M-unition

The Ammunition You Need to Find Evil and Solve Crime

About Us

Welcome to M-unition, the MANDIANT blog. Here we share our insights about the tools we create and use to find evil and solve crime.

State of the Hack: M-Trends: State of Remediation

Written by David Damato

This Thursday, July 15th at 1PM EDT, Christopher Glyer and I will be presenting MANDIANT’s State of the Hack webinar titled “M-Trends – State of Remediation.”

Many of you probably already know Christopher.  He’s delivered two separate webinars, including a previous State of the Hack titled “Silent But Deadly” and “Fresh Prints: Choose Your Own Adventure.”  These webinars gave you more information about the Advanced Persistent Threat (APT) and provided a detailed look into the malware used by this attacker.  However, one area that we haven’t discussed is how to remediate the APT once detected.

As a result, we have assembled a team of incident responders to create a list of the most common and generally applicable remediation strategies we’ve developed over the past year.  These remediation strategies build on our previous webinars and M-Trends report to provide guidance on how to protect against phishing attacks, limit lateral movement, disrupt C2 communications and facilitate investigation of future attacks.  If you haven’t had the opportunity to listen to our previous webinars and read the M-Trends report, I’d encourage you to do so as it will provide some additional background to Thursday’s webinar.  You can find the listing of previous webinars on our website under the News & Events section. To request a copy of M-Trends, simply click here.

Together, Christopher and I will draw on our experience as consultants over the last 10 years to discuss common problems we consistently see at client sites. We will offer remediation solutions, define associated implementation challenges, and discuss a few case studies where we’ve witnessed clients successfully execute our recommendations.  Although we’ll only be providing a subset of the hundreds of recommendations we’ve made, Christopher and I will be more than happy to field specific questions related to your environment.

I hope you can join us for the webinar this Thursday.  There will be plenty of good recommendations, excellent discussion, and a picture of me in jail.

For more information, and to register, click here.

13 Jul 10 | General

Memory acquisition and the pagefile(s)

Written by Jamie Butler

In the past, I have discussed how in reality there may be as many as 16 pagefiles on a single host. The next question is, “How much data could be contained in all these pagefiles”? Why does this matter? Well, the more data in the pagefiles, the longer they will take to acquire.
 
The size of the pagefiles usually depends on the amount of RAM in the host. If you allow Windows to automatically configure the pagefile(s), it will typically recommend that the total size of the pagefiles should be 1.5 times the size of RAM. Here is an example of the recommended settings on a host with 3.5 GB of memory.

The recommended total pagefile size is 5,371 MB or approximately 1.5 times 3.5 GB. However, you can configure the pagefiles manually. Some Web sites suggest making the size of the pagefile(s) as much as 3 times the size of RAM. This is what Microsoft has suggested as the maximum size for better performance on Windows XP.
 
As pagefiles get bigger, they will take longer to acquire. Let’s look at how large they could be on x64 / EM64T, generically referred to as 64-bit. On 64-bit Windows hosts, 32 bits (2^32 possible values) are used to represent the offset in the pagefile where a page was stored. Each page in the pagefile is 4096 bytes, or 2^12. We know there can be as many as 16 pagefiles, or 2^4. Putting it all together:
 
(Pagefile Offsets) * (Page Size) * (Number of Pagefiles) = Total Size of Paging Data
 
(2^32) * (2^12) * (2^4) = Total Size of Paging Data
 
2^48 bytes = Total Size of Paging Data
 
281,474,976,710,656 bytes = Total Size of Paging Data
 
256 TB = Total Size of Paging Data

Now, I know 256 TB is not going to be typical, but acquiring even 4 GB to 12 GB of paging files can take a long time. The pagefiles are in use and locked by the operating system. To gain access, tools typically parse the filesystem for access to the sectors that represent the pagefiles. This prolongs the time required to acquire the files.
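The ceiling worked out above, as an added example that is not part of the original post: the derivation is parameterised (offset width, page size, pagefile count) so it can be re-run for other layouts, alongside the 1.5x RAM recommendation the post quotes and a rough acquisition-time estimate for a throughput you supply (the throughput figure is an assumption, not a number from the post).

```python
# Added example, not code from the original post. Units follow the post:
# binary multiples, so 2**48 bytes is reported as 256 TB.

UNITS = ["B", "KB", "MB", "GB", "TB", "PB"]


def max_paging_bytes(offset_bits: int = 32, page_shift: int = 12, pagefiles: int = 16) -> int:
    """Theoretical maximum paging data, as in the post:
    (number of representable offsets) * (page size) * (number of pagefiles).
    Defaults are the 64-bit Windows figures the post uses."""
    return (1 << offset_bits) * (1 << page_shift) * pagefiles


def recommended_pagefile_bytes(ram_bytes: int, factor: float = 1.5) -> int:
    """Windows' automatic recommendation is 1.5x RAM; the post also mentions
    3x RAM as the maximum Microsoft suggested for XP. The factor is a parameter."""
    return int(ram_bytes * factor)


def human(nbytes: int) -> str:
    """Render a byte count in binary units (1024 steps), trimming trailing zeros."""
    value = float(nbytes)
    idx = 0
    while value >= 1024 and idx < len(UNITS) - 1:
        value /= 1024
        idx += 1
    return f"{value:g} {UNITS[idx]}"


def acquisition_seconds(nbytes: int, mib_per_second: float) -> float:
    """Wall-clock estimate for reading nbytes at an assumed sustained rate
    (MiB/s). The rate is a hypothetical input: the post gives no throughput."""
    return nbytes / (mib_per_second * 2**20)


if __name__ == "__main__":
    ceiling = max_paging_bytes()
    print("theoretical maximum paging data:", ceiling, "bytes =", human(ceiling))
    # Constructed sample host: 4 GB of RAM, automatic pagefile sizing.
    rec = recommended_pagefile_bytes(4 * 2**30)
    print("1.5x RAM recommendation for 4 GB host:", human(rec))
    # Hypothetical 100 MiB/s sustained read rate through the filesystem.
    for gb in (4, 12):
        print(f"{gb} GB of paging data at 100 MiB/s:",
              round(acquisition_seconds(gb * 2**30, 100)), "s")
```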
 
Next time in this series, we will discuss more about time and its implication on the paging files. If this series is boring you, the memory forensics class at Black Hat contains more hands-on applications and use cases. This year, Aaron LeMasters, author of Web Historian 2.0, will be helping with the class. I hope to see you there.


07 Jul 10 | General

Web Historian: Reloaded

Written by Aaron LeMasters

We’ve been busy here on team agent at MANDIANT.  In the spirit of our long-standing support of free software in the Incident Response community, we are happy to announce the release of Web Historian 2.0.  This release is a complete rewrite and revamp of our very popular web history extraction tool.  This version of Web Historian comes packed with features and supports Firefox 2/3+, Chrome 3+, and Internet Explorer versions 5 through 8.  Here is a quick run-down of some of the new features:

  • Collects web history, cookie history, file download history, and form history into data sets
  • Simple/powerful UI based on tabbed organization of datasets
  • Perform a live artifact scan of the local system
  • Perform an artifact scan of one or more arbitrary history files from all supported browsers
  • Import results from existing XML scan documents
  • Data displayed in gridview style with full search, sort, and filter capabilities
  • Custom filters can be created and applied to one or more data sets
  • Export data sets to XML, HTML or CSV
  • Extract and export history files used in live artifact scan
  • Quick copy/paste selected gridview rows to clipboard
  • Customizable scan settings can tweak the scan to target specific browsers and data sets
  • Right-click context menu for narrowing gridview data instantly
  • Select which columns to display in each dataset
  • View page thumbnails and indexed content
  • Export sanitized version of history results to distribute to others
  • Website Analyzer provides visualization of datasets using bar graphs, pie charts and timelines
  • Website Profiler shows a quick “report card” of artifacts for various websites

The custom filters mentioned above are extremely useful for narrowing the scope of your web history investigation. Web Historian ships with several pre-defined filters that allow you to quickly cull through large web history data sets.  For example, you can instantly filter the web history data by visit type to show only hidden page views caused by ads, or filter the file download history data to show only downloaded media (movies, images, etc.), PDFs, or plain text files.  You can easily create your own filters using the filter editor and configure Web Historian to automatically save any of your searches as filters.  Finally, more filters are accessible with a simple right-click on any web history item.

Also new in Web Historian 2.0 are the Website Analyzer and Website Profiler features.  The Website Analyzer allows you to visualize web history data (rather than scrolling through pages of records) and generate useful bar graphs, pie charts and timeline plots that can be used in an external report.  The Website Profiler generates a quick “report card” summary of any domain in your web history data, showing all artifacts created on your system when it was visited (page titles, cookies, cached files, form data, etc).  This feature allows you to get a quick impression of how a site behaves.  The screenshot below shows the profile of CNN.com:

We hope you enjoy the new features in this release of Web Historian.  As usual, if you have any questions, comments or feedback, please head on over to the user forum.

Stay tuned for even more exciting features coming soon!  If you would like a demo or talk to me about features, I will be at Blackhat USA in Las Vegas this summer and hope to be accepted to demo Web Historian 2.0 at Blackhat Arsenal.  And finally, don’t miss out on our memory forensics training at Blackhat:  Advanced Memory Forensics in Incident Response.

Download Web Historian 2.0


It’s a MANDIANT FIRST; grab your stick

Written by Michael J. Graven

We’re taking our State of the Hack webinar series on the road — to the 22nd Annual FIRST conference in Miami, FL!

Kris Harms and I will present the next State of the Hack webinar in front of a live audience at the MANDIANT booth (#5), on Wednesday, June 16, from 12:30-1:30PM EDT. And for this webinar only, we’ll be taking live questions from the floor. Of course, you can also ask questions on the webinar chat channel if you’re not in Miami with us.

As usual, we’ll also cover a few case studies. We’re going to focus on cases that started out as one thing, but turned out to be something completely different. In the words of VP Steve, “It’s like we went to see a fight, and a hockey game broke out.”

There will be more time than usual for Q&A, by webinar chat and live from the exhibitor hall. If you plan to attend the conference, stop by our booth before and during the broadcast. We’ll try to take your questions live on the air – about the case studies, or about other interesting topics. Can’t make the conference? Don’t worry, you can still register and ask questions beforehand using the registration form.

Learn more and register here.

08 Jun 10 | Conferences, General

New Memoryze, Audit Viewer, and Training

Written by Jamie Butler

For those who are not on our mailing list for Memoryze or Audit Viewer, we released a new version a little over a week ago. The new version of the software includes all of the memory analysis features that are available in the newly released MANDIANT Intelligent Response (MIR) 1.4.

So what is included in Memoryze and Audit Viewer 1.4? Well, here is the short of it.

Memoryze:

  • Support for Windows 2003 x64 SP2
  • Improved support of Vista SP1 and SP2 including port enumeration and a better installer
  • Enumeration of digital signatures for all loaded modules in a process’s address space, hooked and hooking drivers, and all drivers found by driver signature scans
  • Enumeration of MD5/SHA1/SHA256 hashes on disk for all loaded modules in a process’s address space and all drivers found by driver signature scans
  • Updated documentation
  • Single installer for 64-bit and 32-bit versions

 
Audit Viewer:

  • Improvements to the Malware Rating Index (MRI)
      • Report visualization of MRI results
      • MRI rule editors that allow users to graphically edit the MRI rule file
      • Handle Trust view to help identify suspicious handles
  • Ability to search results within a specific process
  • Multi-select with copy
  • Multi-select and export to a CSV file

 
Those who attended the CanSecWest training in March have already been enjoying many of these features in beta form for months, and we are committed to ensuring that those who attend the Advanced Memory Forensics in Incident Response class at Black Hat will get early access to the next version of Memoryze, which will support Windows 7 64-bit.
 
As for the Black Hat training, there is a lot of new and updated content for 2010.

  • Coverage of 64-bit operating systems
  • New section on malware covering different malware techniques and how they stand out in memory
  • Four new case studies ranging from real Advanced Persistent Threat (APT) incidents, to spear phishing attacks, and everything in between
  • Students receive early access to Memoryze and Audit Viewer for Windows 7 64-bit
  • Students receive the only free tool to analyze Windows Vista
  • Students receive the only free tool to analyze Windows 2003 64-bit
  • Better data collection to help identify processes and drivers as malicious or not
  • Added the Malware Rating Index (MRI), which helps automatically identify many malware behaviors discussed in the class. Through a simple user interface, students learn how to write rules to identify malware in their own work environments. MRI then uses those rules to score processes as suspicious or not.

 
I would like to thank James Long who pointed out an issue with the batch scripts* and Peter Villadsen who worked so hard to improve the build process and installation for Memoryze. Peter and I would also like to thank all our loyal users. We appreciate all your feedback, and we hope to see you in Las Vegas.

 
* When specifying an output directory from the command line with the batch scripts in Memoryze, the directory must already exist.


MANDIANT AT CEIC 2010

Written by Brian Gwinner

Got the time?

As part of the Digital Analysis Lab track at CEIC, MANDIANT Director Rob Lee will be teaching Super Timeline Analysis. In this hands-on practical you will learn how to establish a single framework for analyzing time-based data gathered from multiple examinations.

Move over Iron Man – MIR 1.4 is coming!

We wanted to let the dust settle from the other release of superior red metal before we announced ours!

MANDIANT is releasing the next version of MANDIANT Intelligent Response at CEIC 2010.

Here are just some of the features MIR 1.4 includes:

  • Support for the OpenIOC open indicator format – a free-to-use, open XML schema for describing indicators of compromise.
  • Agent support for Windows 7, 64-bit systems for non-memory forensic audits.
  • Agent support for Windows Vista 32-bit systems.
  • Agent support for 64-bit memory forensic audits for Windows 2k3 systems.
  • Optional Agent installation into “self-hiding” mode.

So what else has changed since MIR 1.3?

Come visit us at CEIC booth 706 and find out!


25 May 10 | General