…and the question is…

I received an interesting question via LinkedIn not long ago, but before we dive into the question and the response…

If you’ve followed me for any amount of time, particularly recently, you’ll know that I’ve put some effort forth in correcting the assumption that individual artifacts, particularly ShimCache and AmCache, provide “evidence of execution”. This is a massive oversimplification of the nature and value of each of these artifacts, in addition to just being an extremely poor analytic process; that is, viewing single artifacts in isolation to establish a finding.
Okay, so now, the question I was asked was, what is my “go to” artifact to demonstrate evidence of execution?
First, let me say, I get it…I really do. During my time in the industry, I’ve heard customers ask, “..what is the product I need to purchase to protect my infrastructure?”, so an analyst asking, “…what is the artifact that illustrates evidence of execution?” is not entirely unexpected. After all, isn’t that the way things work sometimes? What is the one thing, which button do I push, which is the lever I pull, what is the one action I need to take, or one choice I need to make to move forward?
So, in a way, the question of the “go to” artifact to demonstrate…well, anything…is a trick question. Because there should not be one. Looking just at “evidence of execution”, some might think, “…well, there’s Prefetch files…right?”, and that’s a good option, but what do we know about application prefetching? 
We know that the prefetcher monitors the first 10 seconds of execution, and tracks files that are loaded.
We know that beginning with Windows 8, Prefetch files can hold up to 8 “last run” times, embedded within the file itself. 
We know that application prefetching is enabled by default on workstations, but not servers. 
Okay, this is great…but what happens after those first 10 seconds? What I mean is, what happens if code within the program throws an error, doesn’t work, or the running application is detected by AV? Do we consider that the application “executed” only if it started, or do we consider “evidence of execution” to include the application completing, and impacting the endpoint in some manner?
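To make the “up to 8 last run times” point concrete, here is an added example (not code from the original post): a small Python parser that pulls the executable name, run count and the embedded last-run timestamps out of a decompressed Prefetch header. Offsets follow the publicly documented SCCA layout (version 23 for Windows 7, 26/30 for Windows 8.1/10); deriving the Windows 10 run-count offset from the metrics-array offset is an assumption, and the sample file is constructed, not captured from a system.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    td = dt - EPOCH_1601
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10

def parse_prefetch(data: bytes) -> dict:
    """Parse the header of a *decompressed* Prefetch file (SCCA versions 23, 26, 30).
    Windows 10 writes .pf files Xpress-Huffman compressed behind a 'MAM' magic;
    decompress those before handing them to this function."""
    if data[:3] == b"MAM":
        raise ValueError("compressed Prefetch file: decompress it first")
    if data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not a Prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    metrics_offset = struct.unpack_from("<I", data, 84)[0]
    if version == 23:           # Windows 7: a single last-run time at 0x80
        n_times, run_count_off = 1, 0x98
    elif version in (26, 30):   # Windows 8.1 / 10: up to eight last-run times at 0x80
        # The run count sits 100 bytes before the metrics array in the v26/v30
        # layouts (0xD0 or 0xC8 absolute); deriving it this way is an assumption.
        n_times, run_count_off = 8, metrics_offset - 100
    else:
        raise ValueError(f"unsupported Prefetch version {version}")
    raw_times = struct.unpack_from(f"<{n_times}Q", data, 0x80)
    return {
        "version": version,
        "exe": exe_name,
        "run_count": struct.unpack_from("<I", data, run_count_off)[0],
        # Unused slots are zero; the most recent run occupies the first slot.
        "last_runs": [filetime_to_datetime(t) for t in raw_times if t],
    }

def build_sample() -> bytes:
    """Constructed version-26 header (not a real file) recording two runs."""
    buf = bytearray(308)
    struct.pack_into("<I4s", buf, 0, 26, b"SCCA")
    buf[16:76] = "NOTEPAD.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 84, 308)   # metrics array would follow the header
    runs = [datetime(2023, 1, 2, 12, tzinfo=timezone.utc),
            datetime(2023, 1, 1, tzinfo=timezone.utc)]
    struct.pack_into("<8Q", buf, 0x80, *[datetime_to_filetime(r) for r in runs], *([0] * 6))
    struct.pack_into("<I", buf, 0xD0, 2)   # run count
    return bytes(buf)
```

Note that the timestamps only tell you when the loader started the program; they say nothing about whether it ran past the prefetcher’s 10-second window, which is exactly the gap the paragraph above is pointing at.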

[…]

This article has been indexed from Windows Incident Response
