Program Execution [0.1]
Indications of suspicious programs, or of programs executing in a way that known attackers have been observed to use, have been identified.
This search provides a summary of programs executed on the computer to give context for suspicious activity. For example, it may identify programs executing from unexpected locations. These records of execution should be investigated to identify suspicious activity, such as that performed by attackers during the various phases of an intrusion, or indications that other user accounts may be compromised.
This search looks in multiple locations for any record of execution of particular programs within a Windows system.
The programs and behaviours searched for are derived from intelligence provided by the ACSC, and from other sources such as CyberCX and CrowdStrike investigations. See the threat intelligence sources section below for further details.
Hits are derived from the intelligence provided, and do not consider environmental factors specific to your computer or network environment.
Packs.CyberCX.Windows.ExecutionsTimeline
- Those provided in the ACSC 2020-008 report on 'Copy and Paste' attacks, which is marked Traffic Light Protocol (TLP) White.
- Investigations performed by CyberCX
- Investigations performed by CrowdStrike
- Contributions from the community
Any hits identified may not indicate compromise on your system, but might be indicative of attacker activity. It is recommended to review each detection contextually to confirm if the hit is definitively malicious or a false positive. Guidance for how to approach these investigations is provided within this section.
This section provides general guidance on how to determine if the hit is indicative of a suspicious program, and why it may be suspicious. Please note the specific detection results within the report generated by CCX Digger when conducting the investigation, as some of the content below may not be applicable for your system.
The instructions below are provided to assist with interpreting the results, but the following considerations must be made:
- Computers and networks vary widely in which programs are expected to run.
- Environmental factors determine the degree of risk for a specific program execution.
Please consider the network environment of the computer which has been scanned and adjust the advice to what may be worth investigating accordingly. Do not assume that there is no suspicious activity on the computer should no results be identified: attackers have methods of hiding malicious code within legitimate executions.
The following programs have been known to be used by attackers:
- WHOAMI.EXE: This is often run as an initial reconnaissance command when first accessing a computer, especially on computers infrequently used by administrators
- Repeated calls to PING.EXE, IPCONFIG.EXE, NETSTAT.EXE, or execution of any network or port scanning tool: These programs are often used during reconnaissance to gather information about the host. This may be expected behaviour for the computer.
- Mimikatz, fgdump, or other credential theft tools: An attacker may use tools such as these to steal credentials, often to move laterally across the victim network.
- MAKECAB.EXE, NTDSUTIL.EXE, WEVTUTIL.EXE, and other unexpected Windows utilities: Depending on the environment in which the program is running, the execution of these utilities is likely to be unexpected.
- Execution of programs with long, randomly generated names, or names with a single letter such as 'A.EXE'.
- Programs run from unexpected directories, such as Temp folders or ProgramData, which are not recognised as benign.
- Programs run from the profiles of non-interactive or inactive users in a time when access to those accounts would be unexpected.
- Programs run outside of business hours for user computers. Note that times in these results may be recorded in UTC.
- Programs run from network shares that should not hold software.
- Programs run from user folders outside of what would be expected from those users' roles.
- Usage of non-sanctioned remote access tools such as TeamViewer or Remote Desktop Protocol.
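As an added worked example (not code from the CCX Digger project), the following Python script applies the indicators in the list above to a set of constructed execution records. The record layout, the UTC+10 local time zone, the business-hours window, the "repeated calls" threshold and the entropy heuristic used for random-looking names are all assumptions made for this example; the program names are the ones listed above.

```python
import math
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Program names from the list above, mapped to the reason they are of interest.
KNOWN_TOOLS = {
    "whoami.exe": "reconnaissance utility", "ping.exe": "reconnaissance utility",
    "ipconfig.exe": "reconnaissance utility", "netstat.exe": "reconnaissance utility",
    "mimikatz.exe": "credential theft tool", "fgdump.exe": "credential theft tool",
    "makecab.exe": "unexpected Windows utility", "ntdsutil.exe": "unexpected Windows utility",
    "wevtutil.exe": "unexpected Windows utility",
    "teamviewer.exe": "non-sanctioned remote access tool",
}
RECON_TOOLS = {name for name, why in KNOWN_TOOLS.items() if why == "reconnaissance utility"}
SUSPICIOUS_DIRS = re.compile(r"\\(temp|programdata)\\", re.IGNORECASE)
SINGLE_LETTER_NAME = re.compile(r"^[a-z]\.exe$", re.IGNORECASE)

# Assumptions for this example: business hours are Mon-Fri 08:00-17:59 local time,
# the host sits in UTC+10 (no daylight-saving handling), and more than five runs
# of one reconnaissance tool deserves a second look.
LOCAL_TZ = timezone(timedelta(hours=10))
BUSINESS_HOURS = range(8, 18)
REPEAT_THRESHOLD = 5

# Constructed sample records (not real scan output): source artefact, path, UTC time.
SAMPLE_RECORDS = [
    {"source": "Prefetch", "path": r"C:\Windows\System32\whoami.exe", "time": "2020-06-18T02:15:03Z"},
    {"source": "Shimcache", "path": r"C:\ProgramData\mimikatz.exe", "time": "2020-06-18T02:20:41Z"},
    {"source": "UserAssist", "path": r"C:\Users\jsmith\AppData\Local\Temp\a.exe", "time": "2020-06-18T02:22:10Z"},
    {"source": "Prefetch", "path": r"C:\Users\jsmith\Downloads\xkq92mzp4lv7.exe", "time": "2020-06-17T16:30:00Z"},
    {"source": "Prefetch", "path": r"C:\Windows\System32\notepad.exe", "time": "2020-06-18T01:05:00Z"},
] + [
    {"source": "Prefetch", "path": r"C:\Windows\System32\ping.exe", "time": f"2020-06-18T02:{m:02d}:00Z"}
    for m in range(6)
]


def program_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def shannon_entropy(text):
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def looks_random(stem):
    # Heuristic for "long, randomly generated names": 12+ characters with a
    # near-uniform character mix. The 3.5-bit threshold is an assumption.
    return len(stem) >= 12 and shannon_entropy(stem.lower()) > 3.5


def parse_utc(timestamp):
    # Times in the results are recorded in UTC (see the note above).
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def outside_business_hours(timestamp):
    local = parse_utc(timestamp).astimezone(LOCAL_TZ)
    return local.weekday() >= 5 or local.hour not in BUSINESS_HOURS


def triage_record(record):
    """Return the reasons a single execution record deserves review."""
    path = record["path"]
    name = program_name(path)
    reasons = []
    if name in KNOWN_TOOLS:
        reasons.append(KNOWN_TOOLS[name])
    if SINGLE_LETTER_NAME.match(name):
        reasons.append("single-letter program name")
    elif looks_random(name.rsplit(".", 1)[0]):
        reasons.append("long random-looking program name")
    if SUSPICIOUS_DIRS.search(path):
        reasons.append("run from Temp/ProgramData")
    if path.startswith("\\\\"):
        reasons.append("run from a network share")
    if record.get("time") and outside_business_hours(record["time"]):
        reasons.append("run outside business hours")
    return reasons


def triage(records):
    """Map each flagged path to its sorted reasons, adding repeated recon tool use."""
    findings = {}
    recon_runs = Counter(program_name(r["path"]) for r in records
                         if program_name(r["path"]) in RECON_TOOLS)
    for record in records:
        reasons = triage_record(record)
        if reasons:
            findings.setdefault(record["path"], set()).update(reasons)
    for path, reasons in findings.items():
        runs = recon_runs.get(program_name(path), 0)
        if runs > REPEAT_THRESHOLD:
            reasons.add(f"repeated calls ({runs})")
    return {path: sorted(reasons) for path, reasons in findings.items()}


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(reasons)}")
```

Run stand-alone, the script prints one line per flagged path. A hit such as WHOAMI.EXE or six PING.EXE runs still needs the environmental context the guidance above asks for; the script only orders what to look at first.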
The following section details potentially suspicious locations or behaviours for executables to be run from, and the artefacts in which records of execution are found:
The ACSC has recently released a list of Indicators of Compromise (IOCs) relating to actions performed in recent attacks targeting Australian businesses. Some of the indicators, particularly 'File Name' and 'Hash' may be useful for comparison against the program execution indicated in the results.
UserAssist is a registry record of programs run interactively by users through the Windows shell, typically programs with a Graphical User Interface (GUI) that were double-clicked or opened from a shortcut; each entry carries a run count and last-run time. The scan results will also have captured link files with the same timestamps as these executables; when present, these indicate that the program was opened by a shortcut, such as the one on a user's Desktop.
Prefetch is a record of programs recently run on a Windows system, kept for start-up optimisation. Each Prefetch file also stores details of the program, such as the files and modules loaded during its start-up. This is useful for a deeper investigation of a program, but need not be a concern during initial investigations.
Prefetch records recent execution times of programs (the last run time, and on Windows 8 and later the last eight run times), which is useful to identify repeated use of programs, such as repeated calls to PING.EXE indicating reconnaissance activity. A list of all prefetch data results can be found within the full collection. Note: Prefetch data does not contain user association, so this will need to be confirmed from other artefacts before concluding that activity is malicious. Prefetch is also disabled by default on Windows Server editions, so its absence on a server is not in itself suspicious.
Shimcache (the Application Compatibility Cache) is a record of executables seen on the system, maintained for compatibility tracking and written to the registry when the system shuts down. The record rolls over as new entries are added, but typically covers a fair period, which makes it useful for identifying historical programs as well as recent ones. Shimcache contains many entries that may not be meaningful to an incident, but it will also contain details which may not be present in other artefacts. This is useful for many purposes, such as looking at the execution of command line tools used for exploitation (such as NTDSUtil), password cracking utilities (such as fgdump or Mimikatz), or other generic malware.
Unlike the other artefacts listed in this article, the presence of an executable within Shimcache does not by itself mean it was executed. On Windows 7 and Windows Server 2008 R2 and earlier, execution is indicated only if the 'execution flag' within the entry is set; Windows 10 entries carry no such flag, so they show only that the executable file was present at that path. The timestamp in each entry is the file's last-modified time, not the time of execution.
- If any suspicious programs are identified, it is recommended to analyse the context which the program exists on the computer, including the location of the file and presence of other files within the same folder.
- If it can't be determined to be legitimate from contextual analysis, local malware scans, online malware lookups (such as VirusTotal), or usage of malware sandboxing services can be helpful in detecting whether the identified files are malicious or not.
As Shimcache is written to the registry only when the computer shuts down or reboots, the data in this artefact may not be recent for always-online servers; entries from the current session exist only in memory until then.
The System Resource Usage Monitor (SRUM) database is a database kept by Windows on the system resources of previously used programs. Some of this information is provided to the user in the App History section of the Windows Task Manager. This can be used to identify programs which have executed, how long they ran for, and other details, such as how much data they communicated over the network. A list of all SRUM data results can be found within the full collection.
Note: This feature is only available on computers with operating system versions of Windows 8 or newer, or equivalent Windows Server versions.
User information is stored within this artefact as Security Identifiers (SIDs) rather than usernames, so interpreting it may require converting SIDs back to usernames. A few SIDs are, however, consistent across all computers:
- S-1-5-18 - Local System
- S-1-5-19 - Local Service
- S-1-5-20 - Network Service
Other SIDs will most likely identify a user account. These take the form S-1-5-21-<domain or machine identifier>-<relative identifier>, where the final relative identifier (RID) distinguishes the individual account. Information about how to interpret this can be found here.
Specific details to look for in this artefact include:
- Programs which, based on the duration statistic, ran for far longer than expected, such as a long-running Windows PowerShell process on a network where this is not normal behaviour.
- Large amounts of network data being communicated by user programs which are not expected to be running.
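The following added Python example (not part of CCX Digger) shows how the SID guidance and the two review points above can be applied to SRUM-style rows: it labels the three well-known SIDs, splits S-1-5-21 account SIDs into the domain or machine identifier and the RID, and aggregates run duration and network volume per account and program. The row layout, the sample rows, the one-hour and 1 GB thresholds, and the additional RID labels (500 Administrator, 501 Guest, 512 Domain Admins, 513 Domain Users, which are standard Windows well-known RIDs not listed above) are assumptions or additions made for this example.

```python
# Well-known SIDs listed above; these are identical on every Windows computer.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "Local System",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
}
# Standard well-known relative identifiers (RIDs) under a domain or machine SID
# (added for this example; not from the page above).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}

# Assumed review thresholds: a user program running more than an hour in total,
# or sending more than 1 GB, is worth a look.
LONG_RUN_S = 3600
LARGE_UPLOAD_BYTES = 1_000_000_000


def describe_sid(sid):
    """Turn a SID into a reviewer-friendly label without a directory lookup."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    parts = sid.split("-")
    # Domain and local accounts look like S-1-5-21-<three sub-authorities>-<RID>.
    if sid.startswith("S-1-5-21-") and len(parts) == 8 and parts[-1].isdigit():
        rid = int(parts[-1])
        authority = "-".join(parts[:-1])
        if rid in WELL_KNOWN_RIDS:
            return f"{WELL_KNOWN_RIDS[rid]} (RID {rid}) in {authority}"
        return f"account RID {rid} in {authority} (resolve via the domain or local SAM)"
    return f"unrecognised SID {sid}"


# Constructed SRUM-style rows (not real data). SRUM records application paths
# as NT device paths rather than drive letters.
SAMPLE_SRUM_ROWS = [
    {"sid": "S-1-5-21-1004336348-1177238915-682003330-1001",
     "app": r"\Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "duration_s": 14400, "bytes_sent": 3_200_000_000, "bytes_recv": 52_000_000},
    {"sid": "S-1-5-21-1004336348-1177238915-682003330-1001",
     "app": r"\Device\HarddiskVolume2\Program Files\Google\Chrome\Application\chrome.exe",
     "duration_s": 600, "bytes_sent": 20_000_000, "bytes_recv": 800_000_000},
    {"sid": "S-1-5-18",
     "app": r"\Device\HarddiskVolume2\Windows\System32\svchost.exe",
     "duration_s": 86400, "bytes_sent": 10_000_000, "bytes_recv": 90_000_000},
    {"sid": "S-1-5-21-1004336348-1177238915-682003330-500",
     "app": r"\Device\HarddiskVolume2\Windows\System32\cmd.exe",
     "duration_s": 30, "bytes_sent": 0, "bytes_recv": 0},
]


def summarize_srum(rows, long_run_s=LONG_RUN_S, large_upload=LARGE_UPLOAD_BYTES):
    """Aggregate rows per (SID, program) and return only the entries worth review."""
    totals = {}
    for row in rows:
        key = (row["sid"], row["app"].rsplit("\\", 1)[-1].lower())
        total = totals.setdefault(key, {"duration_s": 0, "bytes_sent": 0, "bytes_recv": 0})
        for field in total:
            total[field] += row[field]
    flagged = {}
    for (sid, app), total in totals.items():
        reasons = []
        # Service accounts run long-lived processes by design, so only judge
        # duration for user accounts; judge upload volume for every account.
        if sid not in WELL_KNOWN_SIDS and total["duration_s"] > long_run_s:
            reasons.append(f"ran {total['duration_s'] // 3600} h in total")
        if total["bytes_sent"] > large_upload:
            reasons.append(f"sent {total['bytes_sent'] / 1e9:.1f} GB")
        if reasons:
            flagged[(sid, app)] = {"account": describe_sid(sid), **total, "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for (sid, app), info in summarize_srum(SAMPLE_SRUM_ROWS).items():
        print(f"{info['account']} / {app}: {'; '.join(info['reasons'])}")
```

On the constructed rows only the PowerShell usage by RID 1001 is reported; the long-running svchost.exe under Local System is deliberately not, since service accounts are expected to run for the life of the system. Resolving a RID to a username still requires the domain controller or the local SAM of the scanned host.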
RecentApps is a per-user registry record of programs run by that user. It is a newer artefact and less extensively researched than the other sources of program execution. Each entry carries a launch count, which shows how many times the user has run that program and so identifies the programs each user runs most frequently. A list of all RecentApps data results can be found within the full collection.
Note: This feature is only available on computers with operating systems equivalent to Windows 10.
Windows Timeline, added in Windows 10 version 1803, records both file and program activity, and tracks programs executed by users in the Graphical User Interface (GUI). This artefact does not record background processes, but is useful for a more targeted identification of what programs a user manually opened at a specific time. A list of all Timeline data results can be found within the full collection.
Under certain circumstances it may also provide more detailed information about what the user was doing in those programs, such as the files or documents open. This artefact is most useful for identifying malicious activity performed through compromised user accounts.
Note: This feature is only available on computers with an operating system of at least Windows 10. It is not available by default on equivalent Windows Server operating systems, although it could be enabled through configuration.
If you have followed the investigations to confirm the validity of the findings, and believe your system may be at risk, please visit the Need Help? page for further instructions. Please refer to the same page for further context on how to use this wiki.