{
	"id": "b8a72c44-8d85-43df-9fdd-5e59093ff093",
	"created_at": "2026-04-06T00:17:43.102903Z",
	"updated_at": "2026-04-10T13:11:56.215766Z",
	"deleted_at": null,
	"sha1_hash": "666ad841289df491fa97669f237bc6b29b3ce7df",
	"title": "Threat Brief: FireEye Red Team Tool Breach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56784,
	"plain_text": "Threat Brief: FireEye Red Team Tool Breach\r\nBy Unit 42\r\nPublished: 2020-12-11 · Archived: 2026-04-05 14:51:55 UTC\r\nExecutive Summary\r\nOn Dec. 8, 2020, one of the leading cybersecurity companies in the industry, FireEye, reported a breach and data\r\nexfiltration unlike any that we have seen previously. What makes this attack unique is not only the target, FireEye\r\nbeing a well-known cybersecurity company, but that the stolen data contains the internal, custom-crafted red-team\r\nand penetration testing tools used by the company to imitate different threat actors during customer security\r\nconsultations. FireEye’s blog provided a wealth of information for defenders to implement security controls and\r\nmitigations for defense against the stolen tools. This data is being used by Palo Alto Networks to help ensure our\r\ncustomers are protected if the attackers choose to utilize the tools for malicious purposes.\r\nIt is important to note that these custom tools were not released into the wild, they were stolen by a sophisticated\r\nthreat actor and we likely will not see a sudden widespread use of them. That being said, FireEye went beyond\r\nwhat was required – and what companies have done in the past – in releasing detection techniques. Providing\r\ndefenders access to the Yara rules, indicators of compromise (IOCs), Snort signatures and other threat data is a\r\nclass act and very much appreciated by defenders and researchers at Palo Alto Networks – and surely across the\r\nindustry as a whole.\r\nProtecting Our Customers\r\nPalo Alto Networks has been working diligently to ensure the protections released by FireEye are implemented in\r\na timely manner. The Github repository shared by FireEye contains a list of rules and 16 vulnerability CVE\r\nidentifiers. 
The vulnerabilities appear to have been included because sufficient protections against them can help\r\nlimit the effectiveness of the red-team tools.\r\nPalo Alto Networks has ensured the protections within our products are either already in place or are being\r\nprioritized for the listed vulnerabilities and their exploitation. These vulnerabilities span a wide variety\r\nof products, and as always, we highly recommend that customers stay current with their updates and patch all\r\nvulnerable software.\r\nThe GitHub repository that provided the protections also contains rules for direct product implementation as well\r\nas for hunting. Palo Alto Networks is analyzing the efficacy of all stable rules and applying them to our respective products.\r\nGap analysis and threat hunting leveraging the FireEye-provided Yara and Snort signatures have enabled Palo Alto\r\nNetworks researchers to identify potential malware samples that we are now tagging, analyzing, tracking and\r\nbuilding protections around within WildFire. Continual verdict efficacy checks of identified malware samples are\r\nongoing within Palo Alto Networks products. Customers leveraging the Palo Alto Networks AutoFocus tool can\r\ntrack initially identified samples and tools under the Fireye_RedTeam_Tools, Rubeus, AndrewSpecial, KeeFarce,\r\nSafetyKatz, InveighZero, GadgetToJScript, SeatBelt, RuralBishop, SharpView, and SharpZeroLogon tags.\r\nhttps://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/\r\nPage 1 of 3\r\nOur Cortex XDR Managed Threat Hunting Team (MTH) has proactively searched all Cortex XDR Pro customer logs\r\nto identify potentially impacted organizations and provide them with an assessment of their risk.\r\nCortex XDR customers are protected using the product’s WildFire integration as well as through Local Analysis,\r\nthe Password theft prevention module, and the behavioral threat protection (BTP) engine. 
In addition, multiple\r\nBehavioral Indicators of Compromise (BIOCs) are available in XDR Server to detect malicious techniques\r\nexhibited by the stolen tools.\r\nThreat Prevention provides protection against command and control beacons and against exploitation of the network\r\nvulnerabilities used by the stolen tools. The following table maps Palo Alto Networks Universal Threat IDs (UTIDs)\r\nto the FireEye-provided Snort signature IDs (SIDs).\r\nSnort Rule | PANW UTID | FireEye SID\r\nBackdoor.HTTP.BEACON.[CSBundle Original Stager] | 86215 | 25879\r\nBackdoor.HTTP.BEACON.[CSBundle MSOffice POST] | 86216 | 25889\r\nBackdoor.HTTP.BEACON.[CSBundle USAToday GET] | 86217 | 25892\r\nBackdoor.HTTP.BEACON.[CSBundle MSOffice Server] | 86219 | 25888\r\nBackdoor.HTTP.BEACON.[CSBundle Original GET] | 86220 | 25877\r\nBackdoor.HTTP.GORAT.[Build ID] | 86221 | 25850\r\nBackdoor.HTTP.BEACON.[CSBundle Original POST] | 86222 | 25878\r\nBackdoor.HTTP.GORAT.[SID1] | 86223 | 25848\r\nBackdoor.HTTP.BEACON.[CSBundle Original Server] | 86225 | 25874\r\nBackdoor.HTTP.BEACON.[CSBundle Original Server 3] | 86227 | 25876\r\nTable 1. PANW UTID to FireEye SID Mapping\r\nThe next table maps the CVEs listed in the FireEye repository to the PANW UTIDs that cover their exploitation.\r\nCVE | PANW UTID\r\nCVE-2019-0708 | 55815\r\nCVE-2017-11774 | 56002\r\nCVE-2018-15961 | 38319\r\nCVE-2019-19781 | 57570, 57497 and 57625\r\nCVE-2019-3398 | 55567\r\nCVE-2019-11580 | 56036\r\nCVE-2018-13379 | 56365\r\nCVE-2020-0688 | 57947 and 57766\r\nCVE-2019-11510 | 56280\r\nCVE-2019-0604 | 55411, 57462 and 56363\r\nCVE-2020-10189 | 57801\r\nCVE-2019-8394 | 59061\r\nCVE-2020-1472 | 59336\r\nCVE-2018-8581 | 55152\r\nCVE-2016-0167 | 392102205\r\nCVE-2014-1812 | 90128\r\nTable 2. CVE to PANW UTID Mapping\r\nConclusion\r\nThe protections in place for our customers are continually being updated for this breach and for all threats that are\r\nidentified in the wild. 
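As an added example (not code from the original post, from FireEye, or from Palo Alto Networks), the Python below parses a Snort rule file, extracts each rule's sid, rev and msg options, and reports which SIDs have a PANW UTID according to Table 1 above. The rule lines are constructed placeholders in Snort syntax: the msg names and SIDs are taken from Table 1, the content matches are invented, and SID 25999 is a hypothetical rule with no vendor mapping.

```python
# Added example, not code from the Unit 42 post or FireEye's repository:
# parse Snort rules, collect sid/rev/msg, and check SID coverage against
# the PANW UTID mapping transcribed from Table 1 of the post.

# FireEye SID -> PANW UTID, transcribed from Table 1.
TABLE1_SID_TO_UTID = {
    25879: 86215, 25889: 86216, 25892: 86217, 25888: 86219, 25877: 86220,
    25850: 86221, 25878: 86222, 25848: 86223, 25874: 86225, 25876: 86227,
}

# Constructed sample rule file. The content patterns are placeholders, and
# SID 25999 is hypothetical: it stands in for a rule the mapping lacks.
SAMPLE_RULES = [
    '# CSBundle beacon rules (placeholder content patterns)',
    '',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"Backdoor.HTTP.BEACON.[CSBundle Original Stager]\"; flow:established,to_server; content:\"/stager;v=1\"; http_uri; sid:25879; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:25889; msg:\"Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]\"; content:\"POST\"; http_method; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"Backdoor.HTTP.GORAT.[Build ID]\"; content:\"build-id\"; sid:25850; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"Backdoor.HTTP.BEACON.[CSBundle Hypothetical Unmapped]\"; content:\"x\"; sid:25999; rev:1;)',
]


def split_options(body):
    # Split the option block on ';' while ignoring ';' inside quoted values
    # (e.g. a content match that contains a semicolon).
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '\"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(line):
    # Return a dict with action, header, sid, rev and msg, or None for
    # blank and comment lines. Raises ValueError on malformed rules.
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    start, end = line.find('('), line.rfind(')')
    if start < 0 or end < start:
        raise ValueError('rule has no option block: ' + line)
    header = line[:start].split()
    rule = {'action': header[0], 'header': ' '.join(header[1:]),
            'sid': None, 'rev': None, 'msg': None}
    for opt in split_options(line[start + 1:end]):
        key, _, val = opt.partition(':')
        key, val = key.strip(), val.strip()
        if key == 'sid':
            rule['sid'] = int(val)
        elif key == 'rev':
            rule['rev'] = int(val)
        elif key == 'msg':
            rule['msg'] = val.strip('\"')
    if rule['sid'] is None:
        raise ValueError('rule without sid: ' + line)
    return rule


def coverage(rules, sid_to_utid):
    # Map every parsed SID to (UTID, msg); collect SIDs the table lacks.
    mapped, unmapped = {}, []
    for line in rules:
        rule = parse_rule(line)
        if rule is None:
            continue
        utid = sid_to_utid.get(rule['sid'])
        if utid is None:
            unmapped.append(rule['sid'])
        else:
            mapped[rule['sid']] = (utid, rule['msg'])
    return mapped, unmapped


if __name__ == '__main__':
    mapped, unmapped = coverage(SAMPLE_RULES, TABLE1_SID_TO_UTID)
    for sid, (utid, msg) in sorted(mapped.items()):
        print(sid, '->', utid, msg)
    print('no UTID mapping for SIDs:', unmapped)
```

Running it against a real rule file is a matter of replacing SAMPLE_RULES with the file's lines; the unmapped list is the set of signatures a vendor-supplied mapping would not cover and that therefore need to be deployed or hunted for separately.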
Palo Alto Networks appreciates the information disclosure from FireEye, but we also want\r\nto emphasize that at the time this report is published, the tools, hashes of the tools and associated samples have not\r\nbeen disclosed to the public. From the perspective of Palo Alto Networks security researchers, the biggest threat\r\nfrom this breach is the actor and the techniques they were able to utilize in order to infiltrate the FireEye\r\ninfrastructure. At the time of writing, no information has been released on how the breach occurred or on the threat actor’s tactics,\r\ntechniques, and procedures (TTPs). Customers should know that Palo Alto Networks researchers are working\r\ndiligently to ensure protections are in place for our entire product ecosystem.\r\nSource: https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/"
	],
	"report_names": [
		"fireeye-red-team-tool-breach"
	],
	"threat_actors": [],
	"ts_created_at": 1775434663,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/666ad841289df491fa97669f237bc6b29b3ce7df.pdf",
		"text": "https://archive.orkl.eu/666ad841289df491fa97669f237bc6b29b3ce7df.txt",
		"img": "https://archive.orkl.eu/666ad841289df491fa97669f237bc6b29b3ce7df.jpg"
	}
}