The (Mis)Use of Artifact Categories, pt II

This article has been indexed from Windows Incident Response

My previous post on this topic presented my thoughts on how the concept of “artifact categories” was being misused.

My engagement with artifact categories goes back to 2013, when Corey Harrell implemented his thoughts on categories via auto_rip. I saw, and continue to see, the value in identifying artifact categories, but as I alluded to in my previous post, it really seems that the categories are being misused. Artifacts should be viewed as an indication that a category of activity may have occurred, and as a prompt for further analysis (including, but not limited to, populating artifact constellations); instead, they are often misinterpreted as definitive statements that the event or condition occurred. For example, while an entry in the ShimCache or in the AmCache.hve file indicates that the file existed on the system at one point and may have been executed, too often either one is simply interpreted as “program execution”, and the analyst moves on with no further validation. Without validation, these “findings” lead to incorrect statements about, or an incorrect understanding of, the incident itself.

Program Execution
My previous post discussed the “program execution” category, along with the need to validate that the program did, indeed, execute. Often we’ll see some indication of a program or process being launched (via EDR telemetry, an entry in the Windows Event Log, etc.) and assume that it ran and completed successfully, when the artifact only tells us that it was started.

Keeping that in mind, there are some less-than-obvious artifacts we can look to regarding indications of “program execution”; for example, consider the Microsoft-Windows-Shell-Core\Operational.evtx Event Log file.

Some notable event IDs of interest (all with event source “Shell-Core”):

Event ID 9705/9706 – start/finish of processing the Run/RunOnce keys

Event ID 9707/9708 – start and finish of execution of a process, with the corresponding PID

Event ID 62408/62409 – start/finish of processing of <process>
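The validation step the post calls for can be expressed as a simple correlation: every 9707 “start” record should be matched by a 9708 “finish” record for the same PID, and a start with no finish is a launch that was indicated but never validated as completed. The following is an added example, not code from the original post; it operates on a small constructed export of Shell-Core/Operational records whose column names (TimeCreated, Id, Pid, Command) are assumed for illustration and are not a documented export format. It also brackets the 9705/9706 Run/RunOnce processing window so that starts falling inside it can be attributed to autostart processing.

```python
import csv
import io
from datetime import datetime

# Constructed sample records (not real log data). Column names are an
# assumption for this example, not the actual Shell-Core property layout.
SAMPLE_EXPORT = r"""TimeCreated,Id,Pid,Command
2024-05-01T09:00:00,9705,,Run/RunOnce keys
2024-05-01T09:00:01,9707,4120,C:\Tools\agent.exe
2024-05-01T09:00:02,9707,4133,C:\Users\bob\update.exe
2024-05-01T09:00:05,9708,4120,C:\Tools\agent.exe
2024-05-01T09:00:06,9706,,Run/RunOnce keys
2024-05-01T09:10:00,9708,5001,C:\Windows\notepad.exe
"""

RUN_START, RUN_FINISH = 9705, 9706   # Run/RunOnce key processing window
EXEC_START, EXEC_FINISH = 9707, 9708 # process execution start / finish


def parse_export(text):
    """Parse the CSV export into dicts with typed Id, Pid and TimeCreated."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.fromisoformat(row["TimeCreated"]),
            "id": int(row["Id"]),
            "pid": int(row["Pid"]) if row["Pid"] else None,
            "command": row["Command"],
        })
    return sorted(rows, key=lambda r: r["time"])


def correlate_execution(events):
    """Pair 9707 starts with 9708 finishes by PID, in time order.

    Returns a dict of three lists:
      validated  - (start, finish) pairs: the process was seen to complete
      unfinished - starts with no matching finish: launch indicated only
      orphans    - finishes with no preceding start in this export
    Keying on PID only is a simplification; PIDs are reused, so a real
    analysis should also compare the command and bound the time gap.
    """
    open_starts, validated, orphans = {}, [], []
    for ev in events:
        if ev["id"] == EXEC_START:
            open_starts[ev["pid"]] = ev
        elif ev["id"] == EXEC_FINISH:
            start = open_starts.pop(ev["pid"], None)
            if start is None:
                orphans.append(ev)
            else:
                validated.append((start, ev))
    return {
        "validated": validated,
        "unfinished": list(open_starts.values()),
        "orphans": orphans,
    }


def run_key_windows(events):
    """Return (start_time, finish_time) windows delimited by 9705/9706."""
    windows, opened = [], None
    for ev in events:
        if ev["id"] == RUN_START:
            opened = ev["time"]
        elif ev["id"] == RUN_FINISH and opened is not None:
            windows.append((opened, ev["time"]))
            opened = None
    return windows


def autostart_launches(events):
    """Commands whose 9707 falls inside a Run/RunOnce processing window."""
    windows = run_key_windows(events)
    return [ev["command"] for ev in events
            if ev["id"] == EXEC_START
            and any(s <= ev["time"] <= f for s, f in windows)]


def report(text):
    """Produce analyst-facing findings with their validation status."""
    events = parse_export(text)
    result = correlate_execution(events)
    lines = []
    for start, finish in result["validated"]:
        lines.append(f"EXECUTED  pid={start['pid']} {start['command']} "
                     f"({(finish['time'] - start['time']).seconds}s)")
    for start in result["unfinished"]:
        lines.append(f"UNVERIFIED pid={start['pid']} {start['command']} "
                     "(start seen, no finish: do not report as executed)")
    for fin in result["orphans"]:
        lines.append(f"ORPHAN    pid={fin['pid']} {fin['command']} "
                     "(finish without start: check log coverage)")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT):
        print(line)
```

The “UNVERIFIED” line is the point of the exercise: a lone 9707 record (like a lone ShimCache or AmCache entry) supports “the launch was attempted”, not “the program ran to completion”, and the finding should be worded that way until another artifact in the constellation confirms it.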

Some additional, use

[…]