Saturday, August 25, 2018

Daily Blog #462: ObjectIDs and intrusion triage

Hello Reader,
         I was thinking more about yesterday's test kitchen on ObjectID creation in Windows 10. To summarize the point: when a file is created through the GUI in Windows 10 it gets a shell item (lnk, jumplist, recent doc, etc.) and it also gets an ObjectID. It occurred to me that, just as we have trained examiners to look for Zone.Identifier streams as evidence of downloaded files, we could use the absence of an ObjectID on a Windows 10 file to find files that were either not created within the GUI or were created in one of the special exclusion directories (Outlook temp, Internet temp, etc.).

With this in mind, in an intrusion scenario we could triage quickly by first eliminating all the files the user created through the GUI, then eliminating the system files through hash comparison, leaving a much smaller set of files whose hashes aren't known and which were not created by the user. Comparing that set against the execution artifacts could make for some pretty fast triage of possible malicious executables.
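To make the elimination order concrete, here is an added example of what such a triage script could look like. It is not the author's script and not code from the original post. It assumes the ObjectID check can be made with the documented FSCTL_GET_OBJECT_ID control code through DeviceIoControl (a failure with ERROR_FILE_NOT_FOUND meaning "no ObjectID"), that Zone.Identifier can be tested as an alternate data stream named path + ":Zone.Identifier", and it uses assumed path fragments for the "Outlook temp" and "Internet temp" exclusion directories. The known-good hash set and the sample file records are constructed for illustration.

```python
"""Triage NTFS files by ObjectID presence, known-good hash and Zone.Identifier.

Added example, not from the original post. Windows-only parts (the FSCTL query and
the ADS check) are skipped on other platforms so the pure triage logic still runs.
"""
import ctypes
import hashlib
import os
import sys
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

# winioctl.h: CTL_CODE(FILE_DEVICE_FILE_SYSTEM=9, 39, METHOD_BUFFERED, FILE_ANY_ACCESS)
FSCTL_GET_OBJECT_ID = 0x9009C
ERROR_FILE_NOT_FOUND = 2            # returned when the file has no $OBJECT_ID
GENERIC_READ = 0x80000000
FILE_SHARE_ALL = 0x7                # READ | WRITE | DELETE so locked files still open
OPEN_EXISTING = 3
FILE_FLAG_BACKUP_SEMANTICS = 0x02000000
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

# Assumed path fragments for the exclusion directories named in the post; a missing
# ObjectID under these is expected rather than suspicious.
EXCLUSION_DIR_FRAGMENTS = (
    "\\appdata\\local\\microsoft\\windows\\inetcache\\",
    "\\appdata\\local\\microsoft\\windows\\temporary internet files\\",
    "\\content.outlook\\",
)


@dataclass
class FileRecord:
    path: str
    sha256: str
    has_object_id: Optional[bool]   # None: could not be determined (access denied, non-NTFS)
    has_zone_identifier: bool


@dataclass
class Finding:
    path: str
    notes: List[str] = field(default_factory=list)


def has_object_id(path: str) -> Optional[bool]:
    """Ask NTFS for the file's $OBJECT_ID via FSCTL_GET_OBJECT_ID (Windows only)."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p]
    k32.DeviceIoControl.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.c_void_p,
                                    ctypes.c_uint32, ctypes.c_void_p, ctypes.c_uint32,
                                    ctypes.POINTER(ctypes.c_ulong), ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.CreateFileW(path, GENERIC_READ, FILE_SHARE_ALL, None,
                             OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, None)
    if handle == INVALID_HANDLE_VALUE:
        return None
    try:
        buf = ctypes.create_string_buffer(64)   # FILE_OBJECTID_BUFFER is 64 bytes
        returned = ctypes.c_ulong(0)
        ok = k32.DeviceIoControl(handle, FSCTL_GET_OBJECT_ID, None, 0, buf, 64,
                                 ctypes.byref(returned), None)
        if ok:
            return True
        return False if ctypes.get_last_error() == ERROR_FILE_NOT_FOUND else None
    finally:
        k32.CloseHandle(handle)


def has_zone_identifier(path: str) -> bool:
    """Zone.Identifier is an alternate data stream, addressable as path + ':Zone.Identifier'."""
    return sys.platform == "win32" and os.path.exists(path + ":Zone.Identifier")


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(root: str) -> List[FileRecord]:
    """Walk a tree and build one record per file; skip files we cannot read."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                records.append(FileRecord(p, sha256_of(p), has_object_id(p), has_zone_identifier(p)))
            except OSError:
                continue
    return records


def triage(records: Iterable[FileRecord], known_good: Set[str]) -> List[Finding]:
    """Elimination order from the post: drop known-good hashes, drop GUI-created files
    (ObjectID present), report the remainder with the context an analyst wants."""
    findings = []
    for r in records:
        if r.sha256.lower() in known_good:
            continue                                   # known system/software file
        if r.has_object_id:
            continue                                   # user created it through the GUI
        f = Finding(r.path)
        if r.has_object_id is None:
            f.notes.append("objectid unknown: keep for review")
        if r.has_zone_identifier:
            f.notes.append("zone.identifier present (downloaded)")
        if any(frag in r.path.lower() for frag in EXCLUSION_DIR_FRAGMENTS):
            f.notes.append("in exclusion directory: missing ObjectID expected")
        findings.append(f)
    return findings


# Constructed sample data (not real files or hashes) so the logic runs off a Windows box.
KNOWN_GOOD = {"a" * 64}
SAMPLE = [
    FileRecord(r"C:\Windows\System32\notepad.exe", "a" * 64, False, False),
    FileRecord(r"C:\Users\bob\Documents\notes.docx", "b" * 64, True, False),
    FileRecord(r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "c" * 64, False, False),
    FileRecord(r"C:\Users\bob\Downloads\invoice.exe", "d" * 64, False, True),
    FileRecord(r"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\IE\x.tmp", "e" * 64, False, False),
]

if __name__ == "__main__":
    recs = collect(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for finding in triage(recs, KNOWN_GOOD):
        print(finding.path, "; ".join(finding.notes))
```

Run with a directory argument on a Windows 10 system to sweep real files; with no argument it runs over the constructed sample, where the known-good notepad.exe and the GUI-created notes.docx drop out and the three remaining files are reported with their Zone.Identifier and exclusion-directory context. Files whose ObjectID state could not be read are kept, not discarded, so an access-denied error never hides a candidate.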

I'm going to look next week at writing a Python script to do this; expect a Sunday Funday challenge related to it.
