Threat Research Blog

Best of the Best in 2013: The Lab

There is no denying it. Mandiant recruits the best and the brightest talent to be part of our technical teams. This group is one of the most passionate in the industry. Each individual lives and breathes researching, investigating, creating new tools and techniques.

In the past year, some of our most read blog posts come from The Lab channel. In case you've missed them, here are some of our most popular posts:

Responding to Attacks on Apache Struts2

In mid-July of 2013, three vulnerabilities in the Apache Struts2 web framework were publicly disclosed and catalogued in CVE (the dictionary of publicly known information security vulnerabilities and exposures). Struts2 evaluates parts of incoming HTTP requests as expressions, and a bug in that handling allowed attackers to execute arbitrary commands on the web server.

In the wake of this public disclosure, Mandiant has been actively investigating a series of these attacks. This post highlights steps an organization can take to determine whether it has been attacked through this vector.
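As an added example (not Mandiant's code and not the checklist from the linked post), the Python below scans the kind of evidence such an investigation usually starts with: web server access logs. It percent-decodes each request target, including double-encoded ones, and flags requests that carry the parameter prefixes the public Struts2 advisories of that month (S2-016 among them) describe as being evaluated as OGNL, together with expression markers and Java classes that appear in public command-execution payloads. The indicator list, regexes and log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote

# Assumed indicators (not from the original post): parameter prefixes that the
# public Struts2 advisories of July 2013 (S2-016 among them) describe as being
# evaluated as OGNL, plus expression markers and classes seen in RCE payloads.
OGNL_PREFIX = re.compile(r"[?&](?:action|redirect|redirectAction):", re.IGNORECASE)
OGNL_MARKERS = ("${", "%{", "#context", "#_memberAccess", "@java.lang.Runtime@",
                "ProcessBuilder", "@org.apache.commons.io.IOUtils@")

# Apache/NCSA combined-style access log line (assumed format)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_target(target, rounds=3):
    """Percent-decode repeatedly: exploit kits often double-encode to slip past naive filters."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_request(line):
    """Return a finding dict for a request carrying OGNL injection indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_target(m.group("target"))
    prefix_hit = OGNL_PREFIX.search(target) is not None
    markers = [k for k in OGNL_MARKERS if k in target]
    if not prefix_hit and not markers:
        return None
    return {
        "ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
        "prefix": prefix_hit, "markers": markers, "target": target,
    }


def scan_access_log(lines):
    """Run classify_request over every line; findings come back in log order."""
    return [hit for hit in map(classify_request, lines) if hit is not None]


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic)
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [16/Jul/2013:10:02:11 +0000] "GET /app/index.action HTTP/1.1" 200 5120',
    '203.0.113.9 - - [16/Jul/2013:10:02:40 +0000] "GET /app/index.action?redirect:%24%7B%23a%3D'
    '(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%7B%22id%22%7D)).start()%7D HTTP/1.1" 302 0',
    '198.51.100.7 - - [16/Jul/2013:10:03:01 +0000] "GET /app/login.action?username=admin&password=x HTTP/1.1" 200 880',
    '203.0.113.9 - - [16/Jul/2013:10:03:22 +0000] "GET /app/index.action?action:%2525%257B%2523context'
    '%255B%2522xwork.MethodAccessor.denyMethodExecution%2522%255D%253Dfalse%257D HTTP/1.1" 200 15',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} prefix={hit['prefix']} markers={hit['markers']}")
        print("   ", hit["target"])
```

A 302 on the `redirect:` request is not a sign that the attempt failed: with that prefix the expression is evaluated while Struts builds the redirect, so the status code says nothing about whether the command ran. Treat every hit as a pivot point: pull the source address's other requests, look for process creation by the servlet container around the timestamp, and check the webroot for files written at that time.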

Malware Persistence without the Windows Registry

For an attacker to maintain a foothold inside your network they will typically install a piece of backdoor malware on at least one of your systems. The malware needs to be installed persistently, meaning that it will remain active in the event of a reboot. Most persistence techniques on a Microsoft Windows platform involve the use of the Registry.

Examining malware persistence locations in the Windows Registry and startup locations is a common technique employed by forensic investigators to identify malware on a host. Each persistence technique commonly seen today leaves a forensic footprint which can be easily collected using most forensic software on the market. The persistence technique described in this post is special in that it doesn't leave an easy forensic trail behind.

Carving Station - RAR Files

This post will discuss the technique of carving files from unallocated disk space. "Carving" simply means extracting a specific section of bytes from an area of disk space; ideally those bytes make up a complete file. You can carve any kind of file, but in this post we will specifically address how to carve RAR archives from unallocated disk space.

Why RAR files? In many of Mandiant's investigations of targeted attacks, an attacker will collect data and compress it into a RAR archive prior to taking it from the targeted network.
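As an added illustration of carving by walking the archive's own structure (example code written for this page, not Mandiant's tooling or the procedure from the linked post), the Python below searches a byte buffer standing in for unallocated space for the RAR 4.x signature, then follows the block headers after each hit, checking each header's 16-bit CRC, until it reaches the end-of-archive block. That yields the exact archive length rather than a guessed maximum, rejects a stray signature sitting in random data, and still recovers a truncated archive up to its last verifiable block. The sample "disk" and the archives in it are constructed inline by a minimal builder; RAR 5 archives (different signature, variable-length headers) are out of scope, as are 4.x archives with files over 4 GB.

```python
import struct
import zlib

RAR4_MARKER = b"Rar!\x1a\x07\x00"           # RAR 1.5-4.x signature (itself a valid 7-byte block)
MARKER_BLOCK, MAIN_HEAD, FILE_HEAD, END_BLOCK = 0x72, 0x73, 0x74, 0x7B
LONG_BLOCK = 0x8000                          # HEAD_FLAGS bit: a 4-byte ADD_SIZE follows the short header


def _head_crc_ok(buf, pos, head_size):
    """HEAD_CRC is the low 16 bits of CRC32 over HEAD_TYPE through the end of the header (data excluded)."""
    expected = struct.unpack_from("<H", buf, pos)[0]
    return (zlib.crc32(buf[pos + 2:pos + head_size]) & 0xFFFF) == expected


def rar4_archive_length(buf, start):
    """Walk RAR 4.x blocks from the marker at buf[start].

    Returns (length, complete): length spans every block whose header verified
    (a block whose data is cut off by the end of buf is clamped, not dropped);
    complete is True only if the end-of-archive block was reached. Returns
    None if no valid main header follows the marker, i.e. a stray signature.
    """
    pos, seen_main = start, False
    while pos + 7 <= len(buf):
        head_type, head_flags, head_size = struct.unpack_from("<BHH", buf, pos + 2)
        if head_size < 7 or pos + head_size > len(buf):
            break                                   # header itself is cut off or nonsense
        if head_type != MARKER_BLOCK and not _head_crc_ok(buf, pos, head_size):
            break                                   # corrupt, or not a header at all
        block_len = head_size
        if head_flags & LONG_BLOCK:
            if pos + 11 > len(buf):
                break
            block_len += struct.unpack_from("<I", buf, pos + 7)[0]   # PACK_SIZE for file blocks
        seen_main = seen_main or head_type == MAIN_HEAD
        pos += block_len                            # may run past the buffer on a truncated archive
        if head_type == END_BLOCK:
            return pos - start, True
    if not seen_main:
        return None
    return min(pos, len(buf)) - start, False


def carve_rar4(buf):
    """Return [(offset, length, complete), ...] for every RAR 4.x archive found in buf."""
    found = []
    pos = buf.find(RAR4_MARKER)
    while pos != -1:
        result = rar4_archive_length(buf, pos)
        if result is None:
            resume = pos + 1
        else:
            found.append((pos, result[0], result[1]))
            resume = pos + result[0]                # skip signatures of archives stored inside this one
        pos = buf.find(RAR4_MARKER, resume)
    return found


# --- constructed sample data (not real evidence): a minimal RAR 4.x builder ---
def _block(head_type, flags, body):
    rest = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest

def _file_block(name, data):
    # PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME, UNP_VER, METHOD (0x30 = stored), NAME_SIZE, ATTR
    fixed = struct.pack("<IIBIIBBHI", len(data), len(data), 2, zlib.crc32(data), 0, 29, 0x30, len(name), 0x20)
    return _block(FILE_HEAD, LONG_BLOCK, fixed + name) + data

def build_sample_archive(files):
    main = _block(MAIN_HEAD, 0, b"\x00" * 6)     # HighPosAV + PosAV
    return RAR4_MARKER + main + b"".join(_file_block(n, d) for n, d in files) + _block(END_BLOCK, 0x4000, b"")

SAMPLE_ARCHIVE = build_sample_archive([(b"finance.xlsx", b"Q3 numbers " * 20), (b"notes.txt", b"exfil me")])
SAMPLE_DISK = (
    b"\x00" * 100 + b"junk" * 30
    + SAMPLE_ARCHIVE                                # intact archive at offset 220
    + b"\xff" * 64
    + RAR4_MARKER + b"not really an archive" * 4    # stray signature: must be rejected
    + SAMPLE_ARCHIVE[:-10]                          # truncated copy: end block and part of the last file lost
)

if __name__ == "__main__":
    for offset, length, complete in carve_rar4(SAMPLE_DISK):
        print(f"RAR at 0x{offset:x}, {length} bytes, {'complete' if complete else 'TRUNCATED'}")
```

On a real image, run this over the unallocated clusters exported by your forensic suite and write each carved span out to a file; a hit reported as truncated is still worth listing, since the file headers that did verify name what the attacker staged even when the data cannot be extracted.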

Using a Custom VDB Debugger for Exploit Analysis

Analyzing an exploit and understanding exactly how the exploit lands can take a long time due to inadequate analysis tools. One way to speed up understanding of how an exploit behaves is to use Vtrace and VDB. This post explains how to create a custom VDB debugger in order to detect, analyze, and prevent execution of an exploit payload.