www.secnews.physaphae.fr. This is the RSS 2.0 feed from www.secnews.physaphae.fr, a simple aggregated flow of articles from multiple sources. The list of sources can be found on www.secnews.physaphae.fr. Feed timestamp: 2024-06-02T20:31:29+00:00.

Mandiant - Mandiant Security Blog
Using Speakeasy Emulation Framework Programmatically to Unpack Malware
Andrew Davis recently announced the public release of his new Windows emulation framework named Speakeasy. While the introductory blog post focused on using Speakeasy as an automated malware sandbox of sorts, this entry will highlight another powerful use of the framework: automated malware unpacking. I will demonstrate, with code examples, how Speakeasy can be used programmatically to: bypass unsupported Windows APIs to continue emulation and unpacking; save the virtual addresses of dynamically allocated code using API hooks; surgically direct execution to key areas of code using code hooks.
2020-12-01T20:30:00+00:00 https://www.mandiant.com/resources/blog/using-speakeasy-emulation-framework-programmatically-to-unpack-malware
Mandiant - Mandiant Security Blog
Election Cyber Threats in the Asia-Pacific Region
In democratic societies, elections are the mechanism for choosing heads of state and policymakers. There are strong incentives for adversary nations to understand the intentions and preferences of the people and parties that will shape a country's future path and to reduce uncertainty about likely winners. Mandiant Threat Intelligence regularly observes cyber espionage operations we believe to be seeking election-related information targeting governments, civil society, media, and technology organizations around the globe. We have also seen disruptive and destructive cyber attacks and
2020-11-22T23:00:00+00:00 https://www.mandiant.com/resources/blog/election-cyber-threats-in-the-asia-pacific-region
Mandiant - Mandiant Security Blog
Purgalicious VBA: Macro Obfuscation With VBA Purging
Malicious Office documents remain a favorite technique for every type of threat actor, from red teamers to FIN groups to APTs. In this blog post, we will discuss "VBA Purging", a technique we have increasingly observed in the wild and that was first publicly documented by Didier Stevens in February 2020. We will explain how VBA purging works with Microsoft Office documents in Compound File Binary Format (CFBF), share some detection and hunting opportunities, and introduce a new tool created by Mandiant's Red Team: OfficePurge.
MS-OVBA File Format
Before diving into VBA Purging, it is
2020-11-19T19:00:00+00:00 https://www.mandiant.com/resources/blog/purgalicious-vba-macro-obfuscation-with-vba-purging
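The excerpt stops just before the format discussion, so here is the mechanism in working code, as an added example (it is not the post's code and not OfficePurge): the MS-OVBA compression container that module streams use, the purge step itself, and a hunting check. A VBA module stream is the compiled PerformanceCache (p-code) followed by CompressedSourceCode at MODULEOFFSET, which the dir stream records; purging drops the cache and sets the offset to 0, and Office recompiles from source at open time, so the macro still runs while tooling that only looks at p-code sees nothing. The sample macro, the stand-in p-code bytes and the purged-module heuristic are mine and labelled as such; pulling real streams out of a CFBF file needs olefile or oletools, which is not shown.

```python
import struct

# MS-OVBA 2.4.1 container: signature byte 0x01, then chunks of at most 4096 decompressed
# bytes. Each chunk has a 2-byte LE header: bits 0-11 = chunk size minus 3 (size includes
# the header), bits 12-14 = 0b011, bit 15 = 1 for a token stream, 0 for 4096 raw bytes.

def _copytoken_params(distance):
    """A 16-bit copy token splits into offset and length fields; the offset gets
    max(ceil(log2(distance)), 4) bits, where distance = bytes already decoded in the chunk."""
    bit_count = 4
    while (1 << bit_count) < distance:
        bit_count += 1
    return bit_count, 0xFFFF >> bit_count          # (offset bits, length mask)

def decompress(container):
    if not container or container[0] != 0x01:
        raise ValueError("not an MS-OVBA compressed container")
    out, pos = bytearray(), 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        pos += 2
        chunk_end = pos + (header & 0x0FFF) + 1   # (field + 3) total, minus the 2 header bytes
        chunk_start = len(out)
        if not header & 0x8000:                    # raw chunk: always 4096 bytes, zero-padded
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]                 # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:         # literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                bit_count, length_mask = _copytoken_params(len(out) - chunk_start)
                length = (token & length_mask) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):            # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)

def compress(data):
    """Greedy encoder per MS-OVBA 2.4.1.3: longest match at each position, else a literal."""
    out = bytearray(b"\x01")
    for start in range(0, len(data), 4096):
        chunk, body, i = data[start:start + 4096], bytearray(), 0
        while i < len(chunk):
            flags, tokens = 0, bytearray()
            for bit in range(8):
                if i >= len(chunk):
                    break
                bit_count, length_mask = _copytoken_params(i)
                best_len = best_off = 0
                for off in range(1, min(i, 1 << bit_count) + 1):
                    n = 0
                    while (n < length_mask + 3 and i + n < len(chunk)
                           and chunk[i + n - off] == chunk[i + n]):
                        n += 1
                    if n > best_len:
                        best_len, best_off = n, off
                if best_len >= 3:
                    tokens += struct.pack("<H", ((best_off - 1) << (16 - bit_count)) | (best_len - 3))
                    flags |= 1 << bit
                    i += best_len
                else:
                    tokens.append(chunk[i])
                    i += 1
            body.append(flags)
            body += tokens
        if len(body) >= 4096:                      # no gain: store a raw, zero-padded chunk
            out += struct.pack("<H", 0x3FFF) + chunk.ljust(4096, b"\x00")
        else:
            out += struct.pack("<H", 0xB000 | (len(body) - 1)) + body
    return bytes(out)

# Module stream = PerformanceCache (MODULEOFFSET bytes of p-code) + CompressedSourceCode.
def build_module_stream(source, performance_cache):
    return performance_cache + compress(source), len(performance_cache)

def purge_module(stream, module_offset):
    """VBA Purging: delete the p-code, point MODULEOFFSET at the source. Still runs."""
    return stream[module_offset:], 0

def extract_source(stream, module_offset):
    return decompress(stream[module_offset:])

def looks_purged(stream, module_offset):
    """Hunting heuristic (my assumption, not from the post): Office writes a cache on save,
    so source at offset 0 is what a purging tool leaves. Confirm against the _VBA_PROJECT
    and __SRP_* streams before acting on it."""
    return module_offset == 0 and stream[:1] == b"\x01"

# Constructed sample: a harmless macro and a stand-in for compiled p-code bytes.
SAMPLE_SOURCE = (b'Attribute VB_Name = "Module1"\r\nSub AutoOpen()\r\n'
                 b'    MsgBox "constructed sample, not a real payload"\r\nEnd Sub\r\n')
FAKE_PCODE = bytes(range(256)) * 2
```

Round-tripping a 5000-byte input exercises the chunk boundary and copy tokens; the purged stream decompresses to the identical source, which is exactly why the document still works after purging. A test of the heuristic over a real corpus is worth doing before writing a rule on it.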
Mandiant - Mandiant Security Blog
WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques
Microsoft is known for its backwards compatibility. When it rolled out the 64-bit variant of Windows years ago it needed to provide compatibility with existing 32-bit applications. In order to provide seamless execution regardless of application bitness, the WoW (Windows on Windows) layer was created. This layer, referred to as 'WOW64' from here on out, is responsible for translating the system calls made by 32-bit user-mode code into calls the 64-bit operating system kernel understands. This blog post is broken up into two sections. First we start by diving deep into the WOW64 system. To do this
2020-11-09T19:00:00+00:00 https://www.mandiant.com/resources/blog/wow64-subsystem-internals-and-hooking-techniques

Mandiant - Mandiant Security Blog
In Wild Critical Buffer Overflow Vulnerability in Solaris Can Allow Remote Takeover - CVE-2020-14871
FireEye Mandiant has been investigating compromised Oracle Solaris machines in customer environments. During our investigations, we discovered an exploit tool on a customer's system and analyzed it to see how it was attacking their Solaris environment. The FLARE team's Offensive Task Force analyzed the exploit to determine how it worked, reproduced the vulnerability on different versions of Solaris, and then reported it to Oracle. In this blog post we present a description of the vulnerability, offer a quick way to test whether a system may be vulnerable, and suggest mitigations and
2020-11-04T19:00:00+00:00 https://www.mandiant.com/resources/blog/critical-buffer-overflow-vulnerability-in-solaris-can-allow-remote-takeover

Mandiant - Mandiant Security Blog
Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945
Through Mandiant investigation of intrusions, the FLARE Advanced Practices team observed a group we track as UNC1945 compromise managed service providers and operate against a tailored set of targets within the financial and professional consulting industries by leveraging access to third-party networks (see this blog post for an in-depth description of "UNC" groups). UNC1945 targeted Oracle Solaris operating systems, utilized several tools and utilities against Windows and Linux operating systems, loaded and operated custom virtual machines, and employed techniques to evade detection
2020-11-02T19:15:00+00:00 https://www.mandiant.com/resources/blog/live-off-the-land-an-overview-of-unc1945
Mandiant - Mandiant Security Blog
Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
Throughout 2020, ransomware activity has become increasingly prolific, relying on an ecosystem of distinct but co-enabling operations to gain access to targets of interest before conducting extortion. Mandiant Threat Intelligence has tracked several loader and backdoor campaigns that lead to the post-compromise deployment of ransomware, sometimes within 24 hours of initial compromise. Effective and fast detection of these campaigns is key to mitigating this threat. The malware families enabling these attacks previously reported by Mandiant to intelligence subscribers include KEGTAP/BEERBOT
2020-10-28T17:00:00+00:00 https://www.mandiant.com/resources/blog/kegtap-and-singlemalt-with-a-ransomware-chaser
Mandiant - Mandiant Security Blog
Welcome to ThreatPursuit VM: A Threat Intelligence and Hunting Virtual Machine
Skilled adversaries can evade detection and often employ new measures in their tradecraft. Keeping a stringent focus on the lifecycle and evolution of adversaries allows analysts to devise new detection mechanisms and response processes. Access to the appropriate tooling and resources is critical to discovering these threats in a timely and accurate manner. Therefore, we are actively compiling the most essential software packages into a Windows-based distribution: ThreatPursuit VM. ThreatPursuit Virtual Machine (VM) is a fully customizable, open-sourced Windows-based distribution focused
2020-10-28T10:30:00+00:00 https://www.mandiant.com/resources/blog/threatpursuit-vm-threat-intelligence-and-hunting-virtual-machine
Mandiant - Mandiant Security Blog
Flare-On 7 Challenge Solutions
We are thrilled to announce the conclusion of the seventh annual Flare-On challenge. This year proved to be the most difficult challenge we've produced, with the lowest rate of finishers. This year's winners are truly the elite of the elite! Lucky for them, all 260 winners will receive this cyberpunk metal key. We would like to thank the challenge authors individually for their great puzzles and solutions:
fidler – Nick Harbour (@nickharbour)
garbage – Jon Erickson
Wednesday – Blaine Stancill (@MalwareMechanic)
report – Moritz Raabe (@m_r_tz)
TKApp – Moritz Raabe (@m_r_tz)
CodeIt
2020-10-23T07:00:00+00:00 https://www.mandiant.com/resources/blog/flare-7-challenge-solutions
Mandiant - Mandiant Security Blog
FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft
Mandiant Threat Intelligence recently promoted a threat cluster to a named FIN (or financially motivated) threat group for the first time since 2017. We have detailed FIN11's various tactics, techniques and procedures in a report that is available now by signing up for Mandiant Advantage Free. In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity. There are significant gaps in FIN11's phishing operations, but when active, the group conducts up to five high-volume campaigns a week. While many financially motivated
2020-10-14T07:00:00+00:00 https://www.mandiant.com/resources/blog/fin11-email-campaigns-precursor-for-ransomware-data-theft
Mandiant - Mandiant Security Blog
Detecting Microsoft 365 and Azure Active Directory Backdoors
Mandiant has seen an uptick in incidents involving Microsoft 365 (M365) and Azure Active Directory (Azure AD). Most of these incidents are the result of a phishing email coercing a user to enter the credentials they use for accessing M365 into a phishing site. Other incidents have been the result of password spraying, credential stuffing, or simple brute force attempts against M365 tenants. In almost all of these incidents, the user or account was not protected by multi-factor authentication (MFA). These opportunistic attacks are certainly the most common form of compromise for M365 and Azure AD
2020-09-30T11:45:00+00:00 https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors

Mandiant - Mandiant Security Blog
In Pursuit of a Gestalt Visualization: Merging MITRE ATT&CK® for Enterprise and ICS to Communicate Adversary Behaviors
Update (Dec. 10): This post has been updated to reflect changes in the MITRE ATT&CK Matrix for Enterprise, which now includes additional tactics. Understanding the increasingly complex threats faced by industrial and critical infrastructure organizations is not a simple task. As high-skilled threat actors continue to learn about the unique nuances of operational technology (OT) and industrial control systems (ICS), we increasingly observe attackers exploring a diversity of methods to reach their goals. Defenders face the challenge of systematically analyzing information from these incidents
2020-09-29T08:01:01+00:00 https://www.mandiant.com/resources/blog/gestalt-mitre-attack-ics

Mandiant - Mandiant Security Blog
Fuzzing Image Parsing in Windows, Part One: Color Profiles
Image parsing and rendering are basic features of any modern operating system (OS). Image parsing is an easily accessible attack surface, and a vulnerability that may lead to remote code execution or information disclosure in such a feature is valuable to attackers. In this multi-part blog series, I am reviewing the Windows OS' built-in image parsers and related file formats: specifically looking at creating a harness, hunting for a corpus and fuzzing to find vulnerabilities. In part one of this series I am looking at color profiles: not an image format itself, but something which is regularly
2020-09-24T10:00:00+00:00 https://www.mandiant.com/resources/blog/fuzzing-image-parsing-in-windows-color-profiles

Mandiant - Mandiant Security Blog
Uniting Security Superpowers: Mandiant Solutions and Microsoft Working Together for Better Security Outcomes
"If everyone is moving forward together, then success takes care of itself." - Henry Ford
Regardless of industry, geography or business model, experience has taught me this is always true. In business, just like with our families and friends, strong relationships help us succeed. With the trust and cooperation of the right partners, even the biggest challenges can be overcome.
Mandiant Solutions Joins MISA
This is just one of the many reasons why we at Mandiant Solutions are thrilled to accept Microsoft Corp.'s invitation to join the
2020-09-22T08:00:00+00:00 https://www.mandiant.com/resources/blog/mandiant-solutions-microsoft-working-together-for-better-security-outcomes

Mandiant - Mandiant Security Blog
A "DFUR-ent" Perspective on Threat Modeling and Application Log Forensic Analysis
Many organizations operating in e-commerce, hospitality, healthcare, managed services, and other service industries rely on web applications. And buried within the application logs may be the potential discovery of fraudulent use and/or compromise! But, let's face it, finding evil in application logs can be difficult and overwhelming for a few reasons, including: the wide variety of web applications with unique functionality; the lack of a standard logging format; logging formats that were designed for troubleshooting application issues and not security investigations; the need for a
2020-09-14T11:30:00+00:00 https://www.mandiant.com/resources/blog/dfur-ent-perspective-on-threat-modeling-and-application-log-forensic-analysis

Mandiant - Mandiant Security Blog
Emulation of Malicious Shellcode With Speakeasy
In order to enable emulation of malware samples at scale, we have developed the Speakeasy emulation framework. Speakeasy aims to make it as easy as possible for users who are not malware analysts to acquire triage reports in an automated way, as well as enabling reverse engineers to write custom plugins to triage difficult malware families. Originally created to emulate Windows kernel mode malware, Speakeasy now also supports user mode samples. The project's main goal is high-resolution emulation of the Windows operating system for dynamic malware analysis on the x86 and amd64 platforms
2020-08-26T10:00:00+00:00 https://www.mandiant.com/resources/blog/emulation-of-malicious-shellcode-with-speakeasy
Mandiant - Mandiant Security Blog
A Hands-On Introduction to Mandiant's Approach to OT Red Teaming
Operational technology (OT) asset owners have historically considered red teaming of OT and industrial control system (ICS) networks to be too risky due to the potential for disruptions or adverse impact to production systems. While this mindset has remained largely unchanged for years, Mandiant's experience in the field suggests that these perspectives are changing; we are increasingly delivering value to customers by safely red teaming their OT production networks. This increasing willingness to red team OT is likely driven by a couple of factors, including the growing number and
2020-08-25T04:00:00+00:00 https://www.mandiant.com/resources/blog/hands-on-introduction-to-mandiant-approach-to-ot-red-teaming

Mandiant - Mandiant Security Blog
COOKIEJAR: Tracking Adversaries With FireEye Endpoint Security's Logon Tracker Module
During a recent investigation at a telecommunications company led by Mandiant Managed Defense, our team was tasked with rapidly identifying systems that had been accessed by a threat actor using legitimate, but compromised, domain credentials. This sometimes-challenging task was made simple because the customer had enabled the Logon Tracker module within their FireEye Endpoint Security product. Logon Tracker is an Endpoint Security Innovation Architecture module designed to simplify the investigation of lateral movement within Windows enterprise environments. Logon Tracker improves the
2020-08-11T12:00:00+00:00 https://www.mandiant.com/resources/blog/cookiejar-tracking-adversaries-fireeye-endpoint-securitys-logon-tracker-module
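Logon Tracker answers the question in the excerpt from agent telemetry. As an added example, which is neither the post's nor the product's code, here is the same analysis done by hand over Windows Security 4624 (successful logon) events, which is what an investigator without the module falls back to. It pivots outward from the compromised account: the hosts it reached remotely after a chosen start time, then any account used from those hosts onward, repeated until nothing new appears. The events and host names are constructed; the field subset and the LogonType meanings (2 interactive, 3 network, 10 RemoteInteractive/RDP) are those of the 4624 event.

```python
# Constructed stand-ins for Windows Security event 4624, reduced to the fields needed:
# the host that logged the event, the account, LogonType and the source workstation.
# Timestamps are ISO-8601 strings so they compare lexically. Not from a real environment.
EVENTS = [
    {"time": "2020-08-01T09:00:00", "host": "WS-ALICE", "user": "alice", "logon_type": 2, "src": "-"},
    {"time": "2020-08-01T10:05:00", "host": "FS01", "user": "alice", "logon_type": 3, "src": "WS-ALICE"},
    {"time": "2020-08-01T22:10:00", "host": "FS01", "user": "alice", "logon_type": 3, "src": "WS-TEMP07"},
    {"time": "2020-08-01T22:14:00", "host": "SQL02", "user": "alice", "logon_type": 10, "src": "WS-TEMP07"},
    {"time": "2020-08-01T22:31:00", "host": "DC01", "user": "svc_backup", "logon_type": 3, "src": "SQL02"},
    {"time": "2020-08-01T22:40:00", "host": "FS02", "user": "svc_backup", "logon_type": 3, "src": "SQL02"},
    {"time": "2020-08-02T08:00:00", "host": "WS-BOB", "user": "bob", "logon_type": 2, "src": "-"},
]

REMOTE_LOGON_TYPES = {3, 10}   # network and RemoteInteractive: the ones that mean movement


def account_timeline(events, user, since):
    """First question in the case: which hosts did this account authenticate to after
    `since`, when first, by which logon type and from where. One entry per host."""
    first_seen = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["user"] == user and e["time"] >= since and e["host"] not in first_seen:
            first_seen[e["host"]] = e
    return list(first_seen.values())


def trace_lateral_movement(events, compromised_user, since):
    """Breadth-first pivot. Hosts the account reached remotely become the set an actor
    could operate from; any account seen logging on from one of those hosts is added
    and followed in turn. Returns (hosts reached, accounts involved)."""
    hosts, accounts, frontier = set(), set(), [compromised_user]
    while frontier:
        user = frontier.pop()
        if user in accounts:
            continue
        accounts.add(user)
        hosts.update(e["host"] for e in events
                     if e["user"] == user and e["time"] >= since
                     and e["logon_type"] in REMOTE_LOGON_TYPES)
        frontier.extend(e["user"] for e in events
                        if e["time"] >= since and e["src"] in hosts and e["user"] not in accounts)
    return hosts, accounts


if __name__ == "__main__":
    start = "2020-08-01T22:00:00"          # when the actor's activity is believed to begin
    for e in account_timeline(EVENTS, "alice", start):
        print(f'{e["time"]} {e["host"]:8} type {e["logon_type"]:2} from {e["src"]}')
    print(trace_lateral_movement(EVENTS, "alice", start))
```

On real data, filter out machine accounts (names ending in $) and the constant type 3 noise toward domain controllers before pivoting, and cross-check the origin workstation in each timeline entry: in the sample, WS-TEMP07 appears only as a source and never as a host with its own events, which is the kind of unmanaged machine the actor tends to work from.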
Mandiant - Mandiant Security Blog
Bypassing MassLogger Anti-Analysis - a Man-in-the-Middle Approach
The FireEye Front Line Applied Research & Expertise (FLARE) Team attempts to always stay on top of the most current and emerging threats. As a member of the FLARE Reverse Engineer team, I recently received a request to analyze a fairly new credential stealer identified as MassLogger. Despite the lack of novel functionalities and features, this sample employs a sophisticated technique that replaces the Microsoft Intermediate Language (MSIL) at run time to hinder static analysis. At the time of this writing, there is only one publication discussing the MassLogger obfuscation technique in some
2020-08-06T14:15:00+00:00 https://www.mandiant.com/resources/blog/bypassing-masslogger-anti-analysis-man-in-the-middle-approach
Mandiant - Mandiant Security Blog
Repurposing Neural Networks to Generate Synthetic Media for Information Operations
FireEye's Data Science and Information Operations Analysis teams released this blog post to coincide with our Black Hat USA 2020 Briefing, which details how open source, pre-trained neural networks can be leveraged to generate synthetic media for malicious purposes. To summarize our presentation, we first demonstrate three successive proofs of concept for how machine learning models can be fine-tuned in order to generate customizable synthetic media in the text, image, and audio domains. Next, we illustrate examples in which synthetically generated media have been weaponized for information
2020-08-05T13:00:00+00:00 https://www.mandiant.com/resources/blog/repurposing-neural-networks-to-generate-synthetic-media-for-information-operations
Mandiant - Mandiant Security Blog
Announcing the Seventh Annual Flare-On Challenge
The Front Line Applied Research & Expertise (FLARE) team is honored to announce that the popular Flare-On challenge will return for a triumphant seventh year. Ongoing global events proved no match against our passion for creating challenging and fun puzzles to test and hone the skills of aspiring and experienced reverse engineers. The contest will begin at 8:00 p.m. ET on Sept. 11, 2020. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts and security professionals. The contest runs for six full weeks and ends at 8:00 p.m. ET on Oct. 23, 2020.
2020-08-04T10:00:00+00:00 https://www.mandiant.com/resources/blog/announcing-the-seventh-annual-flare-on-challenge
Mandiant - Mandiant Security Blog
Obscured by Clouds: Insights into Office 365 Attacks and How Mandiant Managed Defense Investigates
With Business Email Compromises (BECs) showing no signs of slowing down, it is becoming increasingly important for security analysts to understand Office 365 (O365) breaches and how to properly investigate them. This blog post is for those who have yet to dip their toes into the waters of an O365 BEC, providing a crash course on Microsoft's cloud productivity suite and its assortment of logs and data sources useful to investigators. We'll also go over common attacker tactics we've observed while responding to BECs and provide insight into how Mandiant Managed Defense analysts approach these
2020-07-30T14:00:00+00:00 https://www.mandiant.com/resources/blog/insights-into-office-365-attacks-and-how-managed-defense-investigates
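This entry and the Microsoft 365 / Azure AD backdoors entry above describe the same way in: credentials guessed or phished against accounts without MFA, visible in the tenant's sign-in logs. The following is an added example, not code from either post, of the detection an analyst can run over exported Azure AD sign-in records to tell a password spray (one source, one or two guesses against many accounts) from brute force (many guesses against one account) and to surface the account that actually let the attacker in. Field names follow the Microsoft Graph signIn resource as I know it (userPrincipalName, ipAddress, createdDateTime, status.errorCode, authenticationRequirement) and should be checked against your own export; error code 50126 is "invalid username or password". The records are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _rec(ts, upn, ip, code, req="singleFactorAuthentication"):
    """Constructed sign-in record in the shape of the Graph signIn resource (assumed field names)."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": code}, "authenticationRequirement": req}


SAMPLE_SIGNINS = [
    # password spray: one source, one failed guess per account across five accounts, then a hit
    *[_rec(f"2020-09-28T02:00:{s:02d}Z", f"{u}@example.com", "203.0.113.7", 50126)
      for s, u in zip(range(1, 30, 6), ["alice", "bob", "carol", "dave", "erin"])],
    _rec("2020-09-28T02:00:27Z", "frank@example.com", "203.0.113.7", 0),
    # brute force: twenty guesses against one account from another source, no success
    *[_rec(f"2020-09-28T03:00:{s:02d}Z", "grace@example.com", "198.51.100.9", 50126)
      for s in range(0, 40, 2)],
    # benign, MFA-protected activity from the office range
    _rec("2020-09-28T08:15:00Z", "alice@example.com", "192.0.2.10", 0, "multiFactorAuthentication"),
    _rec("2020-09-28T08:20:00Z", "bob@example.com", "192.0.2.11", 0, "multiFactorAuthentication"),
]


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def detect_credential_attacks(signins, window=timedelta(hours=1), spray_min_users=5,
                              spray_max_per_user=3, brute_min_attempts=10):
    """Per source IP, examine the window after its first failure. Many accounts with a few
    failures each is a spray; many failures on one account is brute force. Any success from
    such a source inside the window is a likely compromised account, and a success without
    MFA is the one to treat as an incident."""
    by_ip = defaultdict(list)
    for rec in sorted(signins, key=_ts):
        by_ip[rec["ipAddress"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        failures = [r for r in recs if r["status"]["errorCode"] != 0]
        if not failures:
            continue
        t0 = _ts(failures[0])
        burst = [r for r in recs if t0 <= _ts(r) <= t0 + window]
        per_user = Counter(r["userPrincipalName"] for r in burst if r["status"]["errorCode"] != 0)
        if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            kind = "password_spray"
        elif max(per_user.values()) >= brute_min_attempts:
            kind = "brute_force"
        else:
            continue
        successes = [r for r in burst if r["status"]["errorCode"] == 0]
        findings.append({
            "ip": ip, "kind": kind, "first_seen": failures[0]["createdDateTime"],
            "targeted_accounts": len(per_user), "failed_attempts": sum(per_user.values()),
            "successes": sorted(r["userPrincipalName"] for r in successes),
            "successes_without_mfa": sorted(r["userPrincipalName"] for r in successes
                                            if r["authenticationRequirement"] != "multiFactorAuthentication"),
        })
    return findings


if __name__ == "__main__":
    for f in detect_credential_attacks(SAMPLE_SIGNINS):
        print(f)
```

The single window anchored on the first failure keeps the example short; a production rule slides the window and also keys on the user agent and the ASN, since sprays rotate IPs. The useful output is the last field: an account that succeeded from a spraying source with single-factor authentication is where the mailbox rules and OAuth grants the posts describe will turn up.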
Mandiant - Mandiant Security Blog
'Ghostwriter' Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests
Mandiant Threat Intelligence has tied together several information operations that we assess with moderate confidence comprise part of a broader influence campaign, ongoing since at least March 2017, aligned with Russian security interests. The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with narratives critical of the North Atlantic Treaty Organization's (NATO) presence in Eastern Europe, occasionally leveraging other themes such as anti-U.S. and COVID-19-related narratives as part of this broader anti-NATO agenda. We have dubbed this campaign "Ghostwriter."
2020-07-28T09:15:00+00:00 https://www.mandiant.com/resources/blog/ghostwriter-influence-campaign
Mandiant - Mandiant Security Blog
capa: Automatically Identify Malware Capabilities
capa is the FLARE team's newest open-source tool for analyzing malicious programs. Our tool provides a framework for the community to encode, recognize, and share behaviors that we've seen in malware. Regardless of your background, when you use capa, you invoke decades of cumulative reverse engineering experience to figure out what a program does. In this post you will learn how capa works, how to install and use the tool, and why you should integrate it into your triage workflow starting today.
Problem
Effective analysts can quickly understand and prioritize unknown files in
2020-07-16T14:40:00+00:00 https://www.mandiant.com/resources/blog/capa-automatically-identify-malware-capabilities

Mandiant - Mandiant Security Blog
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Mandiant Threat Intelligence has researched and written extensively on the increasing financially motivated threat activity directly impacting operational technology (OT) networks. Some of this research is available in our previous blog posts on industrial post-compromise ransomware and FireEye's approach to OT security. While most of the actors behind this activity likely do not differentiate between IT and OT or have a particular interest in OT assets, they are driven by the goal of making money and have demonstrated the skills needed to operate in these networks. For example, the shift to
2020-07-15T10:00:00+00:00 https://www.mandiant.com/resources/blog/financially-motivated-actors-are-expanding-access-into-ot
Mandiant - Mandiant Security Blog: SCANdalous! (External Detection Using Network Scan Data and Automation)
Real Quick: In case you're thrown by that fantastic title, our lawyers made us change the name of this project so we wouldn't get sued. SCANdalous (a.k.a. Scannah Montana, a.k.a. Scanny McScanface, a.k.a. "Scan I Kick It? (Yes You Scan)") had another name before today that, for legal reasons, we're keeping to ourselves. A special thanks to our legal team, who are always looking out for us; this blog post would be a lot less fun without them. Strap in, folks. Introduction: Advanced Practices is known for using primary source data obtained through Mandiant Incident Response, Managed Defense, and
2020-07-13T13:30:00+00:00 https://www.mandiant.com/resources/blog/scandalous-external-detection-using-network-scan-data-and-automation
Mandiant - Mandiant Security Blog: Configuring a Windows Domain to Dynamically Analyze an Obfuscated Lateral Movement Tool
We recently encountered a large obfuscated malware sample that offered several interesting analysis challenges. It used virtualization that prevented us from producing a fully deobfuscated memory dump for static analysis. Statically analyzing a large virtualized sample can take anywhere from several days to several weeks. Bypassing this time-consuming step presented an opportunity for collaboration between the FLARE reverse engineering team and the Mandiant consulting team, which ultimately saved many hours of difficult reverse engineering. We suspected the sample to be a lateral movement
2020-07-07T13:00:00+00:00 https://www.mandiant.com/resources/blog/configuring-windows-domain-dynamically-analyze-obfuscated-lateral-movement-tool Tags: Malware, Tool

Mandiant - Mandiant Security Blog: Using Real-Time Events in Investigations
To understand what a threat actor did on a Windows system, analysts often turn to the tried and true sources of historical endpoint artifacts such as the Master File Table (MFT), registry hives, and Application Compatibility Cache (AppCompat). However, these evidence sources were not designed with detection or incident response in mind; crucial details may be omitted or cleared through anti-forensic methods. By looking at historical evidence alone, an analyst may not see the full story. Real-time events can be thought of as forensic artifacts specifically designed for detection and incident
2020-05-14T10:00:00+00:00 https://www.mandiant.com/resources/blog/using-real-time-events-in-investigations Tags: Threat

Mandiant - Mandiant Security Blog: Analyzing Dark Crystal RAT, a C# Backdoor
The FireEye Mandiant Threat Intelligence Team helps protect our customers by tracking cyber attackers and the malware they use. The FLARE Team helps augment our threat intelligence by reverse engineering malware samples. Recently, FLARE worked on a new C# variant of Dark Crystal RAT (DCRat) that the threat intel team passed to us. We reviewed open source intelligence and prior work, performed sandbox testing, and reverse engineered the Dark Crystal RAT to review its capabilities and communication protocol. Through publishing this blog post we aim to help defenders look for indicators of
2020-05-12T09:30:00+00:00 https://www.mandiant.com/resources/blog/analyzing-dark-crystal-rat-backdoor Tags: Malware, Threat
Mandiant - Mandiant Security Blog: Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents
Targeted ransomware incidents have brought a threat of disruptive and destructive attacks to organizations across industries and geographies. FireEye Mandiant Threat Intelligence has previously documented this threat in our investigations of trends across ransomware incidents, FIN6 activity, implications for OT networks, and other aspects of post-compromise ransomware deployment. Since November 2019, we've seen the MAZE ransomware being used in attacks that combine targeted ransomware use, public exposure of victim data, and an affiliate model. Malicious actors have been actively deploying
2020-05-07T18:00:00+00:00 https://www.mandiant.com/resources/blog/tactics-techniques-procedures-associated-with-maze-ransomware-incidents Tags: Ransomware, Threat
Mandiant - Mandiant Security Blog: Excelerating Analysis, Part 2 - X[LOOKUP] Gon' Pivot To Ya
In December 2019, we published a blog post on augmenting analysis using Microsoft Excel for various data sets for incident response investigations. As we described, investigations often include custom or proprietary log formats and miscellaneous, non-traditional forensic artifacts. There are, of course, a variety of ways to tackle this task, but Excel stands out as a reliable way to analyze and transform the majority of data sets we encounter. In our first post, we discussed summarizing verbose artifacts using the CONCAT function, converting timestamps using the TIME function, and using the
2020-04-28T12:30:00+00:00 https://www.mandiant.com/resources/blog/excelerating-analysis-lookup-pivot
Mandiant - Mandiant Security Blog: Putting the Model to Work: Enabling Defenders With Vulnerability Intelligence - Intelligence for Vulnerability Management, Part Four
One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization's data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations. Organizations often have to make difficult choices when it comes to patch prioritization. Many are faced with securing complex
2020-04-27T07:30:00+00:00 https://www.mandiant.com/resources/blog/putting-model-work-enabling-defenders-vulnerability-intelligence-intelligence-vulnerability-management-part-four Tags: Vulnerability, Threat

Mandiant - Mandiant Security Blog: Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage
From at least January to April 2020, suspected Vietnamese actors APT32 carried out intrusion campaigns against Chinese targets that Mandiant Threat Intelligence believes were designed to collect intelligence on the COVID-19 crisis. Spear phishing messages were sent by the actor to China's Ministry of Emergency Management as well as the government of Wuhan province, where COVID-19 was first identified. While targeting of East Asia is consistent with the activity we've previously reported on APT32, this incident, and other publicly reported intrusions, are part of a global increase in cyber
2020-04-22T09:00:00+00:00 https://www.mandiant.com/resources/blog/apt32-targeting-chinese-government-in-covid-19-related-espionage Tags: Threat, APT 32
Mandiant - Mandiant Security Blog: Separating the Signal from the Noise: How Mandiant Intelligence Rates Vulnerabilities - Intelligence for Vulnerability Management, Part Three
One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization's data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations. Every information security practitioner knows that patching vulnerabilities is one of the first steps towards a healthy and well
2020-04-20T07:00:00+00:00 https://www.mandiant.com/resources/blog/separating-signal-noise-how-mandiant-intelligence-rates-vulnerabilities-intelligence Tags: Vulnerability, Threat

Mandiant - Mandiant Security Blog: Think Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation - Intelligence for Vulnerability Management, Part Two
One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization's data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations. Check out our first post on zero-day vulnerabilities. Attackers are in a constant race to exploit newly discovered vulnerabilities
2020-04-13T07:00:00+00:00 https://www.mandiant.com/resources/blog/time-between-disclosure-patch-release-and-vulnerability-exploitation Tags: Vulnerability, Threat
Mandiant - Mandiant Security Blog: Limited Shifts in the Cyber Threat Landscape Driven by COVID-19
Though COVID-19 has had enormous effects on our society and economy, its effects on the cyber threat landscape remain limited. For the most part, the same actors we have always tracked are behaving in the same manner they did prior to the crisis. There are some new challenges, but they are perceptible, and we, and our customers, are prepared to continue this fight through this period of unprecedented change. The significant shifts in the threat landscape we are currently tracking include: The sudden major increase in a remote workforce has changed the nature and vulnerability of enterprise
2020-04-08T11:15:00+00:00 https://www.mandiant.com/resources/blog/limited-shifts-cyber-threat-landscape-driven-covid-19 Tags: Vulnerability, Threat

Mandiant - Mandiant Security Blog: Zero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill - Intelligence for Vulnerability Management, Part One
One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization's data, employees and customers at risk. In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations. FireEye Mandiant Threat Intelligence documented more zero-days exploited in 2019 than any of the previous three years. While not
2020-04-06T07:00:00+00:00 https://www.mandiant.com/resources/blog/zero-day-exploitation-demonstrates-access-to-money-not-skill Tags: Vulnerability, Threat
Mandiant - Mandiant Security Blog: FakeNet Genie: Improving Dynamic Malware Analysis with Cheat Codes for FakeNet-NG
As developers of the network simulation tool FakeNet-NG, reverse engineers on the FireEye FLARE team, and malware analysis instructors, we get to see how different analysts use FakeNet-NG and the challenges they face. We have learned that FakeNet-NG provides many useful features and solutions of which our users are often unaware. In this blog post, we will showcase some cheat codes to level up your network analysis with FakeNet-NG. We will introduce custom responses and demonstrate powerful features such as executing commands on connection events and decrypting SSL traffic. Since its first
2020-04-02T10:00:00+00:00 https://www.mandiant.com/resources/blog/improving-dynamic-malware-analysis-with-cheat-codes-for-fakenet-ng Tags: Malware, Tool

Mandiant - Mandiant Security Blog: Kerberos Tickets on Linux Red Teams
At FireEye Mandiant, we conduct numerous red team engagements within Windows Active Directory environments. Consequently, we frequently encounter Linux systems integrated within Active Directory environments. Compromising an individual domain-joined Linux system can provide useful data on its own, but the best value is obtaining data, such as Kerberos tickets, that will facilitate lateral movement techniques. By passing these Kerberos tickets from a Linux system, it is possible to move laterally from a compromised Linux system to the rest of the Active Directory domain. There are several
2020-04-01T11:00:00+00:00 https://www.mandiant.com/resources/blog/kerberos-tickets-on-linux-red-teams
Mandiant - Mandiant Security Blog: It's Your Money and They Want It Now - The Cycle of Adversary Pursuit
When we discover new intrusions, we ask ourselves questions that will help us understand the totality of the activity set. How common is this activity? Is there anything unique or special about this malware or campaign? What is new and what is old in terms of TTPs or infrastructure? Is this being seen anywhere else? What information do I have that substantiates the nature of this threat actor? To track a fast-moving adversary over time, we exploit organic intrusion data, pivot to other data sets, and make that knowledge actionable for analysts and incident responders, enabling new
2020-03-31T10:00:00+00:00 https://www.mandiant.com/resources/blog/the-cycle-of-adversary-pursuit Tags: Malware, Threat

Mandiant - Mandiant Security Blog: Social Engineering Based on Stimulus Bill and COVID-19 Financial Compensation Schemes Expected to Grow in Coming Weeks
Given the community interest and media coverage surrounding the economic stimulus bill currently being considered by the United States House of Representatives, we anticipate attackers will increasingly leverage lures tailored to the new stimulus bill and related recovery efforts such as stimulus checks, unemployment compensation and small business loans. Although campaigns employing themes relevant to these matters are only beginning to be adopted by threat actors, we expect future campaigns, primarily those perpetrated by financially motivated threat actors, to incorporate these themes in
2020-03-27T14:00:00+00:00 https://www.mandiant.com/resources/blog/social-engineering-based-stimulus-bill-and-covid-19-financial-compensation-schemes-expected-grow-coming-weeks Tags: Threat

Mandiant - Mandiant Security Blog: This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits
Beginning this year, FireEye observed Chinese actor APT41 carry out one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years. Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers. Countries we've seen targeted include Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA. The following
2020-03-25T07:00:00+00:00 https://www.mandiant.com/resources/blog/apt41-initiates-global-intrusion-campaign-using-multiple-exploits Tags: Vulnerability, APT 41, APT-C-17
Mandiant - Mandiant Security Blog: Monitoring ICS Cyber Operation Tools and Software Exploit Modules To Anticipate Future Threats
There has only been a small number of broadly documented cyber attacks targeting operational technologies (OT) / industrial control systems (ICS) over the last decade. While fewer attacks is clearly a good thing, the lack of an adequate sample size to determine risk thresholds can make it difficult for defenders to understand the threat environment, prioritize security efforts, and justify resource allocation. To address this problem, FireEye Mandiant Threat Intelligence produces a range of reports for subscription customers that focus on different indicators to predict future threats
2020-03-23T07:00:00+00:00 https://www.mandiant.com/resources/blog/monitoring-ics-cyber-operation-tools-and-software-exploit-modules Tags: Tool, Threat, Industrial, Prediction
Mandiant - Mandiant Security Blog: Six Facts about Address Space Layout Randomization on Windows
Overcoming address space layout randomization (ASLR) is a precondition of virtually all modern memory corruption vulnerabilities. Breaking ASLR is an area of active research and can get incredibly complicated. This blog post presents some basic facts about ASLR, focusing on the Windows implementation. In addition to covering what ASLR accomplishes to improve security posture, we aim to give defenders advice on how to improve the security of their software, and to give researchers more insight into how ASLR works and ideas for investigating its limitations. Memory corruption vulnerabilities
2020-03-17T12:00:00+00:00 https://www.mandiant.com/resources/blog/six-facts-about-address-space-layout-randomization-on-windows

Mandiant - Mandiant Security Blog: They Come in the Night: Ransomware Deployment Trends
space technology firms, to the wool industry, to
2020-03-16T10:30:00+00:00 https://www.mandiant.com/resources/blog/they-come-in-the-night-ransomware-deployment-trends Tags: Ransomware, Threat, Industrial

Mandiant - Mandiant Security Blog: Crescendo: Real Time Event Viewer for macOS
Prior to 2017, researchers couldn't easily monitor actions performed by a process on macOS and had to resort to coding scripts that produced low level system call data. FireEye released Monitor.app in 2017, which enabled collection of information on macOS at a higher level; a simplified data set versus something like DTrace. I created many versions of Monitor.app over the years and have received very positive feedback from users. Recently though, users have noticed it doesn't work on macOS Catalina (10.15)... Originally, a kernel extension was required to provide the inspection
2020-03-09T11:00:00+00:00 https://www.mandiant.com/resources/blog/crescendo-real-time-event-viewer-for-macos
Mandiant - Mandiant Security Blog: Elevating Women in Cyber Security to Superhero Status
In the world of comics and related fiction, superheroes come in all forms, shapes and sizes, and from different backgrounds and universes. DC Comics introduced the first superhero as we know them today, Superman, in Action Comics #1 in 1938. The following year DC Comics introduced us to Batman in Detective Comics #27. With the enormous success of these debuts, creating another male superhero would have been a no-brainer for DC Comics. Instead, they gave us Wonder Woman in All-Star Comics #8 in 1941. Wonder Woman arrived on the scene armed with intelligence, strength and her Lasso of
2020-03-06T17:00:00+00:00 https://www.mandiant.com/resources/blog/elevating-women-cyber-security-superhero-status

Mandiant - Mandiant Security Blog: Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT
Since at least 2017, there has been a significant increase in public disclosures of ransomware incidents impacting industrial production and critical infrastructure organizations. Well-known ransomware families like WannaCry, LockerGoga, MegaCortex, Ryuk, Maze, and now SNAKEHOSE (a.k.a. Snake / Ekans), have cost victims across a variety of industry verticals many millions of dollars in ransom and collateral costs. These incidents have also resulted in significant disruptions and delays to the physical processes that enable organizations to produce and deliver goods and services. While lots
2020-02-24T23:30:00+00:00 https://www.mandiant.com/resources/blog/ransomware-against-machine-learning-to-disrupt-industrial-production Tags: Ransomware, Industrial, Wannacry

Mandiant - Mandiant Security Blog: M-Trends 2020: Insights From the Front Lines
Today we release M-Trends 2020, the 11th edition of our popular annual FireEye Mandiant report. This latest M-Trends contains all of the statistics, trends, case studies and hardening recommendations that readers have come to expect through the years, and more. One of the most exciting takeaways from this year's report: the global median dwell time is now 56 days. That means the average attacker is going undetected on a network for under two months, an M-Trends first. This is a very promising statistic that demonstrates how far we've come since 2011, when the global median dwell time was 416
2020-02-20T13:00:00+00:00 https://www.mandiant.com/resources/blog/mtrends-2020-insights-from-the-front-lines Tags: Studies
Mandiant - Mandiant Security Blog: The Missing LNK - Correlating User Search LNK files
Forensic investigators use LNK shortcut files to recover metadata about recently accessed files, including files deleted after the time of access. In a recent investigation, FireEye Mandiant encountered LNK files that indicated an attacker accessed files included in Windows Explorer search results. In our experience, this was a new combination of forensic artifacts. We're excited to share our findings because they help to paint a more complete picture of an attacker's actions and objectives on targeted systems. Further, these findings can also be leveraged for insider threat cases to determine
2020-02-19T18:30:00+00:00 https://www.mandiant.com/resources/blog/the-missing-lnk-correlating-user-search-lnk-files Tags: Threat

Mandiant - Mandiant Security Blog: "Distinguished Impersonator" Information Operation That Previously Impersonated U.S. Politicians and Journalists on Social Media Leverages Fabricated U.S. Liberal Personas to Promote Iranian Interests
In May 2019, FireEye Threat Intelligence published a blog post exposing a network of English-language social media accounts that engaged in inauthentic behavior and misrepresentation that we assessed with low confidence was organized in support of Iranian political interests. Personas in that network impersonated candidates for U.S. House of Representatives seats in 2018 and leveraged fabricated journalist personas to solicit various individuals, including real journalists and politicians, for interviews intended to bolster desired political narratives. Since the release of that blog post, we
2020-02-12T12:30:00+00:00 https://www.mandiant.com/resources/blog/information-operations-fabricated-personas-to-promote-iranian-interests Tags: Threat

Mandiant - Mandiant Security Blog: Managed Defense: The Analytical Mindset
When it comes to cyber security (managed services or otherwise), you're ultimately reliant on analyst expertise to keep your environment safe. Products and intelligence are necessary pieces of the security puzzle to generate detection signal and whittle down the alert chaff, but in the end, an analyst's trained eyes and investigative process are the deciding factors in effectively going from alerts to answers in your organization. This blog post highlights the events of a recent investigation by Managed Defense to showcase the investigative tooling and analysis process of our analysts.
2020-02-11T17:00:00+00:00 https://www.mandiant.com/resources/blog/managed-defense-analytical-mindset
Mandiant - Mandiant Security Blog STOMP 2 DIS: Brilliance in the (Visual) Basics Throughout January 2020, FireEye has continued to observe multiple targeted phishing campaigns designed to download and deploy a backdoor we track as MINEBRIDGE. The campaigns primarily targeted financial services organizations in the United States, though targeting is likely more widespread than those we've initially observed in our FireEye product telemetry. At least one campaign targeted South Korean organizations, including a marketing agency. In these campaigns, the phishing documents appeared to be carefully crafted and leveraged some publicly-documented - but in our experience
2020-02-05T14:15:00+00:00 https://www.mandiant.com/resources/blog/stomp-2-dis-brilliance-in-the-visual-basics www.secnews.physaphae.fr/article.php?IdArticle=8377663 False None None 4.0000000000000000
Mandiant - Mandiant Security Blog DLL Side-loading & Hijacking - Using Threat Intelligence to Weaponize R&D DLL Abuse Techniques Overview Dynamic-link library (DLL) side-loading occurs when Windows Side-by-Side (WinSxS) manifests are not explicit about the characteristics of DLLs being loaded by a program. In layman's terms, DLL side-loading can allow an attacker to trick a program into loading a malicious DLL. If you are interested in learning more about how DLL side-loading works and how we see attackers using this technique, read through our report. DLL hijacking occurs when an attacker is able to take advantage of the Windows search and load order, allowing the execution of a malicious DLL
2020-01-31T16:45:00+00:00 https://www.mandiant.com/resources/blog/abusing-dll-misconfigurations www.secnews.physaphae.fr/article.php?IdArticle=8377664 False Threat None 3.0000000000000000
Mandiant - Mandiant Security Blog Nice Try: 501 (Ransomware) Not Implemented An Ever-Evolving Threat Since January 10, 2020, FireEye has tracked extensive global exploitation of CVE-2019-19781, which continues to impact Citrix ADC and Gateway instances that are unpatched or do not have mitigations applied. We previously reported on attackers' swift attempts to exploit this vulnerability and the post-compromise deployment of the previously unseen NOTROBIN malware family by one threat actor. FireEye continues to actively track multiple clusters of activity associated with exploitation of this vulnerability, primarily based on how attackers interact with vulnerable
2020-01-24T17:00:00+00:00 https://www.mandiant.com/resources/blog/nice-try-501-ransomware-not-implemented www.secnews.physaphae.fr/article.php?IdArticle=8377665 False Malware,Vulnerability,Threat None 4.0000000000000000
Mandiant - Mandiant Security Blog Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor As noted in Rough Patch: I Promise It'll Be 200 OK, our FireEye Mandiant Incident Response team has been hard at work responding to intrusions stemming from the exploitation of CVE-2019-19781. After analyzing dozens of successful exploitation attempts against Citrix ADCs that did not have the Citrix mitigation steps implemented, we've recognized multiple groups of post-exploitation activity. Within these, something caught our eye: one particular threat actor that's been deploying a previously-unseen payload for which we've created the code family NOTROBIN. Upon gaining access to a
2020-01-15T15:00:00+00:00 https://www.mandiant.com/resources/blog/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor www.secnews.physaphae.fr/article.php?IdArticle=8377666 False Vulnerability,Threat None 3.0000000000000000
Mandiant - Mandiant Security Blog Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781) On Dec. 17, 2019, Citrix released security bulletin CTX267027, which identified a vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway. This vulnerability, assigned CVE-2019-19781, could allow an unauthenticated attacker to perform arbitrary remote code execution via directory traversal. This vulnerability received a score of 9.8 and was deemed Critical. On Jan. 8, 2020, Tripwire provided a very detailed explanation of the CVE that we recommend reading. Based on this background, many offensive security professionals described their ability to weaponize CVE-2019
2020-01-14T11:10:33+00:00 https://www.mandiant.com/resources/blog/rough-patch-promise-it-will-be-200-ok www.secnews.physaphae.fr/article.php?IdArticle=8377554 False Vulnerability None 4.0000000000000000
Mandiant - Mandiant Security Blog SAIGON, the Mysterious Ursnif Fork Ursnif (aka Gozi/Gozi-ISFB) is one of the oldest banking malware families still in active distribution. While the first major version of Ursnif was identified in 2006, several subsequent versions have been released in large part due to source code leaks. FireEye reported on a previously unidentified variant of the Ursnif malware family to our threat intelligence subscribers in September 2019 after identification of a server that hosted a collection of tools, which included multiple point-of-sale malware families. This malware self-identified as "SaiGon version 3.50 rev 132," and our analysis
2020-01-09T17:30:00+00:00 https://www.mandiant.com/resources/blog/saigon-mysterious-ursnif-fork www.secnews.physaphae.fr/article.php?IdArticle=8377667 False Malware,Threat None 3.0000000000000000
Mandiant - Mandiant Security Blog The Mandiant Approach to Operational Technology (OT) Security This post explains the Mandiant philosophy and broader approach to operational technology (OT) security. In summary, we find that combined visibility into both the IT and OT environments is critical for detecting malicious activity at any stage of an OT intrusion. The Mandiant approach to OT security is to: Detect threats early using full situational awareness of IT and OT networks. The surface area for most intrusions transcends architectural layers because at almost every level along the way, there are computers (servers and workstations) and networks using the same or similar
2019-12-11T13:00:00+00:00 https://www.mandiant.com/resources/blog/Mandiant-approach-to-operational-technology-security www.secnews.physaphae.fr/article.php?IdArticle=8377668 False Industrial None 3.0000000000000000
Mandiant - Mandiant Security Blog Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774) Attackers have a dirty little secret that is being used to conduct big intrusions. We'll explain how they're "unpatching" an exploit and then provide new Outlook hardening guidance that is not available elsewhere. Specifically, this blog post covers field-tested automated registry processing for registry keys to protect against attacker attempts to reverse Microsoft's CVE-2017-11774 patch functionality. Despite multiple warnings from FireEye and U.S. Cyber Command, we have continued to observe an uptick in successful exploitation of CVE-2017-11774, a client-side Outlook attack that involves
2019-12-04T10:00:00+00:00 https://www.mandiant.com/resources/blog/breaking-the-rules-tough-outlook-for-home-page-attacks www.secnews.physaphae.fr/article.php?IdArticle=8377669 False None None 3.0000000000000000
Mandiant - Mandiant Security Blog Excelerating Analysis – Tips and Tricks to Analyze Data with Microsoft Excel Incident response investigations don't always involve standard host-based artifacts with fully developed parsing and analysis tools. At FireEye Mandiant, we frequently encounter incidents that involve a number of systems and solutions that utilize custom logging or artifact data. Determining what happened in an incident involves taking a dive into whatever type of data we are presented with, learning about it, and developing an efficient way to analyze the important evidence. One of the most effective tools to perform this type of analysis is one that is in almost everyone's toolkit
2019-12-03T16:00:00+00:00 https://www.mandiant.com/resources/blog/tips-and-tricks-to-analyze-data-with-microsoft-excel www.secnews.physaphae.fr/article.php?IdArticle=8377670 False Tool None 3.0000000000000000
Mandiant - Mandiant Security Blog FIDL: FLARE's IDA Decompiler Library IDA Pro and the Hex Rays decompiler are a core part of any toolkit for reverse engineering and vulnerability research. In a previous blog post we discussed how the Hex-Rays API can be used to solve small, well-defined problems commonly seen as part of malware analysis. Having access to a higher-level representation of binary code makes the Hex-Rays decompiler a powerful tool for reverse engineering. However, interacting with the HexRays API and its underlying data sources can be daunting, making the creation of generic analysis scripts difficult or tedious. This blog post introduces the FLA
2019-11-25T20:00:00+00:00 https://www.mandiant.com/resources/blog/fidl-flares-ida-decompiler-library www.secnews.physaphae.fr/article.php?IdArticle=8377671 False Malware,Tool,Vulnerability None 3.0000000000000000
Mandiant - Mandiant Security Blog Attention is All They Need: Combatting Social Media Information Operations With Neural Language Models Information operations have flourished on social media in part because they can be conducted cheaply, are relatively low risk, have immediate global reach, and can exploit the type of viral amplification incentivized by platforms. Using networks of coordinated accounts, social media-driven information operations disseminate and amplify content designed to promote specific political narratives, manipulate public opinion, foment discord, or achieve strategic ideological or geopolitical objectives. FireEye's recent public reporting illustrates the continually evolving use of social media as a
2019-11-14T17:00:00+00:00 https://www.mandiant.com/resources/blog/attention-all-they-need-combatting-social-media-information-operations-neural-language-models www.secnews.physaphae.fr/article.php?IdArticle=8377672 False None None 4.0000000000000000
Mandiant - Mandiant Security Blog MESSAGETAP: Who's Reading Your Text Messages? August 2019 blog post or
2019-10-31T08:00:00+00:00 https://www.mandiant.com/resources/blog/messagetap-who-is-reading-your-text-messages www.secnews.physaphae.fr/article.php?IdArticle=8377673 False Malware,Tool APT 41 3.0000000000000000
Mandiant - Mandiant Security Blog Shikata Ga Nai Encoder Still Going Strong One of the most popular exploit frameworks in the world is Metasploit. Its vast library of pocket exploits, pluggable payload environment, and simplicity of execution makes it the de facto base platform. Metasploit is used by pentesters, security enthusiasts, script kiddies, and even malicious actors. It is so prevalent that its user base even includes APT threat actors, as we will demonstrate later in the blog post. Despite Metasploit's over 15 year existence, there are still core techniques that go undetected, allowing malicious actors to evade detection. One of these core techniques is
2019-10-21T12:00:00+00:00 https://www.mandiant.com/resources/blog/shikata-ga-nai-encoder-still-going-strong www.secnews.physaphae.fr/article.php?IdArticle=8377674 False Threat None 3.0000000000000000
Mandiant - Mandiant Security Blog Definitive Dossier of Devilish Debug Details – Part Deux: A Didactic Deep Dive into Data Driven Deductions In Part One of this blog series, Steve Miller outlined what PDB paths are, how they appear in malware, how we use them to detect malicious files, and how we sometimes use them to make associations about groups and actors. As Steve continued his research into PDB paths, we became interested in applying more general statistical analysis. The PDB path as an artifact poses an intriguing use case for a couple of reasons. First, the PDB artifact is not directly tied to the functionality of the binary. As a byproduct of the compilation process, it contains information about the development
2019-10-17T10:30:00+00:00 https://www.mandiant.com/resources/blog/definitive-dossier-devilish-debug-details-part-deux-didactic-deep-dive-data-driven-deductions www.secnews.physaphae.fr/article.php?IdArticle=8377675 False None None 3.0000000000000000
Mandiant - Mandiant Security Blog LOWKEY: Hunting for the Missing Volume Serial ID In August 2019, FireEye released the “Double Dragon” report on our newest graduated threat group: APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services. This blog post is about the sophisticated passive backdoor we track as LOWKEY, mentioned in the APT41 report and recently unveiled at the FireEye Cyber Defense Summit. We observed LOWKEY being used in highly targeted attacks, utilizing payloads that run only on specific systems. Additional malware family
2019-10-15T09:15:00+00:00 https://www.mandiant.com/resources/blog/lowkey-hunting-missing-volume-serial-id www.secnews.physaphae.fr/article.php?IdArticle=8377676 False Malware,Threat APT 41,APT-C-17 4.0000000000000000
Mandiant - Mandiant Security Blog Staying Hidden on the Endpoint: Evading Detection with Shellcode True red team assessments require a secondary objective of avoiding detection. Part of the glory of a successful red team assessment is not getting detected by anything or anyone on the system. As modern Endpoint Detection and Response (EDR) products have matured over the years, the red teams must follow suit. This blog post will provide some insights into how the FireEye Mandiant Red Team crafts payloads to bypass modern EDR products and get full command and control (C2) on their victims' systems. Shellcode injection or its execution is our favorite method for launching our C2 payload on a
2019-10-10T13:00:00+00:00 https://www.mandiant.com/resources/blog/staying-hidden-on-the-endpoint-evading-detection-with-shellcode www.secnews.physaphae.fr/article.php?IdArticle=8377677 False None None 4.0000000000000000
Mandiant - Mandiant Security Blog Mahalo FIN7: Responding to the Criminal Operators' New Tools and Techniques During several recent incident response engagements, FireEye Mandiant investigators uncovered new tools in FIN7's malware arsenal and kept pace as the global criminal operators attempted new evasion techniques. In this blog, we reveal two of FIN7's new tools that we have called BOOSTWRITE and RDFSNIFFER. The first of FIN7's new tools is BOOSTWRITE – an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus
2019-10-10T07:00:00+00:00 https://www.mandiant.com/resources/blog/mahalo-fin7-responding-to-new-tools-and-techniques www.secnews.physaphae.fr/article.php?IdArticle=8377678 False Malware,Tool None 3.0000000000000000
Mandiant - Mandiant Security Blog Living off the Orchard: Leveraging Apple Remote Desktop for Good and Evil Attackers often make their lives easier by relying on pre-existing operating system and third party applications in an enterprise environment. Leveraging these applications assists them with blending in with normal network activity and removes the need to develop or bring their own malware. This tactic is often referred to as Living Off The Land. But what about when that land is an Apple orchard? In recent enterprise macOS investigations, FireEye Mandiant identified the Apple Remote Desktop application as a lateral movement vector and as a source for valuable forensic artifacts. Apple
2019-10-09T09:00:00+00:00 https://www.mandiant.com/resources/blog/leveraging-apple-remote-desktop-for-good-and-evil www.secnews.physaphae.fr/article.php?IdArticle=8377409 False None None 3.0000000000000000
Mandiant - Mandiant Security Blog Head Fake: Tackling Disruptive Ransomware Attacks Within the past several months, FireEye has observed financially-motivated threat actors employ tactics that focus on disrupting business processes by deploying ransomware in mass throughout a victim's environment. Understanding that normal business processes are critical to organizational success, these ransomware campaigns have been accompanied with multi-million dollar ransom amounts. In this post, we'll provide a technical examination of one recent campaign that stems back to a technique that we initially reported on in April 2018. Between May and September 2019, FireEye responded to
2019-10-01T05:00:00+00:00 https://www.mandiant.com/resources/blog/head-fake-tackling-disruptive-ransomware-attacks www.secnews.physaphae.fr/article.php?IdArticle=8377679 False Ransomware,Threat None 3.0000000000000000
Mandiant - Mandiant Security Blog The FireEye OT-CSIO: An Ontology to Understand, Cross-Compare, and Assess Operational Technology Cyber Security Incidents The FireEye Operational Technology Cyber Security Incident Ontology (OT-CSIO) While the number of threats to operational technology (OT) has significantly increased since the discovery of Stuxnet – driven by factors such as the growing convergence with information technology (IT) networks and the increasing availability of OT information, technology, software, and reference materials – we have observed only a small number of real-world OT-focused attacks. The limited sample size of well-documented OT attacks and lack of analysis from a macro level perspective represents a challenge for
2019-09-30T12:00:00+00:00 https://www.mandiant.com/resources/blog/ontology-understand-assess-operational-technology-cyber-incidents www.secnews.physaphae.fr/article.php?IdArticle=8377680 False Industrial None 4.0000000000000000
Mandiant - Mandiant Security Blog 2019 Flare-On Challenge Solutions We are pleased to announce the conclusion of the sixth annual Flare-On Challenge. The popularity of this event continues to grow and this year we saw a record number of players as well as finishers. We will break down the numbers later in the post, but right now let's look at the fun stuff: the prize! Each of the 308 dedicated and amazing players that finished our marathon of reverse engineering this year will receive a medal. These hard-earned awards will be shipping soon. Incidentally, the number of finishers smashed our estimates, so we have had to order more prizes. We would like
2019-09-27T07:00:00+00:00 https://www.mandiant.com/resources/blog/2019-flare-on-challenge-solutions www.secnews.physaphae.fr/article.php?IdArticle=8377681 False None None 3.0000000000000000
Mandiant - Mandiant Security Blog Open Sourcing StringSifter Malware analysts routinely use the Strings program during static analysis in order to inspect a binary's printable characters. However, identifying relevant strings by hand is time consuming and prone to human error. Larger binaries produce upwards of thousands of strings that can quickly evoke analyst fatigue, relevant strings occur less often than irrelevant ones, and the definition of "relevant" can vary significantly among analysts. Mistakes can lead to missed clues that would have reduced overall time spent performing malware analysis, or even worse, incomplete or incorrect investigatory
2019-09-07T12:00:00+00:00 https://www.mandiant.com/resources/blog/open-sourcing-stringsifter www.secnews.physaphae.fr/article.php?IdArticle=8377682 False Malware None 4.0000000000000000
Mandiant - Mandiant Security Blog Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment UPDATE (Oct. 30, 2020): We have updated the report to include additional protection and containment strategies based on front-line visibility and response efforts in combating ransomware. While the full scope of recommendations included within the initial report remain unchanged, the following strategies have been added into the report: Windows Firewall rule configurations to block specific binaries from establishing outbound connections from endpoints; Domain Controller isolation and recovery planning steps; Proactive GPO permissions review and monitoring guidance. Ransomware is a global
2019-09-05T04:00:00+00:00 https://www.mandiant.com/resources/blog/ransomware-protection-and-containment-strategies www.secnews.physaphae.fr/article.php?IdArticle=8377683 False Ransomware None 3.0000000000000000
Mandiant - Mandiant Security Blog SharPersist: Windows Persistence Toolkit in C# Background PowerShell has been used by the offensive community for several years now but recent advances in the defensive security industry are causing offensive toolkits to migrate from PowerShell to reflective C# to evade modern security products. Some of these advancements include Script Block Logging, Antimalware Scripting Interface (AMSI), and the development of signatures for malicious PowerShell activity by third-party security vendors. Several public C# toolkits such as Seatbelt, SharpUp and SharpView have been released to assist with tasks in various phases of the attack lifecycle
2019-09-03T11:30:00+00:00 https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit www.secnews.physaphae.fr/article.php?IdArticle=8377684 False None None 3.0000000000000000
Mandiant - Mandiant Security Blog Definitive Dossier of Devilish Debug Details – Part One: PDB Paths and Malware Have you ever wondered what goes through the mind of a malware author? How they build their tools? How they organize their development projects? What kind of computers and software they use? We took a stab at answering some of those questions by exploring malware debug information. We find that malware developers give descriptive names to their folders and code projects, often describing the capabilities of the malware in development. These descriptive names thus show up in a PDB path when a malware project is compiled with symbol debugging information. Everyone loves an origin story, and
2019-08-29T17:00:00+00:00 https://www.mandiant.com/resources/blog/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware www.secnews.physaphae.fr/article.php?IdArticle=8377685 False Malware None 3.0000000000000000
Mandiant - Mandiant Security Blog GAME OVER: Detecting and Stopping an APT41 Operation In August 2019, FireEye released the “Double Dragon” report on our newest graduated threat group, APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services. APT41 is known to adapt quickly to changes and detections within victim environments, often recompiling malware within hours of incident responder activity. In multiple situations, we also identified APT41 utilizing recently-disclosed vulnerabilities, often weaponizing and exploiting within a matter of days.
2019-08-19T12:30:00+00:00 https://www.mandiant.com/resources/blog/game-over-detecting-and-stopping-an-apt41-operation www.secnews.physaphae.fr/article.php?IdArticle=8377689 False Malware,Threat APT 41,APT 41 4.0000000000000000
Mandiant - Mandiant Security Blog: Showing Vulnerability to a Machine: Automated Prioritization of Software Vulnerabilities
Introduction
If a software vulnerability can be detected and remedied, then a potential intrusion is prevented. While not all software vulnerabilities are known, 86 percent of vulnerabilities leading to a data breach were patchable, though there is some risk of inadvertent damage when applying software patches. When new vulnerabilities are identified they are published in the Common Vulnerabilities and Exposures (CVE) dictionary by vulnerability databases, such as the National Vulnerability Database (NVD). The Common Vulnerability Scoring System (CVSS) provides a metric for
2019-08-13T11:45:00+00:00 https://www.mandiant.com/resources/blog/automated-prioritization-of-software-vulnerabilities www.secnews.physaphae.fr/article.php?IdArticle=8377690 False Data Breach,Vulnerability None 3.0000000000000000
Mandiant - Mandiant Security Blog: Commando VM 2.0: Customization, Containers, and Kali, Oh My!
The Complete Mandiant Offensive Virtual Machine (“Commando VM”) took the penetration testing community by storm when it debuted in early 2019 at Black Hat Asia Arsenal. Our 1.0 release made headway featuring more than 140 tools. Well, now we are back again for another spectacular release, this time at Black Hat USA Arsenal 2019! In this 2.0 release we've listened to the community and implemented some new must-have features: Kali Linux, Docker containers, and package customization.
About Commando VM
Penetration testers commonly use their own variants of Windows machines when assessing
2019-08-07T14:15:00+00:00 https://www.mandiant.com/resources/blog/commando-vm-customization-containers-kali www.secnews.physaphae.fr/article.php?IdArticle=8377691 False None None 3.0000000000000000
Mandiant - Mandiant Security Blog: APT41: A Dual Espionage and Cyber Crime Operation
Today, FireEye Intelligence is releasing a comprehensive report detailing APT41, a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain. Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations
2019-08-07T07:00:00+00:00 https://www.mandiant.com/resources/blog/apt41-dual-espionage-and-cyber-crime-operation www.secnews.physaphae.fr/article.php?IdArticle=8377686 False Threat APT 41,APT 41 4.0000000000000000
Mandiant - Mandiant Security Blog: Announcing the Sixth Annual Flare-On Challenge
The FireEye Labs Advanced Reverse Engineering (FLARE) team is thrilled to announce that the popular Flare-On reverse engineering challenge will return for the sixth straight year. The contest will begin at 8:00 p.m. ET on Aug. 16, 2019. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security professionals. The contest runs for six full weeks and ends at 8:00 p.m. ET on Sept. 27, 2019. This year's contest will feature a total of 12 challenges covering a variety of architectures from x86 on Windows, .NET, Linux, and Android. Also, for the
2019-07-30T11:15:00+00:00 https://www.mandiant.com/resources/blog/announcing-sixth-annual-flare-challenge www.secnews.physaphae.fr/article.php?IdArticle=8377687 False Malware None 3.0000000000000000
Mandiant - Mandiant Security Blog: Finding Evil in Windows 10 Compressed Memory, Part One: Volatility and Rekall Tools
Paging all digital forensicators, incident responders, and memory manager enthusiasts! Have you ever found yourself at a client site working around the clock to extract evil from a Windows 10 image? Have you hit the wall at step zero, running into difficulties viewing a process tree, or enumerating kernel modules? Or even worse, had to face the C-Suite and let them know you couldn't find any evil? Well fear no more – FLARE has you covered. We've analyzed Windows 10 and integrated our research into the Volatility and Rekall tools for your immediate consumption! Until August 2013, as a skilled
2019-07-25T14:15:00+00:00 https://www.mandiant.com/resources/blog/finding-evil-in-windows-ten-compressed-memory-part-one www.secnews.physaphae.fr/article.php?IdArticle=8377688 False Tool None 4.0000000000000000
Mandiant - Mandiant Security Blog: Hard Pass: Declining APT34's Invite to Join Their Professional Network
Background
With increasing geopolitical tensions in the Middle East, we expect Iran to significantly increase the volume and scope of its cyber espionage campaigns. Iran has a critical need for strategic intelligence and is likely to fill this gap by conducting espionage against decision makers and key organizations that may have information that furthers Iran's economic and national security goals. The identification of new malware and the creation of additional infrastructure to enable such campaigns highlights the increased tempo of these operations in support of Iranian interests. Fi
2019-07-18T10:00:00+00:00 https://www.mandiant.com/resources/blog/hard-pass-declining-apt34-invite-to-join-their-professional-network www.secnews.physaphae.fr/article.php?IdArticle=8377692 False Malware APT 34,APT 34 4.0000000000000000
Mandiant - Mandiant Security Blog: Hunting COM Objects (Part Two)
Background
As a follow-up to Part One in this blog series on COM object hunting, this post will take the COM object hunting methodology deeper by looking at interesting COM object methods exposed in properties and sub-properties of COM objects.
What is a COM Object?
According to Microsoft, “The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft's OLE (compound documents), ActiveX (Internet-enabled components), as well
2019-06-11T10:15:00+00:00 https://www.mandiant.com/resources/blog/hunting-com-objects-part-two www.secnews.physaphae.fr/article.php?IdArticle=8377693 False None None 4.0000000000000000
Mandiant - Mandiant Security Blog: Hunting COM Objects
COM objects have recently been used by penetration testers, Red Teams, and malicious actors to perform lateral movement. COM objects were studied by several other researchers in the past, including Matt Nelson (enigma0x3), who published a blog post about it in 2017. Some of these COM objects were also added to the Empire project. To improve the Red Team practice, FireEye performed research into the available COM objects on Windows 7 and 10 operating systems. Several interesting COM objects were discovered that allow task scheduling, fileless download and execute, as well as command execution
2019-06-04T09:45:00+00:00 https://www.mandiant.com/resources/blog/hunting-com-objects www.secnews.physaphae.fr/article.php?IdArticle=8377694 False None None 4.0000000000000000
Mandiant - Mandiant Security Blog: Framing the Problem: Cyber Threats and Elections
This year, Canada, multiple European nations, and others will host high profile elections. The topic of cyber-enabled threats disrupting and targeting elections has become an increasing area of awareness for governments and citizens globally. To develop solutions and security programs to counter cyber threats to elections, it is important to begin with properly categorizing the threat. In this post, we'll explore the various threats to elections FireEye has observed and provide a framework for organizations to sort these activities.
The Election Ecosystem: Targets
Historically, FireEye
2019-05-30T10:00:00+00:00 https://www.mandiant.com/resources/blog/framing-problem-cyber-threats-and-elections www.secnews.physaphae.fr/article.php?IdArticle=8377695 False None None 3.0000000000000000
Mandiant - Mandiant Security Blog: Learning to Rank Strings Output for Speedier Malware Analysis
Reverse engineers, forensic investigators, and incident responders have an arsenal of tools at their disposal to dissect malicious software binaries. When performing malware analysis, they successively apply these tools in order to gradually gather clues about a binary's function, design detection methods, and ascertain how to contain its damage. One of the most useful initial steps is to inspect its printable characters via the Strings program. A binary will often contain strings if it performs operations like printing an error message, connecting to a URL, creating a registry key, or copying
2019-05-29T09:30:00+00:00 https://www.mandiant.com/resources/blog/learning-rank-strings-output-speedier-malware-analysis www.secnews.physaphae.fr/article.php?IdArticle=8377696 False Malware,Tool None 4.0000000000000000
Mandiant - Mandiant Security Blog: The Biggest Mistakes Made When Presenting Cyber Security to Senior Leadership or the Board, and How to Fix Them
The goal of communicating cyber security topics with senior executives and boards is to help them understand the top cyber security concerns, the impacts to the business and possible mitigation approaches so they can establish priorities and allocate required resources. With such a critical outcome, why is it that most who present fail to achieve this goal?
It's About Them, Not You
Most cyber security presentations to senior management and board members continue to focus on technology and poorly relatable data points that are of relevance only to IT security operations personnel and no
2019-05-06T11:00:00+00:00 https://www.mandiant.com/resources/blog/biggest-mistakes-when-presenting-cyber-security-to-board-and-how-to-fix www.secnews.physaphae.fr/article.php?IdArticle=8377476 False None None 3.0000000000000000
Mandiant - Mandiant Security Blog: CARBANAK Week Part Four: The CARBANAK Desktop Video Player
Part One, Part Two and Part Three of CARBANAK Week are behind us. In this final blog post, we dive into one of the more interesting tools that is part of the CARBANAK toolset. The CARBANAK authors wrote their own video player and we happened to come across an interesting video capture from CARBANAK of a network operator preparing for an offensive engagement. Can we replay it?
About the Video Player
The CARBANAK backdoor is capable of recording video of the victim's desktop. Attackers reportedly viewed recorded desktop videos to gain an understanding of the operational workflow of
2019-04-25T08:01:01+00:00 https://www.mandiant.com/resources/blog/carbanak-week-part-four-desktop-video-player www.secnews.physaphae.fr/article.php?IdArticle=8377555 False Tool None 3.0000000000000000
Mandiant - Mandiant Security Blog: CARBANAK Week Part Three: Behind the CARBANAK Backdoor
We covered a lot of ground in Part One and Part Two of our CARBANAK Week blog series. Now let's take a look back at some of our previous analysis and see how it holds up. In June 2017, we published a blog post sharing novel information about the CARBANAK backdoor, including technical details, intel analysis, and some interesting deductions about its operations we formed from the results of automating analysis of hundreds of CARBANAK samples. Some of these deductions were claims about the toolset and build practices for CARBANAK. Now that we have a snapshot of the source code and toolset
2019-04-24T08:01:01+00:00 https://www.mandiant.com/resources/blog/carbanak-week-part-three-behind-the-backdoor www.secnews.physaphae.fr/article.php?IdArticle=8377556 False None None 3.0000000000000000
Mandiant - Mandiant Security Blog: CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis
Update (April 30): Following the release of our four-part CARBANAK Week blog series, many readers have found places to make the data shared in these posts actionable. We have updated this post to include some of this information.
In the previous installment, we wrote about how string hashing was used in CARBANAK to manage Windows API resolution throughout the entire codebase. But the authors used this same string hashing algorithm for another task as well. In this installment, we'll pick up where we left off and write about CARBANAK's antivirus (AV) detection, AV evasion, authorship
2019-04-23T12:45:00+00:00 https://www.mandiant.com/resources/blog/carbanak-week-part-two-continuing-carbanak-source-code-analysis www.secnews.physaphae.fr/article.php?IdArticle=8377697 False None None 3.0000000000000000
Mandiant - Mandiant Security Blog: CARBANAK Week Part One: A Rare Occurrence
It is very unusual for FLARE to analyze a prolific, privately developed backdoor only to have its source code and operator tools fall into our laps. Yet that is the extraordinary circumstance that sets the stage for CARBANAK Week, a four-part blog series that begins with this post. CARBANAK is one of the most full-featured backdoors in the world. It has been used to perpetrate millions of dollars in financial crimes, largely by the group we track as
2019-04-22T12:00:00+00:00 https://www.mandiant.com/resources/blog/carbanak-week-part-one-a-rare-occurrence www.secnews.physaphae.fr/article.php?IdArticle=8377698 False Tool None 3.0000000000000000
Mandiant - Mandiant Security Blog: Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic
In early 2019, FireEye Threat Intelligence identified a spear phishing email targeting government entities in Ukraine. The spear phishing email included a malicious LNK file with a PowerShell script to download the second-stage payload from the command and control (C&C) server. The email was received by military departments in Ukraine and included lure content related to the sale of demining machines. This latest activity is a continuation of spear phishing that targeted the Ukrainian Government as early as 2014. The email is linked to activity that previously targeted the Ukrainian
2019-04-16T02:00:00+00:00 https://www.mandiant.com/resources/blog/spear-phishing-campaign-targets-ukraine-government-and-military-infrastructure-reveals-potential-link-so-called-luhansk-peoples-republic www.secnews.physaphae.fr/article.php?IdArticle=8377699 False Threat None 4.0000000000000000
Mandiant - Mandiant Security Blog: TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping
Overview
FireEye can now confirm that we have uncovered and are responding to an additional intrusion by the attacker behind TRITON at a different critical infrastructure facility. In December 2017, FireEye publicly released our first analysis on the TRITON attack, where malicious actors used the TRITON custom attack framework to manipulate industrial safety systems at a critical infrastructure facility and inadvertently caused a process shutdown. In subsequent research we examined how the attackers may have gained access to critical components needed to build the TRITON attack framework
2019-04-09T23:00:00+00:00 https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections www.secnews.physaphae.fr/article.php?IdArticle=8377700 False Industrial None 3.0000000000000000
Mandiant - Mandiant Security Blog: Churning Out Machine Learning Models: Handling Changes in Model Predictions
Introduction
Machine learning (ML) is playing an increasingly important role in cyber security. Here at FireEye, we employ ML for a variety of tasks such as antivirus, malicious PowerShell detection, and correlating threat actor behavior. While many people think that a data scientist's job is finished when a model is built, the truth is that cyber threats constantly change and so must our models. The initial training is only the start of the process, and ML model maintenance creates a large amount of technical debt. Google provides a helpful introduction to this topic in their paper “Machin
2019-04-09T12:00:00+00:00 https://www.mandiant.com/resources/blog/churning-out-machine-learning-models-handling-changes-in-model-predictions www.secnews.physaphae.fr/article.php?IdArticle=8377701 False Threat None 3.0000000000000000
Mandiant - Mandiant Security Blog: Finding Weaknesses Before the Attackers Do
This blog post originally appeared as an article in M-Trends 2019. FireEye Mandiant red team consultants perform objectives-based assessments that emulate real cyber attacks by advanced and nation state attackers across the entire attack lifecycle, blending into environments and observing how employees interact with their workstations and applications. Assessments like this help organizations identify weaknesses in their current detection and response procedures so they can update their existing security programs to better deal with modern threats. A financial services firm engaged a
2019-04-08T11:30:00+00:00 https://www.mandiant.com/resources/blog/finding-weaknesses-attackers-do www.secnews.physaphae.fr/article.php?IdArticle=8377702 False None None 3.0000000000000000
Mandiant - Mandiant Security Blog: Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
Summary
Recently, FireEye Managed Defense detected and responded to a FIN6 intrusion at a customer within the engineering industry, which seemed out of character due to FIN6's historical targeting of payment card data. The intent of the intrusion was initially unclear because the customer did not have or process payment card data. Fortunately, every investigation conducted by Managed Defense or Mandiant includes analysts from our FireEye Advanced Practices team who help correlate activity observed in our hundreds of investigations and voluminous threat intelligence holdings. Our team
2019-04-05T12:00:00+00:00 https://www.mandiant.com/resources/blog/pick-six-intercepting-a-fin6-intrusion www.secnews.physaphae.fr/article.php?IdArticle=8377703 False Ransomware,Threat None 3.0000000000000000
Mandiant - Mandiant Security Blog: What General Counsel Need to Do to Prepare for a Cyber Breach
General Counsel (GC) address myriad legal and business challenges, but none may be as harrowing as dealing with a cyber attack. Even before dealing with an incident, there is the stress of simply not knowing when a successful attack may occur – especially since there is no guaranteed method of preventing it and any organization can be in the crosshairs. Data from our most recent M-Trends 2019 report shows that businesses in nearly every industry or market experienced a breach last year. Before a GC can focus on developing an appropriate incident response (IR) plan, they must fully
2019-03-28T11:00:00+00:00 https://www.mandiant.com/resources/blog/what-general-counsel-needs-to-prepare-for-cyber-breach www.secnews.physaphae.fr/article.php?IdArticle=8377475 False None None 2.0000000000000000
Mandiant - Mandiant Security Blog: Commando VM: The First of Its Kind Windows Offensive Distribution
For penetration testers looking for a stable and supported Linux testing platform, the industry agrees that Kali is the go-to platform. However, if you'd prefer to use Windows as an operating system, you may have noticed that a worthy platform didn't exist. As security researchers, every one of us has probably spent hours customizing a Windows working environment at least once, and we all use the same tools, utilities, and techniques during customer engagements. Therefore, maintaining a custom environment while keeping all our tool sets up-to-date can be a monotonous chore for all
2019-03-28T08:00:00+00:00 https://www.mandiant.com/resources/blog/commando-vm-windows-offensive-distribution www.secnews.physaphae.fr/article.php?IdArticle=8377704 False Tool None 3.0000000000000000