Detections

Recent modifications to the ConsoleHost_history.txt file located in C:\Users\%username%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine may indicate the file has been deleted and subsequently automatically recreated by the Operating System. This may represent an anti-forensics technique if the subject in question is known to have used PowerShell any time prior to the “Created” timestamp of the ConsoleHost_history.txt file.

If the ConsoleHost_history.txt file located in C:\Users\%username%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine, is missing, this indicates that the file has been deleted. This may represent an anti-forensics technique if the subject in question is known to have used PowerShell any time.

Windows Event Log ID 4660 “An object was deleted” is generated when an object was deleted, such as a file system, kernel, or registry object. This Event is not enabled by default, and requires “Delete” auditing to be enabled in the object’s System Access Control List (SACL). This event doesn’t contain the name of the deleted object, so investigators must also utilize Event ID 4663.

Windows Event Log ID 4663 “An attempt was made to access an object” can be used in combination with Event ID 4660 to track object deletion. This Event is not enabled by default, and requires “Delete” auditing to be enabled in the object’s System Access Control List (SACL).

This may represent an anti-forensics technique if there is no reasonable explanation for why the objected was deleted from the system.

Windows Event Log ID 1102 “The audit log was cleared” is generated when the Windows Security audit log has been cleared. This Event contains the account's SID, name, and domain that cleared the log.

This may represent an anti-forensics technique if there is no reasonable explanation for why the Event Log was cleared on this system.

The Spool files can typically be found in the following directory: C:\\Windows\\System32\\spool.

A spool file with a .SPL extension contains the actual print data. This data can be in various formats, including RAW, EMF (Enhanced Metafile), or other printer-specific formats.

The spool file is stored in the spool directory associated with the printer until the print job is completed. Once the print job is finished and successfully printed, the .SPL file is typically deleted.

A job control language file with a .SHD extension contains metadata about the print job, such as document properties, print settings, and information about the account that submitted the print job.

The .SHD file is also stored in the spool directory during the print job's processing. Unlike the .SPL file, the .SHD file can sometimes persist longer, but it is generally deleted after the print job is completed or upon system cleanup.

If the files are not present, it may be possible to use file carving techniques on a disk image to retrieve .SPL and .SHD files. Content and metadata analysis can be conducted to identify timestamps, document names, and user names.

The Windows Registry stores information about installed printers and their configurations. The following registry keys can be useful to investigators:

• Printer settings -  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers
• User-specific settings -  HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices

Windows logs print job activities to Event logs, containing information such as job creation, completion, errors, and adding or deleting printer devices.

Windows Logs -> System

Event ID 307 - A document was printed.

Event ID 310 - A document failed to print.

Event ID 701 - Printer status changed.

Event ID 703 - Printer object added.

Event ID 804 - Document resumed for printing.

Event ID 805 - Printer driver was installed.

Applications and Services Logs -> Microsoft -> Windows -> PrintService -> Operational

Event ID 808 - Printer driver was installed.

Event ID 843 - The print spooler failed to import the printer driver.

Event ID 1000 - Document print started.

Event ID 1001 - Document was printed.

Event ID 1100 - Printer was added.

Event ID 1101 - Printer was deleted.

Event ID 1200 - Print spooler service started.

Event ID 1201 - Print spooler service stopped.

A tamper seal can be used to protect against tampering or unauthorized access of an object. Tamper seals can provide visual evidence if an object has been opened or attempted to be opened.

By using files with canary tokens as tripwires, investigators can create an early warning system for potential collection activities before a data exfiltration infringement occurs.

By strategically placing these files on endpoints, network shares, FTP servers, and collaboration platforms such as SharePoint or OneDrive, the canaries monitor for access and automatically trigger an alert if an action is detected.

A honeypot is a decoy system that mimics a legitimate system or service, enticing a malicious actor to interact with it. It records any interaction for later review.

In cyber deception, a "honey user" (or "honey account") is a decoy user account designed to detect and monitor malicious activities. These accounts attract attackers by appearing legitimate or using common account names, but any interaction with them is highly suspicious and flagged for investigation. Honey users can be deployed in various forms, such as Active Directory users, local system accounts, web application users, and cloud users.

Running the command CMD /K WMIC OS GET InstallDate within Command Prompt (standard privileges) provides the date and time the operating system was installed.

This can help determine if the operating system has been reinstalled by a subject, if the date is sooner than the device was provisioned to the individual.

NTFS timestamps have a precision of 100 nanoseconds. Identifying files with timestamps such as 2023-10-10 10:10:00.000:0000 is considered highly unlikely.

This may represent an anti-forensics technique where the subject has conducted timestomping to hide new files or obscure changes made to existing files.

By autonomously collecting log files from a system and transporting them to another system, such as a SIEM collector, they are typically no longer accessible by the subject, preventing them from being able to delete them. These can aid in investigations where a subject has deleted local logs.

A subject may delete a local Windows user account to delete files associated with this user.

Event ID 4726 in Windows Security logs is called "User Account Deleted." This event is logged when a user account is deleted from the local system.

This may represent an anti-forensics technique if there is no reasonable explanation for why the user was deleted from the system.

A subject may power off a system to prevent the contents of memory being read.

Event ID 41 documents when “The system has rebooted without cleanly shutting down first”.

Event ID 1074 documents when “The system has been shutdown properly by a user or process”.

This may represent an anti-forensics technique if there is no reasonable explanation for why the system was powered off.

Mozilla's Firefox browser stores the history of accessed websites.

On Windows, this information is stored in the following location:

C:\Users\<Username>\AppData\Roaming\Mozilla\Firefox\Profiles\<Profile Name>\

On macOS:

/Users/<Username>/Library/Application Support/Firefox/Profiles/<Profile Name>/

On Linux:

/home/<Username>/.mozilla/firefox/<Profile Name>/

In this location two database files are relevant, places.sqlite (browser history and bookmarks) and favicons.sqlite (favicons for visited websites and bookmarks).
 

These database files can be opened in software such as DB Browser For SQLite.

Microsoft's Edge browser stores the history of accessed websites and files downloaded.

On Windows, this information is stored in the following location:

C:\Users\<Username>\AppData\Local\Microsoft\Edge\User Data\Default\

On macOS:

/Users/<Username>/Library/Application Support/Microsoft Edge/Default/

On Linux:

/home/<Username>/.config/microsoft-edge/Default/

Where /Default/ is referenced in the paths above, this is the default profile for Edge, and can be replaced if a custom profile is used. In this location one database file is relevant, history.sqlite.
 

This database file can be opened in software such as DB Browser For SQLite. The ‘downloads’ and ‘urls’ tables are of immediate interest to understand recent activity within Chrome.

Google's Chrome browser stores the history of accessed websites and files downloaded.

On Windows, this information is stored in the following location:

C:/Users/<Username>/AppData/Local/Google/Chrome/User Data/Default/

On macOS:

/Users/<Username>/Library/Application Support/Google/Chrome/Default/

On Linux:

/home/<Username>/.config/google-chrome/Default/

Where /Default/ is referenced in the paths above, this is the default profile for Chrome, and can be replaced if a custom profile is used. In this location one database file is relevant, history.sqlite.
 

This database file can be opened in software such as DB Browser For SQLite. The ‘downloads’ and ‘urls’ tables are of immediate interest to understand recent activity within Chrome.

Shellbags are a set of Windows registry keys that contain details about a user-viewed folder, such as its size, position, thumbnail, and timestamps. Typically Shellbag information is created for folders that have been opened and closed with Windows File Explorer and default settings adjusted. However, Shellbag information can be created under various situations across different versions of Windows.

Shellbags are located in the following registry keys:

Windows XP

NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags

Windows 7 and later

NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags
 

Shellbags can disclose information about USB removable storage drives that are connected to the system, disclosing the drive letter and any files that were accessed from the drive.

Located at HKLM\SYSTEM\ControlSet001\Enum\USBSTOR in the Windows registry, it holds comprehensive details for each device connected via USB ports. This key features individual subkeys for every device connected to the system, where you can find extensive information, including; timestamps, serial number, unique ID, container ID, friendly name, device name, make, model and type.

These details can be cross-referenced with evidence in the MountedDevices and USB registry keys.

Located at HKLM\SYSTEM\ControlSet001\Enum\USB, it provides a rich information source about USB devices connected to a Windows system. The information you can typically find under this key includes; connection status, information from the USBSTOR registry key, last write time, and installation date.

These details can be cross-referenced with evidence in the MountedDevices and USBSTOR registry keys.

Located at HKLM\SYSTEM\MountedDevices, this registry key provides insights into the most recently mounted devices mounted to the system, such as USB drives, hard drives, and other storage devices. It records detailed information that may include; drive letter, volume GUID, and information from the USBSTOR registry key.

These details can be cross-referenced with evidence in the USB and USBSTOR registry keys.

This Event log is not enabled by default.

The log file can be located at %systemroot%\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx.

Once a USB drive is connected, the logs will begin to populate. Each log entry includes the device ID (as registered in the system), the time it was logged, and a description of the occurrence.

Event ID 2003 marks the initiation of a USB device connection. This event logs when a USB device is first recognized and connected to the system. Event IDs 2100 and 2102 track when a USB device is disconnected or a connection session ends. Event ID 2100 typically captures an intermediate disconnection, while Event ID 2102 logs the final disconnection of the USB device. By correlating the timestamps associated with the same Device ID, an investigator can determine the duration for which a USB device was connected to the system.

The setupapi.dev file, located in %systemroot%\INF\setupAPI.dev, is a text file that documents the details of the first time a specific device was connected to the computer. This file ensures the system has the appropriate drivers to read and access the media. Each log entry in this file begins with a section header, where the latter part includes the device ID. This file does not provide information as to when the device was unplugged or disconnected.

LNK files or Shortcut files are stored in the location C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent Items and have the “.lnk” file extension.

These files are automatically created when a user account accesses a file through Windows Explorer.

This artifact can provide information as to when a file was accessed, modified, and created, the file path and name, and the file size. .LNK files persist even if the actual file has been deleted, helping to uncover if a file has been accessed then subsequently deleted or moved as it is no longer present in the recorded full file path.

In modern versions of the Windows operating system, the prefetch feature serves an important function in speeding up the run time of applications. It does this by creating a cache of information on an application on its first run that is is stored for later reference in c:\windows\prefetch, these files are created with the extension .pf and have the following format <EXECUTABLE>-<HASH>.pf.

These created files contain the created and modified timestamps of the respective file, the file size, process path, how many times it has been run, the last time it was run, and resources it references in the first 10 seconds of execution.

Since every executable that is run will have a prefetch file created when the feature is enabled, the prefetch directory and the contents within it can offer new and valuable insights during an investigation, particularly when the original executable no longer exists.

Metadata can provide rich information about a file and its content. This can include modified, accessed, and created timestamps, file type, file size, and more.

EXIF stands for Exchangeable Image File Format and is a standard that governs the formats for images, sound, and ancillary tags used by digital cameras, including those in smartphones and other systems. The essential feature of EXIF is that it embeds the metadata into the image files. It can provide detailed information about an image, including the date and time, camera settings, camera specifications, thumbnails, geographical location information, and orientation.

Audit Daemon (auditd) is a powerful tool in Linux for tracking and logging system events, including file access. It’s part of the Linux Auditing System, which provides detailed and customizable logging of various types of system activity.

Below is an example auditd rule to detect timestamp modification:

sudo nano /etc/audit/rules.d/audit.rules
Opens the auditd rules file with the Nano editor. Add the following line:

-a always,exit -F arch=b64 -S utimensat -F key=timestamp-changed

-a Add a rule to the audit system

always,exit Apply this rule to both the entry and exit points of the system call. It means that audit records will be generated both when the system call starts and when it ends

-F arch=b64 Filter condition. Specifies that this rule applies to 64-bit architecture (this can be replaced with -F arch=b32)

-S utimensat Specifies the utimensat system call to be audited

-F key=timestamp-changed Adds a key to the rule for easier identification in the logs

To review audit logs related to this rule, we can use ausearch (ausearch -k timestamp-changed) or read and retrieve lines from the raw audit logs with grep (sudo grep timestamp-changed /var/log/audit/audit.log).

Thumbnail Cache, a feature introduced in Windows operating systems starting with Windows Vista, enhances the user experience by caching thumbnail images of files. This functionality, when enabled, speeds up and makes loading these images more efficient in various views, such as File Explorer, by generating preview images or thumbnails for various multimedia files.

This artifact can provide evidence of the presence of files even if they have been deleted.

CCTV can be used to observe activity within or around a site. This control can help to detect preparation or infringement activities and record it to a video file.

When Remote Desktop is used to create a connection to a remote machine, it creates entries in the Windows registry that persist after the session has ended. These registry entries can be used in an investigation to provide insight into what remote system(s) a user account has connected to.

Registry keys are created under the Servers key for each remote system that has been connected to, with the name being the IP address of the remote system. These artifacts are located in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers.

This artifact can be analyzed using the standard Registry Editor, or a third party tool such as RegistryExplorer.

Persistent bitmap caching within remote desktop protocol allows the client to cache images locally, which can be pieced together using tools to identify cached images taken from the RDP session.

This artifact is located in C:\Users\<user>\AppData\local\microsoft\Terminal Server Client\Cache.

Windows Jump Lists are a feature that provides quick access to recently or frequently used files.

Audit Daemon (auditd) is a powerful tool in Linux for tracking and logging system events, including file access. It’s part of the Linux Auditing System, which provides detailed and customizable logging of various types of system activity.

Below is an example auditd rule to detect file access:

sudo nano /etc/audit/rules.d/audit.rules
Opens the auditd rules file with the Nano editor. Add the following line:

-w /path/to/directory -p war -k file_access

-w specifies the file or directory to monitor

-p specifies the permissions to monitor (write, attribute change, read)

-k specifies the key to help identify the rule

To review audit logs related to this rule, we can use ausearch (ausearch -k file_access) or read and retrieve lines from the raw audit logs with grep (sudo grep file_access /var/log/audit/audit.log).

On Windows 10, we can find the Recycle Bin directory for all users located at C:\$Recycle.Bin. Insider this location are sub-folders using user account SIDs for the naming convention. To get a list of user accounts on a system Windows Management Instrumentation Command (WMIC) can be used: wmic useraccount get name,SID.

Files that begin with $R followed by a random string contain the true file contents of the recycled file.

Files that begin with $I and end in the same string as the $R file counterpart contain the metadata for that specific file, such as the original filename, path, size, and timestamp of when the file was deleted.

If the user has emptied the Recycle Bin, we lose this artifact and cannot analyze it. Instead, we would need to carve these files from a disk image.

Depending on the solution used, web proxies can provide a wealth of information about web-based activity. This can include the IP address of the system making the web request, the URL requested, the response code, and timestamps.

An organization must perform SSL/TLS interception to receive the most complete information about these connections.

Message trace is a feature within Exchange that permits the ability to identify inbound and outbound emails within the organization.

This can be used to see which mailboxes have sent or received emails, the time, the subject line, and recipients.

Email gateway solutions offer the ability to trace inbound and outbound emails to an organization. This can be used to retrieve information such as emails sent or received, the subject line, content, attachments, timestamps, and recipients.

Network Intrusion Detection Systems (NIDS) can alert on abnormal, suspicious, or malicious patterns of network behavior. 

This detection is not enabled by default and requires additional configuration.

System Monitor (Sysmon) Event ID 1 is used to record process execution. Reviewing these logs can determine what software has been run on a system.

The Debian Package Management (dpkg) utility is responsible for software installation and management. This tool provides one or more log files, located at /var/log/dpkg.log.

This log contains the timestamp, the action conducted, and the package name and version.

To view pakage installs, the following command can be used: grep “ install ” /var/log/dpkg.log*

To view package uninstalls, the following command can be used: grep “ remove ” /var/log/dpkg.log*

An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user Is expected to conduct the activity.

The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).

Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.

Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms.

An agent capable of Endpoint Detection and Response (EDR) is a software agent installed on organization endpoints (such as laptops and servers) that (at a minimum) records the Operating System, application, and network activity on an endpoint.

Typically EDR operates in an agent/server model, where agents automatically send logs to a server, where the server correlates those logs based on a rule set. This rule set is then used to surface potential security-related events, that can then be analyzed.

An EDR agent typically also has some form of remote shell capability, where a user of the EDR platform can gain a remote shell session on a target endpoint, for incident response purposes. An EDR agent will typically have the ability to remotely isolate an endpoint, where all network activity is blocked on the target endpoint (other than the network activity required for the EDR platform to operate).

An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.

The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.

A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.

Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms.

A Data Loss Prevention (DLP) solution refers to policies, technologies, and controls that prevent the accidental and/or deliberate loss, misuse, or theft of data by members of an organization. Typically, DLP technology would take the form of a software agent installed on organization endpoints (such as laptops and servers).

Typical DLP technology will alert on the potential loss of data, or activity which might indicate the potential for data loss. A DLP technology may also provide automated responses to prevent data loss on a device.

Social Media Monitoring refers to monitoring social media interactions to identify organizational risks, such as employees disclosing confidential information and making statements that could harm the organization (either directly or through an employment association).

Custom or pre-built detection logic can be used to determine if a user account has authenticated from two geographic locations in a period of time that is not feasible for legitimate travel between the locations.

Logging DNS requests made by corporate devices can assist with identifying what web resources a system has attempted to or successfully accessed.

Audit Logs are records generated by systems and applications to document activities and changes within an environment. They provide an account of events, including user actions, system modifications, and access patterns.

The .bash_history file, located within a user's directory on MacOS and Linux, is written with command history from shell sessions.

If the file is missing, this could indicate that it has been deleted, if a user account has used a shell utility previously.

The .bash_history file, located within a user's directory on MacOS and Linux, is written with command history from shell sessions.

If the file has a Created timestamp, but a user has used a shell utility previously, this may indicate the file was deleted and manually or automatically re-created.

Detailed PowerShell logging is not enabled by default and must be configured.

PowerShell is able to record the processing of commands, script blocks, functions, and scripts whether invoked interactively, or through automation. These can be reviewed as Windows Event logs to the PowerShellCore/Operational log as Event ID 4104.

Additional configuration may be required for these Event logs to be generated.

Within the Security log, Event ID 4726 (A user account was deleted) and Event ID 4743 (Computer account was successfully deleted) can be used to identify account deletion.

These two Event logs contain the account domain, name, and SID of both the account requesting the deletion, and the target account to be deleted.

Google's Chrome browser stores cookies that can reveal valuable insights into user behavior, including login details, session durations, and frequently visited sites.

On Windows, this information is stored in the following location:

C:\Users\[Username]\AppData\Local\Google\Chrome\User Data\Default\Network\cookies.

This database file can be opened in software such as DB Browser For SQLite. The ‘cookies' table is of interest to understand recent activity within Chrome.

Google's Chrome browser stores some login data of accessed websites, that can provide the URLs and usernames used for authentication.

On Windows, this information is stored in the following location:

C:\Users\[Username]\AppData\Local\Google\Chrome\User Data\Default\Login Data.

This file is a database file and can be opened in software such as DB Browser For SQLite. The ‘logins’ and ‘stats’ tables are of immediate interest to understand saved login data.

The passwords are not visible as they are encrypted. However, the encryption key is stored locally and can be used to decrypt saved passwords. The key is stored in the file C:\Users\[Username]\AppData\Local\Google\Chrome\User Data\Local State, which can be read with any text editor, such as Notepad, and searching for the “encrypted_key” value. The tool decrypt_chrome_password.py (referenced) can decrypt the AES-encrypted passwords to plaintext.

Google's Chrome browser stores the history of accessed websites and files downloaded.

On Windows, this information is stored in the following location: C:\Users\[Username]\AppData\Local\Google\Chrome\User Data\Default\Login Data. This file is a JSON file and can be opened in any text editor, such as Notepad. This contains the URL, page title, date added, and date the bookmark was last used.

Google's Chrome browser stores details about any browser extensions that are installed, providing the user with additional functionality.

On Windows, this information is stored in the following location: C:\Users\[Username]\AppData\Local\Google\Chrome\User Data\Default\Extensions. Several directories will be listed, each one representing an installed extension. The directories and files inside, notably 'manifest.json', will contain information about the extension and its functionality. This can be combined with OSINT to learn more about the extension.

The contents of Notepad sessions can be recovered, even if the user has not saved the .txt file. This artifact is located in C:\Users\[Username]\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState.

Each Notepad tab will have three files [GUID].bin, [GUID].0.bin, [GUID].1.bin where [GUID].bin is the actual tab content. This file can be opened to retrieve the strings in any text editor, or PowerShell can be used with the Get-Content cmdlet to read a specific file, or read all .bin files in a location: Get-Content *.bin.

From the Microsoft 365 Admin Center homepage (https://admin.microsoft.com/#/homepage), after a specific user account has been selected under ‘Users’ > ‘Active Users’, it is possible to view limited sign-in activity under ‘Last sign-in’ > ‘View last 30 days’.

This displays the Date, Status, and Failure reason (if appropriate).

From the Microsoft Entra Admin Center (https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), or through the Azure Portal (https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), it is possible to view detailed sign-in logs for user accounts.

This information includes (but is not limited to) the Date, User, Application, Status, IP Address, and Location.

CloudTrail logs by themselves, or in conjunction with CloudWatch, can be used to identify resource deletion events. These logs contain the account that performed the action (within the userIdentity field), a timestamp (within the eventTime field), and more detailed information depending on what resource was deleted. Some eventName examples include; DeleteBucket (For S3 bucket deletion), DeleteDBInstance (For RDS deletion), and TerminateInstances (For EC2 termination).

GCP Cloud Audit Logs can be used to identify resource deletion events. These logs contain the account that performed the action (within the Principal field), a timestamp, and more detailed information depending on what resource was deleted. Some query examples include; resource.type="gcs_bucket" and protoPayload.methodName="storage.buckets.delete" for bucket deletion and resource.type="gce_instance" and protoPayload.methodName="v1.compute.instances.delete" for computer instance deletion.

Azure Activity Log can be used to identify resource deletion events by using the search bar to filter by operations related to deletion, such as Delete or Delete Resource. These logs contain the account that performed the action (within the Caller field), a timestamp and more detailed information depending on what resource was deleted (within the Resource, Status, and Properties fields).

Financial auditing independently reviews financial records to ensure accuracy and compliance, detecting irregularities and evaluating internal controls. It protects against abuse by identifying fraud and deterring dishonest behavior through increased accountability.

By comparing three notable Event IDs, it is possible to build a timeline of when a user account was actively logged into a system. This can help to identify potential periods of inactivity where the account isn't actively being used.

Event ID 4624:  A user successfully logged on to a computer.

Event ID 4634:  The logoff process was completed for a user.

Event ID 4647:  A user initiated the logoff process.

Commercial security software may have the ability to generate alerts when suspected tampering is detected, such as interacting with the process in memory, or attempting to access files related to its operation.

Event ID 4946: A change has been made to Windows Firewall exception list. A rule was added.

This event indicates that a change has been made to the Windows Firewall settings and typically logs information about the specific settings that were changed.

Event ID 4947: A change has been made to Windows Firewall exception list. A rule was modified.

This event is logged when an outbound rule is modified in the Windows Firewall. It provides details about the rule that was changed.

Event ID 4948: A change has been made to Windows Firewall exception list. A rule was deleted.

This event is logged when an inbound rule is modified in the Windows Firewall. It provides details about the rule that was changed.

Event ID 4950: A Windows Firewall setting has changed.

This event indicates that a change has been made to the Windows Firewall's global configuration, such as enabling or disabling the firewall.

The MRU (Most Recently Used) Map Network Drive is a Windows registry key located at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU. This key stores information about recently mapped network drives. By examining the entries in this key, investigators can identify which network drives were mapped by the computer to which drive letter.

TypedPaths is a Windows registry key located at NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths. This key records the last 25 paths entered or pasted into the path bar of Windows File Explorer. By analyzing the entries within TypedPaths registry key, investigators can uncover information about recent access to network resources through Explorer.

In Microsoft Windows, when a subject maps a network drive persistently, a key named after the drive letter will appear in the Windows registry location HKEY_CURRENT_USER\Network\.  Each subkey under the Network key corresponds to a mapped network drive and contains information about the drive, including the network share path and the username used to connect to it.

Shellbags are a set of Windows registry keys that contain details about a user-viewed folder, such as its size, position, thumbnail, and timestamps. Typically Shellbag information is created for folders that have been opened and closed with Windows File Explorer and default settings adjusted. However, Shellbag information can be created under various situations across different versions of Windows.

Shellbags are located in the following registry keys:

Windows XP

NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags

Windows 7 and later

NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags
 

Shellbags can disclose information about network drives that have been mapped to the system, such as FTP servers and samba shares, including the drive letter and any files accessed from the drive.

MountPoints2 is a Windows Registry key used to store information about previously connected removable devices, such as USB drives, CDs, and other external storage media. It is located at:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Each subkey under MountPoints2 represents a unique device, often identified by its GUID (Globally Unique Identifier) or other unique identifier.
These subkeys can contain various values that describe the properties and behavior of the corresponding device, such as the assigned drive letter, volume label, and other relevant data.

Bash history refers to the commands, files, and shortcuts that record the commands run in a Bash shell. Bash history can be viewed in a Bash shell with the history command.

By default, history stores commands in RAM until the user logs out of the terminal, then writes them to ~/.bash_history. The history buffer is limited to 1,000 command entries, and the history file to 2,000 entries.

It is trivial for the ~/.bash_history file to be modified with a text editor, where entries can be deleted or falsified.

On Windows, when PowerShell is used to interact with AzureAD, .log files are written to disk in the following location:

C:\Users\<Username>\AppData\Local\Microsoft\AzureAD\Powershell

These TXT .log files contain information about activities and the timestamps they occurred, and can help understand how a system is communicating with AzureAD including the account name, tenant ID, and domain name.

This artifact is only generated where both “Clipboard History” and “Clipboard history across your devices” is enabled within the Windows system settings for clipboard.

ActivitiesCache.db is associated with the Windows Timeline feature, which was introduced in Windows 10, allowing users to keep track of their activities across different devices and sessions.

This artifact is located in:

C:\Users\Username\%AppData%\Local\ConnectedDevicesPlatform\<UserProfile>\
 

This .db file can be opened using appropriate software, such as DB Browser for SQLite. The ActivityOperations table is of interest, with the following notable fields:

• StartTime (epoch time) – When the data was first copied to the clipboard 
• ExpirationTime (epoch time) – When the data will be deleted from the ActivitiesCache.db (roughly 12 hours) 
• ClipboardPayload – Base64 encoded string of the clipboard contents  
• Payload – This field tells you where the clipboard data was copied from
• ActivityType – Type 10 means data resides in clipboard, Type 16 shows if data was copied or pasted

MFT Entry Number Sequence Irregularities refer to inconsistencies where the sequential order of Master File Table (MFT) entries in an NTFS file system does not align with the chronological order of file timestamps. Such irregularities can indicate potential file manipulation or tampering, such as timestamping, where timestamps are altered to obscure the true timeline of file creation or modification.

If multiple files have suspiciously aligned creation or modification times or identical timestamps but different entry numbers, this might indicate that the timestamps were manually set to specific values rather than being naturally generated by the system.

By extracting and comparing timestamps from MFT and Shimcache, it is possible to identify inconsistencies that could represent timestomping in relation to executable files.

The Application Compatibility Cache (referred to as Shimcache) records a value for the Last Modified Time when an executable file is last run. The Master File Table (MFT) contains information about every file and directory on an NTFS volume. Each file or directory is represented by an MFT entry, which stores metadata about the file, including modified, accessed, and created timestamps.

If the Shimcache timestamp indicates a file was run at a certain time but the MFT shows a different or much later modification timestamp, this would be considered unexpected.

Microsoft's Purview portal has a feature named Audit that permits access to critical audit log event data to gain insight and further investigate user activities. This can be used to investigate activity from a range of Microsoft services, such as SharePoint, OneDrive, and Outlook. Searches can be scoped to a specific timeframe, user account, and platform using the extensive filters available. 

In some cases it is possible to identify software that has been uninstalled by reviewing two specific Event IDs within the Windows Logs > Application log relating to the Windows installer service.

Event ID 11724: This event is logged when a software product is uninstalled. The event provides information about the product name, the version, and the user who initiated the uninstallation.

Event ID 1034: This event is generated by the Windows Installer service and indicates that an application has been uninstalled. It provides details about the product name and the success or failure of the uninstallation process.

Monitor outbound DNS traffic for unusual or suspicious queries that may indicate DNS tunneling. DNS monitoring entails observing and analyzing Domain Name System (DNS) queries and responses to identify abnormal or malicious activities. This can be achieved using various security platforms and network appliances, including Network Intrusion Detection Systems (NIDS), specialized DNS services, and Security Information and Event Management (SIEM) systems that process DNS logs.

Implement Deep Packet Inspection (DPI) tools to inspect the content of network packets beyond the header information. DPI can identify unusual patterns and hidden data within legitimate protocols. DPI can be conducted with a range of software and hardware solutions, such as Unified Threat Management (UTM) and Next-Generation Firewalls (NGFWs), as well as Intrusion Detection and Prevention Systems (IDPS) such as Snort and Suricata, 

Analyze network flow data (NetFlow) to identify unusual communication patterns and potential tunneling activities. Flow data offers insights into the volume, direction, and nature of traffic.

NetFlow, a protocol developed by Cisco, captures and records metadata about network flows—such as source and destination IP addresses, ports, and the amount of data transferred.

Various network appliances support NetFlow, including Next-Generation Firewalls (NGFWs), network routers and switches, and dedicated NetFlow collectors.

With Group Policy it is possible to enable object access auditing in regards to removeable storage events.

Go to Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Object Access.
Double click Audit Removable Storage and check both Success and Failures
 

Monitor Event ID 4663 (An attempt was made to access an object) and/or 4656 (A handle to an object was requested). This can be used to detect events where a user account is attempting to use removable storage devices on a system.

Depending on the type of VPN appliance or service used, VPN logs can provide detailed records of user activity. These logs typically include information such as user IDs, device types, IP addresses, and connection timestamps. By analyzing VPN logs, security teams can identify deviations from normal usage patterns, such as connections from unusual geographic locations, access during odd hours, or unusually large data transfers. Anomalies in VPN usage can serve as early indicators of suspicious behavior, potentially signaling attempts at data exfiltration or other unauthorized activities. Alerts triggered by these irregularities allow for further investigation to assess potential threats.

Implement UBA tools tailored for cloud environments to continuously monitor and analyze user activities, detecting anomalies that may signal security risks. Typically offered as services by cloud providers or third-party platforms, Cloud UBA can track and flag unusual behavior, such as excessive data downloads, accessing a higher-than-usual number of resources, or large-scale transfers inconsistent with a user’s typical patterns. These tools can also provide real-time alerts when users engage in behavior that deviates from established norms, such as accessing sensitive data during off-hours or from unfamiliar locations. By identifying such anomalies, UBA enhances the detection of insider threats and unauthorized activities within cloud environments.

Deploy UEBA solutions designed for cloud environments to monitor and analyze the behavior of users, applications, network devices, servers, and endpoints accessing cloud resources. Cloud UEBA systems track normal behavior patterns and detect anomalies that could indicate potential security risks. For instance, they can identify when a user or entity is downloading unusually large volumes of data, accessing an excessive number of resources, or engaging in data transfers that deviate from their usual behavior.

During the recruitment or onboarding process, the individual’s appearance in in-person or online interviews should be compared with their government-issued photographic identification, which must match the details provided by the applicant before the interview. This helps detect potential fraudulent discrepancies and reduces the risk of one person attending the interview while another carries out the work for the organization.

In relevant security tooling (such as a SIEM or EDR), a watchlist (also known as a reference set) should be used to monitor for any activity generated by accounts belonging to employees who have left the organization, as this is unexpected. This can help to ensure that the security team readily detects any unrevoked access or account usage.

This process must be in partnership with the Human Resources team, which should inform the security team when an individual leaves the organization (during an Employee Off-Boarding Process, see PV024), including their full and user account names. Ideally, this process should be automated to prevent any gaps in monitoring between the information being sent and the security team adding the name(s) to the watchlist. All format variations should be considered as individual entries in the watchlist to ensure accounts using different naming conventions will generate alerts, such as john.smith, john smith, john.smith@company.com, and jsmith.

False positives could occur if there is a legitimate reason for interaction with the account(s), such as actions conducted by IT staff.