Memory Forensics Comes into the Light
Recently, fileless malware has shown up in numerous LinkedIn articles, blog posts and research papers. It’s being discussed as the “new” threat to watch out for. I agree that this is an important topic, but I do not agree that it is a new threat. Rather, it has been a threat long ignored and is now being rapidly exploited by attackers.
By way of background, fileless malware resides only in memory, not in a file on disk. The attack discussed here used Meterpreter code loaded into the physical memory of a domain controller. Along with the presence of Meterpreter, analysts discovered PowerShell scripts stored within the Windows Registry. For those who are unaware, Meterpreter is a payload from the Metasploit framework, a free hacking tool commonly used by both penetration testers and criminal hackers. Once the attackers have successfully installed Meterpreter, they use various scripts to install a malicious service on the targeted host. After...
Not All Is Lost When You Lose Your Memory
Some time ago I wrote a blog, Memory: It’s What’s for Dinner, about the importance of capturing volatile data and memory analysis. I also provided an intro to memory analysis in Hunting Malware with Memory Analysis and More Memory Fun. What happens if you are not able to grab memory? Obviously, a full memory capture of the suspect system will give you the best chance at recovering volatile information from the system, but if you can’t, not all is lost.
Hibernation and page files contain data that can help put the pieces of the puzzle back together. The hibernation...
Go Blue Team, Go Blue Team, Go!
Reading through the latest cybersecurity industry threads, I find a lot of the written information focuses on “How to Hack with (insert cool name here)”. This is great information when wanting to understand how to perform different hacking techniques or to assist someone who wants to sharpen their hacking skills. For those who want to learn more about how a breach got started, what the common lateral movements are and what the ultimate goal of the event was, you need to dig a little deeper.
Many of these articles are missing a very useful segment of the information security family — the Blue Team. If you are not familiar with the term “Blue Team”, let me elaborate. The Blue Team is the incident response team. During a cybersecurity incident, the Blue Team is the group that finds the “evil” in your network environment. By evil, I am referring to the attacker and the tools the attacker used to compromise the...
Using memory analysis to pull Dyre Trojan config
A couple of years ago, I published a blog on Hunting Malware with Memory Analysis. Well, it is past time to dive back into some memory analysis fun. This time, however, we will use memory analysis techniques to retrieve the Dyre Trojan configuration.
Dyre is a well-known banking Trojan that harvests credentials, primarily targeting online banking. It does this by using man-in-the-browser functionality and dynamic web injects to manipulate content on a financial institution's website and intercept credentials and sensitive information of the victim. This is where the configuration file comes in. The configuration file contains the proxy server(s) controlled by the attackers and the target bank URLs that trigger the man-in-the-browser to redirect the connection to the designated proxy server. Dyre’s configuration file looks like the following:
...
May 09, 2013 - Posted by Jeremy Scott to
Memory is the new vogue and rightfully so. My Solutionary teammate, Susan Carter, recently posted a related blog. Ironically, we were both crafting our posts about the same time but I want to drive home the importance of capturing volatile data and performing memory analysis.
In the past, forensic examinations involving computer systems were always performed by immediately disconnecting any compromised or infected hosts from the network. This was done with a “hard shutdown”, or what has become known as “pulling the plug”, followed by immediately acquiring a forensic image of the hard drive. The rationale for doing this as the first step is to preserve the state of the hard disk.
Now, the first step in any incident response scenario should be capturing the volatile data at the onset. This has become critical to identifying the extent of the compromise or infection. In...