As preventative tools have gotten more adept at blocking traditional cyberattacks, bad actors have increasingly leveraged tactics that run only in memory, making them nearly invisible to most detection tools. In the absence of detectable evidence in drive data, memory analysis is needed to identify advanced persistent threats (APTs) leveraging fileless malware and living off the land (LOTL) techniques.
We have recently updated the memory capabilities of Magnet IGNITE with the integration of the Comae Memory Analysis, which significantly increases the speed of memory processing in IGNITE in addition to adding support and insight into the latest Windows OS.
How to Use the Updated Memory Capabilities in IGNITE
As a SaaS-based solution, this change is already live in IGNITE. To try it out for yourself, simply select the memory checkbox when building the agent for your case and IGNITE will take care of the rest.
What is Different About the Memory Collection in IGNITE?
IGNITE is now able to capture full memory crash dumps of Windows machines (x86, x64, ARM64). Unlike raw dumps, crash dumps are a type of full memory dump that carries additional information in its header, providing a more complete dataset with added context for incident response.
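To make the header difference concrete, here is an added triage helper (not IGNITE's or Comae's code) that tells a Windows crash dump apart from a raw dump and reads the architecture, OS version and dump type from the header; the field offsets are an assumption taken from the publicly documented DUMP_HEADER64 layout, and the sample header is constructed.

```python
import struct

# Offsets from the public Windows DUMP_HEADER64 layout (an assumption taken from
# debugger and memory-forensics documentation, not from the IGNITE post above).
OFF_SIGNATURE, OFF_VALIDDUMP = 0x00, 0x04   # b"PAGE", then b"DUMP" (32-bit) or b"DU64" (64-bit)
OFF_MAJOR, OFF_MINOR = 0x08, 0x0C           # OS major version and build number
OFF_MACHINE64 = 0x30                        # IMAGE_FILE_MACHINE_* of the captured system
OFF_DUMPTYPE64 = 0xF98                      # 1 = full, 2 = kernel, 5 = bitmap
OFF_COMMENT64, COMMENT_LEN = 0xFB0, 128     # free-text comment written by the collector
HEADER64_SIZE = 0x2000

MACHINE = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}
DUMP_TYPE = {1: "full", 2: "kernel", 5: "bitmap"}


def classify_dump(data: bytes) -> dict:
    """Describe a collected memory image from its header; raw dumps have none."""
    if data[OFF_SIGNATURE:OFF_SIGNATURE + 4] != b"PAGE":
        return {"format": "raw-or-unknown"}
    valid = data[OFF_VALIDDUMP:OFF_VALIDDUMP + 4]
    if valid == b"DUMP":
        return {"format": "crashdump32"}
    if valid != b"DU64":
        return {"format": "corrupt-signature"}
    if len(data) < HEADER64_SIZE:
        return {"format": "truncated-crashdump64"}
    major, minor = struct.unpack_from("<II", data, OFF_MAJOR)
    machine, = struct.unpack_from("<I", data, OFF_MACHINE64)
    dump_type, = struct.unpack_from("<I", data, OFF_DUMPTYPE64)
    comment = data[OFF_COMMENT64:OFF_COMMENT64 + COMMENT_LEN].split(b"\0", 1)[0]
    return {
        "format": "crashdump64",
        "os_version": f"{major}.{minor}",
        "arch": MACHINE.get(machine, hex(machine)),
        "dump_type": DUMP_TYPE.get(dump_type, f"unknown({dump_type})"),
        "comment": comment.decode("ascii", "replace"),
    }


def constructed_header64() -> bytes:
    """Constructed sample: a 64-bit full-dump header for a Windows 10 x64 host."""
    hdr = bytearray(b"PAGE" * (HEADER64_SIZE // 4))  # real headers use "PAGE" as filler
    hdr[OFF_VALIDDUMP:OFF_VALIDDUMP + 4] = b"DU64"
    struct.pack_into("<II", hdr, OFF_MAJOR, 15, 19041)
    struct.pack_into("<I", hdr, OFF_MACHINE64, 0x8664)
    struct.pack_into("<I", hdr, OFF_DUMPTYPE64, 1)
    hdr[OFF_COMMENT64:OFF_COMMENT64 + COMMENT_LEN] = b"sample comment".ljust(COMMENT_LEN, b"\0")
    return bytes(hdr)


if __name__ == "__main__":
    print(classify_dump(constructed_header64()))
    print(classify_dump(b"\0" * 4096))  # a raw dump: nothing in the first page to read
```

A raw dump has no such header, which is why the architecture, version and dump type must be inferred from page contents instead of read directly.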
While the menu option is the same, several new insights are provided with this update:
- Scheduled Tasks – Scheduled tasks can allow malicious code to be launched, downloaded, or run on specific times or events while remaining in memory, hiding the activity.
- Callbacks – Ransomware that leverages legitimate drivers to gain kernel access to a machine often employs callbacks to nullify security software running on the system and hide its activity.
To learn more about the attributes of a full memory crash dump, check out the blog Full Memory Crash Dumps vs. Raw Dumps: Which Is Best for Memory Analysis for Incident Response? by Matt Suiche (Director, Memory, IR & R&D and Comae Founder).
New Memory View and Exports
An additional change that coincides with the memory update is a tree view of processes, which provides a visual representation of process relationships to facilitate your analysis, alongside the existing table view for each memory artifact.
As part of this update, the export options from IGNITE now also include memory DMPs as well as an MFDB file format for the memory collection that can be opened and examined in AXIOM Cyber.
Try the New Memory Capabilities For Yourself
This update is live in Magnet IGNITE. If you already have an account, simply log in to try out the new memory collection capabilities. If you haven’t tried IGNITE, request a free trial here to check it out for yourself!