
M-unition

The Ammunition You Need to Find Evil and Solve Crime

About Us

Welcome to M-unition, the MANDIANT blog. Here we share our insights about the tools we create and use to find evil and solve crime.

Flex your Memory Forensic skills at CEIC!!!

Written by Peter Silberman

MANDIANT will be at this year’s Computer Enterprise Investigation Conference (CEIC). I will be there as well, running a contest for incident responders. The contest is designed to test your ability to identify malware in memory. We have all heard of the Advanced Persistent Threat; we know the acronym APT. If you’re not familiar with APT or want to become more familiar, check out https://cc.readytalk.com/cc/schedule/display.do?udc=1s8rbdxuuzuf7.

But how many of us have seen these cute cuddly creatures on live systems or in dead memory? This is your opportunity to come see if you can find the malware of an actual APT incident as well as some other incident of my own creation.

The contest will run two days and kick off Monday, May 18 at 9:45 a.m. The contest will work as follows: you will be given access to a virtual machine (VM). This VM will be pre-loaded with Audit Viewer and Memoryze. Audit Viewer will already have the audits needed to solve the incident loaded, which will cut down on the time needed at the station. You will have 10 minutes to go through the results of the audit and answer a set of four to five questions. At minutes 4, 6, and 8 you can ask for hints. If you answer three or more of the questions on the first day, you are eligible to compete on the second day. The second day will work the same way. One of these two days will contain actual APT malware taken from an incident we responded to. The contest is designed to simulate what we see on a daily basis and to help attendees learn more about finding malware in memory. The prize will be an iLive IP908B 9″ Portable DVD Player With iPod® Dock And Swivel Screen.

If you are wondering how to prepare for the contest, we recommend you read the Audit Viewer user guide included in Audit Viewer. You should understand the data displayed by Audit Viewer and how to navigate and search Audit Viewer results. You will not have to run Memoryze, as all the data you need to solve the case will be preloaded into Audit Viewer. We will have an Audit Viewer training slide deck running at the contest so you can cram prior to the competition if you’d like, but as one of my college professors might have said, “cramming is not recommended.”

You may say, “well I don’t have much memory analysis experience.” That does not matter! Stop by the booth, I will be there to walk through how to do memory forensics on 15 or so unique memory images. Each memory image is a different type of malware or scenario. All our demonstrations will utilize MemScript, which is a FREE EnCase script written by Kelcey Tietjen that integrates memory analysis into EnCase. This is a great chance to come and learn something new. And, as always, if you have questions about previous talks we’ve given or upcoming research you’ve read about, I’ll be more than happy to chat about those as well. So stop by, watch others compete, come and see the big red box, talk memory, APT, fluffy bunnies and more.

Hope to see you there!


11 May 09 | General

MindSniffer, Updated Audit Viewer released

Written by Peter Silberman

I’m currently writing this blog post from my hotel room at Blackhat Federal. Jamie and I wrapped up our “Advanced Memory Forensics in Incident Response” class on Tuesday. It went very well and we are both looking forward to teaching it again in Las Vegas. I just finished giving my talk “Snort my Memory.” I detailed the talk in a previous blog post. This post now includes links to available software. MindSniffer is available here. If you have any questions, comments or suggestions, please feel free to contact me at peter.silberman@mandiant.com.
Following the release of MindSniffer I am thrilled to announce a NEW version of Audit Viewer. This version includes the following features:

  • Processes are marked in red if they have injected DLLs
  • View imports/exports of PE files in memory. This can be done by right clicking on memory sections
  • Signature Manager built into Audit Viewer to support py files generated by MindSniffer
  • Added sections and semaphore handle types
  • Memoryze Launcher – this is a GUI that wraps Memoryze and lets you configure it entirely from a user interface. No more batch scripts or XML files. To use Memoryze Launcher, click “Launch Memoryze.” You can configure multiple jobs at once; they will all run, and the results are then auto-loaded into Audit Viewer for easier integration. This is a huge feature and I’m very excited to get feedback on it.
  • Numerous bug fixes
  • Updated documentation

Grab the new Audit Viewer at its new location: Audit Viewer
Please feel free to e-mail comments, suggestions, ideas and anything else you think I should know regarding Audit Viewer.
Enjoy,
Peter


19 Feb 09 | General

Snort My Memory – Blackhat DC 09

Written by Peter Silberman

For those of you who have not checked the speaker lineup for Blackhat DC, I will be there giving a presentation entitled “Snort My Memory.” This talk will address some research that has been going on internally here at MANDIANT for the past couple of months. The research is focused on how to identify common malware samples in memory using Memoryze and the Audit Viewer. The specific idea behind this presentation is to take existing Snort signatures and apply them to strings in memory. The theory is that Snort uses strings to identify malware traffic on the network; the malware builds that traffic from “strings,” and those “strings” must be in memory before they go out over the wire. So why not just use Snort on the network? Well, when searching an entire enterprise for malware, you need to know every host that is infected, not just the ones that are communicating. Also, the attacker’s communications may be encrypted using SSL or other techniques, which makes network detection harder. With a little luck, the protocol strings, such as commands for the botnet, are hanging around statically unencrypted in memory, and we can detect them.


This research led me to write two new components. The first component is MindSniffer. This tool takes a Snort rule file and generates either Xpath filters for Memoryze to use or plugins for the Audit Viewer.


python mindsniffer.py
 Written by Peter Silberman (peter.silberman@mandiant.com)
 USAGE: mindsnort.py
    <-r|--rules RULE FILE>  snort rule file to parse
    <-x|--xpath>            generate xpath signatures
    <-p|--py>               generate py files for use in AuditViewer
    [-o|--output]           specify output directory


The second component written is a plugin framework and manager for the Audit Viewer. This new component allows users to apply Snort “signatures” to Audit Viewer results (strings must be turned on during the process audit).
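As an added illustration of the idea described above (this is not MindSniffer itself, and the XPath and plugin output formats it generates are not reproduced here), the following Python script extracts the content: options from Snort rules, expands |hex| sections, and checks each rule against process strings of the kind a strings-enabled process audit produces. The rules, sids and process strings are all constructed for the example.

```python
import re
# Constructed sample rules (sids in the local-use range, not real Snort sids).
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE bot IRC join"; content:"JOIN #botnet"; nocase; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE beacon"; content:"GET /cmd.php?id="; content:"|0d 0a|"; sid:9000002; rev:1;)
'''
# Constructed stand-in for a strings-enabled process audit: (pid, process name, string).
SAMPLE_STRINGS = [
    (1234, "svchost.exe", "join #BOTNET"),
    (1234, "svchost.exe", "GET /cmd.php?id=42\r\n"),
    (4321, "explorer.exe", "C:\\Windows\\explorer.exe"),
]
# Only the rule options this example uses: content (with optional nocase) and sid.
OPTION_RE = re.compile(r'content:"([^"]*)";\s*(nocase;)?|sid:(\d+);')

def decode_content(raw):
    """Turn a Snort content string into bytes, expanding |0d 0a|-style hex sections."""
    out = b""
    for i, part in enumerate(raw.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out

def parse_rules(text):
    """Return one dict per alert rule: its sid and a list of (needle_bytes, nocase) pairs."""
    rules = []
    for line in (l for l in text.splitlines() if l.startswith("alert")):
        rule = {"sid": "", "contents": []}
        for m in OPTION_RE.finditer(line):
            if m.group(1) is not None:
                rule["contents"].append((decode_content(m.group(1)), m.group(2) is not None))
            else:
                rule["sid"] = m.group(3)
        rules.append(rule)
    return rules

def rule_matches(rule, string):
    """True when every content: needle occurs in the string (order is not enforced)."""
    data = string.encode("latin-1", "replace")
    return bool(rule["contents"]) and all(
        (nd.lower() in data.lower()) if nocase else (nd in data)
        for nd, nocase in rule["contents"])

def scan_strings(rules, strings):
    # Map (pid, process) -> set of sids whose content matched one of the process's strings.
    hits = {}
    for pid, name, s in strings:
        for rule in rules:
            if rule_matches(rule, s):
                hits.setdefault((pid, name), set()).add(rule["sid"])
    return hits
```

Matching every content: option anywhere in a single string is a deliberate simplification; real Snort rules also carry distance, offset and pcre constraints that this example ignores.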


The presentation will cover the above research, what was learned, and how Memoryze accesses and parses physical memory and associates strings with processes. As always, there will be live demonstrations of Snort signatures working in memory. You can see the official abstract at https://www.blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Silberman


I hope to see you guys there in February. Feel free to e-mail me if you have questions or want to see the demo from Hack In The Box Malaysia ‘08 (http://conference.hitb.org/hitbsecconf2008kl/).


As a final note and shameless plug, stay tuned for some major updates to the Audit Viewer in the coming month or so.


Integrate EnCase, Memoryze, and Audit Viewer with MemScript

Written by Kelcey Tietjen

Memoryze is a great tool for memory analysis, but what makes it even stronger is that it can be integrated with other tools to help with incident response. These other tools can be leveraged to bring Memoryze’s capabilities to remote hosts. If your organization has not deployed or piloted MANDIANT Intelligent Response (MIR), you can use EnCase Enterprise Edition (EEE) to gain access to remote memory. Just like with MIR, using EEE you are able to collect volatile data with “snapshots” and also have the ability to access memory on a remote system. Once you have access to the remote memory object, Memoryze comes in handy. The ability to access this remote memory object with EEE is how the “MemScript” was born. The MemScript is an EnScript that integrates a couple of programs to automate memory analysis with EnCase. First, MemScript is integrated with Memoryze: MemScript accesses the memory entry and uses Memoryze to do the analysis. Second, MemScript takes the results from Memoryze’s analysis and launches MANDIANT’s Audit Viewer. Using MemScript is easy, and it is even easier to set up. The first step in using MemScript is having the tools it integrates. You will need the following tools:

  • EnCase
  • Memoryze
  • Audit Viewer

    Note: Please make sure you have updated to Memoryze 1.2.18.0 and Audit Viewer 1.0.0.7 released this week.

Audit Viewer requires Python and a Python GUI library, so installing these is also required to use MemScript. These requirements can be found at the following links:

Once all the tools are on the system, you can begin the analysis by adding the memory entry to a case. To add the memory object to a case, go to “Add Device”. In this window, check the box for Physical Memory. At this point, you should see the window illustrated in Figure 1.

Figure 1: Enabling the memory object.


If your windows are similar to the ones above, double click on Local Drives in the right hand table (it would be a remote machine with EEE). The next window will show whether you have access to the system’s memory. If you do have access, the window in Figure 2 should appear.

Figure 2: Adding the RAM device.


At this window, double click on the RAM. This will give you a new window with just the RAM. Once here, click the Finish button. The memory object is now added to your case and analysis can begin. Before we start the MemScript, we need to blue check the “PhysicalMemory” entry. When this is finished, you should have a window that looks similar to the one in Figure 3.

Figure 3: Blue checked PhysicalMemory entry.


With the PhysicalMemory entry blue checked, start the MemScript EnScript. Figure 4 is the window that appears when the MemScript is started.

Figure 4: MemScript start page.


The first tab that appears is the Process Audit tab. This tab runs process audits on the memory. The options available are for ports, sections, handles and strings. These options are detailed in the Memoryze documentation, and a synopsis of them is available under the Help button. You are also able to specify either a specific process name or a specific PID. By default, the process audit is always run when using MemScript. One tip while running this audit: the strings option greatly inflates the size of the results. To get around this problem, it is easier to look at strings for a specific process name or PID rather than across the whole memory image. The other audits available with MemScript are Driver Audits, Driver Signature Audits, and Rootkit Audits. All of these audits are detailed in the Memoryze documentation as well. These audits can be run along with a process audit, and multiple audits can be run at the same time. Running these audits is done by checking whether they should be performed or not. An example of selecting the Rootkit Audit to run is shown in Figure 5.

Figure 5: Example of running the Rootkit Audit.


All of the audits are stored in the case’s export folder. These audits can then be viewed with Internet Explorer or Audit Viewer. If Audit Viewer is already installed on the machine, you can set up MemScript to automatically launch Audit Viewer when the analysis is done. Setting Audit Viewer to launch automatically is done in the Options tab. The Options tab is shown in Figure 6 with MemScript configured to launch Audit Viewer when the memory analysis is finished.


Figure 6: Setting the options to launch Audit Viewer.


The other option in MemScript is to change the install directory of Memoryze. By default MemScript looks for Memoryze in “C:\Program Files\Mandiant\Memoryze” but it can be changed by selecting this option. Figure 7 shows the install directory being changed for MemScript.

Figure 7: Changing the install directory for Memoryze.


Now that all of the options and audits have been walked through, you can start the analysis by pressing the OK button.

During the analysis a couple of command line boxes will pop up, depending on the options you set. If you set the option to launch Audit Viewer, two command boxes will pop up; only one pops up if Audit Viewer is not set to launch. The first command box to pop up is Memoryze running its analysis. Please leave this command box open; it should close when Memoryze’s analysis is done. Since Audit Viewer is also launched from a command shell, the next box to open will also need to be kept open until you are done looking at the results with Audit Viewer.

When the analysis is done, the results will be populated in Audit Viewer. Figure 8 below shows the result of running a Process Audit and a Driver Signature Audit.

Figure 8: Results of MemScript in Audit Viewer.


The results of the Process Audit are shown in the ProcessAuditMemory tab. The Driver Signature Audit results are displayed in the DriverAuditSignature tab. Another nice feature of using MemScript is that when Audit Viewer is launched you can acquire processes from the memory image you are analyzing. The memory image file is exported to your case’s export folder and populated in Audit Viewer. To get started using MemScript, get all the required tools plus the EnScript below:

MemScript


18 Dec 08 | General

Article on how to use Memoryze and Audit Viewer for malware analysis

Written by Peter Silberman

I know not everyone reads OpenRCE, but it has been a favorite haunt of mine since Pedram launched it. Over the holiday, I posted an article there about how to use Memoryze and Audit Viewer to do malware analysis since that has always been one of my hobbies.

See Memoryze Memory Forensics Tool at OpenRCE.

NOTE: John O. pointed out that having spaces in your path where Memoryze was installed may prevent Audit Viewer from launching Memoryze because of how batch scripts’ input is interpreted. If you install Memoryze in a path with no spaces you should be fine.

Thanks to Pedram for helping with the post to OpenRCE and to Danny Quist at Offensive Computing for his blog entry.


01 Dec 08 | General