...and right out of the gate the threat actor steals your EDR agent installer 😮 #SignsThisProbablyIsntAScriptKiddie
#FireEyeSummit
![](https://pbs.twimg.com/media/DomfH1RXsAA6Bwv.jpg)
#FireEyeSummit
![](https://pbs.twimg.com/media/DomhQ2wUcAAN_xZ.jpg)
Actor monitored email for list of accounts & stored encrypted copy on disk
My favorite part is you can get remote command execution by emailing a specific account w/ a command
#FireEyeSummit
![](https://pbs.twimg.com/media/Domkw-jXkAAz5Lt.jpg)
ACI Shim persistence
WMI persistence (back in 2010)
Port knocking
AMT Serial Over LAN for C2
Bootkits
Exchange transport agent
Undetected for 9 years
Actor learned @Mandiant was engaged & stopped ops 2 days prior to investigation
#FireEyeSummit
![](https://pbs.twimg.com/media/Domm1pgUwAAWAuL.jpg)
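Three of the persistence mechanisms listed in the thread (Exchange transport agents, WMI event subscriptions, and application-compatibility shims) can be audited from the host itself. The script below is an added example written for this page, not code from the thread, the speakers, or Mandiant. It assumes it runs with local administrator rights on the host being checked, that the Exchange Management Shell is loaded when auditing an Exchange server (the transport agent check is skipped otherwise), and that the `$knownAgents` list is a placeholder to be replaced with the environment's own baseline.

```powershell
# Added example: read-only audit of persistence locations named in the thread.
# Assumptions: local admin on the host; Exchange cmdlets loaded on Exchange servers;
# $knownAgents is a PLACEHOLDER baseline, not an authoritative list.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Category, [string]$Name, [string]$Detail)
    $findings.Add([pscustomobject]@{ Category = $Category; Name = $Name; Detail = $Detail })
}

# 1. Exchange transport agents: anything outside the known baseline is reported,
#    since a rogue agent sees every message the server handles.
$knownAgents = @(
    'Transport Rule Agent', 'Malware Agent',
    'Text Messaging Routing Agent', 'Text Messaging Delivery Agent'
)   # PLACEHOLDER: replace with the agents present on a freshly built server
if (Get-Command Get-TransportAgent -ErrorAction SilentlyContinue) {
    foreach ($agent in Get-TransportAgent) {
        if ($knownAgents -notcontains $agent.Identity) {
            Add-Finding 'ExchangeTransportAgent' $agent.Identity `
                "Enabled=$($agent.Enabled) Assembly=$($agent.AssemblyPath)"
        }
    }
} else {
    Write-Verbose 'Exchange cmdlets not loaded; skipping transport agent check'
}

# 2. WMI permanent event subscriptions: report every filter, consumer and binding.
#    Legitimate ones are rare on most hosts, so each entry should be explainable.
$ns = 'root/subscription'
foreach ($f in Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue) {
    Add-Finding 'WmiEventFilter' $f.Name "Query=$($f.Query)"
}
foreach ($c in Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue) {
    # CommandLineTemplate / ScriptText exist only on the respective consumer subclasses;
    # missing properties simply evaluate to $null here.
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
               elseif ($c.ScriptText)      { $c.ScriptText }
               else                        { '(no inline payload)' }
    Add-Finding 'WmiEventConsumer' "$($c.CimClass.CimClassName)/$($c.Name)" $payload
}
$bindings = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
foreach ($b in $bindings) {
    Add-Finding 'WmiBinding' "$($b.Filter)" "-> $($b.Consumer)"
}

# 3. Application-compatibility shims: custom SDB registrations live under these keys.
$acf = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
foreach ($exe in Get-ChildItem "$acf\Custom" -ErrorAction SilentlyContinue) {
    $sdbs = ($exe | Get-ItemProperty).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Name }
    Add-Finding 'ShimCustom' $exe.PSChildName ("SDB=" + ($sdbs -join ', '))
}
foreach ($sdb in Get-ChildItem "$acf\InstalledSDB" -ErrorAction SilentlyContinue) {
    $p = $sdb | Get-ItemProperty
    Add-Finding 'ShimInstalledSDB' $sdb.PSChildName `
        "Path=$($p.DatabasePath) Description=$($p.DatabaseDescription)"
}

$findings | Sort-Object Category, Name | Format-Table -AutoSize -Wrap
```

Run it as part of a baseline on a known-clean build first and keep that output; on later runs, any new row is the thing to explain. The WMI section deliberately lists everything rather than filtering, because on a typical server the correct number of permanent subscriptions is close to zero.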