Mandiant Podcast

State of the Hack

State of the Hack is a podcast series that discusses the latest in information security, digital forensics, incident response, cyber espionage, APT attack trends, and tales from the front lines of significant targeted intrusions. Watch previous editions of the State of the Hack on the Mandiant YouTube channel or listen to the recordings below.



Extortion, Ransoms & the Wonderful Life of Red Teams

In today's threat landscape, data theft and extortion go hand in hand with ransomware. In this episode of State of the Hack, we'll talk about how data theft plays a role in modern-day ransomware incidents, how attackers carry out data theft, and how we simulate data theft during our Red Team assessments so clients can test their detection capabilities.

The Wonderful World of Web Shells

An oft-undiscussed tactic, web shells are a popular way for threat actors of all flavors to gain initial footholds, move laterally, and maintain persistence in a stealthy manner. Austin and Doug discuss a popular exploit that has been observed in the wild leading to web shells and what infosec practitioners can do to protect against this class of malware.

Apex Predators: Inside OpSec Strategy

This episode discusses the idea of operational security ("OPSEC") from an attacker's perspective. OPSEC relates to how an attacker or red team might try to make their activities stealthier to avoid detection. Hosts Evan Pena and Julian Pileggi talk about the various ways the Mandiant Red Team carries out their operational security during an adversary simulation exercise, and interesting techniques they see attackers using that have a high level of operational security.

Azure Got Run Over by a Refresh Token

Join us for our holiday episode as we search for silver bells and silver linings in our move to The Cloud! The cast sits down with Dirk-Jan Mollema to talk Azure AD and Primary Refresh Tokens; and what savvy defenders can do to secure their own cloud credentials.

Weaponizing Office Documents with VBA Purging

Malicious Office documents whose module streams contain source code but no P-code are more likely to evade YARA rules and AV detection. This evasion technique is called VBA purging, which differs from the previously observed VBA stomping technique. In this episode we discuss what VBA purging is, the difference between purging and stomping, the consequences of this technique, and a new tool created by Mandiant's Red Team called OfficePurge.

KEGTAP-ing Out: Don't be a One Trickbot Pony

State of the Hack is back! Featuring new hosts Doug Bienstock (@doughsec), Austin Baker (@bakedsec), Julian Pileggi (@x64_Julian), and Evan Pena (@evan_pena2003) and new content. Doug and Austin kick things off and dive into a recent flood of phishing campaigns associated with KEGTAP aka BazaaLoader. They discuss some interesting toolmarks of the KEGTAP attack chain and why it is so dangerous.


Hacking Tracking Pix & Macro Stomping Tricks

On today's show, Nick Carr and Christopher Glyer break down the anatomy of a really cool pre-attack technique, tracking pixels, and how it can inform more restrictive and evasive payloads in the next stage of an intrusion. We're joined by Rick Cole (@a_tweeter_user) to explore one such evasive method seen in the wild: Macro Stomping. And we close the show by deep-diving with Matt Bromiley (@_bromiley) on the critical vulnerability we've been responding to most in 2020, and what we've seen several attackers do post-compromise.

Spotlight Iran - from Cain & Abel to full SANDSPY

In response to increased U.S.-Iran tensions stemming from the recent death of Quds Force leader Qasem Soleimani by U.S. forces and concerns of potential retaliatory cyber attacks, we're bringing the latest from our front-line experts on all things Iran. Christopher Glyer and Nick Carr are joined by Sarah Jones (@sj94356) and Andrew Thompson (@QW5kcmV3) to provide a glimpse into Iran-nexus threat groups - including APT33, APT34, APT35, APT39, and TEMP.Zagros - as well as the freshest actionable information on suspected Iranian uncategorized (UNC) groups that are active right now.


Rudolph the Redsourced Reindeer

Ho ho homepage! Christopher Glyer and Nick Carr are back for the last episode of 2019. They’re closing the year with a look at this month’s front-line espionage activity and a whole bunch of FIN intrusions! In addition to the threat round-up, they highlight some of our Mandiant consultants doing that work and a few DFIR tricks they included in a recent blog.

Shellcode. DLLy DLLy!

Christopher Glyer and Nick Carr are back with an extremely offensive episode with red teamers Evan Pena (@evan_pena2003) and Casey Erikson (@EriksocSecurity). They get right into why they use shellcode (any piece of self-contained executable code) and some of the latest shellcode execution & injection techniques that are working in-the-wild.

Between Two Steves

Christopher Glyer and Nick Carr spoke with Steven Stone and Steven Miller about their FireEye Cyber Defense Summit technical track talk, their interesting use of PDB and rich header hashes for hunting at scale, recent FIN7 events, and other advanced-practices topics.

from MATH import CYBERZ*

Christopher Glyer and Nick Carr interview Matt Berninger (@secbern) about his journey from Incident Responder to Data Scientist and how that has shaped his perspective on ML applications and issues in the industry today. This discussion provides a brief overview of Data Science fundamentals and how they apply to common cybersecurity problems. They also discuss how to navigate the deluge of ML marketing and what considerations to make before including ML in your security stack. Finally, they dive into some recent Data Science projects and explain how the FireEye Data Science team works with practitioners around the company to solve complex problems.

DerbyCon Edition with Dave Kennedy

Christopher Glyer and Nick Carr interview Dave Kennedy (@HackingDave) on his experience running DerbyCon over the years, what conferences he plans to attend next, and future plans to build and support DerbyCon Communities (DerbyCom). Red teaming in the last few years has started to get harder due to improvements in security visibility, improved security tools, and better SOC teams. They discussed how Dave's red team at @TrustedSec uses security tools to baseline what their activity looks like so they can try to blend in with legitimate activity, and the trend of red teams shifting away from PowerShell to C-based tools and backdoors. Finally, they discussed both new and old (but still effective) techniques recently seen in the wild that can evade detection, including py2exe- and pyinstaller-based backdoors and tools.

DerbyCon Edition with Nate Warfield

Christopher Glyer and Nick Carr interview Nate Warfield (@n0x08) on his experience working at Microsoft's Security Response Center (MSRC). They discuss how Nate's team manages the vulnerability reporting and fix/remediation process across Microsoft's range of products and services. They also debated what makes the BlueKeep and DejaBlue vulnerabilities different from previous vulnerabilities and why this particular set of vulns took so long to have public exploit code available. Nate also shared his first-hand experience responding to the Shadow Brokers release of exploits and his thoughts on the release of the WannaCry worm.

DerbyCon Edition w/ Carlos Perez & Benjamin Delpy

In this episode, Christopher Glyer and Nick Carr interview Carlos Perez (Darkoperator, @Carlos_Perez) and Benjamin Delpy (@gentilkiwi) on all things related to Mimikatz and Kekeo. They discuss Carlos' new class on Mimikatz, the background on why he started it, how red teamers can use the features in unique and creative ways, and how blue teamers can detect the activity. Benjamin shared the background on how he developed the tools (hint: he didn't read the Kerberos RFC), some of their lesser-known capabilities, like cloning near field communication (NFC) proximity badges, how Kerberos golden tickets got their default 10-year lifetime, why you only really need to set the expiration to 20 minutes, and his "creative" documentation (e.g. animated GIFs posted to Twitter).

APT41 - Double Dragon: The Spy Who Fragged Me

This is our APT group graduation party for APT41: Double Dragon, conducting both Chinese state-sponsored espionage activity and personal financially-motivated activity. You've read the report and on this episode, Christopher Glyer and Nick Carr go behind-the-scenes with two technical experts, Jackie O'Leary and Ray Leong, who worked for months to produce the report. We answer viewer questions and discuss sifting years of incident response data, peppered with Glyer's IR war stories, and fascinating malware and techniques analyzed by our reverse engineers in FLARE.

SotH Convos: Finding Evil in Windows 10 Compressed Memory

We are kicking-off a new segment on State of the Hack - an audio-only deep dive discussion with authors from popular technical blogs. On this episode, Christopher Glyer and Nick Carr spoke with FireEye's Blaine Stancill (@MalwareMechanic) and Omar Sardar (@osardar1) on their recent blog post, "Finding Evil in Windows 10 Compressed Memory."

You can read the full post here.

Your Payment Cards Are Our Business Cards

We interviewed one of our most tenured analysts, Barry Vengerik (@barryv), on a range of viewer-requested topics, including: a FIN7 retrospective, the recent surge of Iranian threat activity, APT34 targeting organizations via LinkedIn messaging, FSB contractor leaks, APT36 USB drop attacks, and some tales of recent investigations involving insider threats.

This episode brought to you by Combi Security: "Creative Red Teaming with Flexible payment options"

Ransom Acts of Flyness

Christopher and Nick kicked off the latest episode with recent updates to the MITRE ATT&CK framework, including several techniques that they submitted. During the episode they discuss Outlook add-in persistence, renamed binaries, and the high-level increase in execution guardrails observed, all of which were added in the May update to ATT&CK. They also spoke about CARBANAK Week, gave new details on FIN7's ongoing operations, broke down the new APT34 "leaks", and gave a threat research blog round-up.

Behind the ATM Heist & Other Red Team Stories

On this episode, we got right into a bunch of new in-the-wild activity! We discussed FIN6's shift to deploying enterprise ransomware, including their recent LOCKERGOGA campaigns. The recent DAYJOB/ShadowHammer supply chain compromises prompted some discussion around this trend and several hunting techniques. We covered our newly-released blog on the techniques that the attackers used to deliver the TRITON malware framework and how to hunt for them. We wanted to learn more about attacker creativity and their mindset by inviting a real-life adversary onto our show: Alyssa Rahman (@ramen0x3f) from our Red Team.

Trending 10 Years of Breach Response (RSAC #SendUsSwag)

In this latest episode, we featured FireEye Principal Threat Analyst and M-Trends contributor Regina Elwell, who took us on a deep dive of our annual M-Trends report. We discussed how key metrics from our incident response investigations changed, including dwell times, source of notification, and which industries were impacted. Additionally, we broke down some of the highlights of four threat actors we upgraded in 2018: APT37, APT38, APT39, and APT40. Finally, we discussed several takeaways from the Mandiant consulting case studies and common remediation recommendations.


We're back for season 2 and discussed reports of destructive/disruptive attacks by APT33 and DNS hijacking. We also spoke with Matthew Dunwoody and Alex Orleans about one of our favorite topics: APT29.


Holiday APT Spectacular

In their final episode of 2018, Christopher Glyer and Nick Carr brought the holiday cheer by providing a wrap-up of interesting targeted attacker activity from the past 90 days, including CNIIHM links to the TRITON ICS attacks, a suspected APT29 spearphishing campaign, and several recent DOJ indictments. They also highlighted some interesting techniques, including DNS over HTTPS and profiling victims pre-attack using both compromised websites and Office documents.

Facing Forward: Cyber Security in 2019 and Beyond

In this episode, Christopher Glyer and Nick Carr spoke with Steven Booth, Chief Security Officer at FireEye, to discuss what’s to come in 2019, including attackers and nations attempting to emulate other threat groups, increased leveraging of legitimate services for command and control, machine learning and artificial intelligence, a decreased and more selective use of PowerShell in attacks, and much more. If you want to get into the nitty gritty of cyber security in 2019, you won’t want to miss this episode.

Special Edition: FLARE vs. Carbanak

In this segment, we sit down with two Staff Reverse Engineers on the FLARE team, Michael Bailey (@mykill) and James “Tom” Bennett (@jtbennettjr), who were at CDS this year to discuss the results of nearly 500 total hours of analysis of the Carbanak source code we acquired.

Special Edition: Upgrading to APT38

In this segment, we welcome two core contributors to the APT38 report: Nalani Fraser, Manager of the Advanced Analysis Team, and Jackie O’Leary, Senior Analyst on the Advanced Analysis Team.

Special Edition: Understanding the GRU Indictments

In this segment, we start with the recently announced indictments charging Russian GRU officers with international hacking and related influence and disinformation operations, then bounce to APT28, and the conversation keeps going from there.

Iranian Influence Operation

Christopher Glyer and Nick Carr spoke with FireEye Intel Analyst Lee Foster about how FireEye identified a suspected influence operation that appears to originate from Iran and is aimed at audiences in the U.S., U.K., Latin America, and the Middle East.

Special Black Hat Edition: Sean Metcalf

During our chat, Sean explained how he got started in the world of Active Directory security about a decade and a half ago, when he was an Active Directory engineer. He discussed some of the challenges he faced between then and now while traversing relatively uncharted territory.

Special Black Hat Edition: Matt Graeber

Some of the topics covered include PowerShell, Matt’s “Subverting Sysmon” Black Hat USA 2018 talk, and the things that Matt will do in the name of a good cause.

Special Black Hat Edition: Katie Nickels

Special Guest Katie Nickels (@likethecoins) talks about how her team processes new intel as it’s made public (she said she was really excited about our latest FIN7 blog post – thanks Katie!), and about a new ATT&CK philosophy paper MITRE recently released that describes the collaborative process of incorporating new TTPs.

Black Hat USA 2018 Edition

We open up this episode by talking about all things FIN7, including their tools, their tactics, techniques and procedures (TTPs), and some of the ways FIN7 activity changed following arrests made as far back as January.

Down Periscope

In this episode we were joined by Dan Perez (@MrDanPerez) of FireEye's Adversary Pursuit team. We discussed our experiences from FireEye's Congressional roundtable on artificial intelligence, provided insight into the analysis leading up to our report on TEMP.Periscope targeting Cambodian election operations, and broke down several notable adversary methods observed during the past few weeks of responding to intrusions that matter.

Illuminating the Adversary

In May we were joined by Andrew Thompson (@QW5kcmV3) of FireEye's Adversary Pursuit team. We explored the evolution and current state of cloud services OAuth abuse, how we do technical intelligence and attribution, and some war stories from the past few weeks of responding to intrusions that matter.

Hunting Targeted Attackers @ Scale, Live-ish from RSA

In episode 3, we were joined by Alex Lanstein (@alex_lanstein), one of the first employees at FireEye, who hunts through product telemetry data to identify new targeted campaigns. During the RSA conference, with so many others referencing breaches and hunting from the periphery, we thought it would be good to chat about primary source data from our ongoing APT and FIN attack investigations and how to identify anomalies the way Alex does.

Cafe Bohannon

“Activity Round-up”: This week, we talk about new techniques being used by Iran's "MuddyWater" (TEMP.Zagros) and Vietnam's APT32. We discuss our Mandiant response efforts into large Chinese espionage campaigns that have picked up in the past year, highlighting both APT20 targeting of service providers and some fresh TEMP.Periscope activity at many clients.

State of the FIRST

Join us as we kick off our FireEye #StateOfTheHack video series. Part podcast, part happy hour hangout, but all freeform and streaming LIVE. We explain who we are and what we’re doing with this series.