- Windows keeps track of the applications opened the most often and preloads them into memory before they're executed
- Prefetch files (*.pf) stored in
- For example, prefetch file for
calc.exe-<8 char hash of filepath>.pf
- Body of prefetch file tells us when program was executed, how many times, from what path
- Windows stores the size, icon, position of a folder when using Windows Explorer
- Persists after the folder is deleted
- Can be used to list deleted files and previously mounted volumes
Windows Event Logs
- Application = events apps want to log
- Security = sign in/out, user creation, program execution, etc
- System = changes to system time, service runs, etc
- Aka App Compatibility Cache
- Stored in registry
- Limited in size - overwrites itself when out of space
- Stores file paths and metadata of files that are browsed interactively in
- Process execution flag indicates if file was executed
- Shortcut files. The Google Chrome "shortcut file" on the Desktop is a LNK file
- Created whenever an user opens a file -- not just when he creates a file!
- Useful if the original file is deleted
- MACE times of original file
- serial number of volume where original file was stored (useful if an USB was plugged in)
- original file's size when last opened
- a few other things
NTFS MACE timestamps
- NTFS stores 2 sets of
MFT entry modifiedtimestamps
- Stores metadata about every file in filesystem
- Can look for anomalies using AnalyzeMFT
- In a directory, files should have sequential MFT Record Numbers. Helps us identify newly added files to
C:\Windows, for example
- Designed to centralize configuration files in Windows
- 5 main system hives:
- User specific hives:
How are hives structured?
- Essentially, as folders of key-value pairs
- Keys = "folders"
- Values = "keys in each folder"
- Data = "values in each folder"
HLKM\SOFTWARE\cygwinis a key,
rootdiris a value,
- Registry keys (folders) only store one timestamp:
- Windows API doesn't have a function to set
LastWriteTimefor a registry key, so malware timestomping a registry key isn't common
- Hundreds of them! Some still undocumented
- Run, RunOnce, AppInit_DLLs, a lot more
- Are executed by
- Look for a
HKEY_LOCAL_MACHINEhive is erased after computer is shutdown, as it's only stored in memory
Scenario 1: The attacker placed the filename “kas.exe” on the folder “c:\PerfLogs\Admin”. Which artifacts could record evidence about this action?
MFT, USN, $LogFile, $INDX attributes
Scenario 2: Which account did the attacker used to log into the system when he placed “kas.exe” on the file system?
Windows Event Logs (Security)
Scenario 3: Attacker executed the “kas.exe” binary. Which artifacts might record this evidence?
ShimCache, Prefetch, Windows Event Logs (Security)
Scenario 4: The execution of “kas.exe” dropped three files on disk that used DLL Search Order Hijacking to achieve persistence and install the malicious payload. Which artifacts might help identifying this technique?
I didn't know. Correct - use a mixture of artifacts
Scenario 5: The PlugX dropped files have the NTFS timestamps manipulated i.e., It copies the timestamps obtained from the operating system filename ntdll.dll to set the timestamps on the dropped files. What artifacts could be used to detect this?
Check for inconsistencies between NTFS
Also, to identify dropped file, can look for MFT anomalies. Usually, files in a folder have sequential MFT Record Numbers. Dropped files will have later record numbers.
Scenario 6: Attacker used the PlugX controller to Invoke a command shell and execute Windows built-in commands. Are there any artifacts left behind that could help understand commands executed?
Use Volatility -
Scenario 7: Attacker established a persistence mechanism either using a Service or Registry Key.
Use RegRipper. Check last modified timestamp for each registry key
Scenario 8: The attacker accessed the Active Directory database using the “ntdsutil.exe” command. What could be used to detect this activity?
cmdscan, ShimCache, Windows Event logs. (Can't use Prefetch - not enabled on servers!)