Detections
- ID: DT027
- Created: 31st May 2024
- Updated: 14th June 2024
- Platform: Windows
- Contributor: The ITM Team
Windows Prefetch
In modern versions of the Windows operating system, the prefetch feature serves an important function in speeding up the run time of applications. It does this by creating a cache of information on an application on its first run that is is stored for later reference in c:\windows\prefetch, these files are created with the extension .pf and have the following format <EXECUTABLE>-<HASH>.pf.
These created files contain the created and modified timestamps of the respective file, the file size, process path, how many times it has been run, the last time it was run, and resources it references in the first 10 seconds of execution.
Since every executable that is run will have a prefetch file created when the feature is enabled, the prefetch directory and the contents within it can offer new and valuable insights during an investigation, particularly when the original executable no longer exists.
Sections
| ID | Name | Description |
|---|---|---|
| IF009 | Installing Unapproved Software | A subject installs unapproved software on a corporate device, contravening internal policies on acceptable use of company equipment. |
| PR003 | Software Installation | A subject may install or attempt to install software that will be used to exfiltrate sensitive data or contravene internal policies. |
| AF015 | File Deletion | A subject deletes a file or files to prevent them from being available for later analysis or to disrupt the availability of a system. This could include log files, files downloaded by the subject, files created by the subject, or system files. |
| AF003 | Timestomping | A subject modifies the modified, accessed, created (MAC) file time attributes to hide new files or obscure changes made to existing files to hinder an investigation by removing a file or files from a timeframe scope.
nTimestomp is part of the nTimetools repository, and it provides tools for working with timestamps on files on the Windows operating system. This tool allows for a user to provide arguments for each timestamp, as well as the option to set all timestamps to the same value.
Linux has the built-in command
The argument |
| IF005 | Exfiltration via Messaging Applications | A subject uses a messaging application to exfiltrate data through messages or uploaded media. |
| ME002 | Unrestricted Software Installation | A subject can install software on a device without restriction. |
| ME003 | Installed Software | A subject can leverage software approved for installation or software that is already installed. |
| AF016 | Uninstalling Software | The subject uninstalls software, which may also remove relevant artifacts from the system's disk, such as regsitry keys or files necessary for the software to run, preventing them from being used by investigators to track activity. |
| PR003.001 | Installing Virtual Machines | A subject installs a hypervisor that allows them to create and access virtual environments on a device. |
| PR003.002 | Installing VPN Applications | A subject installs a VPN application that allows them to tunnel their traffic. |
| PR003.003 | Installing Browsers | A subject can install an unapproved browser with features that frustrate or prevent preventions or detections, such as built-in VPN, Tor access, or automatic browser artifact destruction. |
| PR003.005 | Installing Cloud Storage Applications | A subject can install an unapproved cloud storage application that has the ability to sync files across the Internet. |
| PR003.006 | Installing Note-Taking Applications | A subject installs an unapproved note taking application with the ability to sync notes across the Internet. |
| PR003.007 | Installing Messenger Applications | A subject installs an unapproved messenger application with the ability to transmit data and/or files across the Internet. |
| PR003.008 | Installing SSH Clients | A subject installs a Secure Shell (SSH) client, which can be used to access SSH servers across a network. |
| PR003.009 | Installing FTP Clients | A subject installs a File Transfer Protocol (FTP) client which can be used to access FTP servers across the a network. |
| PR003.010 | Installing RDP Clients | A subject installs a Remote Desktop Protocol (RDP) client which can be used to access RDP servers across a network. |
| PR003.011 | Installing Screen Sharing Software | A subject installs screen sharing software which can be used to capture images or other information from a target system. |
| PR017.001 | Archive via Utility | A subject uses utilities to compress and/or encrypt collected data prior to exfiltration. |
| PR017.002 | Archive via Library | A subject uses utilities to compress and/or encrypt collected data prior to exfiltration. |
| PR017.003 | Archive via Compression | A subject uses utilities to compress collected data prior to exfiltration. |
| PR017.004 | Archive via Encryption | A subject uses utilities to encrypt collected data prior to exfiltration. |
| IF005.001 | Exfiltration via Installed Messaging Application | A subject exfiltrates information using a messaging application that is already installed on the system. They will access the conversation at a later date to retrieve information on a different system. |
| ME003.011 | Screen Sharing Software | A subject has access to or can install screen sharing software which can be used to capture images or other information from a target system. |
| IF009.004 | Intentionally Introducing Malware | A subject intentionally introduces and attempts to execute malware on a system. |
| IF009.003 | Unintentionally Introducing Malware | A subject unintentionally introduces and attempts to execute malware on a system. This is can be achieved through various methods, such as phishing, malvertising, torrented downloads, and social engineering. |
| IF009.002 | Inappropriate Software | A subject installs software that is not considered appropriate by the organization. |
| IF009.001 | Unwanted Software | A subject installs software that is not inherently malicious, but is not wanted, commonly known as “greyware” or “potentially unwanted programs”. |
| IF002.006 | Exfiltration via USB to USB Data Transfer | A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment. |
| IF002.008 | Exfiltration via USB to Mobile Device | The subject uses a USB cable, and any relevant software if required, to transfer files or data from one system to a mobile device. This device is then taken outside of the organization's control, where the subject can later access the contents. |
| IF004.004 | Exfiltration via Screen Sharing Software | A subject exfiltrates data outside of the organization's control using the built-in file transfer capabilities of software such as Teamviewer. |