Newsfeeds

M-unition
  • DLL Search Order Hijacking Revisited
    Since my last blog post on the topic of DLL Search Order Hijacking there has been a lot of community activity in this area.  The purpose of this article is to differentiate the specific hijack technique I was describing from the one that is currently being discussed in the media as well as propose my [...]

  • Find Evil and Solve Crime, Part 1: Focus
    This is part one of a series of posts I plan to make on what Mandiant does to “Find Evil and Solve Crime“. These posts should help to make your organization better, faster and stronger at performing effective computer security incident investigations. And hopefully they will spark some good discussion about improving incident response. The [...]

  • Reversing Malware Command and Control: From Sockets to COM
    On a Windows host there is more than one way for a program to communicate across the internet.  When reverse engineering a piece of malware it is of critical importance to understand what API is being used and how it works so that you may gain an understanding of the data sent and received as [...]

  • The Challenges to Remediating from the APT
    MANDIANT has been involved in numerous widespread remediation efforts following intrusions at large organizations.  We have seen nearly identical recurring challenges emerge at these large organizations, and we believe conveying these challenges may be important to developing your overall approach to remediation should you be compromised by advanced and persistent threats:

    Remedial efforts usually take more [...]

  • Stuxnet Memory Analysis and IOC creation
    The Stuxnet malware has been making the press recently for two reasons. First, it contains two drivers signed with a legitimate (at the time) cert. Second, it targets SCADA systems. The malware is cool for a host of other geeky reasons. Nick Harbour, Stephen Davis, and I started looking at the malware Sunday afternoon. [...]

  • Malware Persistence without the Windows Registry
    For an attacker to maintain a foothold inside your network they will typically install a piece of backdoor malware on at least one of your systems.  The malware needs to be installed persistently, meaning that it will remain active in the event of a reboot.  Most persistence techniques on a Microsoft Windows platform involve the use [...]

  • State of the Hack: M-Trends: State of Remediation
    This Thursday, July 15th at 1PM EDT, Christopher Glyer and I will be presenting MANDIANT’s State of the Hack webinar titled “M-Trends – State of Remediation.”
    Many of you probably already know Christopher.  He’s delivered two separate webinars, including a previous State of the Hack titled “Silent But Deadly” and “Fresh Prints: Choose Your Own Adventure.”  [...]

  • Memory acquisition and the pagefile(s)
    In the past, I have discussed how in reality there may be as many as 16 pagefiles on a single host. The next question is, “How much data could be contained in all these pagefiles”? Why does this matter? Well, the more data in the pagefiles, the longer they will take to acquire.
    The size of [...]

  • Web Historian: Reloaded
    We’ve been busy here on team agent at MANDIANT.  In the spirit of our long-standing support of free software in the Incident Response community, we are happy to announce the release of Web Historian 2.0.  This release is a complete rewrite and revamp of our very popular web history extraction tool.  This version of Web [...]

  • It’s a MANDIANT FIRST; grab your stick
    We’re taking our State of the Hack webinar series on the road — to the 22nd Annual FIRST conference in Miami, FL!
    Kris Harms and I will present the next State of the Hack webinar in front of a live audience at the MANDIANT booth (#5), on Wednesday, June 16, from 12:30-1:30PM EDT. And for this [...]

  • New Memoryze, Audit Viewer, and Training
    For those who are not on our mailing list for Memoryze or Audit Viewer, we released a new version a little over a week ago. The new version of the software includes all of the memory analysis features that are available in the newly released MANDIANT Intelligent Response (MIR) 1.4. 
    So what is included in Memoryze [...]

  • MANDIANT AT CEIC 2010
    Got the time?
    As part of the Digital Analysis Lab track at CEIC, MANDIANT Director Rob Lee will be teaching Super Timeline Analysis. You will learn how to establish a single framework from which you can analyze multiple examinations of time based data in this hands-on practical.
    Move over Iron Man – MIR 1.4 is coming!
    We wanted [...]

  • SANS EU Malware in Memory
    Next Monday, April 18th, I’ll be presenting at the SANS EU Forensic Summit. I’m really impressed with the lineup of this SANS EU conference. It has a very eclectic mix of people talking. Ero Carrera will be discussing malware analysis. While Ero isn’t a forensicator, his insight into malware is pretty expansive, and his exposure [...]

  • Fresh Prints of Mal-Ware: Choose Your Own Adventure!
    Kyle Dempsey and I have been busy putting together content for the upcoming Fresh Prints webinar, “Choose Your Own Adventure,” being held this Thursday, April 15th at 2PM EDT. If you thought of the Choose Your Own Adventure® book series when you saw the title, you understand where we’re going with this.
    This webinar’s [...]

  • Blackhat Europe, State Of Malware: Family Ties
    Ero and I will be in Barcelona presenting at Blackhat Europe 2010. Our talk is called State of Malware: Family Ties. This talk focuses on malware families. We thought about interesting research we could do in the same vein as our last talk, State of Malware: Explosion of the Axis of Evil. We decided to look [...]

  • Honeynet Project: Challenge 3 of the Forensic Challenge 2010
    The Honeynet Project has posted a forensic challenge centered around analyzing a memory image. The image represents the physical memory acquired from a host at a fictitious bank, which was the victim of an intruder. The Honeynet Project has come up with a series of questions that you must answer in order to solve the [...]

  • Memory Analysis on Windows 2003 64-bit and What’s Next
    Peter and I have been busy planning for CanSecWest in a week. The course, Advanced Memory Forensics in Incident Response, is constantly evolving. It has been about a year and a half since Memoryze was released, and just over a year for Audit Viewer. Honestly, it seems a lot longer, but that is not a [...]

  • State of the Hack Webinar – Thursday March 11th
    Michael J. Graven and I will be presenting MANDIANT’s State of the Hack webinar titled “Silent But Deadly” this Thursday, March 11th at 2PM EST.
    I’ve had the opportunity to lead a number of MANDIANT’s APT investigations recently, and am looking forward to sharing some of my experiences with our audience. One common thread in many [...]

  • Malware Behaving Badly: Preview
    Hope everyone on the northern east coast is staying warm during snowpaclypse. Since I can’t go anywhere I figured now is the right time to write about an upcoming webinar I am giving with Michael Graven.
    The webinar entitled Malware Behaving Badly is on Thursday, February 18, at 2:00 p.m. EST. The webinar title is a [...]

  • Audit Viewer: Malware Rating Index Undocumented Features and Caveats
    Hopefully everyone has had a few weeks to recover from the M-Trends kickoff party in St. Louis and everyone has also had a chance to read the M-Trends report! I hope everyone enjoyed the talk I gave at DOD Cyber Crime Conference. I certainly had fun giving it, sorry to those that got hit with [...]

Date published: Wed, 01 Sep 2010 00:46:01 +0000