Blog
Over time, people have had an on-again, off-again interest in Event Tracing for Windows (ETW). ETW, first introduced in Windows 2000, is a lightweight kernel-level tracing facility that was originally intended for debugging, diagnostics and performance analysis. Gradually, however, defenders realized that ETW provided metrics and data content that were not otherwise available without custom development efforts. Even so, aside from a number of big players in the industry, people have been slow to adopt ETW as a data source for detection and research. The two primary problems with ETW are the complexity of event collection and the volume of data that is generated. The task of looking through a haystack to find the proverbial needle is not necessarily appealing from an engineering perspective (How do you store the data? How do you process the data? Is the data really valuable? What were we looking for again?).
Blog
FireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry.
Blog
This blog post presents a machine learning approach to detecting obfuscated Windows command line invocations on endpoints.