Adam Greenberg
@writingadam
what does a scanner see?
ID: 800981756
03-09-2012 18:46:57
182 Tweets
973 Followers
179 Following
The TRITON origin story is still a mystery with lots of missing pieces. Evan Reese and I did some poking and found some overlaps with legit Triconex DLLs. Nothing mind blowing, but still cool: fireeye.com/blog/threat-re… #tristation #triton #tubular
In our new @FireEye blog post we analyze some of the most frequent ICS security risks observed in the field during Mandiant (part of Google Cloud) ICS Healthcheck assessments. It is good to have some on-the-ground data to test commonly cited areas of ICS risk. fireeye.com/blog/threat-re…
HOT OFF THE PRESS: Read our (not) FireEye_Intel #TRITON attribution blogpost tying TRITON actors to CNIIHM, a Russian Government-Owned research institute. fireeye.com/blog/threat-re…
New post is up! We pick apart the latest probable #APT29 phishing campaign and the nuance involved in dealing with, and attributing to, deceptive attackers. Written with @anthomsec, @itsreallynick, Michael 🆘, @jonleathery. Credit to @barryv for the title. fireeye.com/blog/threat-re…
Well covered that Ryuk ❌ NK in blogs by Kryptos Logic, McAfee Labs, Malwarebytes, CrowdStrike. Here we share an example of an initial infection vector, more details on how Ryuk has been deployed, and some info on the observed TrickBot gtags. fireeye.com/blog/threat-re…
🚨📝 New #FIN7 threat research blog, "Power Hour", published today by Mandiant (part of Google Cloud). Please enjoy 🌶🌶 mandiant.com/resources/evol… Blog includes: - FIN7 archaeology & evolution ⛏ - #POWERPLANT deep dive - BIRDWATCH (~#JssLoader) - Supply chain (😱) neat stuff in thread 🧵⤵️
Cyber espionage is alive and well! My blog post is live: APT32 (Vietnam) targeting and TTPs: fireeye.com/blog/threat-re… #DFIR Mandiant (part of Google Cloud)
Breaking: Mandiant (part of Google Cloud) releases details on malware targeting critical infrastructure fireeye.com/blog/threat-re… TLDR: -Unknown nation state threat actor -Attacker caused shutdown of operations -First (public) incident targeting safety systems (that prevent further physical damage)
After 9 months Invoke-DOSfuscation is finally released!! There is a lot of information for detection in the white paper, and the Invoke-DosTestHarness function is exactly what I used for detection dev & tuning. Code: github.com/danielbohannon… White paper: fireeye.com/blog/threat-re…