Wednesday, December 9, 2020

Snort rule update for Dec. 9, 2020 — FireEye breach detection guidance

Cybersecurity firm FireEye recently disclosed an incident that reportedly resulted in the inadvertent disclosure of a number of internally developed offensive security tools (OSTs) used across FireEye red-team engagements.

Some of these tools appear to be based on well-known offensive frameworks such as Cobalt Strike. This is evident even in the naming convention FireEye used for the detection coverage it published.

FireEye provided a list of CVEs in its blog so that customers can assess their exposure to the tools. Here is the existing coverage for those CVEs:

Additionally, we've released several new rules that protect against these vulnerabilities, specifically defending against the use of Cobalt Strike. For more, check our full rule advisory here.
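The practical step behind the CVE list above is to check which rules in a deployed Snort ruleset actually reference each CVE, and whether those rules are enabled. The following is an added example, not Talos or FireEye code: it parses rule text in Snort's own syntax (the `reference:cve,...`, `sid:` and `msg:` options, and the leading `#` that disables a rule in a `.rules` file) and reports, for a list of CVE identifiers, which SIDs cover each one and which CVEs have no enabled rule. The sample rules, their SIDs and the CVE numbers are constructed placeholders and do not correspond to any real rule or vulnerability.

```python
"""Map CVE identifiers to the Snort rules that reference them.

Added example (not Talos code). Reads Snort rule text, extracts sid, msg and
CVE references, and reports coverage per CVE. A rule line beginning with '#'
is treated as present but disabled, which is how .rules files switch rules off.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Option-level patterns. Rule options live inside the trailing (...) and are
# separated by ';'; these three options are enough for a coverage check.
_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_MSG = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
_CVE_REF = re.compile(r"\breference\s*:\s*cve\s*,\s*([0-9]{4}-[0-9]{4,})\s*;", re.I)
_ACTION = re.compile(r"^(alert|drop|reject|log|pass)\b")


@dataclass
class Rule:
    sid: int
    msg: str
    enabled: bool
    cves: list[str] = field(default_factory=list)


def parse_rules(text: str) -> list[Rule]:
    """Parse one rule per line; blank lines and ordinary comments are skipped."""
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = True
        if line.startswith("#"):
            body = line.lstrip("#").strip()
            if not _ACTION.match(body):
                continue  # a plain comment, not a commented-out rule
            line, enabled = body, False  # commented-out rule: present but disabled
        sid = _SID.search(line)
        if not sid:
            continue  # every real rule carries a sid
        msg = _MSG.search(line)
        cves = ["CVE-" + ref.upper() for ref in _CVE_REF.findall(line)]
        rules.append(Rule(int(sid.group(1)), msg.group(1) if msg else "", enabled, cves))
    return rules


def coverage_for(cves: list[str], rules: list[Rule]) -> dict[str, list[tuple[int, bool]]]:
    """Return {cve: [(sid, enabled), ...]} for every CVE asked about."""
    wanted: dict[str, list[tuple[int, bool]]] = {c.upper(): [] for c in cves}
    for r in rules:
        for c in r.cves:
            if c in wanted:
                wanted[c].append((r.sid, r.enabled))
    return wanted


def uncovered(coverage: dict[str, list[tuple[int, bool]]]) -> list[str]:
    """CVEs with no enabled rule referencing them (disabled rules do not count)."""
    return sorted(c for c, hits in coverage.items() if not any(en for _, en in hits))


# Constructed sample ruleset for this example. SIDs are in the local range and
# the CVE numbers (0000-000x) are placeholders, not real identifiers.
SAMPLE_RULES = r'''
# Constructed sample rules; not from any shipped ruleset.
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER placeholder exploit attempt"; flow:to_server,established; content:"|AA BB|"; reference:cve,0000-0001; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC placeholder beacon check-in"; flow:to_server,established; content:"GET"; reference:cve,0000-0001; reference:cve,0000-0002; classtype:trojan-activity; sid:1000002; rev:2;)
# alert tcp any any -> any any (msg:"SERVER-OTHER disabled placeholder"; reference:cve,0000-0003; sid:1000003; rev:1;)
# this line is a plain comment and must be ignored
'''

# Constructed list of CVEs to assess, standing in for the list a vendor publishes.
CVES_OF_INTEREST = ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"]

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    cov = coverage_for(CVES_OF_INTEREST, parsed)
    for cve, hits in cov.items():
        print(cve, hits or "no rule")
    print("needs attention:", uncovered(cov))
```

Run against a real `.rules` file by passing its contents to `parse_rules`; the `uncovered` list is the set of CVEs for which the ruleset has either no reference at all or only a disabled rule, which is the gap a defender would want to close after reading a vendor's CVE list.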