M-unition -

A Look Back at 2012: The Lab

By on December 20, 2012

December is a time for giving and with the holidays around the corner, we wanted to recognize the favorites on M-Unition from our readers. One of our most popular categories is The Lab. This is the place that readers go for the latest on Mandiant incident response tools, tips and in-depth research. In case you’ve missed any of these posts in 2012, here is a recap of our five most popular.

The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1) 
Authored by Ryan Kazanciyan and Christopher Glyer, this post overviews an interesting sample of malware that was uncovered by Mandiant analysts and discusses some of its distinctive characteristics, particularly the clever mechanisms it uses to load on a compromised system.

The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2)
Christopher Glyer and Ryan Kazanciyan continue their analysis into this piece of malware and in this second part take a look at some of the counter-forensic techniques that it utilizes to stay hidden in a compromised environment, provide an Indicator of Compromise (IOC) used to find host-based evidence of the malware, and discuss how attackers took advantage of its functionality.

Creating an IOC to Spot the Duqu Family 
M-Unition blogger, Carrie Jung, takes a deeper look at Duqu, which received a lot of media attention at the beginning of the year. Duqu is a computer worm that the CrySyS Lab (http://www.crysys.hu/) discovered during September, 2011. In this post, Carrie examines the OpenIOC language and demonstrates how to use this powerful, flexible tool to spot the entire Duqu family.

Incident Response with NTFS INDX Buffers – Part 1: Extracting an INDX Attribute
William Ballenthin and Jeff Hamm kicked-off this series after holding a webinar on how to use INDX buffers to assist in an incident response investigation. This series looks at extracting an INDX attribute, the internal structure of the file name attribute, a step-by-step guide to parsing INDX records and the internal structure of an INDX structure. You can view the entire series here, here and here.

An In-Depth Look Into Data Stacking 
During MIRcon™ in October, Mandiant’s Nick Bennett and Jake Valletta discussed data stacking. If you were unable to attend the talk, this blog post discusses the data analysis technique in-depth.

Did we miss any of your favorite posts from The Lab section of M-Unition? Let us know which posts you liked the best by dropping a comment below.

Category: The Suite Spot

Comments

    Leave a Comment

Get M-Unition in Your Inbox:

Follow @mandiant

Follow @mandiant on twitter.

Career Opps @ Mandiant

We’re growing fast, but we’re as demanding as ever. Our clients come to us in their hours of need, so we need the best. That means more than just the right education and the right experience in information security.

As Mandiant continues to grow, we are able to offer certain positions in multiple locations. For details on the location(s) of each opening, please refer to the position descriptions.

Click here to view available positions.