The hypothesis is that adversaries are exploiting unpatched CVEs associated with FireEye Red Team tools to maintain persistence and evade detection, as seen in Nobelium activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and remediate vulnerable systems before they are leveraged in targeted attacks.
KQL Query
let FireEyeCVE= dynamic(
[
"CVE-2019-11510", //pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 10.0
"CVE-2020-1472", //Microsoft Active Directory escalation of privileges - CVSS 10.0
"CVE-2018-13379", //pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN - CVSS 9.8 //no find CVE
"CVE-2018-15961", //RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) - CVSS 9.8
"CVE-2019-0604", //RCE for Microsoft Sharepoint - CVSS 9.8
"CVE-2019-0708", //RCE of Windows Remote Desktop Services (RDS) - CVSS 9.8
"CVE-2019-11580", //Atlassian Crowd Remote Code Execution - CVSS 9.8
"CVE-2019-19781", //RCE of Citrix Application Delivery Controller and Citrix Gateway - CVSS 9.8 //no find CVE
"CVE-2020-10189", //RCE for ZoHo ManageEngine Desktop Central - CVSS 9.8
"CVE-2014-1812", //Windows Local Privilege Escalation - CVSS 9.0
"CVE-2019-3398", //Confluence Authenticated Remote Code Execution - CVSS 8.8
"CVE-2020-0688", //Remote Command Execution in Microsoft Exchange - CVSS 8.8
"CVE-2016-0167", //local privilege escalation on older versions of Microsoft Windows - CVSS 7.8
"CVE-2017-11774", //RCE in Microsoft Outlook via crafted document execution (phishing) - CVSS 7.8
"CVE-2018-8581", //Microsoft Exchange Server escalation of privileges - CVSS 7.4
"CVE-2019-8394" //arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus - CVSS 6.5
]
);
DeviceTvmSoftwareVulnerabilitiesKB
| where CveId in(FireEyeCVE)
| join DeviceTvmSoftwareVulnerabilities on CveId
| project-away CveId1, VulnerabilitySeverityLevel1, AffectedSoftware
id: c4c6a792-2309-4218-bd2c-13f3cbe0600f
name: fireeye-red-team-tools-CVEs [Nobelium]
description: |
Search for the CVEs that should be prioritized and resolved to reduce the success of the FireEye Red Team tools compromised by the Nobelium activity group.
See red_team_tool_countermeasures on the official FireEye repo.
References:
https://github.com/fireeye/red_team_tool_countermeasures/blob/master/CVEs_red_team_tools.md
https://github.com/fireeye
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceTvmSoftwareVulnerabilitiesKB
- DeviceTvmSoftwareVulnerabilities
tactics:
- Privilege escalation
- Vulnerability
tags:
- Nobelium
query: |
let FireEyeCVE= dynamic(
[
"CVE-2019-11510", //pre-auth arbitrary file reading from Pulse Secure SSL VPNs - CVSS 10.0
"CVE-2020-1472", //Microsoft Active Directory escalation of privileges - CVSS 10.0
"CVE-2018-13379", //pre-auth arbitrary file reading from Fortinet Fortigate SSL VPN - CVSS 9.8 //no find CVE
"CVE-2018-15961", //RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) - CVSS 9.8
"CVE-2019-0604", //RCE for Microsoft Sharepoint - CVSS 9.8
"CVE-2019-0708", //RCE of Windows Remote Desktop Services (RDS) - CVSS 9.8
"CVE-2019-11580", //Atlassian Crowd Remote Code Execution - CVSS 9.8
"CVE-2019-19781", //RCE of Citrix Application Delivery Controller and Citrix Gateway - CVSS 9.8 //no find CVE
"CVE-2020-10189", //RCE for ZoHo ManageEngine Desktop Central - CVSS 9.8
"CVE-2014-1812", //Windows Local Privilege Escalation - CVSS 9.0
"CVE-2019-3398", //Confluence Authenticated Remote Code Execution - CVSS 8.8
"CVE-2020-0688", //Remote Command Execution in Microsoft Exchange - CVSS 8.8
"CVE-2016-0167", //local privilege escalation on older versions of Microsoft Windows - CVSS 7.8
"CVE-2017-11774", //RCE in Microsoft Outlook via crafted document execution (phishing) - CVSS 7.8
"CVE-2018-8581", //Microsoft Exchange Server escalation of privileges - CVSS 7.4
"CVE-2019-8394" //arbitrary pre-auth file upload to ZoHo ManageEngine ServiceDesk Plus - CVSS 6.5
]
);
DeviceTvmSoftwareVulnerabilitiesKB
| where CveId in(FireEyeCVE)
| join DeviceTvmSoftwareVulnerabilities on CveId
| project-away CveId1, VulnerabilitySeverityLevel1, AffectedSoftware
Scenario: Scheduled System Maintenance Task Using netsh
Description: A legitimate scheduled task runs netsh to configure network settings, which may trigger the rule due to its association with network manipulation.
Filter/Exclusion: process.name != "netsh" or process.parent.name != "schtasks.exe"
Scenario: Admin Task Using PowerShell to Update Firewall Rules
Description: An administrator uses PowerShell to update firewall rules, which may be flagged due to its potential for network configuration changes.
Filter/Exclusion: process.name != "powershell.exe" or process.args not contains "Set-NetFirewallRule"
Scenario: Legitimate Use of certutil for Certificate Management
Description: A system administrator uses certutil to manage or renew SSL/TLS certificates, which could be mistaken for malicious activity.
Filter/Exclusion: process.name != "certutil.exe" or process.args contains " -addstore"
Scenario: Automated Backup Job Using robocopy
Description: A backup job runs robocopy to copy files to a network share, which may be flagged due to its network interaction.
Filter/Exclusion: process.name != "robocopy.exe" or process.args contains "/Z /R:3 /W:30"
Scenario: Patch Management Tool Using msiexec
Description: A patch management tool uses msiexec to install updates, which may be flagged due to its execution of installers.
Filter/Exclusion: process.name != "msiexec.exe" or process.args contains "/i" and "patch" in process.args