
Program Execution [0.1]

Nick Klein edited this page Sep 17, 2020 · 6 revisions

Overview

This artefact provides a detailed list of programs executed on the computer, using forensic data obtained from multiple locations. Because almost every intrusion involves running something, the results can be highly significant. While some analysis notes are provided below, a detailed review of this artefact is most valuable when deeper forensic analysis is required, for example when other findings already indicate potentially malicious activity.

Detection Approach

This search extracts evidence of execution from several locations across a Windows system, each described in its own section below:

  • UserAssist
  • Prefetch
  • Shimcache
  • System Resource Usage Monitor (SRUM)
  • RecentApps
  • Timeline

Obtaining this information from different data sources creates duplicate result entries for the same execution, but examining multiple data sources builds a richer profile, since each source records different information (for example, Prefetch records loaded modules but not the user, while UserAssist and SRUM record the user but not every type of program). Note that some data sources may not be present or populated on a given computer, which will result in empty lists.

Detection Artefact

Packs.CyberCX.Windows.ExecutionsTimeline

Interpreting the Results

Investigations

Suspicious Program Executions

Pay particular attention to the following programs and patterns, which are commonly used by threat actors:

  • WHOAMI.EXE: Often run as an early reconnaissance command when an attacker first gains access to a computer.
  • Repeated calls to PING.EXE, IPCONFIG.EXE, NETSTAT.EXE, or execution of any network or port scanning tool: These programs are often used during reconnaissance to gather information about the host and the network around it. They may be expected on administrator workstations or monitoring hosts, so judge them against the computer's role.
  • Mimikatz, fgdump, or other credential theft tools: An attacker may use tools such as these to steal credentials, often to move laterally across the victim network.
  • MAKECAB.EXE, NTDSUTIL.EXE, WEVTUTIL.EXE, and other unexpected Windows utilities: MAKECAB.EXE can package files for exfiltration, NTDSUTIL.EXE can copy the Active Directory database (NTDS.dit) on a domain controller, and WEVTUTIL.EXE can clear event logs. Depending on the environment in which the program is running, the execution of these utilities is likely to be unexpected.
  • Execution of programs with long, randomly generated names, or names with a single letter such as 'A.EXE'.
  • Programs run from unexpected directories, such as Temp folders or ProgramData.
  • Programs run from the profiles of service accounts, and of inactive or unexpected users.
  • Programs run at unusual times, such as outside business hours. Note that times in these results are recorded in UTC, so convert them to the organisation's local time zone before judging this.
  • Programs run from network shares that should not hold software.
  • Programs run from user folders outside of those expected for the user's role.
  • Use of non-sanctioned remote access tools such as TeamViewer or Remote Desktop Protocol.
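The checks in the list above can be applied mechanically to the execution timeline before a manual review. The following is an added example, not CyberCX Digger code: it scores constructed execution records (path, user, UTC timestamp, source) against each indicator and flags repeated reconnaissance by one user across the whole set. The record layout, the service-account naming convention (svc_ or sa_ prefix), the business hours, and the UTC offset are assumptions; adjust them to the environment.

```python
"""Triage of program-execution records against the indicators listed above.

Added example for this page; it is not CyberCX Digger code. The record layout
(path, user, UTC timestamp, source) and the sample rows are constructed, and the
service-account naming convention and business hours are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Indicator sets taken from the list above (lower-case for matching).
RECON = {"whoami.exe", "ping.exe", "ipconfig.exe", "netstat.exe"}
CRED_THEFT = {"mimikatz.exe", "fgdump.exe"}
ABUSED_BUILTINS = {"makecab.exe", "ntdsutil.exe", "wevtutil.exe"}
REMOTE_ACCESS = {"teamviewer.exe", "mstsc.exe"}   # mstsc.exe is the built-in RDP client
SUSPICIOUS_DIRS = ("\\temp\\", "\\programdata\\")
ODD_NAME = re.compile(r"^(?:[a-z]|[a-z0-9]{16,})\.exe$")   # 'a.exe' or a long random name
NETWORK_SHARE = re.compile(r"^\\\\[^\\]+\\")                # UNC path
SERVICE_ACCOUNT = re.compile(r"^(?:svc|sa)[_-]")            # assumed naming convention


def local_time(utc_iso, utc_offset_hours):
    """Results are recorded in UTC; shift to the organisation's local time for the business-hours test."""
    ts = datetime.fromisoformat(utc_iso.replace("Z", "+00:00"))
    return ts.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def triage_record(rec, business_hours=(8, 18), utc_offset_hours=10):
    """Return the indicator names matched by one execution record (empty list if none)."""
    path = rec["path"].lower()
    name = path.rsplit("\\", 1)[-1]
    user = rec["user"].lower()
    reasons = []
    if name in RECON:
        reasons.append("reconnaissance command")
    if name in CRED_THEFT:
        reasons.append("credential theft tool")
    if name in ABUSED_BUILTINS:
        reasons.append("unexpected Windows utility")
    if name in REMOTE_ACCESS:
        reasons.append("remote access tool")
    if ODD_NAME.match(name):
        reasons.append("single-letter or random executable name")
    if any(d in path for d in SUSPICIOUS_DIRS):
        reasons.append("run from Temp or ProgramData")
    if NETWORK_SHARE.match(path):
        reasons.append("run from a network share")
    if SERVICE_ACCOUNT.match(user):
        reasons.append("run under a service account profile")
    local = local_time(rec["timestamp"], utc_offset_hours)
    if local.weekday() >= 5 or not (business_hours[0] <= local.hour < business_hours[1]):
        reasons.append("outside business hours")
    return reasons


def triage(records, **kwargs):
    """Return [(record, reasons)] for every matching record, most indicators first.
    Repeated reconnaissance (3 or more recon commands) by one user is flagged across the whole set."""
    recon_count = {}
    for r in records:
        if r["path"].lower().rsplit("\\", 1)[-1] in RECON:
            recon_count[r["user"].lower()] = recon_count.get(r["user"].lower(), 0) + 1
    hits = []
    for r in records:
        reasons = triage_record(r, **kwargs)
        if "reconnaissance command" in reasons and recon_count[r["user"].lower()] >= 3:
            reasons.append("repeated reconnaissance by the same user")
        if reasons:
            hits.append((r, reasons))
    hits.sort(key=lambda h: -len(h[1]))
    return hits


# Constructed sample records; timestamps are UTC, evaluated with utc_offset_hours=10 (AEST) by default.
SAMPLE = [
    {"source": "UserAssist", "user": "jsmith", "timestamp": "2020-09-16T01:00:00Z",
     "path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"source": "SRUM", "user": "jsmith", "timestamp": "2020-09-15T23:10:00Z",
     "path": "C:\\Windows\\System32\\whoami.exe"},
] + [
    {"source": "SRUM", "user": "jsmith", "timestamp": "2020-09-15T23:%02d:00Z" % m,
     "path": "C:\\Windows\\System32\\ping.exe"}
    for m in (11, 12, 13)
] + [
    {"source": "SRUM", "user": "svc_backup", "timestamp": "2020-09-15T14:00:00Z",
     "path": "C:\\ProgramData\\a.exe"},
    {"source": "SRUM", "user": "jsmith", "timestamp": "2020-09-16T02:00:00Z",
     "path": "\\\\fileserver\\public\\mimikatz.exe"},
]

if __name__ == "__main__":
    for rec, why in triage(SAMPLE):
        print(rec["timestamp"], rec["user"], rec["path"], "->", "; ".join(why))
```

Sorting by the number of matched indicators puts the entry from ProgramData, under a service account, with a one-letter name and run at midnight local time at the top; the Office executable run at 11:00 matches nothing and is dropped.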

Suspicious Locations for Program Execution

The following sections detail potentially suspicious locations or behaviours for executables to be run, as recorded by each data source:

Program Execution History

The ACSC has recently released a list of Indicators of Compromise (IOCs) relating to actions performed in recent attacks targeting Australian businesses. Some of the indicators, particularly 'File Name' and 'Hash', may be useful for comparison against the program executions indicated in the results.

UserAssist

UserAssist is a record of programs run interactively by users, specifically programs that use a Graphical User Interface (GUI). It is held in each user's NTUSER.DAT registry hive, with the value names ROT13-encoded, so each entry is attributable to a specific user account. If the scan results include link files (.lnk) with the same names and timestamps as executables, these indicate a program executed via a shortcut, such as from a user's Desktop or Start menu.
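To show what the UserAssist records look like before Digger flattens them, the following is an added example (not CyberCX Digger code) that decodes a ROT13 value name and unpacks the 72-byte value used by Windows 7 and later: run count, focus count, focus time and last execution FILETIME. The key path, the field offsets and the FILETIME epoch are Windows facts; the two sample values are constructed, and the ten floating-point fields in the middle of the structure are ignored.

```python
"""Decoding UserAssist values. Added example, not CyberCX Digger code.

Value names under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{GUID}\\Count
are ROT13-encoded, and on Windows 7 and later each value is a 72-byte structure.
The sample values below are constructed.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime; 0 means never run."""
    if filetime == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (integer arithmetic, so it round-trips exactly); used to build sample data."""
    delta = dt - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def parse_userassist_value(value_name, data):
    """Decode one Windows 7+ UserAssist value into a dict.
    Little-endian layout: 0 session id, 4 run count, 8 focus count, 12 focus time (ms),
    16..55 ten floats (not used here), 60 last execution FILETIME, 68 unknown."""
    if len(data) != 72:
        raise ValueError("expected a 72-byte UserAssist value, got %d bytes" % len(data))
    session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "name": codecs.decode(value_name, "rot_13"),   # ROT13 leaves digits and punctuation untouched
        "session": session,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run),
    }


def parse_userassist_count_key(values):
    """values: {encoded_value_name: raw_bytes} as read from a Count subkey. Returns entries newest first."""
    entries = [parse_userassist_value(name, data) for name, data in values.items()]
    entries.sort(key=lambda e: e["last_run"] or EPOCH_1601, reverse=True)
    return entries


def build_sample_value(run_count, focus_count, focus_ms, last_run):
    """Construct a 72-byte value for the sample below (16 header bytes, 40 bytes of floats, 16 trailing bytes)."""
    return (struct.pack("<4I", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 40
            + struct.pack("<IQI", 0, datetime_to_filetime(last_run), 0))


# Constructed sample: an executable and the Start menu shortcut it was launched from, two seconds apart.
# Real value names often begin with a KnownFolder GUID in braces rather than a drive letter.
SAMPLE_COUNT_KEY = {
    codecs.encode("C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "rot_13"):
        build_sample_value(7, 12, 90_000, datetime(2020, 9, 15, 23, 10, 0, tzinfo=timezone.utc)),
    codecs.encode("C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Word.lnk", "rot_13"):
        build_sample_value(7, 0, 0, datetime(2020, 9, 15, 23, 9, 58, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for e in parse_userassist_count_key(SAMPLE_COUNT_KEY):
        print(e["last_run"], e["run_count"], e["focus_time"], e["name"])
```

The matching run counts and near-identical timestamps of the .exe and .lnk entries are the pattern described above for a program started via a shortcut. The run count on Windows 7 and later is stored directly (on Windows XP the 16-byte value started its counter at 5).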

Prefetch

The Windows Prefetch mechanism records details of program execution for optimisation purposes. Prefetch files (C:\Windows\Prefetch\*.pf) are maintained for both GUI and command line programs; however, they are often not present on Windows Server operating systems, where prefetching is disabled by default, and may be disabled on computers with solid state drives (SSDs). Execution details include the modules loaded on program startup, which are useful for deeper analysis of execution dependencies. Execution dates are also provided: the last execution and, on Windows 8 and later, up to the previous seven, which is useful for profiling execution history. A list of all prefetch data results can be found within the full collection.

Note: Prefetch does not associate program execution with user accounts. Further investigation would be required to determine which user accounts were used.

Shimcache

The Shimcache (Application Compatibility Cache) stores records of programs present on the computer for compatibility tracking purposes. Shimcache records are held in memory and written to the registry on disk (which is where CyberCX Digger inspects them) upon a clean shutdown or reboot, meaning the on-disk records only cover programs that were present before the last shutdown; anything seen since then has not yet been written out. This is more of an issue for always-online servers, where the on-disk cache can be weeks or months stale. Note also that the timestamp in each entry is the executable's last modified time, not the time it was run.

Unlike the other methods listed in this article, the presence of an executable within Shimcache does not by itself mean it was executed; only an entry whose 'execution flag' is set (on the Windows versions that record one) indicates execution. It does, however, indicate that the executable file was present within that folder.

  • If any suspicious programs are identified, it is recommended to analyse the context in which the program exists on the computer, including the location of the file and the presence of other files within the same folder.
  • If it can't be determined to be legitimate from contextual analysis, local malware scans, online malware lookups (such as VirusTotal), or usage of malware sandboxing services can be helpful in detecting whether the identified files are malicious or not. Care should be taken when using any online lookup service to avoid inadvertently uploading confidential information, or tipping off an attacker that their presence has been detected.

SRUM

The System Resource Usage Monitor (SRUM) is a database (C:\Windows\System32\sru\SRUDB.dat) maintained by Windows to track resource usage by programs. Some of this information is presented to the user in the App History section of the Windows Task Manager. It can be used to identify which programs executed, how long they ran and how much data they transmitted over the network. A list of all SRUM data results can be found within the full collection.

Note: This feature is only available on computers with operating system versions of Windows 8 or newer, or equivalent Windows Server versions.

User information is stored within this artefact as Security Identifiers (SIDs) instead of usernames. To interpret this data, SIDs may need to be resolved back to usernames. A few SIDs are consistent across all computers, including:

  • S-1-5-18 - Local System
  • S-1-5-19 - Local Service
  • S-1-5-20 - Network Service

Any other SID most likely identifies a user account: SIDs of the form S-1-5-21-... belong to domain or local accounts, with the final number (the RID) identifying the account, and RID 500 is always the built-in Administrator. Information about how to interpret this can be found here.

Specific details to look for in this artefact include:

  • Programs which ran for a long time, based on the duration statistic, which were not expected to do so, such as a long duration for Windows PowerShell on a network where this is unexpected behaviour.
  • Large amounts of network data transmitted by user programs which are not expected to be running.
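The following is an added example, not CyberCX Digger code, covering both the SID resolution and the two checks above: it converts the binary SIDs that SRUM stores into S-1-... form, labels the well-known SIDs from the list, and flags records where a watched program ran unusually long or a user program sent a large amount of data. The record layout (sid, app, duration_s, bytes_sent), the sample SIDs and rows, the watched-program list and the thresholds are constructed assumptions; the binary SID layout and the meaning of RID 500 are Windows facts.

```python
"""SRUM SID decoding and flagging of resource-usage records. Added example, not CyberCX Digger code.

SRUM (SRUDB.dat) stores the user as a binary SID; this converts it to S-1-... form,
labels the well-known SIDs listed above, and applies the two checks from the list.
The records, thresholds and watched-program list are constructed assumptions.
"""
import struct

WELL_KNOWN_SIDS = {
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
}


def sid_to_string(blob):
    """Binary SID: revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then count x 32-bit little-endian sub-authorities."""
    if len(blob) < 8 or blob[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in subs))


def describe_sid(sid):
    """Label a SID string: well-known account, or a domain/local account (S-1-5-21-...) by RID."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    if sid.startswith("S-1-5-21-"):
        rid = int(sid.rsplit("-", 1)[1])
        if rid == 500:
            return "built-in Administrator (RID 500)"
        return "domain or local account, RID %d (resolve against AD or the local SAM)" % rid
    return "other"


def flag_srum_records(records, watched=("powershell.exe",), long_run_s=4 * 3600,
                      large_bytes=500 * 1024 * 1024):
    """records: [{"sid": bytes, "app": str, "duration_s": int, "bytes_sent": int}] (constructed layout).
    Returns [(sid_string, description, app, reasons)] for records matching either check.
    Long duration is only flagged for watched programs; large transfers only for non-system SIDs."""
    out = []
    for r in records:
        sid = sid_to_string(r["sid"])
        app = r["app"].lower()
        reasons = []
        if app in watched and r["duration_s"] > long_run_s:
            reasons.append("watched program ran for %.1f h" % (r["duration_s"] / 3600))
        if sid not in WELL_KNOWN_SIDS and r["bytes_sent"] > large_bytes:
            reasons.append("user program sent %.0f MiB" % (r["bytes_sent"] / 2 ** 20))
        if reasons:
            out.append((sid, describe_sid(sid), app, reasons))
    return out


# Constructed sample SIDs (NT authority = 5) and records.
LOCAL_SYSTEM = b"\x01\x01" + (5).to_bytes(6, "big") + struct.pack("<I", 18)
JSMITH = b"\x01\x05" + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1001, 2002, 3003, 1105)
SAMPLE = [
    {"sid": LOCAL_SYSTEM, "app": "svchost.exe", "duration_s": 86400, "bytes_sent": 1 << 30},
    {"sid": JSMITH, "app": "powershell.exe", "duration_s": 5 * 3600, "bytes_sent": 600 * 2 ** 20},
    {"sid": JSMITH, "app": "outlook.exe", "duration_s": 8 * 3600, "bytes_sent": 50 * 2 ** 20},
]

if __name__ == "__main__":
    for sid, who, app, reasons in flag_srum_records(SAMPLE):
        print(sid, who, app, "->", "; ".join(reasons))
```

The system service that ran all day and moved a gigabyte is left alone because it runs as Local System and is not a watched program, whereas a five-hour PowerShell session under a normal user account that sent 600 MiB matches both checks.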

RecentApps

RecentApps is a record of programs run by users, held in each user's NTUSER.DAT hive under Software\Microsoft\Windows\CurrentVersion\Search\RecentApps. This is a newer artefact, and is not as extensively researched as other sources of program execution. It provides a launch count, which indicates how many times each user has run a specific program, so it is useful for identifying the programs a given user runs most frequently. A list of all RecentApps data results can be found within the full collection.

Note: This feature is only available on Windows 10.

Timeline

A timeline of activity (Windows Timeline, stored per user in the SQLite database ActivitiesCache.db) was added in Windows 10 version 1803. This includes both file and program activity, and tracks programs executed by users in the Graphical User Interface (GUI). This artefact does not record background processes, but can be useful for a more targeted identification of what programs a user opened manually at a specific time. A list of all Timeline data results can be found within the full collection.

Under certain circumstances it may also provide more detailed information about what the user was doing in those programs. This artefact is most useful for identifying malicious activity performed by compromised user accounts.

Note: This feature is only available on computers with an operating system of at least Windows 10. It is not available by default on equivalent Windows Server operating systems, although it could be enabled through configuration.

References

Need Help?

If you've followed the steps above, but still believe your system may have been compromised, please refer to our wiki for more information about how to contact the CyberCX Digital Forensics and Incident Response (DFIR) team.

Revision History

[v0.1]:
