A quick review of Host-Based Artifact Analysis for Threat Detection and Forensic Investigations

Host-based artifacts are crucial elements in threat detection and forensic investigations. They are digital footprints left by an attacker or malware on a system, and they provide valuable information for identifying and analyzing security incidents. This white paper discusses some of the key host-based artifacts that can be used to detect and investigate security incidents, focusing on running processes, services, parent-child process trees, integrity hash of background executables, installed applications, local and domain users, unusual authentications, non-standard formatted usernames, listening ports and associated services, domain name system (DNS) resolution settings and static routes, established and recent network connections, run key and other AutoRun persistence, scheduled tasks, artifacts of execution (prefetch and shimcache), event logs, and anti-virus detections.

Running Processes: Running processes are a fundamental part of any operating system. In the context of threat detection and forensic investigations, running processes can provide valuable insights into what is happening on a system. Malware often tries to disguise itself as a legitimate process or hide behind a process with a similar name. By monitoring the running processes on a system, it is possible to detect suspicious behavior and identify malicious code. Furthermore, the command-line arguments of a process can reveal additional information about its purpose, which can be useful in determining whether it is benign or malicious.

Running Services: Services are processes that run in the background and provide functionality to other processes or users. Services can be used to automate tasks or provide network services. In the context of threat detection and forensic investigations, running services can provide valuable insights into what is happening on a system. Malware often installs itself as a service to ensure persistence and hide from the user. By monitoring the running services on a system, it is possible to detect suspicious behavior and identify malicious code.

Parent-Child Process Trees: Parent-child process trees are a way to visualize the relationships between processes on a system. By examining the parent-child process trees on a system, it is possible to identify malicious behavior such as a process spawning a child process that is not normally associated with its operation. This can be a sign of a process attempting to execute malicious code or propagate itself across the system.
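The three checks described above (a process whose parent is not the one it normally has, a well-known image name running from the wrong place, and a document application spawning a command interpreter) as one added example that is not part of the original paper. The process snapshot, the expected-parent baseline, and the application and interpreter name sets are constructed assumptions for illustration.

```python
# Constructed snapshot in the shape a live-response tool returns:
# (pid, ppid, image name, command line). Rows marked "assumed" are the
# planted anomalies, not observations from any real host.
SNAPSHOT = [
    (4, 0, "System", ""),
    (600, 4, "smss.exe", r"\SystemRoot\System32\smss.exe"),
    (700, 600, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    (800, 700, "services.exe", r"C:\Windows\System32\services.exe"),
    (900, 800, "svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    (1500, 1300, "explorer.exe", r"C:\Windows\explorer.exe"),
    (2100, 1500, "winword.exe", r"C:\Program Files\Office\winword.exe invoice.docm"),
    (2200, 2100, "cmd.exe", "cmd.exe /c powershell -w hidden"),                   # assumed
    (2300, 1500, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),  # assumed
]

# Assumed baseline: the parents normally expected for core Windows images, and
# the directories those images normally run from.
EXPECTED_PARENTS = {"svchost.exe": {"services.exe"}, "services.exe": {"wininit.exe"},
                    "wininit.exe": {"smss.exe"}, "smss.exe": {"System", "smss.exe"}}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "\\systemroot\\system32\\")
# Assumed: document applications that have no business spawning interpreters.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def find_anomalies(snapshot):
    """Return (pid, reason) pairs for rows that violate the baseline."""
    by_pid = {row[0]: row for row in snapshot}   # pid -> row, for parent lookup
    findings = []
    for pid, ppid, name, cmdline in snapshot:
        parent = by_pid[ppid][2] if ppid in by_pid else "<unknown>"
        image, low_cmd = name.lower(), cmdline.lower()
        expected = EXPECTED_PARENTS.get(image)
        # A core image whose parent is not the one the boot chain produces.
        if expected and parent not in expected:
            findings.append((pid, f"{name} spawned by {parent}, expected {sorted(expected)}"))
        # A core image name running from a user-writable location (name mimicry).
        if expected and not low_cmd.startswith(SYSTEM_DIRS):
            findings.append((pid, f"{name} running outside system directory: {cmdline}"))
        # A document application spawning a command interpreter.
        if parent.lower() in OFFICE_APPS and image in SHELLS:
            findings.append((pid, f"{parent} spawned {name}: {cmdline}"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_anomalies(SNAPSHOT):
        print(f"pid {pid}: {reason}")
```

On a real host the snapshot would come from a live-response tool and the baseline from a known-good build of the same image; the code reports three findings on the constructed data, all on the two planted rows.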

Integrity Hash of Background Executables: The integrity hash of background executables refers to a checksum or digital signature that can be used to verify the integrity of a file. Malware often tries to modify legitimate executables to evade detection or gain persistence on a system. By monitoring the integrity hash of background executables, it is possible to detect when files have been modified or replaced.
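The baseline-and-compare workflow the paragraph describes, as an added example that is not code from the original paper. The files are constructed in a temporary directory; the suffix list and the three-way classification (modified, added, missing) are assumptions about how a practitioner would scope the check.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example: a sha256 baseline over executable-like files and a three-way
# diff against a later capture. The temporary directory and its contents are
# constructed here; no real binaries are involved.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, suffixes=EXECUTABLE_SUFFIXES):
    """Map relative path -> sha256 for every matching file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in suffixes}


def compare(baseline, current):
    """Split the differences into modified (hash changed), added, and missing."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline, then a replaced binary, a dropped DLL and a removed one."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = Path(d)
        (bin_dir / "svc.exe").write_bytes(b"MZ original service")
        (bin_dir / "helper.dll").write_bytes(b"MZ helper")
        (bin_dir / "readme.txt").write_bytes(b"not an executable, ignored")
        baseline = build_baseline(bin_dir)
        (bin_dir / "svc.exe").write_bytes(b"MZ replaced service")   # tampered in place
        (bin_dir / "drop.dll").write_bytes(b"MZ new file")           # dropped
        (bin_dir / "helper.dll").unlink()                            # removed
        return compare(baseline, build_baseline(bin_dir))


if __name__ == "__main__":
    print(demo())
```

The baseline dictionary is what you would store (signed, off-host) at build time and re-run against a suspect system during triage.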

Installed Applications: Installed applications can provide valuable information for threat detection and forensic investigations. Malware often installs itself as a legitimate application or modifies an existing application to evade detection. By examining the list of installed applications on a system, it is possible to identify suspicious or malicious applications.

Local and Domain Users: Local and domain users are the users who have access to a system. By monitoring the local and domain users on a system, it is possible to detect suspicious activity such as unauthorized logins or attempts to escalate privileges. Additionally, monitoring user behavior can help identify insider threats.

Unusual Authentications: Unusual authentications refer to authentication attempts that are outside the normal patterns for a system. For example, if a user logs in from an IP address that is outside of the normal geographic region or outside of normal business hours, it may be a sign of a compromised account or unauthorized access.

Non-Standard Formatted Usernames: Non-standard formatted usernames refer to usernames that do not follow the usual naming convention for a system. For example, if a username contains special characters or is much longer than the usual username length, it may be a sign of an attacker attempting to bypass security controls.

Listening Ports and Associated Services: Listening ports and associated services are the network services that are available on a system. By monitoring the listening ports and associated services on a system, it is possible to detect suspicious or malicious network activity. For example, a new listening port or service may indicate that a new backdoor or remote access tool has been installed.

Domain Name System (DNS) Resolution Settings and Static Routes: DNS resolution settings and static routes can provide valuable information for threat detection and forensic investigations. Malware often modifies these settings to redirect traffic or evade detection. By monitoring the DNS resolution settings and static routes on a system, it is possible to detect when these settings have been modified.

Established and Recent Network Connections: Established and recent network connections refer to the network connections that are currently active or have been recently established on a system. By monitoring these connections, it is possible to detect suspicious or malicious network activity. For example, a connection to a known command and control server may indicate that a system has been compromised.
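The two network checks from the listening-ports paragraph and this one, joined to the owning process so the "associated service" is visible, as an added example that is not part of the original paper. The netstat text, the pid-to-image map, the listener baseline and the watchlist network are all constructed assumptions (documentation address ranges, not real indicators).

```python
import ipaddress
import re

# Constructed `netstat -ano`-style output (Windows column layout) and the
# pid -> image map a process snapshot would supply. The addresses are from
# documentation ranges and are not real indicators.
NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2300
  TCP    10.0.0.5:49812         203.0.113.77:443       ESTABLISHED     2300
  TCP    10.0.0.5:49813         10.0.0.9:445           ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    1800
"""
PROCESSES = {4: "System", 1012: "svchost.exe", 2300: "svchost.exe", 1800: "chrome.exe"}

# Assumed baseline of listeners this host normally exposes, and an assumed
# watchlist of destination networks from threat intelligence.
BASELINE_LISTEN = {("TCP", 135), ("TCP", 445), ("UDP", 5353)}
WATCHLIST = [ipaddress.ip_network("203.0.113.0/24")]

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def parse_netstat(text):
    """Turn netstat lines into dicts; lines that do not fit the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, laddr, lport, faddr, state, pid = m.groups()
            rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                         "faddr": faddr, "state": state or "", "pid": int(pid)})
    return rows


def review_connections(rows, processes):
    """Flag listeners outside the baseline and sessions to watchlisted networks."""
    findings = []
    for r in rows:
        image = processes.get(r["pid"], "<unknown>")
        if r["state"] == "LISTENING" and (r["proto"], r["lport"]) not in BASELINE_LISTEN:
            findings.append(f"new listener {r['proto']}/{r['lport']} owned by pid {r['pid']} ({image})")
        if r["state"] == "ESTABLISHED":
            host = r["faddr"].rsplit(":", 1)[0].strip("[]")   # handles [v6]:port too
            if any(ipaddress.ip_address(host) in net for net in WATCHLIST):
                findings.append(f"pid {r['pid']} ({image}) connected to watchlisted host {r['faddr']}")
    return findings


if __name__ == "__main__":
    for f in review_connections(parse_netstat(NETSTAT), PROCESSES):
        print(f)
```

Both findings on the constructed data land on pid 2300, which the process snapshot names svchost.exe; cross-checking that pid against the parent-child tree is the natural next step.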

Run Key and other AutoRun Persistence: The Run key and other AutoRun persistence methods are used by malware to ensure that it runs automatically when a system is booted up. By monitoring the Run key and other AutoRun persistence methods, it is possible to detect when malware is attempting to gain persistence on a system.

Scheduled Tasks: Scheduled tasks are automated tasks that run at a specified time or interval. Malware often uses scheduled tasks to ensure persistence and to perform malicious actions. By monitoring the scheduled tasks on a system, it is possible to detect suspicious or malicious behavior.

Artifacts of Execution (Prefetch and Shimcache): Artifacts of execution refer to the digital footprints that are left by executables on a system. Prefetch and Shimcache are two examples of artifacts of execution. Prefetch is a Windows feature that records information about the execution of applications to speed up their startup times. Shimcache is a Windows feature that records information about the execution of applications that have been shimmed to modify their behavior. By examining these artifacts of execution, it is possible to identify when and how executables were executed on a system.

Event Logs: Event logs are records of significant events that occur on a system. By examining the event logs on a system, it is possible to identify suspicious or malicious behavior. For example, a logon event from an unknown user account may indicate that an attacker has gained unauthorized access to a system.
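One review pass that covers the user, unusual-authentication, username-format and logon-event paragraphs together, as an added example that is not code from the original paper. The logon records, the directory export, the internal address prefixes, the business-hours window and the naming-convention pattern are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed logon records shaped like Security log logon events:
# (timestamp, account, source address, logon type, outcome). Rows with a
# comment are the planted anomalies; nothing here comes from a real host.
LOGONS = [
    ("2024-03-04T09:12:00", "CORP\\alice", "10.0.0.21", 2, "success"),
    ("2024-03-04T03:40:00", "CORP\\alice", "10.0.0.21", 10, "success"),         # off-hours RDP
    ("2024-03-04T11:05:00", "CORP\\svc_backup$$", "10.0.0.9", 3, "success"),    # odd name
    ("2024-03-04T14:30:00", "CORP\\j.doe", "198.51.100.8", 3, "success"),       # unknown, external
    ("2024-03-04T14:31:00", "CORP\\bob", "10.0.0.30", 3, "failure"),
]
KNOWN_USERS = {"CORP\\alice", "CORP\\bob", "CORP\\svc_backup"}   # assumed directory export
INTERNAL_NETS = ("10.", "192.168.")                               # assumed address plan
BUSINESS_HOURS = range(7, 20)                                     # assumed 07:00-19:59
# Assumed naming convention: DOMAIN\ then 3-20 chars of lowercase letters, digits,
# dot, hyphen or underscore, with at most one trailing $ for machine accounts.
USERNAME_RE = re.compile(r"^[A-Z]+\\[a-z0-9][a-z0-9._-]{2,19}\$?$")


def review_logons(records):
    """Return (account, reason) pairs for successful logons that break a rule."""
    findings = []
    for ts, account, src, ltype, outcome in records:
        if outcome != "success":
            continue   # failed attempts belong to a separate brute-force count
        hour = datetime.fromisoformat(ts).hour
        # Account is not in the local/domain user list we hold for this host.
        if account not in KNOWN_USERS:
            findings.append((account, f"logon by account not in directory export from {src}"))
        # Username does not fit the organisation's naming convention.
        if not USERNAME_RE.match(account):
            findings.append((account, "username outside naming convention"))
        # Interactive (2) or remote interactive (10) logon outside business hours.
        if hour not in BUSINESS_HOURS and ltype in (2, 10):
            findings.append((account, f"interactive logon (type {ltype}) at {ts[11:16]}"))
        # Source address outside the internal ranges this host should see.
        if not src.startswith(INTERNAL_NETS):
            findings.append((account, f"logon from address outside internal ranges: {src}"))
    return findings


if __name__ == "__main__":
    for account, reason in review_logons(LOGONS):
        print(f"{account}: {reason}")
```

The same function works unchanged on records exported from the Security log once they are mapped to the five-field shape shown.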

Anti-virus Detections: Anti-virus detections refer to the alerts generated by anti-virus software when it detects suspicious or malicious activity on a system. By monitoring the anti-virus detections on a system, it is possible to detect when malware has been installed or is attempting to execute.

In conclusion, host-based artifacts are crucial elements in threat detection and forensic investigations. By monitoring and analyzing running processes, services, parent-child process trees, integrity hash of background executables, installed applications, local and domain users, unusual authentications, non-standard formatted usernames, listening ports and associated services, DNS resolution settings and static routes, established and recent network connections, Run key and other AutoRun persistence, scheduled tasks, artifacts of execution (Prefetch and Shimcache), event logs, and anti-virus detections, it is possible to detect and investigate security incidents and prevent further compromise of a system.
