SANS Institute Hunt Evil Poster

Hunt Evil: Incident Response & Threat Hunting Poster
DFPS_FOR508_v4.11_0624
Poster was created by Rob Lee and Mike Pilkington with support of the SANS DFIR Faculty
©2024 Rob Lee and Mike Pilkington. All Rights Reserved.
dfir.sans.org | SANSForensics @SANSForensics | dfir.to/DFIRCast | dfir.to/LinkedIn

SANS DFIR CURRICULUM

Digital Forensics
FOR498 Digital Acquisition and Rapid Triage (GBFA)
FOR500 Windows Forensic Analysis (GCFE)
FOR518 Mac and iOS Forensic Analysis & Incident Response (GIME)
FOR585 Smartphone Forensic Analysis In-Depth (GASF)

Incident Response & Threat Hunting
FOR508 Advanced Incident Response, Threat Hunting & Digital Forensics (GCFA)
FOR509 Enterprise Cloud Forensics & Incident Response (GCFR)
FOR528 Ransomware for Incident Responders
FOR572 Advanced Network Forensics: Threat Hunting, Analysis & Incident Response (GNFA)
FOR577 LINUX Incident Response and Threat Hunting
FOR578 Cyber Threat Intelligence (GCTI)
FOR589 Cybercrime Intelligence
FOR608 Enterprise-Class Incident Response & Threat Hunting (GEIR)
FOR610 REM: Malware Analysis Tools & Techniques (GREM)
FOR710 Reverse-Engineering Malware: Advanced Code Analysis
SEC504 Hacker Tools, Techniques & Incident Handling (GCIH)
Find Evil – Know Normal


Knowing what’s normal on a Windows host helps cut through the noise to quickly locate potential malware.
Use the information below as a reference to know what’s normal in Windows and to focus your attention on the outliers.

[Figure: System Informer process listing from Windows 10 Enterprise (Processes: 125; CPU Usage 4.50%; Physical Memory 20.67%), showing the process tree described below.]

System
Image Path: N/A for system.exe – Not generated from an executable image
Parent Process: None
Number of Instances: One
User Account: Local System
Start Time: At boot time
Description: The System process is responsible for most kernel-mode threads. Modules run under System are primarily drivers (.sys files), but also include several important DLLs as well as the kernel executable, ntoskrnl.exe.

smss.exe
Image Path: %SystemRoot%\System32\smss.exe
Parent Process: System
Number of Instances: One master instance and another child instance per session. Children exit after creating their session.
User Account: Local System
Start Time: Within seconds of boot time for the master instance
Description: The Session Manager process is responsible for creating new sessions. The first instance creates a child instance for each new session. Once the child instance initializes the new session by starting the Windows subsystem (csrss.exe) and wininit.exe for Session 0 or winlogon.exe for Session 1 and higher, the child instance exits.

csrss.exe
Image Path: %SystemRoot%\System32\csrss.exe
Parent Process: Created by an instance of smss.exe that exits, typically appearing as an orphan process.
Number of Instances: Two or more
User Account: Local System
Start Time: Within seconds of boot time for the first two instances (for Session 0 and 1). Start times for additional instances occur as new sessions are created, although often only Sessions 0 and 1 are created.
Description: The Client/Server Run-Time Subsystem is the user-mode process for the Windows subsystem. Its duties include managing processes and threads, importing many of the DLLs that provide the Windows API, and facilitating shutdown of the GUI during system shutdown. An instance of csrss.exe will run for each session. Session 0 is for services and Session 1 for the local console session. Additional sessions are created through the use of Remote Desktop and/or Fast User Switching. Each new session results in a new instance of csrss.exe.

wininit.exe
Image Path: %SystemRoot%\System32\wininit.exe
Parent Process: Created by an instance of smss.exe that exits, typically appearing as an orphan process.
Number of Instances: One
User Account: Local System
Start Time: Within seconds of boot time
Description: wininit.exe starts key background processes within Session 0. It starts the Service Control Manager (services.exe), the Local Security Authority process (lsass.exe), and lsaiso.exe for systems with Credential Guard enabled. Note that prior to Windows 10, the Local Session Manager process (lsm.exe) was also started by wininit.exe. As of Windows 10, that functionality has moved to a service DLL (lsm.dll) hosted by svchost.exe.

services.exe
Image Path: %SystemRoot%\System32\services.exe
Parent Process: wininit.exe
Number of Instances: One
User Account: Local System
Start Time: Within seconds of boot time
Description: Implements the Unified Background Process Manager (UBPM), which is responsible for background activities such as services and scheduled tasks. Services.exe also implements the Service Control Manager (SCM), which specifically handles the loading of services and device drivers marked for auto-start. In addition, once a user has successfully logged on interactively, the SCM (services.exe) considers the boot successful and sets the Last Known Good control set (HKLM\SYSTEM\Select\LastKnownGood) to the value of the CurrentControlSet.

svchost.exe
Image Path: %SystemRoot%\system32\svchost.exe
Parent Process: services.exe (most often)
Number of Instances: Many (generally at least 10 and often more than 50)
User Account: Varies between Local System, Network Service, or Local Service accounts. Windows 10+ also has “per-user services” running under a user account context with Medium integrity level.
Start Time: Typically close to boot time. However, services can be started after boot (e.g., at logon), resulting in new instances of svchost.exe long after boot time.
Description: Generic host process for Windows services. It is used for running service DLLs. Windows differentiates multiple instances of svchost.exe, using the “-k” parameter pointing to Service Host Groups within the registry. Typical “-k” parameters include DcomLaunch, RPCSS, LocalService, netsvcs, NetworkService, UnistackSvcGroup, and more. The “-s” parameter identifies the service, such as LanmanServer, WinRM, or Winmgmt. “-p” signifies policy enforcement. Malware authors often take advantage of the ubiquitous nature of svchost.exe and use it either to host a malicious DLL as a service, or to blend in using a malicious process named svchost.exe or similar spelling. In Windows 10 version 1703, Microsoft changed the default grouping of similar services for systems with more than 3.5 GB of RAM. In such cases, most services will now run under their own instance of svchost.exe resulting in more than 50 instances of svchost.exe.

lsass.exe
Image Path: %SystemRoot%\System32\lsass.exe
Parent Process: wininit.exe
Number of Instances: One
User Account: Local System
Start Time: Within seconds of boot time
Description: The Local Security Authentication Subsystem Service process is responsible for authenticating users by calling an appropriate authentication package specified in HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Typically, this will be Kerberos for domain accounts or MSV1_0 for local accounts. In addition to authenticating users, lsass.exe is also responsible for implementing the local security policy (such as password policies and audit policies) and for writing events to the security event log. Only one instance of this process should occur and it should rarely have child processes (Encrypting File System is a known exception).

lsaiso.exe
Image Path: %SystemRoot%\System32\lsaiso.exe
Parent Process: wininit.exe
Number of Instances: Zero or one
User Account: Local System
Start Time: Within seconds of boot time
Description: When Virtualization-based Security (VBS) is enabled (used with Credential Guard), the functionality of lsass.exe is split between two processes—itself and lsaiso.exe. Most of the functionality stays within lsass.exe, but the important role of safely storing account credentials moves to lsaiso.exe. It provides safe storage by running in a context that is isolated from other processes through hardware virtualization technology. When remote authentication is required, lsass.exe proxies the requests using an RPC channel with lsaiso.exe in order to authenticate the user to the remote service. Note that if VBS is not enabled, lsaiso.exe should not be running on the system.

winlogon.exe
Image Path: %SystemRoot%\System32\winlogon.exe
Parent Process: Created by an instance of smss.exe that exits, typically appearing as an orphan process.
Number of Instances: One or more
User Account: Local System
Start Time: Within seconds of boot time for the first instance (for Session 1). Start times for additional instances occur as new sessions are created, typically through Remote Desktop or Fast User Switching logons.
Description: Winlogon handles interactive user logons and logoffs. It launches LogonUI.exe, which uses a credential provider to gather credentials from the user, ultimately passing the credentials to lsass.exe for validation. Once the user is authenticated, winlogon.exe loads the user’s NTUSER.DAT into HKCU and starts the user’s shell (usually explorer.exe) via userinit.exe. dwm.exe and fontdrvhost.exe are common children of this process and are responsible for display management.

explorer.exe
Image Path: %SystemRoot%\explorer.exe
Parent Process: Created by an instance of userinit.exe that exits, typically appearing as an orphan process.
Number of Instances: One or more per interactively logged-on user
User Account: Logged-on user(s)
Start Time: First instance starts when the owner’s interactive logon begins
Description: At its core, Explorer provides users access to files. Functionally, though, it is both a file browser via Windows Explorer (though still explorer.exe) and a user interface providing features such as the user’s Desktop, the Start Menu, the Taskbar, the Control Panel, and application launching via file extension associations and shortcut files. Explorer.exe is the default user interface specified in the Registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, though Windows can alternatively function with another interface such as cmd.exe or powershell.exe. Notice that the legitimate explorer.exe resides in the %SystemRoot% directory rather than %SystemRoot%\System32. Multiple instances per user can occur, such as when the option “Launch folder windows in a separate process” is enabled.

RuntimeBroker.exe
Image Path: %SystemRoot%\System32\RuntimeBroker.exe
Parent Process: svchost.exe
Number of Instances: One or more
User Account: Typically the logged-on user(s)
Start Time: Start times vary greatly
Description: RuntimeBroker.exe acts as a proxy between the constrained Universal Windows Platform (UWP) apps (formerly called Modern or Metro apps) and the full Windows API. UWP apps have limited capability to interface with hardware and the file system. Broker processes such as RuntimeBroker.exe are therefore used to provide the necessary level of access for UWP apps. Generally, there will be one RuntimeBroker.exe for each UWP app. For example, starting Calculator.exe will cause a corresponding RuntimeBroker.exe process to initiate.

taskhostw.exe
Image Path: %SystemRoot%\System32\taskhostw.exe
Parent Process: svchost.exe
Number of Instances: One or more taskhostw.exe processes are normal.
User Account: Task processes can be owned by logged-on users and/or by local service accounts.
Start Time: Start times vary greatly
Description: The generic host process for Windows Scheduled Tasks. Upon initialization, taskhostw.exe runs a continuous loop listening for trigger events. Example trigger events that can initiate a task include a defined time schedule, user logon, system startup, idle CPU time, a Windows log event, or workstation lock/unlock. There are more than 200 tasks pre-configured on a default installation of Windows 11 Enterprise (though not all are enabled). All executable files (DLLs & EXEs) used by the default Windows 10+ scheduled tasks are signed by Microsoft. This process replaced the older taskhost.exe and taskhostex.exe processes.
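As an added example (not part of the poster), the following Python applies the baseline above to a process snapshot and reports the outliers it describes: an unexpected parent, account or image directory, extra instances of single-instance processes, children of lsass.exe, and names one character away from a core process name. The snapshot format and the SAMPLE list are assumptions constructed for illustration.

```python
"""Flag processes that break the 'know normal' baseline described above.

Added example, not part of the SANS poster. It assumes a snapshot as a list of
dicts with pid, ppid, name, path and user (what you would export from a live
tool or a memory image); SAMPLE below is constructed for illustration.
"""
from collections import Counter

# Expected parent image, account and image directory per core process, taken
# from the descriptions above. None means the field is not checked
# (csrss/wininit/winlogon are orphans because their smss.exe parent exits).
BASELINE = {
    "smss.exe":          {"parent": "system",       "user": "SYSTEM", "dir": "\\system32"},
    "csrss.exe":         {"parent": None,           "user": "SYSTEM", "dir": "\\system32"},
    "wininit.exe":       {"parent": None,           "user": "SYSTEM", "dir": "\\system32"},
    "winlogon.exe":      {"parent": None,           "user": "SYSTEM", "dir": "\\system32"},
    "services.exe":      {"parent": "wininit.exe",  "user": "SYSTEM", "dir": "\\system32"},
    "lsass.exe":         {"parent": "wininit.exe",  "user": "SYSTEM", "dir": "\\system32"},
    "lsaiso.exe":        {"parent": "wininit.exe",  "user": "SYSTEM", "dir": "\\system32"},
    "svchost.exe":       {"parent": "services.exe", "user": None,     "dir": "\\system32"},
    "runtimebroker.exe": {"parent": "svchost.exe",  "user": None,     "dir": "\\system32"},
    "taskhostw.exe":     {"parent": "svchost.exe",  "user": None,     "dir": "\\system32"},
    "explorer.exe":      {"parent": None,           "user": None,     "dir": "\\windows"},  # not System32
}
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}  # exactly one instance expected


def _name(p):
    return p["name"].lower()


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_outliers(procs):
    """Return (pid, name, reason) tuples for processes that break the baseline."""
    by_pid = {p["pid"]: p for p in procs}
    counts = Counter(_name(p) for p in procs)
    findings = []
    for p in procs:
        name = _name(p)
        rule = BASELINE.get(name)
        if rule is None:
            # Not a core process: a name one character away from one is suspicious
            for known in BASELINE:
                if _edit_distance(name, known) == 1:
                    findings.append((p["pid"], p["name"], f"name resembles {known}"))
            continue
        parent = by_pid.get(p["ppid"])
        if rule["parent"] and (parent is None or _name(parent) != rule["parent"]):
            seen = parent["name"] if parent else "missing"
            findings.append((p["pid"], p["name"], f"parent is {seen}, expected {rule['parent']}"))
        account = p["user"].upper().rsplit("\\", 1)[-1]  # "NT AUTHORITY\SYSTEM" -> "SYSTEM"
        if rule["user"] and account != rule["user"]:
            findings.append((p["pid"], p["name"], f"runs as {p['user']}, expected {rule['user']}"))
        directory = p["path"].lower().rsplit("\\", 1)[0]
        if not directory.endswith(rule["dir"]):
            findings.append((p["pid"], p["name"], f"unexpected image path {p['path']}"))
        if name in SINGLETONS and counts[name] > 1:
            findings.append((p["pid"], p["name"], f"{counts[name]} instances, expected one"))
    # lsass.exe should rarely have child processes
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if parent is not None and _name(parent) == "lsass.exe":
            findings.append((p["pid"], p["name"], "child of lsass.exe"))
    return findings


SAMPLE = [  # constructed snapshot, not from a real host
    {"pid": 4,    "ppid": 0,    "name": "System",       "path": "",                                  "user": "SYSTEM"},
    {"pid": 392,  "ppid": 4,    "name": "smss.exe",     "path": r"C:\Windows\System32\smss.exe",     "user": "SYSTEM"},
    {"pid": 520,  "ppid": 500,  "name": "csrss.exe",    "path": r"C:\Windows\System32\csrss.exe",    "user": "SYSTEM"},
    {"pid": 604,  "ppid": 500,  "name": "wininit.exe",  "path": r"C:\Windows\System32\wininit.exe",  "user": "SYSTEM"},
    {"pid": 700,  "ppid": 604,  "name": "services.exe", "path": r"C:\Windows\System32\services.exe", "user": "SYSTEM"},
    {"pid": 712,  "ppid": 604,  "name": "lsass.exe",    "path": r"C:\Windows\System32\lsass.exe",    "user": "SYSTEM"},
    {"pid": 900,  "ppid": 700,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe",  "user": "NETWORK SERVICE"},
    {"pid": 1340, "ppid": 2200, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",          "user": r"CORP\alice"},
    # Two outliers: an svchost.exe started by Explorer from a user-writable path,
    # and a look-alike name trying to blend in with the service hosts.
    {"pid": 4120, "ppid": 1340, "name": "svchost.exe",  "path": r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "user": r"CORP\alice"},
    {"pid": 4188, "ppid": 900,  "name": "svch0st.exe",  "path": r"C:\Windows\System32\svch0st.exe",  "user": "SYSTEM"},
]

if __name__ == "__main__":
    for pid, name, reason in find_outliers(SAMPLE):
        print(f"PID {pid:<5} {name:<14} {reason}")
```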
Hunt Evil: Lateral Movement
During incident response and threat hunting, it is critical to understand how attackers move around your network. Lateral movement is an inescapable requirement for attackers to stealthily
move from system to system and accomplish their objectives. Every adversary, including the most skilled, will use some form of lateral movement technique described here during a breach.
Understanding lateral movement tools and techniques allows responders to hunt more efficiently, quickly perform incident response scoping, and better anticipate future attacker activity.
Tools and techniques to hunt the artifacts described below are detailed in the SANS DFIR course FOR508: Advanced Digital Forensics, Incident Response, and Threat Hunting.

Additional Event Logs
Process-tracking events, Sysmon, and similar logging capabilities are not listed here for the sake of brevity. However, this type of enhanced logging can provide significant visibility of an intruder’s lateral movement, given that the logs are not overwritten or otherwise deleted.

Additional FileSystem Artifacts
Deep-dive analysis techniques such as file carving, volume shadow analysis, and NTFS log file analysis can be instrumental in recovering many of these artifacts (including the recovery of registry and event log files and records).

Additional References
SANS DFIR FOR508 course: http://sans.org/FOR508
ATT&CK Lateral Movement: http://for508.com/attck-lm
JPCERT Lateral Movement: http://for508.com/jpcert-lm

Artifacts in Memory Analysis
Artifacts in memory provide additional capabilities to track tools used to accomplish lateral movement. Evidence of execution can be identified via running processes like rdpclip.exe, mstsc.exe, and wsmprovhost.exe. Command-line extraction from processes like conhost.exe can provide valuable insight into how tools were used. Network connections and associated ports can be powerful indicators of lateral movement (e.g., port 445 for SMB traffic and port 3389 for RDP). MUP devices and named pipe usage can also be identified via memory forensics.

REMOTE ACCESS

Remote Desktop

Source – Event Logs
security.evtx
  4648 – Logon specifying alternate credentials – if NLA enabled on destination
    Current logged-on User Name
    Alternate User Name
    Destination Host Name/IP
    Process Name
Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx
  1024
    Destination Host Name
  1102
    Destination IP Address

Source – Registry
Remote desktop destinations are tracked per-user
  NTUSER\Software\Microsoft\Terminal Server Client\Servers
ShimCache – SYSTEM
  mstsc.exe Remote Desktop Client
BAM/DAM – SYSTEM – Last Time Executed
  mstsc.exe Remote Desktop Client
AmCache.hve – First Time Executed
  mstsc.exe
UserAssist – NTUSER.DAT
  mstsc.exe Remote Desktop Client execution
  Last Time Executed
  Number of Times Executed
RecentApps – NTUSER.DAT
  mstsc.exe Remote Desktop Client execution
  Last Time Executed
  Number of Times Executed
  RecentItems subkey tracks connection destinations and times

Source – File System
Jumplists – C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\
  {MSTSC-APPID}-automaticDestinations-ms
  Tracks remote desktop connection destination and times
Prefetch – C:\Windows\Prefetch\
  mstsc.exe-{hash}.pf
Bitmap Cache – C:\Users\<Username>\AppData\Local\Microsoft\Terminal Server Client\Cache
  bcache##.bmc
  cache####.bin
Default.rdp file – C:\Users\<Username>\Documents\

Destination – Event Logs
Security Event Log – security.evtx
  4624 Logon Type 10
    Source IP/Logon User Name
  4778/4779
    IP Address of Source/Source System Name
    Logon User Name
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx
  131 – Connection Attempts
    Source IP
  98 – Successful Connections
Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx
  1149
    Source IP/Logon User Name
    • Blank user name may indicate use of Sticky Keys
Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
  21, 22, 25
    Source IP/Logon User Name
  41
    Logon User Name

Destination – Registry
ShimCache – SYSTEM
  rdpclip.exe
  tstheme.exe
AmCache.hve – First Time Executed
  rdpclip.exe
  tstheme.exe

Destination – File System
Prefetch – C:\Windows\Prefetch\
  rdpclip.exe-{hash}.pf
  tstheme.exe-{hash}.pf

Map Network Shares

Source – Event Logs
security.evtx
  4648 – Logon specifying alternate credentials
    Current logged-on User Name
    Alternate User Name
    Destination Host Name/IP
    Process Name
Microsoft-Windows-SmbClient%4Security.evtx
  31001 – Failed logon to destination
    Destination Host Name
    User Name for failed logon
    Reason code for failed destination logon (e.g., bad password)

Source – Registry
MountPoints2 – Remotely mapped shares
  NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Shellbags – USRCLASS.DAT
  Remote folders accessed inside an interactive session via Explorer by attackers
ShimCache – SYSTEM
  net.exe
  net1.exe
BAM/DAM – NTUSER.DAT – Last Time Executed
  net.exe
  net1.exe
AmCache.hve – First Time Executed
  net.exe
  net1.exe

Source – File System
Prefetch – C:\Windows\Prefetch\
  net.exe-{hash}.pf
  net1.exe-{hash}.pf
User Profile Artifacts
  Review shortcut files and jumplists for remote files accessed by attackers, if they had interactive access (RDP)

Destination – Event Logs
Security Event Log – security.evtx
  4624 Logon Type 3
    Source IP/Logon User Name
  4672
    Logon User Name
    Logon by user with administrative rights
    Requirement for accessing default shares such as C$ and ADMIN$
  4776 – NTLM if authenticating to Local System
    Source Host Name/Logon User Name
  4768 – TGT Granted
    Source Host Name/Logon User Name
    Available only on domain controller
  4769 – Service Ticket Granted if authenticating to Domain Controller
    Destination Host Name/Logon User Name
    Source IP
    Available only on domain controller
  5140
    Share Access
  5145
    Auditing of shared files – NOISY!

Destination – File System
File Creation
  Attacker's files (malware) copied to destination system to C$ or Admin$
  Look for Modified Time before Creation Time
  Creation Time is time of file copy
User Access Logging (Servers only)
  C:\Windows\System32\LogFiles\Sum
  User Name
  Source IP Address
  First and Last Access Time

Command line:
net use z: \\host\c$ /user:domain\username <password>

REMOTE EXECUTION

PsExec

Source – Event Logs
security.evtx
  4648 – Logon specifying alternate credentials
    Current logged-on User Name
    Alternate User Name
    Destination Host Name/IP
    Process Name

Source – Registry
NTUSER.DAT
  Software\SysInternals\PsExec\EulaAccepted
ShimCache – SYSTEM
  psexec.exe
BAM/DAM – SYSTEM – Last Time Executed
  psexec.exe
AmCache.hve – First Time Executed
  psexec.exe

Source – File System
Prefetch – C:\Windows\Prefetch\
  psexec.exe-{hash}.pf
  Possible references to other files accessed by psexec.exe, such as executables copied to target system with the “-c” option
File Creation
  psexec.exe file downloaded and created on local host as the file is not native to Windows

Destination – Event Logs
security.evtx
  4648 Logon specifying alternate credentials
    Connecting User Name
    Process Name
  4624 Logon Type 3 (and Type 2 if “-u” Alternate Credentials are used)
    Source IP/Logon User Name
  4672
    Logon User Name
    Logon by a user with administrative rights
    Requirement for access default shares such as C$ and ADMIN$
  5140 – Share Access
    ADMIN$ share used by PsExec
system.evtx
  7045
    Service Install

Destination – Registry
New service creation configured in SYSTEM\CurrentControlSet\Services\PSEXESVC
  “-r” option can allow attacker to rename service
ShimCache – SYSTEM
  psexesvc.exe
AmCache.hve – First Time Executed
  psexesvc.exe

Destination – File System
Prefetch – C:\Windows\Prefetch\
  psexesvc.exe-{hash}.pf
  evil.exe-{hash}.pf
File Creation
  User profile directory structure created unless “-e” option used
  psexesvc.exe will be placed in ADMIN$ (\Windows) by default, as well as other executables (evil.exe) pushed by PsExec
User Access Logging (Servers only)
  C:\Windows\System32\LogFiles\Sum
  User Name
  Source IP Address
  First and Last Access Time

Command line:
psexec.exe \\host -accepteula -d -c c:\temp\evil.exe

Scheduled Tasks

Source – Event Logs
security.evtx
  4648 – Logon specifying alternate credentials
    Current logged-on User Name
    Alternate User Name
    Destination Host Name/IP
    Process Name

Source – Registry
ShimCache – SYSTEM
  at.exe
  schtasks.exe
BAM/DAM – SYSTEM – Last Time Executed
  at.exe
  schtasks.exe
AmCache.hve – First Time Executed
  at.exe
  schtasks.exe

Source – File System
Prefetch – C:\Windows\Prefetch\
  at.exe-{hash}.pf
  schtasks.exe-{hash}.pf

Destination – Event Logs
security.evtx
  4624 Logon Type 3
    Source IP/Logon User Name
  4672
    Logon User Name
    Logon by a user with administrative rights
    Requirement for accessing default shares such as C$ and ADMIN$
  4698 – Scheduled task created
  4702 – Scheduled task updated
  4699 – Scheduled task deleted
  4700/4701 – Scheduled task enabled/disabled
Microsoft-Windows-TaskScheduler%4Operational.evtx
  106 – Scheduled task created
  140 – Scheduled task updated
  141 – Scheduled task deleted
  200/201 – Scheduled task executed/completed

Destination – Registry
SOFTWARE
  Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
  Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\
ShimCache – SYSTEM
  evil.exe
AmCache.hve – First Time Executed
  evil.exe

Destination – File System
File Creation
  evil.exe
  Job files created in C:\Windows\Tasks
  XML task files created in C:\Windows\System32\Tasks and C:\Windows\SysWOW64\Tasks
  Author tag can identify:
    • Source system name
    • Creator username
Prefetch – C:\Windows\Prefetch\
  evil.exe-{hash}.pf

Command lines:
at \\host 13:00 "c:\temp\evil.exe"
schtasks /CREATE /TN taskname /TR c:\temp\evil.exe /SC once /RU “SYSTEM” /ST 13:00 /S host /U username

Services

Source – Registry
ShimCache – SYSTEM
  sc.exe
BAM/DAM – SYSTEM – Last Time Executed
  sc.exe
AmCache.hve – First Time Executed
  sc.exe

Source – File System
Prefetch – C:\Windows\Prefetch\
  sc.exe-{hash}.pf

Destination – Event Logs
security.evtx
  4624 Logon Type 3
    Source IP/Logon User Name
  4697
    Security records service install, if enabled
    Enabling non-default Security events such as ID 4697 is particularly useful if only the Security logs are forwarded to a centralized log server
system.evtx
  7034 – Service crashed unexpectedly
  7035 – Service sent a Start/Stop control
  7036 – Service started or stopped
  7040 – Start type changed (Boot | On Request | Disabled)
  7045 – A service was installed on the system

Destination – Registry
SYSTEM\CurrentControlSet\Services\
  New service creation
ShimCache – SYSTEM
  evil.exe
  ShimCache records existence of malicious service executable, unless implemented as a service DLL
AmCache.hve – First Time Executed
  evil.exe

Destination – File System
File Creation
  evil.exe or evil.dll malicious service executable or service DLL
Prefetch – C:\Windows\Prefetch\
  evil.exe-{hash}.pf

Command lines:
sc \\host create servicename binpath= “c:\temp\evil.exe”
sc \\host start servicename

WMI/WMIC

Source – Event Logs
security.evtx
  4648 – Logon specifying alternate credentials
    Current logged-on User Name
    Alternate User Name
    Destination Host Name/IP
    Process Name

Source – Registry
ShimCache – SYSTEM
  wmic.exe
BAM/DAM – SYSTEM – Last Time Executed
  wmic.exe
AmCache.hve – First Time Executed
  wmic.exe

Source – File System
Prefetch – C:\Windows\Prefetch\
  wmic.exe-{hash}.pf

Destination – Event Logs
security.evtx
  4624 Logon Type 3
    Source IP/Logon User Name
  4672
    Logon User Name
    Logon by a user with administrative rights
Microsoft-Windows-WMI-Activity%4Operational.evtx
  5857
    Indicates time of wmiprvse execution and path to provider DLL – attackers sometimes install malicious WMI provider DLLs
  5860, 5861
    Registration of Temporary (5860) and Permanent (5861) Event Consumers. Typically used for persistence, but can be used for remote execution.

Destination – Registry
ShimCache – SYSTEM
  scrcons.exe
  mofcomp.exe
  wmiprvse.exe
  evil.exe
AmCache.hve – First Time Executed
  scrcons.exe
  mofcomp.exe
  wmiprvse.exe
  evil.exe

Destination – File System
File Creation
  evil.exe
  evil.mof – .mof files can be used to manage the WMI Repository
Prefetch – C:\Windows\Prefetch\
  scrcons.exe-{hash}.pf
  mofcomp.exe-{hash}.pf
  wmiprvse.exe-{hash}.pf
  evil.exe-{hash}.pf
Unauthorized changes to the WMI Repository in C:\Windows\System32\wbem\Repository

Command lines:
wmic /node:host process call create "C:\temp\evil.exe"
Invoke-WmiMethod –Computer host –Class Win32_Process –Name create –Argument “c:\temp\evil.exe"

PowerShell Remoting

Source – Event Logs
security.evtx
  4648 – Logon specifying alternate credentials
    Current logged-on User Name
    Alternate User Name
    Destination Host Name/IP
    Process Name
Microsoft-Windows-WinRM%4Operational.evtx
  6 – WSMan Session initialize
    Session created
    Destination Host Name or IP
    Current logged-on User Name
  8, 15, 16, 33 – WSMan Session deinitialization
    Closing of WSMan session
Microsoft-Windows-PowerShell%4Operational.evtx
  40961, 40962
    Records the local initiation of powershell.exe and associated user account
  8193 & 8194
    Session created
  8197 – Connect
    Session closed

Source – Registry
ShimCache – SYSTEM
  powershell.exe
BAM/DAM – SYSTEM – Last Time Executed
  powershell.exe
AmCache.hve – First Time Executed
  powershell.exe

Source – File System
Prefetch – C:\Windows\Prefetch\
  powershell.exe-{hash}.pf
  PowerShell scripts (.ps1 files) that run within 10 seconds of powershell.exe launching will be tracked in powershell.exe prefetch file
Command history
  C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
  With PS v5+, a history file with previous 4096 commands is maintained per user

Destination – Event Logs
security.evtx
  4624 – Logon Type 3
    Source IP/Logon User Name
  4672
    Logon User Name
    Logon by a user with administrative rights
Windows PowerShell.evtx
  400/403 "ServerRemoteHost" indicates start/end of Remoting session
  800 Includes partial script code
Microsoft-Windows-PowerShell%4Operational.evtx
  4103, 4104 – Script Block logging
    Logs suspicious scripts by default in PS v5
    Logs all scripts if configured
  53504 – Records the authenticating user
Microsoft-Windows-WinRM%4Operational.evtx
  91 – Session creation
  142 – WSMan Operation Failure
  161 – Remote Authentication Error
  169 – Records the authenticating user

Destination – Registry
ShimCache – SYSTEM
  wsmprovhost.exe
  evil.exe
SOFTWARE
  Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy
  Attacker may change execution policy to a less restrictive setting, such as "bypass"
AmCache.hve – First Time Executed
  wsmprovhost.exe
  evil.exe

Destination – File System
File Creation
  evil.exe
  With Enter-PSSession, a user profile directory may be created
Prefetch – C:\Windows\Prefetch\
  evil.exe-{hash}.pf
  wsmprovhost.exe-{hash}.pf

Command lines:
Enter-PSSession –ComputerName host
Invoke-Command –ComputerName host –ScriptBlock {Start-Process c:\temp\evil.exe}
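The destination-side event IDs in the table above map directly onto detection logic. The following Python is an added example, not the poster's or SANS's code: it classifies parsed event records by (channel, event ID) using the table's destination columns and correlates them by source IP into sessions, so that a 4624 Type 3 logon followed by ADMIN$ share access (5140) and a PSEXESVC service install (7045) surfaces as one PsExec session. The event field names are simplified assumptions standing in for parsed .evtx EventData, and the EVENTS list is constructed.

```python
"""Correlate destination-side event log records into lateral movement sessions.

Added example, not from the SANS poster or its authors. Event records are
assumed to be dicts with channel, id, time and a data dict of EventData fields
(names simplified: IpAddress, LogonType, TargetUserName, SubjectUserName,
ShareName, ServiceName, User); EVENTS below is constructed for illustration.
"""
from datetime import datetime, timedelta


def _share_basename(name):
    # "\\*\ADMIN$" -> "ADMIN$"; a plain endswith("C$") would also match IPC$
    return name.upper().rsplit("\\", 1)[-1]


# (channel, event id) -> function(data) returning a technique label or None,
# built from the destination-side Event Logs columns above.
RULES = {
    ("Security", 4624):
        lambda d: {"10": "Remote Desktop", "3": "Network logon"}.get(d.get("LogonType")),
    ("Security", 4778): lambda d: "Remote Desktop",
    ("Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational", 1149):
        lambda d: "Remote Desktop" if d.get("User") else "Remote Desktop (blank user: possible Sticky Keys)",
    ("Security", 5140):
        lambda d: "Admin share access" if _share_basename(d.get("ShareName", "")) in ("ADMIN$", "C$") else None,
    ("System", 7045):
        lambda d: "PsExec" if "PSEXESVC" in d.get("ServiceName", "").upper() else "Services",
    ("Security", 4697): lambda d: "Services",
    ("Security", 4698): lambda d: "Scheduled Tasks",
    ("Microsoft-Windows-TaskScheduler/Operational", 106): lambda d: "Scheduled Tasks",
    ("Microsoft-Windows-WMI-Activity/Operational", 5857): lambda d: "WMI provider load",
    ("Microsoft-Windows-WMI-Activity/Operational", 5861): lambda d: "WMI permanent event consumer",
    ("Microsoft-Windows-WinRM/Operational", 91): lambda d: "PowerShell Remoting",
    ("Microsoft-Windows-PowerShell/Operational", 4104): lambda d: "PowerShell script block",
}


def classify(event):
    """Technique label for one event, or None if it is not a lateral movement indicator."""
    rule = RULES.get((event["channel"], event["id"]))
    return rule(event.get("data", {})) if rule else None


def correlate(events, window=timedelta(minutes=5)):
    """Group indicators into sessions keyed by source IP.

    An indicator joins the open session for its source IP when the gap since
    that session's last event is within `window`. Indicators that carry no
    address of their own (7045, 5861, ...) join whichever session was most
    recently active inside the window. Anything else starts a new session.
    """
    sessions, open_by_src = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        label = classify(ev)
        if label is None:
            continue
        data = ev.get("data", {})
        src = data.get("IpAddress")
        if src is None:
            recent = [s for s in sessions if ev["time"] - s["end"] <= window]
            sess = max(recent, key=lambda s: s["end"]) if recent else None
        else:
            sess = open_by_src.get(src)
            if sess is not None and ev["time"] - sess["end"] > window:
                sess = None
        if sess is None:
            sess = {"source": src, "users": set(), "start": ev["time"], "end": ev["time"], "techniques": []}
            sessions.append(sess)
            if src is not None:
                open_by_src[src] = sess
        sess["end"] = ev["time"]
        user = data.get("TargetUserName") or data.get("SubjectUserName") or data.get("User")
        if user:
            sess["users"].add(user)
        if label not in sess["techniques"]:
            sess["techniques"].append(label)
    return sessions


def _t(hhmmss):
    return datetime.fromisoformat("2024-06-01T" + hhmmss)


EVENTS = [  # constructed sample records, deliberately not in time order
    {"channel": "Security", "id": 4624, "time": _t("12:00:00"),
     "data": {"LogonType": "3", "IpAddress": "10.0.0.5", "TargetUserName": "admin"}},
    {"channel": "Security", "id": 5140, "time": _t("12:00:02"),
     "data": {"ShareName": "\\\\*\\ADMIN$", "IpAddress": "10.0.0.5", "SubjectUserName": "admin"}},
    {"channel": "System", "id": 7045, "time": _t("12:00:03"),
     "data": {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}},
    {"channel": "Security", "id": 4624, "time": _t("12:30:00"),
     "data": {"LogonType": "10", "IpAddress": "10.0.0.9", "TargetUserName": "bob"}},
    {"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational", "id": 1149,
     "time": _t("12:29:58"), "data": {"IpAddress": "10.0.0.9", "User": ""}},
    {"channel": "Security", "id": 4624, "time": _t("13:10:00"),
     "data": {"LogonType": "3", "IpAddress": "10.0.0.5", "TargetUserName": "admin"}},
    {"channel": "Microsoft-Windows-WMI-Activity/Operational", "id": 5861, "time": _t("13:10:20"), "data": {}},
    {"channel": "Security", "id": 4624, "time": _t("14:00:00"),  # local interactive logon, not lateral
     "data": {"LogonType": "2", "IpAddress": "127.0.0.1", "TargetUserName": "alice"}},
]

if __name__ == "__main__":
    for s in correlate(EVENTS):
        print(f"{s['start']:%H:%M:%S}-{s['end']:%H:%M:%S} src={s['source']} "
              f"users={sorted(s['users'])} -> {', '.join(s['techniques'])}")
```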

EVIDENCE OF PROGRAM EXECUTION

UserAssist
Description:
UserAssist records metadata on GUI-based program executions.
Location:
NTUSER.DAT HIVE
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
Interpretation:
• GUIDs identify type of execution (Win7+)
  - CEBFF5CD Executable File Execution
  - F4E57C4B Shortcut File Execution
• Values are ROT-13 Encoded
• Application path, last run time, run count, focus time and focus count

BAM/DAM
Description:
Windows Background/Desktop Activity Moderator (BAM/DAM) is maintained by the Windows power management sub-system. (Available in Win10+)
Location:
Win10
SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}
Interpretation:
• Provides full path of file executed and last execution date/time
• Typically up to one week of data available
• “State” key used in Win10 1809+

System Resource Usage Monitor (SRUM)
Description:
SRUM records 30 to 60 days of historical system performance including applications run, user accounts responsible, network connections, and bytes sent/received per application per hour.
Location:
C:\Windows\System32\SRU\SRUDB.dat
Interpretation:
• SRUDB.dat is an Extensible Storage Engine database
• Three tables in SRUDB.dat are particularly important:
  - {973F5D5C-1D90-4944-BE8E-24B94231A174} = Network Data Usage
  - {d10ca2fe-6fcf-4f6d-848e-b2e99266fa89} = Application Resource Usage
  - {DD6636C4-8929-4683-974E-22C046A43763} = Network Connectivity Usage

ShimCache
Description:
The Windows Application Compatibility Database is used by Windows to identify possible application compatibility challenges with executables. It tracks the executable file path and binary last modified time.
Location:
XP: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
Win7+: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Interpretation:
Any executable present in the file system could be found in this key. Data can be particularly useful to identify the presence of malware on devices where other application execution data is missing (such as Windows servers).
• Full path of executable
• Windows 7+ contains up to 1,024 entries (96 entries in WinXP)
• Post-WinXP no execution time is available
• Executables can be preemptively added to the database prior to execution. The existence of an executable in this key does not prove actual execution.

Jump Lists
Description:
Windows Jump Lists allow user access to frequently or recently used items quickly via the task bar. First introduced in Windows 7, they can identify applications in use and a wealth of metadata about items accessed via those applications.
Location:
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
Interpretation:
• Each jump list file is named according to an application identifier (AppID). List of Jump List IDs -> https://dfir.to/EZJumpList
• Automatic Jump List Creation Time = First time an item added to the jump list. Typically, the first time an object was opened by the application.
• Automatic Jump List Modification Time = Last time item added to the jump list. Typically, the last time the application opened an object.

Prefetch
Description:
Prefetch increases performance of a system by pre-loading code pages of commonly used applications. It monitors all files and directories referenced for each application or process and maps them into a .pf file. It provides evidence that an application was executed.
• Limited to 128 files on XP and Win7
• Up to 1024 files on Win8+
Location:
C:\Windows\Prefetch
SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
• EnablePrefetcher value (0 = disabled; 3 = application launch and boot enabled)
Interpretation:
• Naming format: (exename)-(hash).pf
• Date/Time file by that name and path was first executed
  - Creation date of .pf file (~-10 seconds)
• Date/Time file by that name and path was last executed
  - Last modification date of .pf file (~-10 seconds)
• Each .pf file includes embedded data, including the last eight execution times (only one time available pre-Win8), total number of times executed, and device and file handles used by the program

Amcache.hve
Description:
Amcache tracks installed applications, programs executed (or present), drivers loaded, and more. What sets this artifact apart is it also tracks the SHA1 hash for executables and drivers. (Available in Win7+)
Location:
C:\Windows\AppCompat\Programs\Amcache.hve
Interpretation:
• A complete registry hive, with multiple sub-keys
• Full path, file size, file modification time, compilation time, and publisher metadata
• SHA1 hash of executables and drivers
• Amcache should be used as an indication of executable and driver presence on the system, but not to prove actual execution
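As an added example (not from the poster), the following Python decodes UserAssist entries as described above: the ROT-13 value names, the GUID prefix that separates executable from shortcut execution, and the binary Count data. The 72-byte Count layout used here (run count at offset 4, focus count at 8, focus time in milliseconds at 12, last-run FILETIME at 60) is the publicly documented Windows 7+ format and is an assumption of this example; the full GUIDs complete the 8-digit prefixes quoted above, and the sample entries are constructed.

```python
"""Decode UserAssist values: ROT-13 names, GUID subkey -> execution type, Count data.

Added example, not from the SANS poster. The 72-byte Count layout assumed here
(run count at offset 4, focus count at 8, focus time in ms at 12, last-run
FILETIME at 60) is the publicly documented Windows 7+ format; the sample
entries are constructed, not taken from a real hive.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

GUID_TYPES = {  # 8-digit prefixes from the interpretation column above
    "CEBFF5CD": "Executable File Execution",
    "F4E57C4B": "Shortcut File Execution",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
COUNT_VALUE_LEN = 72


def filetime_to_datetime(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, computed in integers to avoid float loss."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds) * 10


def decode_entry(guid, value_name, raw):
    """Decode one {GUID}\\Count value into path, type, counters and last-run time."""
    if len(raw) != COUNT_VALUE_LEN:
        raise ValueError(f"unexpected Count value length {len(raw)}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", raw, 4)
    (last_run_ft,) = struct.unpack_from("<Q", raw, 60)
    return {
        "type": GUID_TYPES.get(guid.strip("{}").split("-")[0].upper(), "Unknown"),
        "path": codecs.decode(value_name, "rot_13"),  # value names are ROT-13 encoded
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def make_count_value(run_count, focus_count, focus_ms, last_run):
    """Build a Count value in the assumed layout (used only to construct sample data)."""
    raw = bytearray(COUNT_VALUE_LEN)
    struct.pack_into("<III", raw, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", raw, 60, datetime_to_filetime(last_run))
    return bytes(raw)


def executables_from_user_paths(entries):
    """Executable-type entries whose decoded path sits under a user profile directory."""
    return [e for e in entries
            if e["type"] == "Executable File Execution" and "\\users\\" in e["path"].lower()]


# Full GUIDs of the two subkeys whose first 8 digits the poster quotes.
EXE_GUID = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
LNK_GUID = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"
SAMPLE = [  # constructed entries: (subkey GUID, ROT-13 value name, Count data)
    (EXE_GUID, r"P:\Hfref\nyvpr\NccQngn\Ybpny\Grzc\fipubfg.rkr",
     make_count_value(3, 5, 42_000, datetime(2024, 6, 1, 12, 0, 3, tzinfo=timezone.utc))),
    (LNK_GUID, "Zvpebfbsg Rqtr.yax",
     make_count_value(17, 17, 600_000, datetime(2024, 5, 30, 8, 15, 0, tzinfo=timezone.utc))),
]

if __name__ == "__main__":
    decoded = [decode_entry(*entry) for entry in SAMPLE]
    for e in decoded:
        print(f"{e['type']:<26} runs={e['run_count']:<3} last={e['last_run']:%Y-%m-%d %H:%M:%S}  {e['path']}")
    for e in executables_from_user_paths(decoded):
        print("review: executable run from a user profile path:", e["path"])
```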
