User activity will almost always leave behind a trace. As most files require the launching of a ‘program’ to view the contents, it is useful to examine computer systems for artefacts of program execution.
This type of artefact is increasingly proving to be useful when responding to cyber attacks, as each cybercriminal group tends to use certain tools. By examining this activity, we can quickly identify attackers, tools, and the methodologies to then help limit the spread of an attack, and help prevent a recurrence by recommending appropriate mitigations and safeguards.
The tools attackers use can often give us the clearest indication of their goals in the victim’s network. Some of the tools we have seen fall into the following categories:
- Credential stealing software to enable the attackers to breach further into the network
- Data exfiltration tools for stealing intellectual property
- Network reconnaissance tools to search the network for vulnerable connected devices or the attacker’s target
- Ransomware, a program which encrypts all of your files and demands a ransom be paid to restore them
- Crypto mining software which produces crypto currency for the attacker by using huge amounts of the victim’s electricity and computing power
An attacker will gain access to a victim machine as per the ‘Cyber Kill Chain’, by exploiting a vulnerability and installing their tools to conduct further activities. Examination of these program execution artifacts can reveal:
- The name of the tools used
- The time a tool was used. This could indicate the time of first compromise or whether the attack was entirely automated or had a human controller
- The location on the victim machine where those tools were running from. This often leads us to a folder full of tools for us to analyse
- The pattern of attack the cybercrime group is likely to attempt to conduct.
Program execution artifacts tend to show us most clearly what attackers were attempting to do to their victims and help us to contain and eradicate the attack.