Information Security News
In a previous diary I talked about memory acquisition with DumpIt. In this diary I will talk about how to use Mandiant Redline to analyze the memory dump.
“Redline, Mandiant’s premier free tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile”.
1-Download Mandiant Redline from https://www.mandiant.com/resources/download/redline
2-Double-click Redline-1.11.msi
3-Follow the installer steps, then click Close
To analyze a memory image:
1-Select From a Saved Memory File under Analyze Data on the home screen
2-Click Browse under Location of Saved Memory Image (for this diary I will not use Indicators of Compromise)
3-Click Next, then OK
Depending on the size of the image and the speed of your PC, Mandiant Redline will take time to process the memory image.
4-For this example I am going to choose “I am reviewing A Full Live Response or Memory Image”
Now our Image is ready for Review:
From the left-hand side you can choose which type of data you would like to analyze; in this view it is "Processes".
Here you can find all the processes that were running on the system when the memory image was acquired. It shows the full details about each process, such as the Process ID, Path, Arguments, User Name, SID, etc.
If you would like to view the ports that were open on the system when the image was acquired, click Ports under Processes on the Analysis Data window's Host tab.
Overview of the March 2014 Microsoft patches and their status.
|# / Description||Affected||Contra Indications - KB||Known Exploits||Microsoft rating(**)||ISC rating(*)|
|Cumulative Security Update for Internet Explorer|| || || || || |
|Remote Code Execution Vulnerability in Microsoft Direct Show||Direct Show JPEG Library|| || || || |
|Vulnerability in Silverlight Could Allow Security Feature Bypass|| || || || || |
|Privilege Escalation Vulnerability in Windows Kernel-Mode Driver||Windows Kernel-Mode Driver||KB 2930275||Yes. CVE-2014-0323 was public.|| || |
|Security Bypass Vulnerability in Security Account Manager Remote (SAMR) (Replaces MS11-095, MS13-032)||Security Account Manager Remote|| || || || |
(**): The exploitability rating we show is the worst of them all, because of the large number of ratings Microsoft assigns to some of the patches.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Security researchers have uncovered a recent distributed denial-of-service (DDoS) attack that used at least 162,000 WordPress-powered websites to knock another site offline.
The technique made it possible for an attacker with modest resources to greatly amplify the bandwidth at its disposal. By sending spoofed Web requests in a way that made them appear to come from the target site, the attacker was able to trick the WordPress servers into bombarding the target with more traffic than it could handle. Besides causing such a large number of unsuspecting sites to attack another one, the attack is notable for targeting XML-RPC, a protocol the sites running WordPress and other Web applications use to provide services such as pingbacks, trackbacks, and remote access to some users.
Researchers from security firm Sucuri recently counted more than 162,000 legitimate WordPress sites hitting a single customer website. They suspect they would have seen more if they hadn't ended the attack by blocking the requests.
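The reflection described above, seen from the target site's own access logs, as an added detection example that is not part of the original article and is not Sucuri's tooling. It assumes Apache combined-format logs and that each reflecting WordPress site identifies itself with its pingback-verification User-Agent (the "WordPress/<version>; <blog URL>; verifying pingback from <IP>" shape is assumed here); all log lines, addresses and hostnames are constructed. It generalizes the single incident in the text into a per-window count of pingback verifications and distinct reflectors, which is what a defender would alert on.

```python
"""Detect a reflected WordPress pingback flood in a target site's access logs.

Added example, not code from the original article. The target of such a
reflection sees many distinct, legitimate WordPress installs fetching its pages
in a burst, each carrying WordPress's pingback-verification User-Agent (shape
assumed here), which names the reflecting blog and the IP the pingback claimed
to come from. Bucketing those requests per time window and counting distinct
reflectors turns that pattern into an alert.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; the group names are this example's own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed shape of the User-Agent a WordPress site sends while verifying a pingback:
# "WordPress/<version>; <blog URL>; verifying pingback from <claimed source IP>".
PINGBACK_UA_RE = re.compile(
    r'^WordPress/(?P<version>[\d.]+); (?P<site>\S+); '
    r'verifying pingback from (?P<claimed_src>\S+)$'
)

# Constructed sample: five reflectors fetch the same page within three seconds, plus
# one ordinary browser request. Hosts, addresses and times are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2014:12:00:01 +0000] "GET /blog/post HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://wp-site-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [10/Mar/2014:12:00:01 +0000] "GET /blog/post HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://wp-site-b.example; verifying pingback from 198.51.100.7"
203.0.113.12 - - [10/Mar/2014:12:00:02 +0000] "GET /blog/post HTTP/1.0" 200 5120 "-" "WordPress/3.7.1; http://wp-site-c.example; verifying pingback from 198.51.100.7"
203.0.113.13 - - [10/Mar/2014:12:00:02 +0000] "GET /blog/post HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://wp-site-d.example; verifying pingback from 198.51.100.7"
198.51.100.200 - - [10/Mar/2014:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
203.0.113.14 - - [10/Mar/2014:12:00:03 +0000] "GET /blog/post HTTP/1.0" 200 5120 "-" "WordPress/3.8; http://wp-site-e.example; verifying pingback from 198.51.100.7"
"""


def parse_line(line):
    """Return the combined-log fields as a dict (with a tz-aware 'time'), or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_pingback_ua(ua):
    """Return (reflecting site, claimed source IP) for a pingback-verification UA, else None."""
    m = PINGBACK_UA_RE.match(ua)
    return (m.group("site"), m.group("claimed_src")) if m else None


def detect_pingback_flood(log_text, window=timedelta(seconds=60), threshold=3):
    """Bucket pingback-verification hits into fixed windows and flag the busy ones.

    Returns: total pingback hits, number of distinct reflecting sites, a Counter of
    the spoofed 'source' IPs the reflectors were asked to verify (in a reflection
    they all point at the victim), and one alert per window reaching `threshold`.
    """
    per_window = defaultdict(list)   # window start (epoch seconds) -> hits
    claimed = Counter()
    sites = set()
    step = int(window.total_seconds())
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = parse_pingback_ua(rec["ua"])
        if hit is None:
            continue   # ordinary traffic is not counted
        site, src = hit
        sites.add(site)
        claimed[src] += 1
        epoch = int(rec["time"].timestamp())
        per_window[epoch - epoch % step].append(hit)   # align to window start
    alerts = []
    for start, hits in sorted(per_window.items()):
        if len(hits) >= threshold:
            alerts.append({
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
                "hits": len(hits),
                "distinct_sites": len({s for s, _ in hits}),
            })
    return {
        "pingback_hits": sum(claimed.values()),
        "distinct_sites": len(sites),
        "claimed_sources": claimed,
        "alerts": alerts,
    }


if __name__ == "__main__":
    result = detect_pingback_flood(SAMPLE_LOG)
    print(f"{result['pingback_hits']} pingback verifications from "
          f"{result['distinct_sites']} distinct WordPress sites")
    for a in result["alerts"]:
        print(f"ALERT window {a['window_start']}: {a['hits']} hits, "
              f"{a['distinct_sites']} reflectors")
```

Run against a tail of the live log, the same bucketing drives a block rule on the verification User-Agent, which is in effect what ending the attack by blocking the requests amounts to. On the amplifier side, a WordPress site owner can stop taking part by removing pingback.ping from the methods xmlrpc.php advertises (WordPress exposes the xmlrpc_methods filter for that), which leaves the rest of XML-RPC available.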
Adobe released a new version of Flash Player as part of today's Patch Tuesday. No details are available yet. We will update this diary once the details become available. Note that this will also affect browsers like Chrome that include an embedded version of Flash.
Infosec seen as a grudge purchase
Now in its ninth year, the ITWeb Security Summit is southern Africa's premier information security event for IT and business professionals. It is presented by ITWeb, South Africa's leading technology-focused publisher, with media products and services ...