
Which Threat Artifacts are important when a system is compromised?

Last Modified: 2019-03-20
Hello Experts
I would like to collect the following Threat Artifacts from a compromised Windows System:
  • CPU
  • Routing-, ARP- & Process tables
  • Memory
  • Temporary files
  • Relevant data from storage media
What would you collect? Is there any best practice from NIST or anywhere?
Thanks a lot

Exec Consultant
Distinguished Expert 2019
A cheatsheet for incident response (intrusion discovery etc.) can be useful:
  1. Examine Log Files
  2. Check for Odd User Accounts and Groups
  3. Check All Groups for Unexpected User Membership
  4. Look for Unauthorized User Rights
  5. Check for Unauthorized Applications Starting Automatically
  6. Check Your System Binaries for Alterations
  7. Check Your Network Configurations for Unauthorized Entries
  8. Check for Unauthorized Shares
  9. Check for Any Jobs Scheduled to Run
  10. Check for Unauthorized Processes
  11. Look Throughout the System for Unusual or Hidden Files
  12. Check for Altered Permissions on Files or Registry Keys
  13. Check for Changes in User or Computer Policies
  14. Ensure the System has not been Joined to a Different Domain



I also have a list of IOC red flags for sensing potential hacks.

As you've tagged this as a Windows question, let's assume we're in Windows territory in which case:
  • changes to or new services
  • changes to list of startup programs
  • any programs or services running from a temp folder (e.g. %temp%)
  • sustained outbound network traffic
  • any process performing a lot of disk reads

These would be strong indicators that something needs investigating.
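The checklist in the first reply and the red flags in the second are the kind of thing you script so the collection comes out the same way on every host. The Python below is an added example, not code from the thread: it runs the built-in Windows tools that produce the tables the question lists (process, routing, ARP) and the checklist items (services, Run keys, scheduled tasks, shares, local admins), most volatile first, saves each output and records a UTC timestamp and SHA-256 per artifact in a manifest. The artifact names, the plan order, the manifest layout and the Temp-directory process check are this example's own assumptions.

```python
"""Order-of-volatility artifact collection for a Windows host (added example)."""
import csv
import hashlib
import io
import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Most volatile first: live network and process state before on-disk persistence.
# The names and command lines are this example's choices.
COLLECTION_PLAN = [
    ("network_connections", ["netstat", "-ano"]),
    ("arp_table",           ["arp", "-a"]),
    ("routing_table",       ["route", "print"]),
    ("process_table",       ["tasklist", "/v", "/fo", "csv"]),
    ("process_paths",       ["wmic", "process", "get",
                             "ProcessId,ExecutablePath,CommandLine", "/format:csv"]),
    ("services",            ["sc", "query", "state=", "all"]),
    ("scheduled_tasks",     ["schtasks", "/query", "/fo", "csv", "/v"]),
    ("run_keys",            ["reg", "query",
                             r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "/s"]),
    ("shares",              ["net", "share"]),
    ("local_admins",        ["net", "localgroup", "administrators"]),
]


def run_command(argv):
    """Run one tool and return (returncode, raw output). A missing tool is
    recorded as a failure instead of aborting the rest of the collection."""
    try:
        proc = subprocess.run(argv, capture_output=True, check=False)
    except FileNotFoundError as exc:
        return 127, str(exc).encode()
    return proc.returncode, proc.stdout + proc.stderr


def collect(out_dir, run=run_command, plan=COLLECTION_PLAN):
    """Execute the plan in order, save each output, and return the manifest."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for name, argv in plan:
        # UTC so the manifest correlates with logs from other hosts/time zones
        collected = datetime.now(timezone.utc).isoformat(timespec="seconds")
        rc, data = run(argv)
        (out_dir / f"{name}.txt").write_bytes(data)
        manifest.append({
            "artifact": name,
            "command": " ".join(argv),
            "collected_utc": collected,
            "returncode": rc,
            "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),  # integrity for chain of custody
        })
    (out_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def processes_from_temp(wmic_csv_text):
    """Flag processes whose image lives under a Temp directory (the red flag
    from the reply above). wmic /format:csv emits a leading blank line, a Node
    column and the properties in alphabetical order, so parse by header name."""
    rows = csv.DictReader(io.StringIO(wmic_csv_text.strip()))
    return [(row.get("ProcessId"), row["ExecutablePath"])
            for row in rows
            if row.get("ExecutablePath") and "\\temp\\" in row["ExecutablePath"].lower()]


if __name__ == "__main__":
    for entry in collect("triage_out"):
        print(f'{entry["artifact"]:20} rc={entry["returncode"]} sha256={entry["sha256"][:16]}...')
    raw = Path("triage_out/process_paths.txt").read_bytes()
    # wmic may write UTF-16 with a BOM when its output is captured
    text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode(errors="replace")
    for pid, exe in processes_from_temp(text):
        print("process running from Temp:", pid, exe)
```

Run it as an administrator on the suspect host with the output directory on removable media; the manifest hashes are what you write into the chain-of-custody record. The `run` parameter exists so the same collector can be driven with canned output for testing or with a remote execution wrapper.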
Thomas Zucker-Scharff, Solution Guide
IMHO, the strongest Indicators of Compromise (IOC) are
  1. File Type Changes
  2. Similarity Measurement
  3. Shannon Entropy

These three combined indicators of compromise have been shown (by Scaife, Carter, Traynor and Butler), when taken together, to be an almost 100% indicator of ransomware activity.

File Type Changes is defined as when the internal type of the file changes, not just the header information, when it is being written. This is not by itself an indicator of ransomware activity, but is one indicator that helps differentiate ransomware activity. A header change can be as simple as changing an image file header from JFIF to JFI. By deleting one character in the header information, the size of the file changes. Most image viewing programs will look at the content of the file and display the image without a problem. On the other hand, if you were to flip all 0’s and 1’s in a hex editor, that would make the file unreadable. Some programs will change the file contents when writing a file to disk, for instance when a program like MS Word does a "Save as PDF". Not only does the file type change from docx to pdf, but the contents of the file change to reflect the new format.

Similarity Measurement – this is a determination of how much the file is similar to itself.  Since encryption should result in very dissimilar files (if an encrypted file looked too similar to its unencrypted counterpart, it would not be very good encryption), this is another good indicator of suspicious activity.

Entropy is an indicator of the uncertainty of data.  Encrypted data has a naturally high entropy, so high entropy is a good indicator of suspicious activity.

These are the primary indicators of suspicious activity; secondary indicators could be used as well, but Scaife et al. found that the 3 primary indicators were sufficient to identify and stop nearly 100% of ransomware with a mean of only 10 files per identification being encrypted.
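To make the three indicators concrete, the following Python is an added example, not code from the thread or from Scaife et al.: it classifies a file by its content (byte magic) rather than its extension, measures similarity between the old and new content, computes Shannon entropy, and scores one write with all three. The 4-byte-shingle Jaccard similarity is a stand-in for the sdhash similarity digests the paper uses, the thresholds are this example's own choices, and the sample files and the XOR "encryptor" are constructed so the run is reproducible.

```python
"""Write-time ransomware indicators: type change, similarity, entropy (added example)."""
import hashlib
import math
from collections import Counter

# Content signatures; chosen for this example
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",   # docx, xlsx, jar ... are zip containers
    b"MZ": "pe",
}


def file_type(data):
    """Classify by content, the way a viewer would, not by extension."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data[:512]):
        return "text"
    return "unknown"


def shannon_entropy(data):
    """Bits per byte in 0.0..8.0; encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def similarity(a, b, k=4):
    """Jaccard similarity of k-byte shingles: 1.0 identical, about 0 unrelated.
    Stand-in for the sdhash similarity digest used in the paper."""
    sa = {a[i:i + k] for i in range(len(a) - k + 1)}
    sb = {b[i:i + k] for i in range(len(b) - k + 1)}
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def assess_write(before, after, entropy_threshold=7.0, similarity_threshold=0.1):
    """Score one file write (old content -> new content) with the three indicators."""
    sim = similarity(before, after)
    ent = shannon_entropy(after)
    t_before, t_after = file_type(before), file_type(after)
    flags = {
        "type_changed": t_before != t_after,
        "low_similarity": sim < similarity_threshold,
        "high_entropy": ent > entropy_threshold,
    }
    score = sum(flags.values())
    # A real monitor accumulates this per process over many writes; here a
    # single write that trips all three indicators is called ransomware-like.
    return {"type_before": t_before, "type_after": t_after,
            "similarity": round(sim, 3), "entropy_after": round(ent, 3),
            **flags, "score": score,
            "verdict": "ransomware-like" if score == 3 else "benign"}


def xor_keystream(data, key):
    """Constructed stand-in for a file encryptor: XOR with a SHA-256 counter
    keystream. Deterministic so the example is reproducible; not a recommended cipher."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(d ^ k for d, k in zip(data, stream))


# Constructed samples: a small JPEG-like file and a plain-text report.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"ABCD" * 1000 + b"\xff\xd9"
TEXT_SAMPLE = b"quarterly report\n" * 50
ENCRYPTED_JPEG = xor_keystream(JPEG_SAMPLE, b"example-key")   # ransomware-style rewrite
EDITED_TEXT = TEXT_SAMPLE + b"addendum: totals updated\n"      # ordinary user edit

if __name__ == "__main__":
    print("encrypt jpeg:", assess_write(JPEG_SAMPLE, ENCRYPTED_JPEG))
    print("edit text:   ", assess_write(TEXT_SAMPLE, EDITED_TEXT))
```

The ordinary edit keeps its type, stays similar to the old content and keeps low entropy, so it scores 0; the encrypted rewrite loses its JPEG signature, shares almost no shingles with the original and lands near 8 bits per byte, so it scores 3. Note that entropy alone would also flag a legitimately compressed or already-encrypted file, which is why the paper combines the indicators.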
madunix, Executive IT Director, MVE
Most Valuable Expert 2019
When you have to respond to an incident, you will be able to meet it more efficiently and effectively if you already have the right processes, personnel, and tools in place.

You should be able to:
• Detect compromises as quickly and efficiently as possible.
• Respond to incidents as quickly as possible.
• Identify the cause as effectively as possible.

In response to the incident, you should:
• Secure data.
• Contain the incident.
• Recover from the incident to return to normal operations as quickly as possible.
• Identify how the incident occurred.
• Identify how to prevent further exploitation of the same vulnerability.
• Assess the impact and damage.
• Update policies and processes as needed.

Logging (NIST 800-92) is useful for security analysis and incident forensics. Logs should be protected from tampering. To provide logging integrity, you should hash both the log entries and the files that contain them. You should not periodically purge older log entries because older log entries may be needed during forensic analysis. Logging functions should allow new records but prevent older records from being revised or deleted. For consistency, use universal time (UTC or GMT), not the time zone of local users, for event correlation. I recommend using SIEM tools for log management and analysis. A properly configured SIEM can provide you with incredible insight into your environment.

Tools used for Incident Response and Forensics:
• EnCase
• Clonezilla
• TestDisk
• Foremost
• The Sleuth Kit (TSK)
• Forensic Toolkit (FTK)
• FTK Imager
• Forensics Explorer
• SANS Investigative Forensic Toolkit (SIFT)
• Digital Forensics Framework (DFF)
• Computer Online Forensic Evidence Extractor (COFEE)
• WindowsSCOPE
• Volatility
• WinDbg
• Magnet RAM Capture
• PMDump
• HashMyFiles
• HashKeeper
• OSFClone
• dcfldd
• log2timeline
• Wireshark
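The log-integrity points above (hash the entries and the file, UTC timestamps, allow appends but not revisions) can be implemented as a hash chain. The Python below is an added example, not code from the thread or from NIST SP 800-92: every record carries the SHA-256 of the record before it, so revising or deleting an old record breaks every hash after it, and the head hash plus the file digest are what you keep off the box (for instance in the SIEM) to prove the copy you analyse later is the one that was written. The record layout, the GENESIS value and the sample events are constructed for this example.

```python
"""Hash-chained, append-only log with UTC timestamps (added example)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # previous-hash value of the first record (example's choice)


def record_hash(prev_hash, ts, message):
    """Hash the fields with a separator so 'ab'+'c' and 'a'+'bc' cannot collide."""
    h = hashlib.sha256()
    for part in (prev_hash, ts, message):
        h.update(part.encode("utf-8"))
        h.update(b"\x00")
    return h.hexdigest()


def append_record(chain, message, ts=None):
    """Append one event. The timestamp is always UTC so hosts correlate cleanly."""
    ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = {"ts": ts, "msg": message, "prev": prev, "hash": record_hash(prev, ts, message)}
    chain.append(rec)
    return rec


def verify_chain(chain, expected_head=None):
    """Return (True, None) if intact, else (False, index of the first bad record).
    Only with expected_head can a truncated tail be detected; it is reported
    at index len(chain)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != record_hash(prev, rec["ts"], rec["msg"]):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def write_log(chain, path):
    """Write JSON lines and return the SHA-256 of the file bytes (the file-level hash)."""
    data = "".join(json.dumps(rec, sort_keys=True) + "\n" for rec in chain).encode()
    with open(path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()


def load_log(path):
    """Read the file back; return (records, file digest) for comparison with write_log's."""
    with open(path, "rb") as f:
        data = f.read()
    records = [json.loads(line) for line in data.decode().splitlines() if line]
    return records, hashlib.sha256(data).hexdigest()


def sample_chain():
    """Constructed Windows-style events with fixed UTC timestamps."""
    chain = []
    append_record(chain, "4624 logon user=alice src=10.0.0.5", "2019-03-20T08:00:00+00:00")
    append_record(chain, "7045 service installed name=updsvc path=C:\\Windows\\Temp\\u.exe",
                  "2019-03-20T08:00:05+00:00")
    append_record(chain, "4720 user account created name=backup$", "2019-03-20T08:00:09+00:00")
    return chain


if __name__ == "__main__":
    chain = sample_chain()
    head = chain[-1]["hash"]
    print("intact:", verify_chain(chain, head))
    chain[1]["msg"] = "7045 service installed name=wuauserv"   # attacker rewrites history
    print("after edit:", verify_chain(chain, head))
    chain = sample_chain()
    chain.pop()                                                 # attacker deletes the last event
    print("truncated, head unknown:", verify_chain(chain))
    print("truncated, head known:  ", verify_chain(chain, head))
```

The two truncation results are the practical point: without the head hash stored somewhere the attacker cannot reach, deleting the newest records leaves a chain that still verifies, which is why the head (and the file digest from write_log) belongs on the SIEM or another append-only store rather than only on the host.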

Hopeleonie, IT Manager
Thanks to all.