This is a massive oversimplification of the nature and value of each of these artifacts, in addition to just being an extremely poor analytic process; that is, viewing single artifacts in isolation to establish a finding.
First, let me say, I get it...I really do.
We know that the prefetcher monitors the first 10 seconds of execution, and tracks files that are loaded.
We know that application prefetching is enabled by default on workstations, but not servers.
Windows Event Log records include time stamps, as do MFT records, Registry keys and some values.
Our analytic process needs to encompass two concepts...artifact constellations, and validation.
First off, we don't ever look at single artifacts to establish findings; rather, we need to incorporate multiple, disparate data sources, through a process of parsing, normalization, decoration and enrichment to truly determine the context of an event.
Looking at a log entry, or a record from EDR telemetry, by itself does not truly tell us whether something executed successfully.
I've seen malware launched, visible through EDR telemetry and log sources, that never succeeded.
Each time it launched, it generated an error, per Windows Error Reporting.
I've seen malicious installation processes fail to install.
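As an added illustration (not code from the original post), the script below models the parse, normalize and correlate step the post describes: constructed records from EDR telemetry, a Windows Error Reporting event (Application log, Event ID 1001) and Prefetch are folded into one timeline, and each process start is only called "ran" or "launched but crashed" once another artifact corroborates it. The field names are assumptions standing in for whatever each parser actually emits.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real case data) from three disparate sources.
# Field names are assumptions standing in for what each parser would emit.
EDR_TELEMETRY = [
    {"ts": "2023-12-11T09:14:02Z", "event": "process_start",
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"},
    {"ts": "2023-12-11T09:20:45Z", "event": "process_start",
     "image": "C:\\Windows\\System32\\notepad.exe"},
]
WER_EVENTS = [  # Application log, Event ID 1001 (Windows Error Reporting)
    {"TimeCreated": "2023-12-11T09:14:03Z", "EventID": 1001,
     "AppName": "update.exe", "Bucket": "APPCRASH"},
]
PREFETCH = [  # as parsed from .pf files
    {"exe": "UPDATE.EXE", "last_run": "2023-12-11T09:14:02Z", "run_count": 1},
    {"exe": "NOTEPAD.EXE", "last_run": "2023-12-11T09:20:45Z", "run_count": 7},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def normalize():
    """Parse each source into one schema: (time, source, subject, detail)."""
    rows = []
    for r in EDR_TELEMETRY:  # decorate each row with its source and a common subject key
        rows.append((_ts(r["ts"]), "edr", r["image"].rsplit("\\", 1)[-1].lower(), r["event"]))
    for r in WER_EVENTS:
        rows.append((_ts(r["TimeCreated"]), "wer", r["AppName"].lower(), r["Bucket"]))
    for r in PREFETCH:
        rows.append((_ts(r["last_run"]), "prefetch", r["exe"].lower(), f"run_count={r['run_count']}"))
    return sorted(rows)

def validate_execution(timeline, window_seconds=10):
    """For each EDR process start, collect corroborating artifacts and decide."""
    findings = []
    window = timedelta(seconds=window_seconds)  # matches the prefetcher's 10 s monitoring window
    for when, src, subject, detail in timeline:
        if src != "edr" or detail != "process_start":
            continue
        nearby = [(s, d) for (t, s, sub, d) in timeline
                  if sub == subject and s != "edr" and when <= t <= when + window]
        sources = sorted({s for s, _ in nearby})
        crashed = any(s == "wer" for s, _ in nearby)  # WER 1001 close behind the launch: it did not run cleanly
        status = "launched_but_crashed" if crashed else ("ran" if "prefetch" in sources else "unvalidated")
        findings.append({"exe": subject, "time": when.isoformat(),
                         "corroborated_by": sources, "status": status})
    return findings
```

With these records, update.exe is reported as launched but crashed (EDR start plus Prefetch plus a WER 1001 one second later), while notepad.exe is reported as ran; an EDR start with nothing else around it would stay "unvalidated" rather than become a finding.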
If you're going to continue to view single artifacts in isolation, then please understand the nature and nuance of the artifacts themselves.
Thoroughly review this research regarding AmCache, as well as Mandiant's findings regarding ShimCache.
Over the years, I've found it far more straightforward to incorporate these artifacts into an overall analysis process: doing so continually demonstrates the value of the individual artifacts, and it provides insight into the intent and capabilities of the threat actor.
This Cyber News was published on windowsir.blogspot.com. Publication date: Mon, 11 Dec 2023 13:43:07 +0000