and targeted threats.
March 27, 2017 8:00 AM By Matthew Dunwoody | Threat Intelligence, Threat Research
APT29 used domain fronting techniques for backdoor access to hide their network traffic. To detect these nation-state attackers requires endpoint visibility, as well as visibility into TLS connections and effective network signatures.
February 11, 2016 7:53 AM By Matthew Dunwoody | Threat Research, Vulnerabilities
Mandiant is continuously investigating attacks that leverage Powershell throughout all phases of the attack. A common issue we experience is a lack of available logging that adequately shows what actions the attacker performed using PowerShell. In those investigations, Mandiant routinely offers guidance on increasing PowerShell logging to provide investigators a detection mechanism for malicious activity and a historical record of how PowerShell was used on systems. This blog post details various PowerShell logging options and how they can help you obtain the visibility needed to better respond, investigate, and remediate attacks involving PowerShell.Read more...