F5 SIRT FireEye Breach Guidance

Update - 12/17/2020


If you are looking for F5's guidance on how to use F5 products to detect or mitigate the SolarWinds Orion issues related to the FireEye disclosure, please see this article: https://devcentral.f5.com/s/articles/F5-SIRT-FireEye-SolarWinds-Guidance-Update


FireEye red-team tool leak


FireEye recently disclosed an incident that has apparently resulted in a malicious actor gaining access to tools used during FireEye red-team engagements for the purposes of penetration testing; this includes tools that could be used to exploit and/or gain a persistent foothold on a target.

It appears that none of the tools contain approaches or techniques novel to FireEye nor any that were previously unknown, as confirmed by FireEye themselves in their blog post on the subject.

FireEye has published a GitHub repository containing information they hope will help the community ensure they are protected against these tools and techniques. Again, none of these tools & techniques are new or unique to FireEye and it is quite likely that you are already well protected, assuming your organisation has a robust defence-in-depth approach to security and implements processes to ensure timely patching of known vulnerabilities in the software platforms you use.

Firstly, we must state that none of the targeted CVEs affect any F5 products and so there is no increased risk of exposure to any F5 products you may have deployed in your network. All of the tools and techniques listed target web-based applications (such as Sharepoint), Microsoft infrastructure services (such as Active Directory) or non-F5 products.

The repository includes ClamAV and Yara rules intended to discover and alert on malicious binaries stored on or running on target endpoints – these are not directly applicable to F5 products and we would encourage you to work with your antivirus or malware protection vendor to ensure they have coverage for these artefacts.

The repository also includes a list of CVEs targeted by FireEye’s red team toolset – many of which are accessed via HTTP – as well as a list of Snort rules designed to detect outbound traffic from a compromised host (e.g., to a command-and-control server). This article will concentrate on the F5 aspect of this information.

Protecting yourself against the FireEye target CVEs

F5 has investigated the list of published CVEs and whether or not they are covered by current or future Advanced WAF signatures:

The two local privilege escalations (CVE-2016-0167 & CVE-2017-11774) cannot be detected by Advanced WAF, of course, as they are exploited directly on a target machine via local access or a local user receiving a specifically crafted email.

The vulnerabilities marked “Non-HTTP” are not exploited over HTTP, so they are not candidates for Advanced WAF signatures; they should be protected against by patching or other mechanisms.

The remaining HTTP vulnerabilities, however, are covered either by generic Advanced WAF signatures (the type of which is noted above) or by signatures created specifically for the CVE, in which case the signature number is noted so that you can ensure the relevant signature is included in your Advanced WAF policy where appropriate.

*Note: Non-HTTP services may be protected by the AFM Protocol Inspection signatures, e.g. CVE-2019-0708 is covered by AFM Signature 2626. See the next section for more information on the AFM Protocol Inspection engine.

Detecting exploitation using the FireEye Snort rules

As previously mentioned, FireEye have released a set of Snort rules to detect the outbound traffic sent by the toolset installed on compromised hosts. While BIG-IP does not consume Snort rules directly, these rules are (with the exception of four) excellent candidates for translation into BIG-IP AFM Protocol Inspection rules. This optional feature of BIG-IP AFM comes bundled with a large number of rules but also allows the administrator to create their own custom rules using very similar syntax to that of the Snort rules, allowing for easy translation between the two.

F5 has converted these rules as a service to its customers; however, we must note that these converted rules are provided on an as-is basis: they have not been tested against traffic generated by the stolen FireEye tools, and there may be errors in transcription or indeed in the original rules. F5 is not responsible for defects in these signatures, does not warrant them for performance or accuracy, and will not provide support for them. If you are concerned about false positives, apply them in Alarm and Log mode only, and move them to a Blocking configuration only once you are satisfied with their efficacy in your network.

The rules can be found in the appendix of this article.

As mentioned, four of the rules provided by FireEye do not translate directly into F5 Protocol Inspection syntax: those Snort rules match traffic (TCP and UDP) on specific port numbers. Since the Protocol Inspection engine operates above Layer 4, the port information is not available, so these rules could trigger false positives (they are marked with a comment to that effect in the appendix). F5 advises a longer period of observation to confirm that these rules do not trigger false positives in your specific environment before applying them in Blocking mode.

More information on the AFM Protocol Inspection feature and how to apply these rules to traffic on your network can be found in the AFM Operations Guide or the manual chapter titled "Inspecting Protocol Anomalies" for your software version.
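The Snort-to-Protocol-Inspection translation described above, as an added example (this is not F5's conversion tooling nor FireEye's code): a small Python converter that emits tmsh "create ... sig" lines in the layout the appendix uses, drops fast_pattern as the appendix notes, and turns a port-specific Snort header into the same warning comment the appendix carries, since the engine cannot express ports. It also includes a check for typographic quotes, the paste hazard the appendix instructions warn about. The two input rules are constructed for the example and are not FireEye's rules; the reference URL is a placeholder, and the mapping of a Snort "$HOME_NET -> $EXTERNAL_NET" header to "direction to-server", of "metadata:service" to "service", and the list of dropped metadata keywords are this example's assumptions rather than documented F5 behaviour.

```python
"""Snort-to-AFM Protocol Inspection converter (added example, not F5 or FireEye tooling).

It reproduces the layout of the hand-converted rules in the appendix and makes the
two documented losses explicit: 'fast_pattern' is dropped, and header port numbers
cannot be expressed, so a warning comment is emitted instead (as in the appendix).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Placeholder: the appendix rules carry the FireEye blog URL in these two fields.
REFERENCE_URL = "https://example.invalid/reference-link-placeholder"

# Assumption: these Snort options have no counterpart in the converted rules. msg and
# sid are mapped to description/name and id; the rest are metadata or Snort-only.
DROPPED = {"msg", "sid", "rev", "reference", "classtype", "metadata",
           "priority", "flow", "fast_pattern"}

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$",
    re.S,
)

# Constructed sample rules for this example; they are not FireEye's rules.
CONSTRUCTED_RULES = [
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Example.HTTP.BEACON.[Constructed GET]"; '
    r'flow:established,to_server; content:"GET"; depth:3; content:"Accept: */*"; fast_pattern; '
    r'content:"Cookie: sess-="; pcre:"/^GET\s\/v1\/(queue|pull)/"; metadata:service http; '
    r'sid:9000001; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET 88 (msg:"Example.TCP.Constructed.[nonce]"; '
    r'content:"|05|"; depth:30; content:"|6C 69 6C 00|"; within:25; sid:9000002; rev:1;)',
]

SMART_QUOTES = "\u201c\u201d\u2018\u2019"


@dataclass
class AfmSignature:
    name: str
    description: str
    protocol: str
    direction: str
    service: str
    sig_id: str
    sig: str
    warnings: list = field(default_factory=list)

    def tmsh(self) -> str:
        """Render the signature as the appendix does: warning comments, then one create line."""
        lines = [f"#{w}" for w in self.warnings]
        lines.append(
            f'create {self.name} description "{self.description}" protocol {{ {self.protocol} }} '
            f'references "{REFERENCE_URL}" reference-links "{REFERENCE_URL}" '
            f'service {self.service} id {self.sig_id} direction {self.direction} sig "{self.sig}"'
        )
        return "\n".join(lines)


def split_options(body: str) -> list[tuple[str, str]]:
    """Split the Snort option body on ';' outside quotes, honouring backslash escapes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # keep \" and \; as written
            cur.append(ch); cur.append(body[i + 1]); i += 2; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                key, _, val = tok.partition(":")
                opts.append((key.strip(), val.strip()))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return opts


def direction_from(src: str, dst: str) -> str:
    """Assumption: a beacon leaving $HOME_NET for $EXTERNAL_NET is client-to-server traffic."""
    if src.startswith("$HOME_NET") and dst.startswith("$EXTERNAL_NET"):
        return "to-server"
    if src.startswith("$EXTERNAL_NET") and dst.startswith("$HOME_NET"):
        return "to-client"
    return "any"


def has_smart_quotes(text: str) -> bool:
    """True if a copy/paste step has turned ASCII quotes into typographic ones."""
    return any(ch in SMART_QUOTES for ch in text)


def snort_to_afm(rule: str) -> AfmSignature:
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule: " + rule[:40])
    opts = split_options(m.group("body"))
    meta = {k: v for k, v in opts if k in ("msg", "sid", "metadata")}
    msg = meta.get("msg", '"unnamed"').strip('"')
    # Appendix naming: brackets removed, remaining unsafe characters become '_'.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", msg.replace("[", "").replace("]", ""))
    svc = re.search(r"service\s+(\w+)", meta.get("metadata", ""))
    kept = [(k, v) for k, v in opts if k not in DROPPED]
    body = " ".join(f"{k}:{v};" if v else f"{k};" for k, v in kept)
    # Quote the option string for tmsh: unescaped '"' becomes '\"'; ';' stays raw.
    sig = re.sub(r'(?<!\\)"', r'\\"', body)
    warnings = [
        f"Snort rule uses {label} port {port} which is not available in AFM PI syntax. "
        "May generate false-positives due to lack of port specificity"
        for label, port in (("source", m.group("sport")), ("destination", m.group("dport")))
        if port != "any"
    ]
    return AfmSignature(name, msg, m.group("proto"), direction_from(m.group("src"), m.group("dst")),
                        svc.group(1) if svc else "other", meta.get("sid", "0"), sig, warnings)


if __name__ == "__main__":
    for r in CONSTRUCTED_RULES:
        out = snort_to_afm(r).tmsh()
        assert not has_smart_quotes(out)
        print(out, end="\n\n")
```

Run it as a script to see both converted rules; the second one comes out prefixed with the same "Snort rule uses destination port 88" comment that the four Rubeus rules carry in the appendix, which is the cue to keep that signature in Alarm and Log mode until its false-positive rate in your environment is known.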

Conclusions

As widely reported, the FireEye breach has not exposed any novel or previously undocumented tools and techniques and does not release any zero-day vulnerabilities into the wild; in reality it provides little in the way of additional information that any competent attacker did not already have access to.

All but four of the target vulnerabilities are from 2019 or earlier, and there are indications that at least some of the stolen tools were based on well-known frameworks such as Cobalt Strike, which are likely already well monitored for in any organisation.

Assuming, therefore, that a potential target organisation already had a robust security posture (timely patching of known vulnerabilities, adequate controls and inspection of endpoints, alerting and logging of anomalies, and virtual patching, e.g. via a WAF), it is unlikely that the release of these tools into the wild has made any material difference to that organisation's security.

Appendix – BIG-IP AFM Protocol Inspection Rules

While we hope they are of value and use, these converted Snort rules are provided as-is and have not been tested against traffic generated by any FireEye tools.

With thanks to James Affeld of F5 Engineering Services for his work converting Snort rules into F5 syntax.

There may be errors in transcription or in the original rules. F5 is not responsible for defects in these signatures, does not warrant them for performance or accuracy, and will not provide support for them. These rules are written in syntax applicable to BIG-IP AFM 15.0 and later; they would require some adjustment to suit BIG-IP AFM 14.1.

These rules can be copied and pasted into a tmsh session by an Administrative user. To do so, ensure you are in the Signature context of Protocol Inspection, within Security. For example:

[user@host5:Active:Standalone] config # tmsh
user@(host)(cfg-sync Standalone)(Active)(/Common)(tmos)# security protocol-inspection signature
user@(host)(cfg-sync Standalone)(Active)(/Common)(tmos.security.protocol-inspection.signature)#

Once in the correct context (and partition, if applicable), the rules below can simply be copied and pasted, ensuring you maintain quotes and escaping exactly as-is (taking care to ensure any quote marks remain ASCII quotes and are not converted into “smart quotes”).

create Backdoor.HTTP.BEACON.CSBundle_USAToday_Server protocol { tcp } direction to-client id 125894 reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" description "Backdoor.HTTP.BEACON.[CSBundle USAToday Server]" references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" sig "content:\"{\"navgd\":\"<div class=gnt_n_dd_ls_w><div class=gnt_n_dd_nt>ONLY AT USA TODAY:</div><div class=gnt_n_dd_ls><a class=gnt_n_dd_ls_a href=https://supportlocal.usatoday.com/\";" service http

create Backdoor.HTTP.BEACON.CSBundle_USAToday_Server2 description "Backdoor.HTTP.BEACON.CSBundle_USAToday_Server" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" direction to-client sig "content:\"HTTP/1.\"; depth:7; content:\"Connection: close\"; content:\"Content-Type: application/json\; charset=utf-8\"; content:\"Content-Security-Policy: upgrade-insecure-requests\"; content:\"Strict-Transport-Security: max-age=10890000\"; content:\"Cache-Control: public, immutable, max-age=315360000\"; content:\"Accept-Ranges: bytes\"; content:\"X-Cache: HIT, HIT\"; content:\"X-Timer: S1593010188.776402,VS0,VE1\"; content:\"Vary: X-AbVariant, X-AltUrl, Accept-Encoding\";" id 125893 service http

create Backdoor.HTTP.BEACON.CSBundle_Original_Server protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125874 direction to-client sig " content:\"HTTP/1.\"; depth:7; content:\"Content-Type: text/json|0d 0a|\"; content:\"Server: Microsoft-IIS/10.0|0d 0a|\"; content:\"X-Powered-By: ASP.NET|0d 0a|\"; content:\"Cache-Control: no-cache, no-store, max-age=0, must-revalidate|0d 0a|\"; content:\"Pragma: no-cache|0d 0a|\"; content:\"X-Frame-Options: SAMEORIGIN|0d 0a|\"; content:\"Connection: close|0d 0a|\"; content:\"{\"meta\":{},\"status\":\"OK\",\"saved\":\"1\",\"starttime\":17656184060,\"id\":\"\",\"vims\":{\"dtc\":\";" description Backdoor.HTTP.BEACON.CSBundle_Original_Server

create Backdoor.HTTP.BEACON.CSBundle_NYTIMES_GET protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125881 direction to-server sig "content:\"GET\"; depth:3; content:\"Accept: */*\"; content:\"Accept-Encoding: gzip, deflate, br\"; content:\"Accept-Language: en-US,en\;q=0.5\"; content:\"nyt-a=\"; content:\"nyt-gdpr=0\;nyt-purr=cfh\;nyt-geo=US}\"; fast_pattern; content:\"|0d 0a|Cookie:\"; pcre:\"/^GET\s(:\/ads\/google|\/vi-assets\/static-assets|\/v1\/preferences|\/idcta\/translations|\/v2\/preferences)/\";" description Backdoor.HTTP.BEACON.CSBundle_NYTIMES_GET

create Backdoor.HTTP.BEACON.CSBundle_Original_Stager protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125879 direction to-server sig "content:\"T \"; offset:2; depth:3; content:\"Accept: */*\"; content:\"Accept-Language: en-US\"; content:\"Accept-Encoding: gzip, deflate\"; content:\"Cookie: SIDCC=AN0-TYutOSq-fxZK6e4kagm70VyKACiG1susXcYRuxK08Y-rHysliq0LWklTqjtulAhQOPH8uA\"; pcre:\"/\/api\/v1\/user\/(:512|124)\/avatar/\";" description Backdoor.HTTP.BEACON.CSBundle_Original_Stager

create Backdoor.HTTP.GORAT.SID1 protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125848 direction to-server sig "content:\"GET\"; depth:3; content:\"|0d 0a|Cookie: SID1=\"; content:!\"|0d 0a|Referer:\"; content:!\"|0d 0a|Accept\";" description Backdoor.HTTP.GORAT.SID1

create Backdoor.HTTP.BEACON.CSBundle_MSOffice_Server description "Backdoor.HTTP.BEACON.[CSBundle MSOffice Server]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125887 direction to-client sig "content:\"HTTP/1.\"; depth:7; content:\"{\"meta\":{},\"status\":\"OK\",\"saved\":\"1\",\"starttime\":17656184060,\"id\":\"\",\"vims\":{\"dtc\":\"\";"

create Backdoor.SSL.BEACON.CSBundle_Ajax description "Backdoor.SSL.BEACON.[CSBundle Ajax]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125873 direction to-server sig "content:\"|16 03|\"; depth:2; content:\"US\"; content:\"US\"; distance:0; content:\"ajax.microsoft.com\"; content:\"ajax.microsoft.com\"; distance:0; content:\"Seattle\"; content:\"Seattle\"; distance:0; content:\"Microsoft\"; content:\"Microsoft\"; distance:0; content:\"Information Technologies\"; content:\"Information Technologies\"; distance:0; content:\"WA\"; content:\"WA\"; distance:0;"

#Deleted a fastpattern invocation
create Backdoor.HTTP.BEACON.Yelp_GET description "Backdoor.HTTP.BEACON.[Yelp GET]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 133355045 direction to-server sig "content:\"GET \"; depth:4; content:\"&parent_request_id=\"; distance:0; within:256; content:\" HTTP/1\"; distance:0; within:1024; content:\"|0d 0a|Sec-Fetch-Dest: empty|0d 0a|\"; distance:0; within:256; content:\"request_origin=user\"; offset:0; depth:256; pcre:\"/^GET [^\r\n]{0,256}&parent_request_id=(:[A-Za-z0-9_\/\+\-%]{128,1024})={0,2}[^\r\n]{0,256} HTTP\/1\.[01]/\";"

create Backdoor.DNS.BEACON.CSBundle_DNS description "Backdoor.DNS.BEACON.[CSBundle DNS]" protocol { udp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service dns id 125872 direction any sig "content:\"|00 01 00 01|\"; offset:4; depth:4; content:\"|0a|_domainkey\"; distance:0; content:\"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 02 01 00 ff|v=DKIM1\; p=\"; distance:0;"

create Backdoor.HTTP.BEACON.CSBundle_CDN_GET description "Backdoor.HTTP.BEACON.[CSBundle CDN GET]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125890 direction to-server sig "content:\"GET\"; depth:3; content:\"Accept: */*\"; content:\"Accept-Encoding: gzip, deflate, br\"; content:\"Accept-Language: en-US|0d 0a|\"; content:\"client-=\"; content:\"\;auth=1}\"; content:\"Cookie:\"; pcre:\"/^GET\s(:\/v1\/queue|\/v1\/profile|\/v1\/docs\/wsdl|\/v1\/pull)/\";"

create Backdoor.HTTP.BEACON.CSBundle_USAToday_GET description "Backdoor.HTTP.BEACON.[CSBundle USAToday GET]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125892 direction to-server sig "content:\"GET\"; depth:3; content:\"Connection: close|0d 0a|\"; content:\"Accept: */*|0d 0a|\"; content:\"gnt_ub=86\;gnt_sb=18\;usprivacy=1YNY\;DigiTrust.v1.identity=\"; content:\"%3D\;GED_PLAYLIST_ACTIVITY=W3sidSI6IkZtTWUiLCJ0c2wiOjE1OTMwM\;\"; content:\"Cookie:\"; pcre:\"/^GET\s(:\/USAT-GUP\/user\/|\/entertainment\/|\/entertainment\/navdd-q1a2z3Z6TET4gv2PNfXpaJAniOzOajK7M\.min\.json|\/global-q1a2z3C4M2nNlQYzWhCC0oMSEFjQbW1KA\.min\.json|\/life\/|\/news\/weather\/|\/opinion\/|\/sports\/|\/sports\/navdd-q1a2z3JHa8KzCRLOQAnDoVywVWF7UwxJs\.min\.json|\/tangstatic\/js\/main-q1a2z3b37df2b1\.min\.js|\/tangstatic\/js\/pbjsandwich-q1a2z300ab4198\.min\.js|\/tangstatic\/js\/pg-q1a2z3bbc110a4\.min\.js|\/tangsvc\/pg\/3221104001\/|\/tangsvc\/pg\/5059005002\/|\/tangsvc\/pg\/5066496002\/|\/tech\/|\/travel\/)/\";"

create Backdoor.HTTP.BEACON.CSBundle_Original_POST description "Backdoor.HTTP.BEACON.[CSBundle Original POST]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125878 direction to-server sig "content:\"POST\"; depth:4; content:\"Accept: */*|0d 0a|\"; content:\"Accept-Language: en-US|0d 0a|\"; content:\"Accept-Encoding: gzip, deflate|0d 0a|\"; content:\"{\"locale\":\"en\",\"channel\":\"prod\",\"addon\":\"\"; pcre:\"/^POST\s(:\/v4\/links\/check-activity\/check|\/v1\/stats|\/gql|\/api2\/json\/check\/ticket|\/1.5\/95648064\/storage\/history|\/1.5\/95648064\/storage\/tabs|\/u\/0\/_\/og\/botguard\/get|\/ev\/prd001001|\/ev\/ext001001|\/gp\/aw\/ybh\/handlers|\/v3\/links\/ping-beat\/check)/\"; content:\"ses-\";"

create Backdoor.HTTP.BEACON.CSBundle_MSOffice_POST description "Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125891 direction to-server sig "content:\"POST /v1/push\"; depth:13; content:\"Accept: */*\"; content:\"Accept-Encoding: gzip, deflate, br\"; content:\"Accept-Language: en-US|0d 0a|\"; content:\"{\"locale\":\"en\",\"channel\":\"prod\",\"addon\":\"\"; content:\"cli\"; content:\"l-\";"

create M.HackTool.SMB.Impacket-Obfuscation.Service_Names description "M.HackTool.SMB.Impacket-Obfuscation.[Service Names]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service netbios_ssn id 125857 direction to-server sig "content:\"|ff 53 4d 42|\"; offset:4; depth:4; pcre:\"/(:\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x55\x00\x70\x00\x64\x00\x61\x00\x74\x00\x65\x00\x20\x00\x43\x00\x6f\x00\x6e\x00\x74\x00\x72\x00\x6f\x00\x6c\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65|\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x31\x00\x30\x00\x20\x00\x44\x00\x65\x00\x66\x00\x65\x00\x6e\x00\x64\x00\x65\x00\x72|\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x4c\x00\x69\x00\x63\x00\x65\x00\x6e\x00\x73\x00\x65\x00\x20\x00\x4b\x00\x65\x00\x79\x00\x20\x00\x41\x00\x63\x00\x74\x00\x69\x00\x76\x00\x61\x00\x74\x00\x69\x00\x6f\x00\x6e|\x4f\x00\x66\x00\x66\x00\x69\x00\x63\x00\x65\x00\x20\x00\x33\x00\x36\x00\x35\x00\x20\x00\x50\x00\x72\x00\x6f\x00\x78\x00\x79|\x4d\x00\x69\x00\x63\x00\x72\x00\x6f\x00\x73\x00\x6f\x00\x66\x00\x74\x00\x20\x00\x53\x00\x65\x00\x63\x00\x75\x00\x72\x00\x69\x00\x74\x00\x79\x00\x20\x00\x43\x00\x65\x00\x6e\x00\x74\x00\x65\x00\x72|\x4f\x00\x6e\x00\x65\x00\x44\x00\x72\x00\x69\x00\x76\x00\x65\x00\x20\x00\x53\x00\x79\x00\x6e\x00\x63\x00\x20\x00\x43\x00\x65\x00\x6e\x00\x74\x00\x65\x00\x72|\x42\x00\x61\x00\x63\x00\x6b\x00\x67\x00\x72\x00\x6f\x00\x75\x00\x6e\x00\x64\x00\x20\x00\x41\x00\x63\x00\x74\x00\x69\x00\x6f\x00\x6e\x00\x20\x00\x4d\x00\x61\x00\x6e\x00\x61\x00\x67\x00\x65\x00\x72|\x53\x00\x65\x00\x63\x00\x75\x00\x72\x00\x65\x00\x20\x00\x54\x00\x6f\x00\x6b\x00\x65\x00\x6e\x00\x20\x00\x4d\x00\x65\x00\x73\x00\x73\x00\x61\x00\x67\x00\x69\x00\x6e\x00\x67\x00\x20\x00\x53\x00\x65\x00\x72\x00\x76\x00\x69\x00\x63\x00\x65|\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x20\x00\x55\x00\x70\x00\x64\x00\x61\x00\x74\x00\x65)/R\";"

create Backdoor.HTTP.BEACON.CSBundle_Original_Stager_2 description "Backdoor.HTTP.BEACON.[CSBundle Original Stager 2]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125880 direction to-client sig "content:\"HTTP/1.\"; depth:7; content:\"Content-Type: text/json|0d 0a|\"; content:\"Server: Microsoft-IIS/10.0|0d 0a|\"; content:\"X-Powered-By: ASP.NET|0d 0a|\"; content:\"Cache-Control: no-cache, no-store, max-age=0, must-revalidate|0d 0a|\"; content:\"Pragma: no-cache|0d 0a|\"; content:\"X-Frame-Options: SAMEORIGIN|0d 0a|\"; content:\"Connection: close|0d 0a|\"; content:\"Content-Type: image/gif\"; content:\"|01 00 01 00 00 02 01 44 00 3b|\"; content:\"|ff ff ff 21 f9 04 01 00 00 00 2c 00 00 00 00|\"; content:\"|47 49 46 38 39 61 01 00 01 00 80 00 00 00 00|\";"

create Backdoor.HTTP.BEACON.CSBundle_NYTIMES_POST description "Backdoor.HTTP.BEACON.[CSBundle NYTIMES POST]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125885 direction to-server sig "content:\"POST\"; depth:4; content:\"Accept: */*\"; content:\"Accept-Encoding: gzip, deflate, br\"; content:\"Accept-Language: en-US,en\;q=0.5\"; content:\"id-\"; content:\"{\"locale\":\"en\",\"channel\":\"prod\",\"addon\":\"\"; pcre:\"/^POST\s(:\/track|\/api\/v1\/survey\/embed|\/svc\/weather\/v2)/\";"

#Deleted a fastpattern invocation
create Backdoor.HTTP.BEACON.Yelp_Request description "Backdoor.HTTP.BEACON.[Yelp Request]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 162010239 direction to-server sig "content:\"T \"; depth:5; content:\" HTTP/1\"; distance:0; within:256; content:\"Cookie: hl=en|3b|bse=\"; distance:0; within:256; content:\"|3b|_gat_global=1|3b|recent_locations|3b|_gat_www=1|3b||0d 0a|\"; pcre:\"/Cookie: hl=en\x3bbse=(:[A-Za-z0-9_\/\+\-]{128,1024})={0,2}\x3b_gat_global=1\x3brecent_locations\x3b_gat_www=1\x3b\r\n/\";"

create Backdoor.HTTP.BEACON.CSBundle_MSOffice_GET description "Backdoor.HTTP.BEACON.[CSBundle MSOffice GET]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125886 direction to-server sig "content:\"GET\"; depth:3; content:\"Accept: */*\"; content:\"Accept-Encoding: gzip, deflate, br\"; content:\"Accept-Language: en-US|0d 0a|\"; content:\"sess-=\"; content:\"auth=0\;loc=US}\"; content:\"Cookie:\"; pcre:\"/^GET\s(:\/updates|\/license\/eula|\/docs\/office|\/software-activation)/\";"

create Backdoor.HTTP.BEACON.CSBundle_Original_Server_2 description "Backdoor.HTTP.BEACON.[CSBundle Original Server 2]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http direction to-client id 125875 sig "content:\"{\"meta\":{},\"status\":\"OK\",\"saved\":\"1\",\"starttime\":17656184060,\"id\":\"\",\"vims\":{\"dtc\":\";"

create Backdoor.HTTP.BEACON.CSBundle_MSOffice_POST2 description "Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125889 direction to-server sig "content:\"POST /notification\"; depth:18; content:\"Accept: */*\"; content:\"Accept-Encoding: gzip, deflate, br\"; content:\"Accept-Language: en-US|0d 0a|\"; content:\"{\"locale\":\"en\",\"channel\":\"prod\",\"addon\":\"\"; content:\"nid\"; content:\"msg-\";"

create Backdoor.HTTP.BEACON.CSBundle_Original_GET description "Backdoor.HTTP.BEACON.[CSBundle Original GET]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125877 direction to-server sig "content:\"GET\"; depth:3; content:\"Accept: */*|0d 0a|\"; content:\"Accept-Language: en-US|0d 0a|\"; content:\"Accept-Encoding: gzip, deflate|0d 0a|\"; content:\"Cookie:\"; content:\"display-culture=en\;check=true\;lbcs=0\;sess-id=\"; distance:0; content:\"\;SIDCC=AN0-TY21iJHH32j2m\;FHBv3=B\"; pcre:\"/^GET\s(:\/api2\/json\/access\/ticket|\/api2\/json\/cluster\/resources|\/api2\/json\/cluster\/tasks|\/en-us\/p\/onerf\/MeSilentPassport|\/en-us\/p\/book-2\/8MCPZJJCC98C|\/en-us\/store\/api\/checkproductinwishlist|\/gp\/cerberus\/gv|\/gp\/aj\/private\/reviewsGallery\/get-application-resources|\/gp\/aj\/private\/reviewsGallery\/get-image-gallery-assets|\/v1\/buckets\/default\/ext-5dkJ19tFufpMZjVJbsWCiqDcclDw\/records|\/v3\/links\/ping-centre|\/v4\/links\/activity-stream|\/wp-content\/themes\/am43-6\/dist\/records|\/wp-content\/themes\/am43-6\/dist\/records|\/wp-includes\/js\/script\/indigo-migrate)/\";"

create Backdoor.HTTP.BEACON.CSBundle_MSOffice_Server2 description "Backdoor.HTTP.BEACON.[CSBundle MSOffice Server]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125888 direction to-client sig "content:\"{\"meta\":{},\"status\":\"OK\",\"saved\":\"1\",\"starttime\":17656184060,\"id\":\"\",\"vims\":{\"dtc\":\"\";"

create Backdoor.HTTP.BEACON.CSBundle_NYTIMES_Server description "Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125884 direction to-client sig "content:\"{\"meta\":{},\"status\":\"OK\",\"saved\":\"1\",\"starttime\":17656184060,\"id\":\"\",\"vims\":{\"dtc\":\"\";"

create Backdoor.DNS.BEACON.CSBundle_DNS2 description "Backdoor.DNS.BEACON.[CSBundle DNS]" protocol { udp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service dns id 125866 direction to-client sig " content:\"|00 01 00 01|\"; offset:4; depth:4; content:\"|03|\"; within:15; content:\"|0a|_domainkey\"; distance:3; within:11; content:\"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 02 01 00 ff|v=DKIM1\; p=\";"

create Backdoor.HTTP.BEACON.CSBundle_NYTIMES_Server2 description "Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125882 direction to-client sig "content:\"HTTP/1.\"; depth:7; content:\"Accept-Ranges: bytes\"; content:\"Age: 5806\"; content:\"Cache-Control: public,max-age=31536000\"; content:\"Content-Encoding: gzip\"; content:\"Content-Length: 256398\"; content:\"Content-Type: application/javascript\"; content:\"Server: UploadServer\"; content:\"Vary: Accept-Encoding, Fastly-SSL\"; content:\"x-api-version: F-X\"; content:\"x-cache: HIT\"; content:\"x-Firefox-Spdy: h2\"; content:\"x-nyt-route: vi-assets\"; content:\"x-served-by: cache-mdw17344-MDW\"; content:\"x-timer: S1580937960.346550,VS0,VE0\";"

create Backdoor.HTTP.BEACON.CSBundle_Original_Server_3 description "Backdoor.HTTP.BEACON.[CSBundle Original Server 3]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125876 direction to-client sig "content:\"{\"alias\":\"apx\",\"prefix\":\"\",\"suffix\":null,\"suggestions\":[],\"responseId\":\"15QE9JX9CKE2P\",\"addon\": \"\"; content:\"\",\"shuffled\":false}\";"

create Backdoor.HTTP.GORAT.POST description "Backdoor.HTTP.GORAT.[POST]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125849 direction to-server sig "content:\"POST / HTTP/1.1\"; depth:15; content:\"Connection: upgrade\"; content:\"|0d 0a|Upgrade: tcp/1|0d 0a|\"; content:!\"|0d 0a|Referer:\"; content:!\"|0d 0a|Accept\"; content:!\"|0d 0a|Cookie:\";"

create HackTool.TCP.Rubeus.User32LogonProcesss description "HackTool.TCP.Rubeus.[User32LogonProcesss]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service other id 1100001 sig "content:\"User32LogonProcesss\";"

create Backdoor.HTTP.GORAT.Build_ID description "Backdoor.HTTP.GORAT.[Build ID]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service http id 125850 sig "content:\"aqlKZ7wjzg0iKM00E1WB/jq9_RA46w91EKl9A02Dv/nbNdZiLsB1ci8Ph0fb64/9Ks1YxAE86iz9A0dUiDl\";"

#Snort rule uses destination port 88 which is not available in AFM PI syntax. May generate false-positives due to lack of port specificity
create HackTool.TCP.Rubeus.nonce description "HackTool.TCP.Rubeus.[nonce]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service other id 125899 direction to-server sig "content:\"|05|\"; depth:30; content:\"|0a|\"; distance:4; within:1; content:\"Z\"; content:\"|6C 69 6C 00|\"; within:25;"

#Snort rule uses destination port 88 which is not available in AFM PI syntax. May generate false-positives due to lack of port specificity
create HackTool.UDP.Rubeus.nonce_2 description "HackTool.UDP.Rubeus.[nonce 2]" protocol { udp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service other id 125902 direction to-server sig "content:\"|a7 06 02 04 6C 69 6C 00|\";"

#Snort rule uses destination port 88 which is not available in AFM PI syntax. May generate false-positives due to lack of port specificity
create HackTool.TCP.Rubeus.nonce_2 description "HackTool.TCP.Rubeus.[nonce 2]" protocol { tcp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service other direction to-server id 125900 sig "content:\"|a7 06 02 04 6C 69 6C 00|\";"

#Snort rule uses destination port 88 which is not available in AFM PI syntax. May generate false-positives due to lack of port specificity
create HackTool.UDP.Rubeus.nonce description "HackTool.UDP.Rubeus.[nonce]" protocol { udp } references "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" reference-links "https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html" service other id 125901 direction to-server sig "content:\"|05|\"; depth:30; content:\"|0a|\"; distance:4; within:1; content:\"Z\"; content:\"|6C 69 6C 00|\"; within:25;"

Copyright 2020 by FireEye, Inc.

The 2-Clause BSD License

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Published Dec 11, 2020
Version 1.0
