
Characteristics and detectability of Windows auto-start extensibility points in memory forensics


Computer forensics is performed during a security incident response process on disk devices or on the memory of the compromised system. The latter case, known as memory forensics, consists of dumping the memory to a file and analyzing it with the appropriate tools. Many security incidents are caused by malware that targets a Windows system within an organization and persists on it for as long as possible. The persistence is achieved using Auto-Start Extensibility Points (ASEPs), the subset of OS and application extensibility points that allow a program to auto-start without any explicit user invocation. In this paper, the authors propose a taxonomy of the Windows ASEPs, considering the features that are used or abused by malware to achieve persistence. This taxonomy splits into four categories: system persistence mechanisms, program loader abuse, application abuse, and system behavior abuse. They detail the characteristics of each extensibility point (namely, write permissions, execution privileges, detectability in memory forensics, freshness of system requirements, and execution and configuration scopes). Many of these ASEPs rely on the Windows Registry. They also introduce the tool Winesap, a Volatility plugin that analyzes the registry-based Windows ASEPs in a memory dump. Furthermore, the authors state the order of execution of some of these registry-based extensibility points and evaluate the effectiveness of their tool on memory dumps taken from a Windows OS where extensibility points were used. Winesap was successful in marking all the registry-based Windows ASEPs as suspicious registry keys.

The paper is available here, the plugin – here.
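As an added illustration of what a Winesap-style plugin does, the Python sketch below (not the paper's or the plugin's code) walks constructed registry records, marks every value under a known registry-based ASEP key as suspicious, tags it with one of the four taxonomy categories named above, and notes when the start-up binary lives in a user-writable directory. The key list and the category assignments are assumptions made for this example; the paper's own catalogue is not reproduced here.

```python
from dataclasses import dataclass
import re

# Well-known registry-based auto-start locations, each tagged with one of the four
# taxonomy categories the summary names. The category assignment is assumed here.
ASEP_CATALOGUE = {
    r"software\microsoft\windows\currentversion\run": "system persistence mechanisms",
    r"software\microsoft\windows\currentversion\runonce": "system persistence mechanisms",
    r"system\currentcontrolset\services": "system persistence mechanisms",
    r"software\microsoft\windows nt\currentversion\windows": "program loader abuse",    # AppInit_DLLs
    r"software\microsoft\windows nt\currentversion\winlogon": "system behavior abuse",  # Shell, Userinit
}
# A start-up binary living in a user-writable directory deserves a closer look.
USER_WRITABLE = re.compile(r"\\(users|temp|programdata)\\", re.IGNORECASE)

@dataclass
class RegValue:
    hive: str   # "HKLM" or "HKCU"
    key: str    # key path below the hive root
    name: str   # value name
    data: str   # value data (string values only in this sketch)

def match_asep(key: str):
    """Return (catalogue path, category) if key is, or sits under, a known ASEP key."""
    k = key.lower().strip("\\")
    for path, category in ASEP_CATALOGUE.items():
        if k == path or k.startswith(path + "\\"):
            return path, category
    return None

def scan(values):
    """Mark every value under a known ASEP key as suspicious, Winesap-style; each
    finding carries the matched ASEP, its category and a user-writable-path flag."""
    findings = []
    for v in values:
        hit = match_asep(v.key)
        if hit:
            findings.append({"asep": hit[0], "category": hit[1], "value": v,
                             "user_writable": bool(USER_WRITABLE.search(v.data))})
    return findings

# Constructed sample records, as a registry walk over a memory dump might yield them.
SAMPLE = [
    RegValue("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run", "Updater", r"C:\Users\bob\AppData\Local\Temp\upd.exe"),
    RegValue("HKLM", r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "explorer.exe"),
    RegValue("HKLM", r"System\CurrentControlSet\Services\svc1", "ImagePath", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    RegValue("HKCU", r"Software\SomeVendor\App", "Theme", "dark"),
]
```

Running `scan(SAMPLE)` flags the first three records and leaves the vendor setting alone; only the Run entry is additionally marked as pointing into a user-writable path.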
