Section 2.1: Intrusion Analysis: Evidence of Execution

Question 1

Name two ways credential theft can be detected.

Answer 1

By seeing the execution of credential dump, and by tracking credential usage via event log.

Question 2

What is Windows Prefetch?

Answer 2

It is a process in which the OS loads key pieces of data and code from disk into memory before it is needed. The directory is “C:\Windows\Prefetch” and carries 1024 files since Windows 8. It can be turned off through the registry. Prefetch files are compressed but PECmd.exe can decompress them.

Question 3

What information does each prefetch file contain?

Answer 3

The file contains the application name, hash based on its path, and ends with “.pf” extension. Embedded in each file is the total number of times an application has been executed, the original path, and the last time it ran. A total of 9 execution times if creation time is counted.

Question 4

Why is it important for an analyst to take notice of prefetch files with the same executable name?

Answer 4

Prefetch files with the same name indicate that one of the files was run from a different location.

Question 5

What is the standard path for cmd.exe?

Answer 5

System32 folder.

Question 6

Why is it a priority to collect prefetch files?

Answer 6

Extraction tools can cause new prefetch files that can cause older ones to be deleted.

Question 7

What is the registry path for prefetch?

Answer 7

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters.

Question 8

What does the cache manager do?

Answer 8

It monitors all “helper” files and directories that reference the application related to the prefetch file.

Question 9

When reading the dates on a prefetch file, what do the creation and modified tell analysts?

Answer 9

The creation date tells the first time we know the file was executed (-10 seconds) and the modified date tells the last time it was executed (-10 seconds). Be aware that if the executable is old, it can be given a new creation date if its overwritten.

Question 10

Does a prefetch file indicate application success?

Answer 10

No. Maybe the application (or malware) wasn’t compatible.

Question 11

When analyzing the prefetch file, what can I understand from the volume information and file sections?

Answer 11

I can find list of documents opened by the application, bad DLLs or hidden folders. Remember to observe SYSWOW64 paths.

Question 12

How does the prefetch timeline file help me as an analyst?

Answer 12

I can track applications that ran at the same time as other applications or it can tell me a story of what other applications adversaries ran along the way by looking at the RunTime.

Question 13

Explain the Application Compatibility Cache system (AppCompatCache AKA ShimCache)?

Answer 13

It is designed to detect and remediate programs compatibility challenges when a program launches like have it load properties of a previous version. These binaries are stored in the AppCompatCache registry inside the SYSTEM hive regardless if they are shimmed or not. This registry cannot be deleted from adversaries.

Question 14

Detail the full path of AppCompatCache and how many entries it holds.

Answer 14

SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache. It holds 1024 entries. There can be multiple files so look at all the controlsets (the parser tool gets them all thankfully).

Question 15

What information does the AppCompatCache provide to the analyst about the registered binaries?

Answer 15

It records the binary’s last modification date, file path, and if it was executed.

Question 16

What is a mistake many analysts make when analyzing the AppCompatCache modification date?

Answer 16

They assume it is the last time a program ran when in reality it is the last time the program was modified.

Question 17

What is an advanced technique analysts need to know about AppCompatCache?

Answer 17

If an applications file content is updated or renamed, then the system shims it again. Its perfect for seeing if applcations were moved, renamed, or timestomped (Ex: downloaded file is renamed).

Question 18

Name two functions on how ShimCache functions on the OS.

Answer 18

Most recent events are on the top of the list and entries are only written on shutdown. They are placed in memory until that happens.

Question 19

What does Amcache.hve do?

Answer 19

It tracks installed applications with their metadata, programs executed, its path, SHA1 hash, and drivers loaded. Just like prefetch, programs here does not indicate execution. Amcache replaced the old RecentFileCache.bcf from other older OS.

Question 20

What directories does Amcache track for new executables?

Answer 20

Program Files, Program Files (x86), and Desktop.

Question 21

What is the path to the Amcache.hve file?

Answer 21

C:\Windows\AppCompat\Programs\Amcache.hve

Question 22

When auditing executable presence inside the amcache.hve file? Where can I start?

Answer 22

Go to the InventoryApplicationFile key to see the list of executables and pick one to see its contents. ProgramId contains the identification number to cross-reference with the InventoryApplication key. LowerCaseLongPath is the Full Path. LinkDate is the PE compilation time (recent dates can be malware). The FileId is the SHA1 hash (skip the first 4 zeros).

Question 23

When auditing executable presence inside the amcache.hve file? Where can I start?

Answer 23

Go to the InventoryApplicationFile key to see the list of executables and pick one to see its contents. ProgramId contains the identification number to cross-reference with the InventoryApplication key. LowerCaseLongPath is the Full Path. LinkDate is the PE compilation time (recent dates can be malware). The FileId is the SHA1 hash (skip the first 4 zeros).

Question 24

When auditing installed drivers inside the amcache.hve file, how do I approach?

Answer 24

Start with the InventoryDriverBinary key and look for suspicious paths first. Check for legit SHA1 hashing. Last modification time is important (DriverLastWriteTime) and see if it connects with incident timeliine. Check if the driver is signed since they should always be. Lastly, observe for any missing metadata.

Question 25

What is an important command to use when parsing Amcache?

Answer 25

Make sure to parse the program entries (associated entries) because the parser only does unassociated entries. The “-i” command does that.

Question 26

When analyzing the parsed files from AmcacheParser, what are some things I should pay attention to?

Answer 26

“Am_cacheProgramEntries” is data that is from the InventoryApplication key. The InventoryApplicationFile key is divided associated and unassociated software. The latter one has information on binaries present on the system that may have not been part of the installation package.

Question 27

Should Win-64 bits always contain signed drivers?

Answer 27

Yes.

Question 28

Name common living of the land tools that an adversary may execute for malicious purposes.

Answer 28

Psexesvc.exe, wmic.exe, scrcons.exe, certutil.exe, rar.exe, wsmprovhost.exe, and whoami.exe.

Question 29

What is so special about the appcompatprocessor.py tool?

Answer 29

It can scales and parses both Shimcache and Amcache artifacts. It can take many types of formats including raw SYSTEM, amcache.hve, and in-memory extraction of Shimcache. It can be stacked and sent to an SQL database. Its good to put all files in a database so that modules can be run like: reconscan, tcorr, search, and more! Stacking can lead to results as to which computer ran the binary, all this can be done with this tool.