McAfee coverage for stolen FireEye Red Team tools

Technical Articles ID: KB93830
Last Modified: 12/28/2020

Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.x
McAfee Host Intrusion Prevention (Host IPS) 8.0
McAfee Network Security Platform (NSP) 10.x, 9.x

Summary

Recent changes to this article

Date	Update
December 29, 2020	Added Expert Rules for CVE-2019-8394 and CVE-2020-0688/CVE-2019-0604.
December 17, 2020	Removed a duplicate instance of GenericRXLR-FP.
December 16, 2020	Updated NSP Signature Set details. Updated DAT content details. Removed Extra.DAT attachment. Added Expert Rule for CVE-2020-10189.
December 14, 2020	Added link to KB93851 - REGISTERED - NSP Emergency UDS Release Notes for User-Defined Signature.
December 9, 2020	Extra.ZIP attachment updated. Detection names added. MVISION Campaign name added.

McAfee is aware of a FireEye white paper that describes stolen Red Team tools from FireEye and the notice to the public of those tools being potentially used maliciously.

McAfee assessment of this issue is ongoing.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Solution

NSP
NSP coverage is confirmed for all 16 CVEs.

CVE	Attack ID
CVE-2014-1812	0x43c0ef00
CVE-2019-0708	0x47900c00
CVE-2017-11774	0x45266f00
CVE-2018-15961	0x4527df00
CVE-2019-19781	0x45272800
CVE-2019-3398	0x4527e000
CVE-2019-11580	0x45285100
CVE-2018-13379	0x45274900
CVE-2020-0688	0x45279200
CVE-2019-11510	0x40200c00
CVE-2019-0604	0x45261c00
CVE-2020-10189	0x45282e00
CVE-2019-8394	0x4527de00
CVE-2016-0167	0x451a2400
CVE-2020-1472	0x47607900
CVE-2018-8581	0x4525a000

The December 15, 2020, NSP Signature Set contains the UDSs for Attack ID 0x43c0ef00 formerly linked above. For reference, they were:

The referenced article is available only to registered ServicePortal users.

To view registered articles:

Log on to the ServicePortal at http://support.mcafee.com.
Type the article ID in the search field on the home page.
Click Search or press Enter.

Solution

McAfee DAT / Antivirus Scanner Content
Coverage for known binaries in this threat campaign is included in production DATs. More generic coverage that was formerly provided by Extra.DAT is contained in production AMCore 4289 (ENS) and DAT 9837 (VSE) and later, both released on December 16, 2020.

Global Threat Intelligence (GTI) Cloud also provides detection capability.

Detection names are subject to change. But at the time of publication, they include the following:

GenericRXGM-ZG
GenericRXIJ-FB
GenericRXKK-BW
GenericRXLJ-WX
GenericRXLK-DW
GenericRXLM-TO
GenericRXLR-FP
GenericRXLS-FV
GenericRXLS-VC
GenericRXMC-ZM
GenericRXMF-TL
GenericRXMG-VD
GenericRXMI-FN
GenericRXMI-UU
GenericRXMN-CC
GenericRXMO-QY
GenericRXMO-SZ
GenericRXMQ-PM
GenericRXMU-MO
HTA/Cobalstrike.a
HackTool-FEY
HackTool-Leak.a
HackTool-Leak.c
PUP-XGW-FN
PUP-XME-SY
RDN/Generic BackDoor
RDN/Generic Downloader.x
RDN/Generic.dx
RDN/Generic.grp
Trojan-Cobalt
Trojan-FPWJ
Trojan-FQND
Trojan-FRQF
Trojan-FSXF
Trojan-FTEH
W97M/Downloader.st
ZeroLogon

Solution

Exploit Prevention / Host IPS
Coverage for ENS Threat Prevention Exploit Prevention and Host IPS is under evaluation. The following CVEs have been confirmed.

CVE-2019-0708	RCE of Windows Remote Desktop Services (RDS)	Covered by existing Network Intrusion Prevention System (NIPS) signature 6137
CVE-2016-0167	Local privilege escalation on older versions of Microsoft Windows	Expected coverage by Generic Privilege Escalation Prevention (GPEP)
CVE-2020-1472	Microsoft Active Directory escalation of privileges	Covered by 6182
CVE-2020-10189	RCE for ZoHo ManageEngine Desktop Central	Expert Rule below
CVE-2019-8394	Zoho ManageEngine ServiceDesk Plus (SDP) Arbitrary File Upload	Expert Rule below
CVE-2020-0688 CVE-2019-0604	IIS Enveloping Signature	Expert Rule below

Expert Rule for CVE-2020-10189 - RCE for ZoHo ManageEngine Desktop Central:

Rule name	Block ZoHo ManageEngine Desktop Central RCE
Severity	High
Action	Block, Report
Rule type	Processes
Rule content	Rule { Process { Include OBJECT_NAME { -v "\\DesktopCentral_Server\\jre\\bin\\java.exe" } Include PROCESS_CMD_LINE { -v "DCStarter" } } Target { Match PROCESS { Include OBJECT_NAME { -v "cmd.exe" } Include OBJECT_NAME { -v "powershell.exe" } Include OBJECT_NAME { -v "cscript.exe" } Include OBJECT_NAME { -v "wscript.exe" } Exclude PROCESS_CMD_LINE { -v ".bat**" } Include -access "CREATE" } } }
Notes (Optional)	CVE-2020-10189

Expert Rule for CVE-2019-8394 - Zoho ManageEngine ServiceDesk Plus (SDP) Arbitrary File Upload:

Rule name	Block Zoho ManageEngine ServiceDesk Plus (SDP) Arbitrary File Upload
Severity	High
Action	Block, Report
Rule type	Files
Rule content	Rule { Process { Include OBJECT_NAME { -v "\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe" } } Target { Match FILE { Include OBJECT_NAME { -v "\\ManageEngine\\ServiceDesk\\custom\\login\\*.jsp" } Include -access "WRITE" } } }
Notes (Optional)	CVE-2019-8394

Expert Rule for CVE-2020-0688 and CVE-2019-060. This rule is an enveloping signature that prevents attacks on the IIS process using deserialization type vulnerabilities:

Rule name	IIS Enveloping Signature
Severity	High
Action	Block, Report
Rule type	Processes
Rule content	Rule { Process { Include OBJECT_NAME { -v "w3wp.exe" } } Target { Match PROCESS { Include OBJECT_NAME { -v "cmd.exe" } Include OBJECT_NAME { -v "powershell.exe" } Include OBJECT_NAME { -v "cscript.exe" } Include OBJECT_NAME { -v "wscript.exe" } Include OBJECT_NAME { -v "mshta.exe" } Include -access "CREATE" } } }
Notes (Optional)	CVE-2020-0688 CVE-2019-0604

Related Information

McAfee MVISION Insights
Customers using McAfee MVISION Insights can track this campaign by searching for "FireEye Red Team Tools Stolen in Cyber Attack" in the Campaign field.

FireEye Blog Post
https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

Affected Products

Endpoint Security Threat Prevention 10.7.x
Endpoint Security Threat Prevention 10.6.x
Host Intrusion Prevention 8.0
Network Security Signature Set - All Versions
Threat Prevention and Removal

Languages:

This article is available in the following languages:

English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

McAfee coverage for stolen FireEye Red Team tools

Environment

Summary

Solution

Solution

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

McAfee coverage for stolen FireEye Red Team tools

Environment

Summary

Solution

Solution

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title