{
	"id": "be03c83d-b704-4938-88e7-1dc207c9a2fe",
	"created_at": "2026-04-06T01:30:16.833815Z",
	"updated_at": "2026-04-10T13:12:52.65433Z",
	"deleted_at": null,
	"sha1_hash": "9b6802229fe7827c202fadeb748cf1bab15472b8",
	"title": "No Easy Breach DerbyCon 2016",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65413,
	"plain_text": "No Easy Breach DerbyCon 2016\r\nArchived: 2026-04-06 00:17:55 UTC\r\n1.\r\nCopyright © FireEye, Inc. All rights reserved.\r\nNO EASY BREACH DERBYCON 2016 #NOEASYBREACH\r\nMatt Dunwoody @matthewdunwoody, Nick Carr @itsreallynick\r\n2.\r\nHow It All Started\r\n• 1 average spearphishing email\r\n• 1 failed client remediation\r\n• 1 very determined nation state\r\n• Attacker’s mission not impacted by ongoing remediation measures\r\n• 2 attacker objectives: steal email of targeted VIPs; monitor security team, response \u0026 detection efforts\r\nFUN FACT: This was APT29\r\n3.\r\nSeveral Months Later… The Aftermath\r\n• Four-person Mandiant team\r\n• Over 1,039 compromised systems\r\n• Over 1,000 unique malware samples\r\n• Over 1,000 different unique C2 domains / IPs\r\n• Over 50,000 email communications stolen\r\n• Including scripts \u0026 tools: 7,000+ attacker files\r\nHow did they pull it off?\r\n• Fast-paced intrusion\r\n• Very stealthy\r\n• Rapidly changing tactics\r\n• Employed advanced attack techniques\r\n4.\r\nChallenge 1: Fast-Paced Attacker\r\n• Attacker infected 10 systems per day with the primary backdoor family, especially when provoked (maintained a baseline foothold)\r\n• Accessed hundreds of systems for recon and credential theft\r\n• Removed tools and forensic artifacts to hide activity\r\n• Deployed additional backdoor families\r\n• Continued to steal data every week\r\n
5.\r\nOur Response: Triaged Where Possible (FAST-PACED ATTACKER)\r\n• Moved from typical Live Response analysis to abbreviated triage\r\n• Brief analysis leveraging known attacker TTPs\r\n• Developed indicators to assist triage\r\n• Partially automated the analysis process\r\n• Some activity not unique enough to sig\r\n• Focused on: lateral movement; walking back up the chain; pivoting, recon, new tools or backdoors; signs of data theft; deviation from typical attacker activity\r\n6.\r\nOur Response: Streamlined Documentation (FAST-PACED ATTACKER)\r\n• Typical LR reports and timelines took too much time, but we still needed to document findings\r\n• Compressed notes from systems into brief, standardized text blocks: malware and attacker tools on the system; persistence mechanisms; periods of attacker activity and significant timestamps; source of activity\r\n• Documented significant findings: new TTPs, data theft\r\nhttps://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908\r\nPage 1 of 7\r\n7.\r\nLesson Learned: Be Fast and Flexible (FAST-PACED ATTACKER)\r\n• Be willing to change normal practices and disregard official methodologies when they’re not working\r\n• Make the most of outside help: accept the limitations of your circumstances and do what you can to maximize your chances of success\r\n
8.\r\nChallenge 2: Stealthy Attacker\r\n• Attacker used counter-forensic techniques to hide endpoint and network activity\r\n• Endpoint: secure deletion, impressive OPSEC (pack up and move), 90% doctrine\r\n• Network: compromised third-party websites \u0026 social media C2, altered communication scheme + strong crypto, embraced SSL\r\n• The odds were stacked against us: unable to use Mandiant network sensors and signatures; existing devices inconsistently deployed and coverage spotty; “rolling remediation” actions showed our hand, so the attacker knew which evasion tactics were working\r\n9.\r\nBONUS SLIDE: Even More OPSEC\r\n• Attacker considered every detail\r\n• Mass activity to obscure the real target (more evident in recent campaigns): widespread phishing with a prioritized target list; they might even want the first system to be caught\r\n• Data theft using only legitimate US-based services, complicating any law enforcement response: Gmail and Google Drive using APIs, OneDrive\r\n• Monitored us: targeted the IR operations throughout the compromise. Were we onto them, and how much time did they have left?\r\n[image caption: he looks cozy]\r\n10.\r\nOur Response: Found Clues in the Rubble (STEALTHY ATTACKER)\r\n• Maximized the utility of trace forensic artifacts\r\n• Some attacker behavior recovered from sdelete: file path regex for artifacts (everything from AAA.AAA to ZZZ.ZZZ); Entry Modified timestamp typically indicated when sdelete occurred; EULA Accept registry key for each Sysinternals tool; searched for new sdelete usage\r\n• Prefetch entries for some operations (e.g., RAR) included deleted items in Accessed Files\r\nFUN FACT: Now it’s built-in!\r\n
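The sdelete residue described on slide 10, as an added worked example that is not part of the talk or of FireEye’s tooling: a Python sweep over a constructed file-system timeline and registry export. It flags the same-letter file names SDelete leaves behind (AAA.AAA through ZZZ.ZZZ), dates the wipe from the clustered Entry Modified timestamps, and lists users whose hive carries the SDelete EulaAccepted value. The timeline records, the forward-slash path and registry-key layout, and the ten-second clustering window are assumptions of the example.

```python
# Added example (not from the talk): hunting SDelete residue in a file-system
# timeline export and a registry export. All input records below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta


def is_sdelete_name(filename):
    # SDelete renames a file 26 times before deleting it, replacing every character
    # of the stem and extension with the same letter (AAAAAA.AAA ... ZZZZZZ.ZZZ),
    # so any surviving MFT / USN entry with such a name is a trace of a wipe.
    stem, dot, ext = filename.partition('.')
    if not stem.isalpha() or not stem.isupper() or len(set(stem)) != 1:
        return False
    if dot and (not ext or set(ext) != set(stem)):
        return False
    return True


def find_sdelete_runs(records, window=timedelta(seconds=10)):
    # Group same-letter names per directory. The rename chain runs in well under a
    # second, so the Entry Modified timestamps of the surviving names cluster
    # tightly and date the sdelete execution itself (the observation on slide 10).
    by_dir = defaultdict(list)
    for rec in records:
        directory, _, name = rec['path'].rpartition('/')
        if is_sdelete_name(name):
            by_dir[directory].append((datetime.fromisoformat(rec['entry_modified']), name))
    hits = []
    for directory, entries in sorted(by_dir.items()):
        entries.sort()
        first, last = entries[0][0], entries[-1][0]
        hits.append({
            'directory': directory,
            'wiped_at': last.isoformat(),
            'names': [name for _, name in entries],
            'single_run': last - first <= window,
        })
    return hits


def sdelete_eula_keys(registry_export):
    # Every Sysinternals tool writes EulaAccepted=1 under Software/Sysinternals/<tool>
    # in the running user hive on first use. The value outlives the binary, so it is
    # a cheap sweep for hosts where sdelete (or PsExec, etc.) has ever been run.
    return sorted(k['key'] for k in registry_export
                  if k['key'].lower().endswith('/sysinternals/sdelete') and k.get('EulaAccepted') == 1)


TIMELINE = [  # constructed MFT-style records: path and Entry Modified (MFT record change) time
    {'path': 'C:/Users/svc_backup/AppData/Local/Temp/XXXXXX.XXX', 'entry_modified': '2015-10-14T16:13:41'},
    {'path': 'C:/Users/svc_backup/AppData/Local/Temp/YYYYYY.YYY', 'entry_modified': '2015-10-14T16:13:41'},
    {'path': 'C:/Users/svc_backup/AppData/Local/Temp/ZZZZZZ.ZZZ', 'entry_modified': '2015-10-14T16:13:42'},
    {'path': 'C:/Users/svc_backup/AppData/Local/Temp/README.TXT', 'entry_modified': '2015-09-01T08:00:00'},
    {'path': 'C:/Windows/System32/AAA.DLL', 'entry_modified': '2015-08-02T11:20:00'},
    {'path': 'C:/ProgramData/ZZZZ', 'entry_modified': '2015-10-14T16:13:50'},
]
REGISTRY = [  # constructed registry export, keys written with / as the separator
    {'key': 'HKU/S-1-5-21-1111-2222-3333-1105/Software/Sysinternals/SDelete', 'EulaAccepted': 1},
    {'key': 'HKU/S-1-5-21-1111-2222-3333-1105/Software/Sysinternals/PsExec', 'EulaAccepted': 1},
]

if __name__ == '__main__':
    for hit in find_sdelete_runs(TIMELINE):
        print(hit)
    print(sdelete_eula_keys(REGISTRY))
```

In a real sweep the records would come from an MFT or USN journal parse and the registry values from NTUSER.DAT hives; the logic stays the same, and the wiped_at timestamp is what gets lined up against network time to work out what the attacker removed.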
11.\r\nOur Response: Made the Best of What We Had (STEALTHY ATTACKER)\r\n• Learned and leveraged client’s network tools\r\n• Embraced the varying technology across business units\r\n• Took time and patience to filter out the network noise\r\n• Searched for every new system by timeframe\r\n• Searched activity between sets of infected hosts\r\n• Automated where possible\r\n• Developed dashboards\r\n12.\r\nOur Response: Made the Best of What We Had (STEALTHY ATTACKER)\r\n• Found the helpful but forgotten alerts: SMB transfer of UPX-packed files\r\n• Extracted fields we wanted\r\n• Signature combinations solved mysteries: schtasks.exe usage by UUID (the query below keys on 86d35949-83c9-4044-b424-db363231fd0c, the ITaskSchedulerService RPC interface); SMB writes to System32\r\n• Network time preserved when other timestamps could not be trusted\r\nsignature=MSRPC_SuspiciousEncryption event_info=\"UUID=86d35949-83c9-4044-b424-db363231fd0c*\" src_ip=\"10.*\" dest_ip=\"10.*\" ( dest_port=49154 OR dest_port=49155 )\r\nFUN FACT: This was our initial discovery of HAMMERTOSS\r\n13.\r\nOur Response: Made New Shiny Things (STEALTHY ATTACKER)\r\n• Deployed additional budget-friendly open source tech\r\n• Found ways to apply our methodology\r\n• Connected to our incident tracker\r\n• Sparklines for time + volume of activity\r\n• Prioritized host analysis based on traffic\r\n• Smashed and grabbed before the wipe!\r\n[chart: per-host activity sparklines, host_1 through host_10]\r\n
14.\r\nLesson Learned: Improve Visibility and Don’t Stop Looking (STEALTHY ATTACKER)\r\n• Map attacker activity to potential data sources and use everything available to minimize blind spots\r\n• Give your team access to existing tools outside of their normal process\r\n• Consider deploying additional technology\r\n• Network time provides reliable chronology despite host-based timestomping\r\n• Combat IR fatigue by automating high-confidence (and boring) stuff\r\n• Once an attacker is found, fight to maintain line-of-sight\r\n15.\r\nChallenge 3: Rapidly-Evolving Tactics\r\n• New and updated backdoors: 7 distinct backdoor families; SEADADDY went through 3 version updates\r\n• Seven unique persistence mechanisms: registry run key, .LNK files, services, WMI, named scheduled tasks, hijacking scheduled tasks, over-writing legitimate files\r\n• Cycled persistence techniques regularly\r\n• Minimal re-use of metadata commonly tracked and shared as indicators: malware MD5, file name, file size, and C2 unique to each system\r\n• Attacker didn’t need to re-use compromised accounts\r\nFUN FACT: On current case, APT29 used unique UAC bypass \u0026 persistence that was first posted online days before\r\n
16.\r\nOur Response: Maintained Eye Contact (RAPIDLY-EVOLVING TACTICS)\r\n• Fought to keep network visibility on all malware families\r\n• Backdoor version 1: could see it, sig it, and decode it: PHPSESSID = base64( zlib( aes( BACKDOOR C2 ) ) )\r\n• Backdoor version 2: lost ability to decode it: Cookie{2,7} = customb64( zlib( rc4( aes( BACKDOOR C2 ) ) ) )\r\n• Backdoor version 3: lost ability to sig it: Cookie{2,7} = random_split( customb64( zlib( rc4( aes( BACKDOOR C2 ) ) ) ) )\r\n• Wrapped in SSL: lost ability to see it … at first\r\nFUN FACT: This was SEADADDY\r\nFinding attacker SSL usage using Bro’s ssl.log:\r\ncertificate email | SSL cipher | start | stop\r\nroot@domain1.com | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 10/14/15 14:13:00 | 10/15/15 00:14:37\r\nsupport@vendor.com | TLS_RSA_WITH_3DES_EDE_CBC_SHA | 10/14/15 16:13:29 | 10/14/15 16:13:29\r\nroot@domain2.com | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 10/13/15 13:30:17 | 10/14/15 03:14:04\r\nadmin@example.com | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 10/11/15 13:02:21 | 10/12/15 10:58:59\r\n17.\r\nOur Response: Prioritized the Unknown (RAPIDLY-EVOLVING TACTICS)\r\n• Spent time analyzing systems with unknown activity; the most interesting systems were the ones that were accessed where we didn’t know what the attacker did\r\n• Limited analysis on systems with known and consistent attacker tactics\r\n• While not useful as standalone indicators, tracked breach data to prioritize discovered systems\r\n• Identified common forensic artifacts between systems with shared C2\r\n
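The ssl.log stacking shown on slide 16, as an added example that is not the authors’ code: a Python reader for Zeek/Bro ssl.log that keys sessions by certificate e-mail address and cipher suite, records first and last seen, and produces the slide’s certificate email | SSL cipher | start | stop table for keys contacted by only one or two internal clients. The log lines, addresses and the two-client threshold are constructed for the example.

```python
# Added example (not from the talk): stacking Zeek/Bro ssl.log by certificate
# e-mail and cipher suite to surface long-lived sessions to odd certificates,
# the table shown on slide 16. The log lines below are constructed.
from datetime import datetime, timezone

SSL_LOG = '''#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name\tcipher\tsubject
1444831980.0\t10.1.4.22\t51222\t203.0.113.10\t443\t-\tTLS_DHE_RSA_WITH_AES_256_CBC_SHA\tCN=cdn-sync.invalid,emailAddress=root@domain1.com
1444868077.0\t10.1.4.22\t51990\t203.0.113.10\t443\t-\tTLS_DHE_RSA_WITH_AES_256_CBC_SHA\tCN=cdn-sync.invalid,emailAddress=root@domain1.com
1444839209.0\t10.1.4.22\t51301\t198.51.100.7\t443\t-\tTLS_RSA_WITH_3DES_EDE_CBC_SHA\tCN=support,emailAddress=support@vendor.com
1444743017.0\t10.1.7.31\t49870\t203.0.113.44\t443\t-\tTLS_DHE_RSA_WITH_AES_256_GCM_SHA384\tCN=localhost,emailAddress=root@domain2.com
1444792444.0\t10.1.7.31\t50122\t203.0.113.44\t443\t-\tTLS_DHE_RSA_WITH_AES_256_GCM_SHA384\tCN=localhost,emailAddress=root@domain2.com
1444568541.0\t10.1.2.5\t40001\t192.0.2.80\t443\tportal.example.com\tTLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\tCN=portal.example.com,emailAddress=admin@example.com
1444600000.0\t10.1.2.6\t40002\t192.0.2.80\t443\tportal.example.com\tTLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\tCN=portal.example.com,emailAddress=admin@example.com
1444620000.0\t10.1.2.7\t40003\t192.0.2.80\t443\tportal.example.com\tTLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\tCN=portal.example.com,emailAddress=admin@example.com
1444647539.0\t10.1.2.8\t40004\t192.0.2.80\t443\tportal.example.com\tTLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\tCN=portal.example.com,emailAddress=admin@example.com
1444700000.0\t10.1.2.9\t40005\t172.217.0.1\t443\twww.google.com\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tCN=www.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
'''


def parse_ssl_log(text):
    # Minimal Zeek TSV reader: the #fields header names the columns, '-' means unset.
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith('#fields'):
            fields = line.split('\t')[1:]
        elif line and not line.startswith('#') and fields:
            rows.append(dict(zip(fields, line.split('\t'))))
    return rows


def cert_email(subject):
    # Pull emailAddress= out of a certificate subject DN; absent on most CA-issued
    # leaf certs, common on self-signed / openssl-default certs like the ones here.
    for part in subject.split(','):
        key, _, value = part.partition('=')
        if key.strip().lower() == 'emailaddress':
            return value.strip()
    return None


def fmt(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime('%m/%d/%y %H:%M:%S')


def stack_certs(rows):
    # Key = (certificate e-mail, cipher suite); track first/last seen and the set of
    # internal clients talking to it. Attacker infrastructure shows up as a key seen
    # from one or two hosts over a long window, while real services fan out widely.
    table = {}
    for r in rows:
        email = cert_email(r.get('subject', '-'))
        if not email:
            continue
        ts = float(r['ts'])
        entry = table.setdefault((email, r['cipher']), {
            'email': email, 'cipher': r['cipher'], 'first': ts, 'last': ts,
            'clients': set(), 'servers': set(), 'conns': 0})
        entry['first'] = min(entry['first'], ts)
        entry['last'] = max(entry['last'], ts)
        entry['clients'].add(r['id.orig_h'])
        entry['servers'].add(r['id.resp_h'])
        entry['conns'] += 1
    return table


def rare_cert_sessions(table, max_clients=2):
    # Render the slide table (certificate email | SSL cipher | start | stop) for
    # keys contacted by at most max_clients internal hosts.
    out = []
    for e in table.values():
        if len(e['clients']) <= max_clients:
            out.append({'email': e['email'], 'cipher': e['cipher'],
                        'start': fmt(e['first']), 'stop': fmt(e['last']),
                        'clients': sorted(e['clients']), 'servers': sorted(e['servers']),
                        'conns': e['conns']})
    return sorted(out, key=lambda row: row['email'])


if __name__ == '__main__':
    for row in rare_cert_sessions(stack_certs(parse_ssl_log(SSL_LOG))):
        print(row['email'], '|', row['cipher'], '|', row['start'], '|', row['stop'])
```

Against weeks of logs the same stacking works on any stable certificate attribute (issuer, serial, validity period) rather than on the e-mail field alone; the point is the key the backdoor author cannot change without re-issuing certificates on every C2 server.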
18.\r\nOur Response: Continually Improved Indicators (RAPIDLY-EVOLVING TACTICS)\r\n• Created indicators for every stage of the attack lifecycle: all seven persistence mechanisms, recon, lateral movement, and data theft\r\n• Methodology IOCs helped identify systems without known malware\r\n• Reverse engineered every backdoor revision \u0026 updated indicators\r\n• Maintained a list of high-confidence indicators to focus new IOC development\r\n• Developed flexible \u0026 resilient indicators that provided high-fidelity matches across versions, regardless of morphing: used imports and exports, size ranges, section names, compile times, and other consistent attributes\r\n19.\r\nOur Response: Continually Improved Indicators (RAPIDLY-EVOLVING TACTICS)\r\n• Automated analysis of backdoors for comparison and configuration extraction; enterprise-wide search of process memory\r\n• Indicators based on packaging and delivery: import hashes, size, section names, artifacts of wrapper execution everywhere possible\r\n• Adapted file system IOC+regex to process handles, prefetch, and event logs\r\n• Identified malware staged for SMB transfer: obfuscated-backdoor.py → PyInstaller / Py2Exe → UPX-packed → transferred laterally\r\n20.\r\nLesson Learned: Find It, Refine It, Re-Find It (RAPIDLY-EVOLVING TACTICS)\r\n• Enhance and test your best indicators even when they’re working\r\n• Track what the attacker can change before you lose visibility of their activity\r\n• Don’t let technical data fall through the cracks, even when visibility is good and the details have marginal value as indicators\r\n
21.\r\nChallenge 4: Advanced Attack Techniques\r\n• Windows Management Instrumentation (WMI): attacker used WMI to persist backdoors; embedded backdoor files and PowerShell scripts in the WMI repository; used WMI to steal credentials from remote systems; configured WMI to extract and execute backdoors months in the future, to evade remediation\r\n• Attacker leveraged PowerShell: stealthy backdoors; PowerShell scripts like Invoke-Mimikatz evaded A/V detection; excellent WMI integration\r\n• Kerberos: attacker used Kerberos ticket attacks, which made tracking lateral movement difficult\r\n22.\r\nOur Response: Tackled Attacker WMI Usage (ADVANCED ATTACK TECHNIQUES)\r\n• Searched for WMI persistence: manually parsed from objects.data strings on endpoints; ran a script across the environment to identify persistence; colleagues developed a custom MIR audit to allow for sweeping\r\n• Identified evidence of attacker code in the WMI repo: attacker embedded PowerShell code in WMI class properties to execute on remote systems; identified class and property names and code in objects.data strings\r\n• Searched contents of the CIM repo at scale; parsed out embedded scripts and malware\r\n• The repo was a poorly documented, complex structure, so parsing was difficult and manual. Willi Ballenthin, Matt Graeber and Claudiu Teodorescu made repo parsers (after the investigation was completed)\r\n23.\r\nOur Response: Tackled Attacker WMI Usage (ADVANCED ATTACK TECHNIQUES)\r\n24.\r\nOur Response: Increased PowerShell Visibility (ADVANCED ATTACK TECHNIQUES)\r\n• Upgraded the environment to PowerShell 3.0 and enabled logging\r\n• Logging captured input/output, variable initialization, etc.\r\n
• Captured entire functions of PS scripts, attacker commands, script output, etc.\r\n• Wrote indicators based on observed attacker activity: identified lateral movement, unique backdoors, credential theft, data theft, recon, persistence creation, etc.\r\n• Turned attacker PowerShell usage from a threat into a benefit: logging and IOCs made finding and analyzing attacker activity much easier\r\nFUN FACT: There’s now a blog post and my script block logging parser on GitHub\r\n25.\r\nOur Response: Increased PowerShell Visibility (ADVANCED ATTACK TECHNIQUES)\r\n26.\r\nOur Response: Addressed Ticket Attacks (ADVANCED ATTACK TECHNIQUES)\r\n• Worked around Kerberos attacks: swept for Invoke-Mimikatz PTT usage in PS logs to identify pivot systems; swept for other indicators of lateral movement to identify destination systems; looked for remote Kerberos logons around the time of attacker activity\r\n• Developed indicators based on research by Sean Metcalf at adsecurity.org; developed late in the investigation; extremely high-fidelity\r\n27.\r\nOur Response: Addressed Ticket Attacks (ADVANCED ATTACK TECHNIQUES)\r\nEvent ID 4624 (an account was successfully logged on), Event ID 4672 (special privileges assigned to new logon), Event ID 4634 (an account was logged off)\r\n28.\r\n29.\r\nBONUS SLIDE: Even More WMI + PS\r\nFUN FACT: We saw the attacker test this backdoor before deployment\r\n
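The objects.data strings sweep that slide 22 describes, as an added example that is not the authors’ script nor one of the repository parsers later written by Ballenthin, Graeber and Teodorescu: Python that carves ASCII and UTF-16LE strings out of a WMI repository file, flags the ones that look like attacker PowerShell or a time-keyed __EventFilter query, and decodes any -EncodedCommand payload it finds. The repository bytes are constructed in the block; the indicator list and the consumer/filter text are assumptions of the example, not artifacts from the investigation.

```python
# Added example (not from the talk): carving strings out of a WMI repository file
# (objects.data) and flagging the ones that smell like attacker PowerShell or a
# persistence filter query, the manual sweep slide 22 describes. The repository
# bytes below are constructed; a real objects.data lives in the wbem/Repository
# folder under System32 and is scanned the same way.
import base64
import binascii

INDICATORS = (  # assumed indicator list for this example
    'powershell', '-encodedcommand', 'invoke-expression', 'iex ', 'iex(',
    'frombase64string', 'downloadstring', 'commandlinetemplate', 'scripttext',
    'commandlineeventconsumer', 'activescripteventconsumer',
    '__instancemodificationevent', 'win32_localtime',
)


def ascii_strings(blob, min_len=8):
    # Printable-ASCII runs, like strings(1): returns (offset, text) pairs.
    out, run, start = [], bytearray(), 0
    for i, b in enumerate(blob):
        if 32 <= b < 127:
            if not run:
                start = i
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append((start, run.decode('ascii')))
            run = bytearray()
    if len(run) >= min_len:
        out.append((start, run.decode('ascii')))
    return out


def utf16le_strings(blob, min_len=8):
    # Same idea for UTF-16LE, which is how the repository stores many class and
    # property names: printable low byte followed by a zero high byte.
    out, run, start, i = [], [], 0, 0
    while i + 1 < len(blob):
        lo, hi = blob[i], blob[i + 1]
        if 32 <= lo < 127 and hi == 0:
            if not run:
                start = i
            run.append(chr(lo))
            i += 2
        else:
            if len(run) >= min_len:
                out.append((start, ''.join(run)))
            run = []
            i += 1
    if len(run) >= min_len:
        out.append((start, ''.join(run)))
    return out


def decode_encoded_command(text):
    # powershell -EncodedCommand takes base64 of the UTF-16LE script; decode it so
    # the hit shows the real command rather than a blob.
    tokens = text.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ('-encodedcommand', '-enc', '-ec', '-e'):
            try:
                return base64.b64decode(tokens[i + 1]).decode('utf-16-le')
            except (binascii.Error, UnicodeDecodeError, ValueError):
                return None
    return None


def scan_wmi_repo(blob):
    hits = []
    for encoding, extractor in (('ascii', ascii_strings), ('utf-16le', utf16le_strings)):
        for offset, text in extractor(blob):
            low = text.lower()
            if any(ind in low for ind in INDICATORS):
                hits.append({'offset': offset, 'encoding': encoding, 'text': text,
                             'decoded': decode_encoded_command(text)})
    return sorted(hits, key=lambda h: h['offset'])


Q = chr(39)  # single-quote character, used to build the WQL and PowerShell text
PAYLOAD = 'Invoke-Expression ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($env:STAGE)))'
ENCODED = base64.b64encode(PAYLOAD.encode('utf-16-le')).decode('ascii')


def build_repo():
    # Constructed stand-in for objects.data: filler bytes around a CommandLineEventConsumer
    # class name, a UTF-16LE consumer instance name, the consumer command line in ASCII,
    # and a UTF-16LE __EventFilter query keyed to the local clock (delayed execution).
    filler = bytes(range(256)) * 4
    wql = ('SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA '
           + Q + 'Win32_LocalTime' + Q + ' AND TargetInstance.Hour = 3').encode('utf-16-le')
    cmdline = ('powershell.exe -NoP -W Hidden -EncodedCommand ' + ENCODED).encode('ascii')
    return (filler + b'CommandLineEventConsumer' + bytes(2) + 'EvilConsumer'.encode('utf-16-le')
            + bytes(4) + cmdline + bytes(3) + filler[:100] + wql + bytes(2) + filler)


if __name__ == '__main__':
    for hit in scan_wmi_repo(build_repo()):
        print(hit['offset'], hit['encoding'], hit['text'][:60], hit['decoded'])
```

A strings-level sweep like this is noisy (the consumer class names appear in every repository) but it scales across an enterprise with nothing more than file collection; the property-level parsers mentioned on slide 22 are what you reach for once you need the actual filter/consumer/binding objects.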
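The correlation that slides 26 and 27 describe, as an added example that is not the authors’ indicator set: Python run over constructed PowerShell script block logs and Security events. Pivot hosts come from Invoke-Mimikatz kerberos::ptt in the PS logs; destinations are 4624 logons (type 3, Kerberos) sourced from the pivot’s IP near that time; 4672 and 4634 on the same LogonId give the privilege level and session length. The host-to-IP map, the expected NetBIOS domain name, the 30-minute window and the domain-format check (drawn from Sean Metcalf’s published forged-ticket research, which the slides cite without detailing) are assumptions of the example.

```python
# Added example (not from the talk): correlate ticket injection on a pivot host with
# remote Kerberos logons on other hosts, then tie 4672/4634 back via LogonId.
# All log records below are constructed; HOST_IPS and EXPECTED_DOMAIN are assumptions.
from datetime import datetime, timedelta

HOST_IPS = {'WS-PIVOT01': '10.20.1.15', 'FS-01': '10.20.5.8', 'DC-01': '10.20.0.2'}
EXPECTED_DOMAIN = 'CORP'

PS_LOGS = [  # constructed Event 4104 script block entries
    {'host': 'WS-PIVOT01', 'time': '2015-10-14T16:10:05',
     'script': 'Invoke-Mimikatz -Command ' + chr(39) + 'kerberos::ptt C:/Windows/Temp/admin.kirbi' + chr(39)},
    {'host': 'WS-ADMIN07', 'time': '2015-10-14T11:00:00', 'script': 'Get-ChildItem C:/Logs | Measure-Object'},
]
SECURITY_EVENTS = [  # constructed Security log records
    {'host': 'FS-01', 'time': '2015-10-14T16:12:40', 'event_id': 4624, 'logon_type': 3, 'auth_package': 'Kerberos',
     'target_user': 'administrator', 'target_domain': 'corp.example.com', 'source_ip': '10.20.1.15', 'logon_id': '0x3e7a1'},
    {'host': 'FS-01', 'time': '2015-10-14T16:12:40', 'event_id': 4672, 'target_user': 'administrator', 'logon_id': '0x3e7a1'},
    {'host': 'FS-01', 'time': '2015-10-14T16:31:02', 'event_id': 4634, 'logon_id': '0x3e7a1'},
    {'host': 'FS-01', 'time': '2015-10-14T09:00:00', 'event_id': 4624, 'logon_type': 3, 'auth_package': 'Kerberos',
     'target_user': 'jdoe', 'target_domain': 'CORP', 'source_ip': '10.20.3.44', 'logon_id': '0x2aa11'},
    {'host': 'FS-01', 'time': '2015-10-13T02:00:00', 'event_id': 4624, 'logon_type': 3, 'auth_package': 'Kerberos',
     'target_user': 'svc_backup', 'target_domain': 'CORP', 'source_ip': '10.20.1.15', 'logon_id': '0x1f004'},
    {'host': 'DC-01', 'time': '2015-10-14T16:14:10', 'event_id': 4624, 'logon_type': 3, 'auth_package': 'NTLM',
     'target_user': 'administrator', 'target_domain': 'CORP', 'source_ip': '10.20.1.15', 'logon_id': '0x5c01'},
]


def ptt_pivots(ps_logs):
    # Systems where a ticket was injected: the source end of the lateral move.
    pivots = []
    for entry in ps_logs:
        script = entry['script'].lower()
        if 'invoke-mimikatz' in script and ('kerberos::ptt' in script or 'kerberos::golden' in script):
            pivots.append((entry['host'], datetime.fromisoformat(entry['time'])))
    return pivots


def session_details(logon, events):
    # Tie 4672 (special privileges) and 4634 (logoff) back to the 4624 via LogonId.
    same = [e for e in events if e['host'] == logon['host'] and e.get('logon_id') == logon['logon_id']]
    privileged = any(e['event_id'] == 4672 for e in same)
    start = datetime.fromisoformat(logon['time'])
    ends = [datetime.fromisoformat(e['time']) for e in same
            if e['event_id'] == 4634 and datetime.fromisoformat(e['time']) >= start]
    minutes = int((min(ends) - start).total_seconds() // 60) if ends else None
    return privileged, minutes


def find_lateral_movement(ps_logs, events, window=timedelta(minutes=30)):
    # Remote Kerberos logons from the pivot IP around the time of the ticket injection.
    # The domain-format check is the forged-ticket tell published by Sean Metcalf
    # (adsecurity.org): tickets built by mimikatz tend to carry a blank or FQDN-style
    # domain where genuine logons carry the NetBIOS name. Treated as an assumption here.
    results = []
    for pivot_host, pivot_time in ptt_pivots(ps_logs):
        src_ip = HOST_IPS.get(pivot_host)
        for ev in events:
            if ev['event_id'] != 4624 or ev.get('logon_type') != 3 or ev.get('auth_package') != 'Kerberos':
                continue
            if ev['host'] == pivot_host or ev['source_ip'] != src_ip:
                continue
            if abs(datetime.fromisoformat(ev['time']) - pivot_time) > window:
                continue
            privileged, minutes = session_details(ev, events)
            results.append({'pivot': pivot_host, 'dest': ev['host'], 'time': ev['time'],
                            'account': ev['target_user'], 'privileged': privileged,
                            'session_minutes': minutes,
                            'domain_anomaly': ev['target_domain'].upper() != EXPECTED_DOMAIN})
    return sorted(results, key=lambda r: r['time'])


if __name__ == '__main__':
    for edge in find_lateral_movement(PS_LOGS, SECURITY_EVENTS):
        print(edge)
```

The output is one edge per pivot-to-destination hop, which is exactly what the slides say was hard to get from Kerberos alone: the logon on the destination looks legitimate until it is joined to the script block log on the source.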
30.\r\nLesson Learned: Turn Weakness Into Strength (RAPIDLY-EVOLVING TACTICS)\r\n• Use attackers’ strengths against them: unique attacks make for high-fidelity indicators\r\n• Identify the activity\r\n• Develop indicators\r\n• Increase visibility at scale\r\n• Automate detection\r\n• Create an alerting system, if possible\r\n31.\r\nBONUS SLIDE: TOR backdoor (just because it’s cool)\r\n• Backdoor used TOR hidden services to provide secure, discreet remote access\r\n• Used the meek pluggable transport to hide traffic\r\n• Forwarded TOR traffic to ports: 3389 (Remote Desktop), 139 (NetBIOS), 445 (SMB)\r\n• Modified registry to enable RDP\r\n• “Sticky keys” to provide unauthenticated, privileged console access\r\nFUN FACT: This was first deployed 3 hours before remediation\r\n32.\r\nBONUS SLIDE: TOR backdoor (just because it’s cool)\r\n33.\r\nBONUS SLIDE: TOR backdoor (just because it’s cool)\r\n[diagram: client endpoint → mail.google.com / Google Cloud (SSL) → meek reflector on .appspot.com (HTTP) → TOR network → APT29 (actual image)]\r\n34.\r\nIf You’ve Learned Nothing Else Today… SUPER IMPRESSIVE CONCLUSION SLIDE\r\n• You must match or exceed the attacker’s pace\r\n• You must match or exceed the attacker’s visibility\r\n• You must match or exceed the attacker’s development\r\n• You must match or exceed the attacker’s advanced techniques\r\n• You must match or exceed the attacker’s intensity.\r\n35.\r\n“True happiness incident response is a life of continual self-improvement. The greater the struggle, the more enriching the experience is for your life.”\r\n36.\r\nTHANK YOU QUESTIONS? 
DERBYCON 2016 #NOEASYBREACH\r\nMatt Dunwoody @matthewdunwoody, Nick Carr @itsreallynick\r\nSource: https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908"
	],
	"report_names": [
		"66447908"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439016,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b6802229fe7827c202fadeb748cf1bab15472b8.pdf",
		"text": "https://archive.orkl.eu/9b6802229fe7827c202fadeb748cf1bab15472b8.txt",
		"img": "https://archive.orkl.eu/9b6802229fe7827c202fadeb748cf1bab15472b8.jpg"
	}
}