Reply to post: Standard stuff

Cybersecurity giant FireEye says it was hacked by govt-backed spies who stole its crown-jewels hacking tools

Anonymous Coward

Standard stuff

After you've played the security incident game for a while, what you quickly come to realise is that the methods used are broadly the same; the only thing that makes the defence job hard is spotting the unique IOC for that particular time.

The tools, judging by the names of the detections in the published Yara rules, are just more of the same old same old.

It is also unlikely that Mandiant themselves have written these with static hashes, because that wouldn't be how the real heavy hitters roll. A decent attack toolset is configurable to create different hashes, different hooks, different C2 mechanisms etc.

If not, then Mandiant's tooling is not as good as Cobalt Strike.

PS I expect Mandiant to now offer to come and look for their tools on your network. For a fee of course. Wouldn't be the first dirty sales campaign from them.
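An added illustration of the point about static hashes versus configurable tooling (this is not part of the comment above, and it is not Mandiant's or anyone's published rule set): a hash-based indicator matches only the exact bytes it was derived from, so a rebuilt variant of the same tool with a single padding byte or version number changed slips past it, while a content-based pattern of the kind a Yara `strings:` entry expresses still fires. The sample payload, the `ExampleLoader` string and the pattern are all constructed for this demonstration.

```python
import hashlib
import re

# Constructed sample "tool" payload, not a real binary. The assumed string
# artefact stands in for the kind of static content a pattern rule anchors on.
ORIGINAL = (b"MZ\x90\x00" + b"\x00" * 12
            + b"ExampleLoader v1.0 -- connect back" + b"\x00" * 8)

# Rebuilt variants of the same functional payload, the kind of trivial
# per-build difference a configurable toolkit produces:
#  - one padding byte changed
#  - the embedded version string bumped
_v = bytearray(ORIGINAL)
_v[4] = 0x01
PADDING_VARIANT = bytes(_v)
VERSION_VARIANT = ORIGINAL.replace(b"v1.0", b"v2.3")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash-based IoC set: derived from the one sample the defender has seen.
HASH_IOCS = {sha256_hex(ORIGINAL)}


def hash_rule_matches(sample: bytes) -> bool:
    """True only if the sample is byte-for-byte the known build."""
    return sha256_hex(sample) in HASH_IOCS


# Content-based rule: a byte pattern with a wildcard over the version number,
# roughly what a Yara `strings:` regex entry would express (illustrative only,
# this script is not a Yara engine).
PATTERN = re.compile(rb"ExampleLoader v\d+\.\d+ -- connect back")


def pattern_rule_matches(sample: bytes) -> bool:
    """True if the tool's characteristic string is present, whatever the build."""
    return PATTERN.search(sample) is not None


def evaluate(samples: dict) -> dict:
    """Run both rule styles over each named sample and report the outcome."""
    return {
        name: {"hash": hash_rule_matches(data),
               "pattern": pattern_rule_matches(data)}
        for name, data in samples.items()
    }


if __name__ == "__main__":
    results = evaluate({
        "original": ORIGINAL,
        "padding_variant": PADDING_VARIANT,
        "version_variant": VERSION_VARIANT,
    })
    for name, r in results.items():
        print(f"{name:16s} hash={r['hash']!s:5s} pattern={r['pattern']}")
```

Only the original build trips the hash rule; both rebuilt variants still trip the pattern rule, which is why detections written around tool behaviour or characteristic content age better than ones pinned to a file hash.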
