Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY, which leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation.
Entries filed under 'Matthew Dunwoody'
Threat Research Blog
FireEye posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. These blog posts cover everything from exploits and vulnerabilities, to advanced malware and targeted attacks.
March 27, 2017 8:00 AM By Matthew Dunwoody | Threat Intelligence
APT29 used domain fronting techniques for backdoor access to hide their network traffic. Detecting these nation-state attackers requires endpoint visibility, as well as visibility into TLS connections and effective network signatures.
February 11, 2016 7:53 AM By Matthew Dunwoody | Vulnerabilities
Mandiant is continuously investigating attacks that leverage PowerShell throughout all phases of the attack. A common issue we experience is a lack of available logging that adequately shows what actions the attacker performed using PowerShell. In those investigations, Mandiant routinely offers guidance on increasing PowerShell logging to provide investigators a detection mechanism for malicious activity and a historical record of how PowerShell was used on systems. This blog post details various PowerShell logging options and how they can help you obtain the visibility needed to better respond, investigate, and remediate attacks involving PowerShell.