

Overview



A highly sophisticated state-sponsored adversary stole FireEye Red Team tools. Because we believe that an adversary possesses these tools, and we do not know whether the attacker intends to use the stolen tools themselves or publicly disclose them, FireEye is releasing hundreds of countermeasures with this blog post to enable the broader security community to protect themselves against these tools. We have incorporated the countermeasures in our FireEye products, and shared these countermeasures with partners and government agencies, to significantly limit the ability of the bad actor to exploit the Red Team tools.


You can find a list of the countermeasures on the FireEye GitHub repository found here.


Red Team Tools and Techniques


A Red Team is a group of security professionals authorized and organized to mimic a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture. Our Red Team’s objective is to improve enterprise cyber security by demonstrating the impacts of successful attacks and by showing the defenders (i.e., the Blue Team) how to counter them in an operational environment. We have been performing Red Team assessments for customers around the world for over 15 years. In that time, we have built up a set of scripts, tools, scanners, and techniques to help improve our clients’ security postures. Unfortunately, these tools were stolen by a highly sophisticated attacker.


The stolen tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available technologies such as CobaltStrike and Metasploit. Many of the Red Team tools have already been released to the community and are already distributed in our open-source virtual machine, CommandoVM.


Some of the tools are publicly available tools modified to evade basic security detection mechanisms. Other tools and frameworks were developed in-house for our Red Team.


No Zero-Day Exploits or Unknown Techniques


The Red Team tools stolen by the attacker did not contain zero-day exploits. The tools apply well-known and documented methods that are used by other red teams around the world. Although we do not believe that this theft will greatly advance the attacker’s overall capabilities, FireEye is doing everything it can to prevent such a scenario. 


It’s important to note that FireEye has not seen these tools disseminated or used by any adversaries, and we will continue to monitor for any such activity along with our security partners.


Detections to Help the Community


To empower the community to detect these tools, we are publishing countermeasures to help organizations identify these tools if they appear in the wild. In response to the theft of our Red Team tools, we have released hundreds of countermeasures for publicly available technologies like OpenIOC, Yara, Snort, and ClamAV.


A list of the countermeasures is available on the FireEye GitHub repository found here. We are releasing detections and will continue to update the public repository with overlapping countermeasures for host, network, and file-based indicators as we develop new or refine existing detections. In addition, we are publishing on the GitHub page a list of CVEs that need to be addressed to limit the effectiveness of the Red Team tools.


FireEye Products Protect Customers Against These Tools


Teams across FireEye have worked to build the countermeasures to protect our customers and the broader community. We have incorporated these countermeasures into our products and shared these countermeasures with our partners, including the Department of Homeland Security, who have incorporated the countermeasures into their products to provide broad coverage for the community.


More information on the detection signatures available can be found in the GitHub repository.
