DNIF’s approach for FireEye’s Stolen Red Team Tools

2 min readJan 20, 2021

On December 8, 2020 FireEye announced that they had been compromised by a highly sophisticated state-sponsored adversary and their red team tools were stolen. FireEye has cleared that “The red team tools stolen by the attacker did not contain zero-day exploits. The tools apply well-known and documented methods”. This hack is now considered as one of the biggest thefts of cybersecurity tools.

How does this theft affect your organization?

Offensive cyber tools in an adversary’s hand is always a cause of worry. It could bring serious implications to the overall security posture of a company. The stolen tools have capabilities to steal your credentials, SMB enumeration, MITM attacks and a lot more.

In a crisis like this, DNIF HyperScale SIEM platform could be of great help ensuring your company’s safety.

FireEye has published a list of countermeasures to help the security community and protect them against similar threats. Their github repository provides hxioc(Indicators of Compromise), such as file hashes, processes, registry changes, that help you find instances of red team tools in your environment.

To be able to detect these indicators in DNIF, logs should be sent from various security devices to DNIF, which gets ingested, parsed and analysed to construct meaningful data out of it. We have extracted IoCs from FireEye’s repository, created SIEM use cases based on indicators for red team scripts and tools. If adversaries attempt an attack on the organization with FireEye offensive tools such as ADPassHunter, Beacon, G2JS etc., DNIF’s FireEye package will raise appropriate alerts for your SOC team to investigate. DNIF’s FireEye Red team stolen tool package is regularly synchronised and kept current with the FireEye repository.

The revelation of the FireEye breach has come as staggering news to everyday security practitioners. It has further stiffened the notion that no company is safe from threat actors. However, the DNIF team strives to protect our clients from the repercussions of this breach.

Here’s a glimpse at the FireEye IOC package containing entities for payload detections.

Catch this sneak peek into the DNIF created workbooks for FireEye IOCs for the compromised red team tools.

Blog by: Harshita Chawla




The “Open” Big Data Analytics platform that offers solutions to the world’s most challenging cyber security problems with real-time data analytics.