Вы находитесь на странице: 1из 2

FOR500 FOR508

Windows Forensics Advanced Incident


GCFE Response and Threat
Hunting GCFA

OP ER AT I NG INCID ENT
FOR572
Advanced Network
Forensics: Threat Hunting,
FOR518 SYST EM & RESPO NSE Analysis, and Incident
Mac and iOS
Forensic Analysis D EVICE & THREAT Response GNFA
and Incident
Response IN- D EP T H HUNTING
FOR578

Hunt Evil
Cyber Threat Intelligence
GCTI

FOR526
Memory Forensics
In-Depth FOR610
REM: Malware Analysis
GREM

P O S T E R Advanced
Smartphone
FOR585

Forensics GASF
SEC504
Hacker Tools, Techniques,
Exploits, and Incident
Handling GCIH

$25.00
DFIR_HuntEvil_v4.1_8-18 dfir.sans.org
Poster was created by Rob Lee and Mike Pilkington
©2018 Rob Lee and Mike Pilkington. All Rights Reserved. @sansforensics sansforensics dfir.to/DFIRCast dfir.to/gplus-sansforensics dfir.to/MAIL-LIST

Find Evil – Know Normal


Knowing what’s normal on a Windows host helps cut through the noise to quickly locate potential malware.
Use the information below as a reference to know what’s normal in Windows and to focus your attention on the outliers.

Process Hacker
Image Path: N/A for system.exe – Not generated from an executable image Hacker View Tools Users Help Image Path: %SystemRoot%\System32\csrss.exe
Parent Process: None Parent Process: Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent
Refresh Options Search Processes (Ctrl+K)
process name.
Number of Instances: One
Processes Services Network Disk Number of Instances: Two or more
User Account: Local System
User Account: Local System
Start Time: At boot time Name Start Time: Within seconds of boot time for the first two instances (for Session 0 and 1). Start times for additional
Description: The System process is responsible for most kernel-mode threads.
instances occur as new sessions are created, although often only Sessions 0 and 1 are created.
Modules run under System are primarily drivers (.sys files), but also include System Idle Process Description: The Client/Server Run-Time Subsystem is the user-mode process for the Windows subsystem. Its duties
several important DLLs as well as the kernel executable, ntoskrnl.exe.
System include managing processes and threads, importing many of the DLLs that provide the Windows API, and facilitating
shutdown of the GUI during system shutdown. An instance of csrss.exe will run for each session. Session 0 is for
smss.exe services and Session 1 for the local console session. Additional sessions are created through the use of Remote
Desktop and/or Fast User Switching. Each new session results in a new instance of csrss.exe.
Image Path: %SystemRoot%\System32\smss.exe
Memory Compression
Parent Process: System Interrupts
Number of Instances: One master instance and another child instance per
session. Children exit after creating their session.
Secure System Image Path: %SystemRoot%\System32\services.exe
User Account: Local System csrss.exe Parent Process: wininit.exe
Start Time: Within seconds of boot time for the master instance csrss.exe Number of Instances: One
Description: The Session Manager process is responsible for creating new User Account: Local System
sessions. The first instance creates a child instance for each new session. wininit.exe Start Time: Within seconds of boot time
Once the child instance initializes the new session by starting the Windows
subsystem (csrss.exe) and wininit.exe for Session 0 or winlogon.exe services.exe Description: Implements the Unified Background Process Manager (UBPM), which is responsible for background
activities such as services and scheduled tasks. Services.exe also implements the Service Control Manager (SCM),
for Session 1 and higher, the child instance exits. svchost.exe which specifically handles the loading of services and device drivers marked for auto-start. In addition, once a user
has successfully logged on interactively, the SCM (services.exe) considers the boot successful and sets the Last
ShellExperienceHost.exe Known Good control set (HKLM\SYSTEM\Select\LastKnownGood) to the value of the CurrentControlSet.
SearchUI.exe
Image Path: %SystemRoot%\System32\wininit.exe
Parent Process: Created by an instance of smss.exe that exits, so tools
RuntimeBroker.exe
usually do not provide the parent process name. RuntimeBroker.exe Image Path: %SystemRoot%\system32\svchost.exe
Number of Instances: One Parent Process: services.exe (most often)
User Account: Local System
WmiPrvSE.exe Number of Instances: Many (generally at least 10)
Start Time: Within seconds of boot time svchost.exe User Account: Varies depending on svchost instance, though it typically will be Local System, Network Service, or
Local Service accounts. Windows 10 also has some instances running as logged-on users.
Description: Wininit.exe starts key background processes within Session 0.
It starts the Service Control Manager (services.exe), the Local Security
svchost.exe Start Time: Typically within seconds of boot time. However, services can be started after boot (e.g., at logon), which
Authority process (lsass.exe), and lsaiso.exe for systems with Credential sihost.exe results in new instances of svchost.exe after boot time.
Guard enabled. Note that prior to Windows 10, the Local Session Manager Description: Generic host process for Windows services. It is used for running service DLLs. Windows will
process (lsm.exe) was also started by wininit.exe. As of Windows 10, that taskhostw.exe run multiple instances of svchost.exe, each using a unique “-k” parameter for grouping similar services.
functionality has moved to a service DLL (lsm.dll) hosted by svchost.exe. Typical “-k” parameters include DcomLaunch, RPCSS, LocalServiceNetworkRestricted, LocalServiceNoNetwork,
svchost.exe LocalServiceAndNoImpersonation, netsvcs, NetworkService, and more. Malware authors often take advantage of the
ctfmon.exe ubiquitous nature of svchost.exe and use it either to host a malicious DLL as a service, or run a malicious process
named svchost.exe or similar spelling. Beginning in Windows 10 version 1703, Microsoft changed the default
svchost.exe grouping of similar services if the system has more than 3.5 GB of RAM. In such cases, most services will run under
Image Path: %SystemRoot%\System32\RuntimeBroker.exe their own instance of svchost.exe. On systems with more than 3.5 GB RAM, expect to see more than 50 instances of
Parent Process: svchost.exe svchost.exe svchost.exe (the screenshot in the poster is a Windows 10 VM with 3 GB RAM).
Number of Instances: One or more svchost.exe
User Account: Typically the logged-on user(s)
Start Time: Start times vary greatly
svchost.exe
Image Path: %SystemRoot%\System32\lsaiso.exe
Description: RuntimeBroker.exe acts as a proxy between the constrained svchost.exe
Universal Windows Platform (UWP) apps (formerly called Metro apps) and the Parent Process: wininit.exe
full Windows API. UWP apps have limited capability to interface with hardware audiodg.exe Number of Instances: Zero or one
and the file system. Broker processes such as RuntimeBroker.exe
are therefore used to provide the necessary level of access for UWP
svchost.exe User Account: Local System
Start Time: Within seconds of boot time
apps. Generally, there will be one RuntimeBroker.exe for each UWP svchost.exe Description: When Credential Guard is enabled, the functionality of lsass.exe is split between two processes –
app. For example, starting Calculator.exe will cause a corresponding
RuntimeBroker.exe process to initiate. svchost.exe itself and lsaiso.exe. Most of the functionality stays within lsass.exe, but the important role of safely storing
account credentials moves to lsaiso.exe. It provides safe storage by running in a context that is isolated from other
svchost.exe processes through hardware virtualization technology. When remote authentication is required, lsass.exe proxies
the requests using an RPC channel with lsaiso.exe in order to authenticate the user to the remote service. Note
spoolsv.exe that if Credential Guard is not enabled, lsaiso.exe should not be running on the system.
Image Path: %SystemRoot%\System32\taskhostw.exe svchost.exe
Parent Process: svchost.exe
Number of Instances: One or more
svchost.exe
User Account: Multiple taskhostw.exe processes are normal. One or more may SecurityHealthService.exe Image Path: %SystemRoot%\System32\lsass.exe
be owned by logged-on users and/or by local service accounts. Parent Process: wininit.exe
Start Time: Start times vary greatly
MsMpEng.exe Number of Instances: One
Description: The generic host process for Windows Tasks. Upon initialization, NisSrv.exe User Account: Local System
taskhostw.exe runs a continuous loop listening for trigger events. Example Start Time: Within seconds of boot time
trigger events that can initiate a task include a defined schedule, user logon, SearchIndexer.exe Description: The Local Security Authentication Subsystem Service process is responsible for authenticating users by
system startup, idle CPU time, a Windows log event, workstation lock, or
workstation unlock.
svchost.exe calling an appropriate authentication package specified in HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
Typically, this will be Kerberos for domain accounts or MSV1_0 for local accounts. In addition to authenticating
There are more than 160 tasks preconfigured on a default installation of lsaiso.exe users, lsass.exe is also responsible for implementing the local security policy (such as password policies and
Windows 10 Enterprise (though many are disabled). All executable files (DLLs & audit policies) and for writing events to the security event log. Only one instance of this process should occur and it
EXEs) used by the default Windows 10 scheduled tasks are signed by Microsoft. lsass.exe should not have child processes.
fontdrvhost.exe
winlogon.exe
Image Path: %SystemRoot%\System32\winlogon.exe fontdrvhost.exe Image Path: %SystemRoot%\explorer.exe
Parent Process: Created by an instance of userinit.exe that exits, so analysis tools usually do not provide the
Parent Process: Created by an instance of smss.exe that exits, so analysis
tools usually do not provide the parent process name.
dwm.exe parent process name.
Number of Instances: One or more explorer.exe Number of Instances: One or more per interactively logged-on user
User Account: <logged-on user(s)>
User Account: Local System MSASCuiL.exe Start Time: First instance starts when the owner’s interactive logon begins
Start Time: Within seconds of boot time for the first instance (for Session 1).
Start times for additional instances occur as new sessions are created, typically OneDrive.exe Description: At its core, Explorer provides users access to files. Functionally, though, it is both a file browser
through Remote Desktop or Fast User Switching logons. via Windows Explorer (though still explorer.exe) and a user interface providing features such as the user’s
Description: Winlogon handles interactive user logons and logoffs. It launches
powershell.exe Desktop, the Start Menu, the Taskbar, the Control Panel, and application launching via file extension associations
and shortcut files. Explorer.exe is the default user interface specified in the Registry value HKLM\SOFTWARE\
LogonUI.exe, which uses a credential provider to gather credentials from the conhost.exe Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, though Windows can alternatively function with
user, and then passes the credentials to lsass.exe for validation. Once the
another interface such as cmd.exe or powershell.exe. Notice that the legitimate explorer.exe resides in the
user is authenticated, Winlogon loads the user’s NTUSER.DAT into HKCU and
CPU Usage: 4.50% Physical Memory: 20.67% Processes: 125 %SystemRoot% directory rather than %SystemRoot%\System32. Multiple instances per user can occur, such as
starts the user’s shell (usually explorer.exe) via userinit.exe.
when the option "Launch folder windows in a separate process" is enabled.
Process listing from Windows 10 Enterprise
Hunt Evil: Lateral Movement
During incident response and threat hunting, it is critical to understand how attackers move around your network. Lateral movement is an inescapable requirement for attackers to stealthily
move from system to system and accomplish their objectives. Every adversary, including the most skilled, will use some form of lateral movement technique described here during a breach.
Understanding lateral movement tools and techniques allows responders to hunt more efficiently, quickly perform incident response scoping, and better anticipate future attacker activity.
Tools and techniques to hunt the artifacts described below are detailed in the SANS DFIR course FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting

Additional Event Logs Additional FileSystem Artifacts Additional References Artifacts in Memory Analysis
Process-tracking events, Sysmon, and similar logging Deep-dive analysis techniques such as file SANS DFIR FOR508 course: http://sans.org/FOR508 Artifacts in memory analysis will allow for additional tracking of potential evidence of execution and command line
capabilities are not listed here for the sake of brevity. carving, volume shadow analysis, and NTFS log ATT&CK Lateral Movement: http://for508.com/attck-lm history. We recommend auditing and dumping the "conhost" processes on the various systems. Example:
However, this type of enhanced logging can provide file analysis can be instrumental in recovering vol.py -f memory.img --profile=<profile> memdump -n conhost --dump-dir=.
significant visibility of an intruder’s lateral movement, given many of these artifacts (including the recovery JPCERT Lateral Movement: http://for508.com/jpcert-lm strings -t d -e l *.dmp >> conhost.uni
that the logs are not overwritten or otherwise deleted. of registry and event log files and records). Perform searches for executable keywords using grep. Also check running processes (mstsc, rdpclip, etc.).

R E MOT E ACC E S S
S O U RC E D E STI N ATI ON
EVENT LOGS REGISTRY FILE SYSTEM Remote Desktop EVENT LOGS REGISTRY FILE SYSTEM
security.evtx  emote desktop destinations
R UserAssist – NTUSER.DAT J umplists – C:\Users\<Username>\  ecurity Event Log –
S  icrosoft-Windows-Terminal
M ShimCache – SYSTEM Prefetch – C:\Windows\Prefetch\
4648 – Logon specifying alternate are tracked per-user mstsc.exe Remote AppData\Roaming\Microsoft\Windows\ security.evtx Services-RemoteConnection rdpclip.exe rdpclip.exe-{hash}.pf
credentials - if NLA enabled on NTUSER\Software\ Desktop Client execution Recent\AutomaticDestinations\ 4624 Logon Type 10 Manager%4Operational.evtx tstheme.exe tstheme.exe-{hash}.pf
destination Microsoft\Terminal Last Time Executed {
 MSTSC-APPID}- Source IP/Logon User Name 1149
Server Client\Servers automaticDestinations-ms  mCache.hve –
A
Current logged-on User Name Number of Times Executed 4778/4779 Source IP/Logon User Name First Time Executed
Alternate User Name ShimCache – SYSTEM Tracks remote desktop connection IP Address of Source/Source •B
 lank user name may indicate
RecentApps – NTUSER.DAT destination and times rdpclip.exe
Destination Host Name/IP mstsc.exe Remote System Name use of Sticky Keys
mstsc.exe Remote tstheme.exe
Process Name Desktop Client Desktop Client execution Prefetch – C:\Windows\Prefetch\ Logon User Name  icrosoft-Windows-Terminal
M
 icrosoft-Windows-
M  AM/DAM – SYSTEM – Last
B Last Time Executed mstsc.exe-{hash}.pf  icrosoft-Windows-
M Services-LocalSession
TerminalServices- RemoteDesktopServices- Manager%4Operational.evtx
Time Executed Number of Times Executed  itmap Cache – C:\USERS\<USERNAME>\
B
RDPClient%4Operational.evtx mstsc.exe Remote RecentItems subkey tracks AppData\Local\Microsoft\Terminal RdpCoreTS%4Operational.evtx 21, 22, 25
1024 Desktop Client connection destinations and Server Client\Cache 131 – Connection Attempts Source IP/Logon User Name
Destination Host Name times bcache##.bmc Source IP/Logon User Name 41
 mCache.hve – First Time
A
1102 Executed cache####.bin 98 – Successful Connections Logon User Name
Destination IP Address mstsc.exe

EVENT LOGS REGISTRY FILE SYSTEM Map Network Shares EVENT LOGS REGISTRY FILE SYSTEM
security.evtx MountPoints2 – Remotely mapped shares
NTUSER\Software\Microsoft\Windows\
Prefetch – C:\Windows\Prefetch\
net.exe-{hash}.pf
(net.exe)  ecurity Event Log –
S
security.evtx
4768 – TGT Granted
Source Host Name/Logon User
File Creation
Attacker's files (malware) copied to
4648 – Logon specifying
alternate credentials CurrentVersion\Explorer\MountPoints2 net1.exe-{hash}.pf to C$ or Admin$ 4624 Logon Type 3 Name destination system
Current logged-on User Name Shellbags – USRCLASS.DAT Source IP/Logon User Name Available only on domain controller Look for Modified Time before
User Profile Artifacts
Alternate User Name 4672 4769 – Service Ticket Granted if Creation Time
Remote folders accessed inside an interactive session via Review shortcut files and jumplists for
Destination Host Name/IP Explorer by attackers Logon User Name authenticating to Domain Controller Creation Time is time of file copy
remote files accessed by attackers, if they
Process Name had interactive access (RDP) Logon by user with Destination Host Name/Logon User
ShimCache – SYSTEM Name
administrative rights
 icrosoft-Windows-
M net.exe
Requirement for accessing Source IP
SmbClient%4Security.evtx net1.exe default shares such as C$ Available only on domain controller
31001 – Failed logon to
BAM/DAM – NTUSER.DAT – Last Time Executed and ADMIN$ 5140
destination
Destination Host Name net.exe 4776 – NTLM if authenticating Share Access
net1.exe to Local System 5145
U ser Name for failed logon
Source Host Name/Logon Auditing of shared files – NOISY!
R
 eason code for failed AmCache.hve – First Time Executed
User Name
destination logon (e.g. bad net.exe
password) net1.exe
net use z: \\host\c$ /user:domain\username <password>

R E MOT E E X E C U T I O N
S O U RC E D E STI N ATI ON
EVENT LOGS REGISTRY FILE SYSTEM PsExec EVENT LOGS REGISTRY FILE SYSTEM
security.evtx NTUSER.DAT Prefetch – C:\Windows\Prefetch\ security.evtx  ew service creation
N Prefetch – C:\Windows\Prefetch\
4648 – Logon specifying Software\SysInternals\PsExec\EulaAccepted psexec.exe-{hash}.pf 4
 624 Logon Type 3 (and Type 2 if “-u” Alternate Credentials are used) configured in SYSTEM\ psexesvc.exe-{hash}.pf
alternate credentials Possible references to other files accessed Source IP/Logon User Name CurrentControlSet\ evil.exe-{hash}.pf
ShimCache – SYSTEM Services\PSEXESVC
Current logged-on User Name by psexec.exe, such as executables copied to 4672
psexec.exe “-r” option can allow File Creation
Alternate User Name target system with the “-c” option Logon User Name
BAM/DAM – SYSTEM – Last Time Executed attacker to rename service User profile directory structure
Destination Host Name/IP File Creation Logon by a user with administrative rights created unless “-e” option used
psexec.exe ShimCache – SYSTEM
Process Name psexec.exe file downloaded and created on Requirement for access default shares such as C$ and ADMIN$ psexesvc.exe will be placed in
AmCache.hve – First Time Executed local host as the file is not native to Windows 5140 – Share Access psexesvc.exe ADMIN$ (\Windows) by default, as
psexec.exe ADMIN$ share used by PsExec AmCache.hve well as other executables (evil.exe)
psexec.exe psexesvc.exe
First Time Executed pushed by PsExec
system.evtx
7045 psexesvc.exe
Service Install
psexec.exe \\host -accepteula -d -c c:\temp\evil.exe

EVENT LOGS REGISTRY FILE SYSTEM Scheduled Tasks EVENT LOGS REGISTRY FILE SYSTEM
security.evtx ShimCache – SYSTEM  mCache.hve -
A Prefetch – C:\Windows\Prefetch\ security.evtx 4698 – Scheduled task created SOFTWARE File Creation
4648 – Logon specifying alternate at.exe First Time Executed at.exe-{hash}.pf 4
 624 Logon Type 3 4702 – Scheduled task updated Microsoft\Windows evil.exe
credentials schtasks.exe at.exe schtasks.exe-{hash}.pf Source IP/Logon User Name 4699 – Scheduled task deleted NT\CurrentVersion\ Job files created in
Current logged-on User Name schtasks.exe 4672 4700/4701 – Scheduled task Schedule\TaskCache\Tasks C:\Windows\Tasks
 AM/DAM – SYSTEM – Last
B
Alternate User Name Time Executed Logon User Name enabled/disabled Microsoft\Windows XML task files created in
Destination Host Name/IP Logon by a user with NT\CurrentVersion\ C:\Windows\System32\Tasks
at.exe  icrosoft-Windows-Task
M Schedule\TaskCache\Tree\
Process Name administrative rights Scheduler%4Maintenance.evtx Author tag under "RegistrationInfo"
schtasks.exe
Requirement for accessing ShimCache – SYSTEM can identify:
106 – Scheduled task created
default shares such as C$ and 140 – Scheduled task updated evil.exe •S ource system name
ADMIN$ • Creator username
at \\host 13:00 "c:\temp\evil.exe" 141 – Scheduled task deleted  mCache.hve –
A
200/201 – Scheduled task First Time Executed Prefetch – C:\Windows\Prefetch\
schtasks /CREATE /TN taskname /TR c:\temp\evil.exe /SC once /RU “SYSTEM” /ST 13:00 /S host /U username executed/completed evil.exe evil.exe-{hash}.pf

EVENT LOGS REGISTRY FILE SYSTEM Services EVENT LOGS REGISTRY FILE SYSTEM
ShimCache – SYSTEM Prefetch – C:\Windows\Prefetch\ security.evtx system.evtx SYSTEM File Creation
sc.exe sc.exe-{hash}.pf 4
 624 Logon Type 3 7 034 – Service crashed \CurrentControlSet\ evil.exe or evil.dll malicious
Source IP/Logon User Name unexpectedly Services\ service executable or service DLL
BAM/DAM – SYSTEM – Last Time Executed
4697 7035 – Service sent a Start/Stop New service creation Prefetch – C:\Windows\Prefetch\
sc.exe
Security records service install, control
ShimCache – SYSTEM evil.exe-{hash}.pf
AmCache.hve – First Time Executed if enabled 7036 – Service started or stopped evil.exe
sc.exe Enabling non-default Security 7040 – Start type changed (Boot S himCache records
events such as ID 4697 are | On Request | Disabled) existence of malicious
particularly useful if only the 7045 – A service was installed on service executable, unless
Security logs are forwarded to a the system implemented as a service DLL
centralized log server
sc \\host create servicename binpath= “c:\temp\evil.exe”  mCache.hve –
A
First Time Executed
sc \\host start servicename
evil.exe

EVENT LOGS REGISTRY FILE SYSTEM WMI/WMIC EVENT LOGS REGISTRY FILE SYSTEM
security.evtx ShimCache – SYSTEM Prefetch – C:\Windows\Prefetch\ security.evtx  icrosoft-Windows-WMI-
M ShimCache – SYSTEM File Creation
4648 – Logon specifying alternate wmic.exe wmic.exe-{hash}.pf 4
 624 Logon Type 3 Activity%4Operational.evtx wmiprvse.exe evil.exe
credentials BAM/DAM – SYSTEM – Last Time Executed Source IP/Logon User Name 5857 evil.exe evil.mof – .mof files can be used
Current logged-on User Name wmic.exe 4672 Indicates time of wmiprvse execution mofcomp.exe to manage the WMI Repository
Alternate User Name Logon User Name and path to provider DLL – attackers
 mCache.hve –
A Prefetch – C:\Windows\Prefetch\
Destination Host Name/IP AmCache.hve – First Time Executed sometimes install malicious WMI
Logon by an a user with First Time Executed evil.exe-{hash}.pf
Process Name wmic.exe administrative rights provider DLLs
wmic.exe wmiprvse.exe wmiprvse.exe wmiprvse.exe-{hash}.pf
5860, 5861
Registration of Temporary (5860) and evil.exe mofcomp.exe-{hash}.pf
mofcomp.exe
wmic /node:host process call create "evil.exe" Permanent (5861) Event Consumers.  nauthorized changes to the
U
Typically used for persistence, but WMI Repository in C:\Windows\
Invoke-WmiMethod –Computer host –Class Win32_Process –Name create –Argument “c:\temp\evil.exe" can be used for remote execution. System32\wbem\Repository

EVENT LOGS REGISTRY FILE SYSTEM PowerShell Remoting EVENT LOGS REGISTRY FILE SYSTEM
s
 ecurity.evtx  , 15, 16, 33 – WSMan Session
8 ShimCache – SYSTEM Prefetch – C:\Windows\Prefetch\ security.evtx Windows PowerShell.evtx ShimCache – SYSTEM File Creation
4648 – Logon specifying deinitialization powershell.exe powershell.exe-{hash}.pf 4
 624 Logon Type 3 400/403 "ServerRemoteHost" wsmprovhost.exe evil.exe
alternate credentials Closing of WSMan session  AM/DAM – SYSTEM –
B PowerShell scripts (.ps1 files) that run within Source IP/Logon User Name indicates start/end of Remoting evil.exe With Enter-PSSession, a user
Current logged-on User Name Current logged-on User Name 10 seconds of powershell.exe launching will be 4672 session SOFTWARE profile directory may be created
Last Time Executed
Alternate User Name tracked in powershell.exe prefetch file Logon User Name 800 Includes partial script code M
 icrosoft\PowerShell\1
M
 icrosoft-Windows- powershell.exe Prefetch – C:\Windows\Prefetch\
Destination Host Name/IP PowerShell%4Operational.evtx Command history Logon by an a user with  icrosoft-Windows-
M \ShellIds\Microsoft. evil.exe-{hash].pf
AmCache.hve – First PowerShell\
Process Name 40961, 40962 C:\USERS\<USERNAME>\AppData\Roaming\ administrative rights WinRM%4Operational.evtx wsmprovhost.exe-{hash].pf
Time Executed ExecutionPolicy
Microsoft\Windows\PowerShell\  icrosoft-Windows-
M 91 Session creation
 icrosoft-Windows-
M Records the local initiation powershell.exe powershell.exe wsmprovhost.exe Attacker may change
PSReadline\ConsoleHost_history.txt PowerShell%4Operational.evtx 168 Records the authenticating
WinRM%4Operational.evtx of powershell.exe and execution policy to a less
associated user account With PS v5+, a history file with previous 4096 4103, 4104 – Script Block logging user restrictive setting, such as
6 – WSMan Session initialize
8193 & 8194 commands is maintained per user "bypass"
Session created Logs suspicious scripts by
Destination Host Name or IP Session created default in PS v5  mCache.hve –
A
Current logged-on User Name 8197 - Connect Enter-PSSession –ComputerName host Logs all scripts if configured First Time Executed
Session closed 53504 Records the authenticating wsmprovhost.exe
Invoke-Command –ComputerName host –ScriptBlock {Start-Process c:\temp\evil.exe} user evil.exe

UserAssist RecentApps ShimCache Jump Lists Prefetch Amcache.hve


Description: Description: Description: Description: Description: Description:
GUI-based programs launched from the desktop are tracked in the
Program execution launched on the Win10 • Windows Application Compatibility Database is used by • The Windows 7-10 task bar (Jump List) is engineered • Increases performance of a system by pre-loading code ProgramDataUpdater (a task associated with the
launcher on a Windows System.
system is tracked in the RecentApps key Windows to identify possible application compatibility to allow users to “jump” or access items they have pages of commonly used applications. Cache Manager Application Experience Service) uses the registry file
Location: Location: challenges with executables. frequently or recently used quickly and easily. This monitors all files and directories referenced for each Amcache.hve to store data during process creation
NTUSER.DAT HIVE • T racks the executables’ file name, file size, last modified time functionality cannot only include recent media files; application or process and maps them into a .pf file. Location:
NTUSER.DAT\Software\Microsoft\Windows\Currentversion\
Win10 it must also include recent tasks. Utilized to know an application was executed on a system.

Evidence
NTUSER.DAT\Software\Microsoft\Windows\ Location: Win7/8/10
Explorer\UserAssist\{GUID}\Count • The data stored in the AutomaticDestinations folder • Limited to 128 files on Win7
Current Version\Search\RecentApps C:\Windows\AppCompat\Programs\Amcache.hve
Win7/8/10
Interpretation: will each have a unique file prepended with the • Limited to 1024 files on Win8-10 (Windows 7/8/10)
Interpretation: SYSTEM\CurrentControlSet\Control\Session Manager\
All values are ROT-13 Encoded AppCompatCache
AppID of the associated application.
Each GUID key points to a recent application. • (exename)-(hash).pf Interpretation:

of Program
• GUID for Win7/8/10 Interpretation: Location: Location: • Amcache.hve – Keys =
AppID = Name of Application
- CEBFF5CD Executable File Execution Win7/8/10 Amcache.hve\Root\File\{Volume GUID}\#######
LastAccessTime = Last execution time in UTC Any executable run on the Windows system could be found Win7/8/10
- F4E57C4B Shortcut File Execution C:\%USERPROFILE%\AppData\Roaming\Microsoft\
in this key. You can use this key to identify systems that C:\Windows\Prefetch • Entry for every executable run, full path information, File’s
LaunchCount = Number of times executed Windows\Recent\AutomaticDestinations
specific malware was executed on. In addition, based on the $StandardInfo Last Modification Time, and Disk volume

Execution
Interpretation:
BAM/DAM interpretation of the time-based data you might be able to
determine the last time of execution or activity on the system.
Interpretation:
• F irst time of execution of application.
• Each .pf will include last time of execution, number
the executable was run from
of times run, and device and file handles used by the • First Run Time = Last Modification Time of Key
Description: • Windows 7/8/10 contains at most 1,024 entries - Creation Time = First time item added to the
Windows Background Activity Moderator (BAM) program • SHA1 hash of executable also contained in the key
- LastUpdateTime does not exist on Win7/8/10 systems AppID file.
Location: • Date/Time file by that name and path was first executed
• Last time of execution of application with file open.
Win10 - Creation Date of .pf file (-10 seconds)
- Modification Time = Last time item added to the
SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID} AppID file. • Date/Time file by that name and path was last executed
SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID} - Embedded last execution time of .pf file
• List of Jump List IDs ->
Investigative Notes - Last modification date of .pf file (-10 seconds)
www.forensicswiki.org/wiki/List_of_Jump_List_IDs
Provides full path of the executable file that was run on the - Win8-10 will contain last 8 times of execution
system and last execution date/time