
SQM: New Evidence of Execution Source?


While forensicating one of the compromised hosts during our recent incident response activities, we found some interesting artifacts in SQM data.

Let’s start with what SQM is. First of all, it’s an acronym for Software Quality Metrics. It used to be named Service Quality Monitoring and has been an operating system component since Windows Vista. It collects information about application performance and usage and sends it to Microsoft. According to Microsoft, it may include:

  • operating system information
  • hardware information
  • application response times
  • application network connection speed
  • application crash causes
  • application usage

It seems this feature is disabled by default, but can be enabled, for example, via the following registry key:

HKLM\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable

Before being uploaded to Microsoft servers, these pieces of data are stored in files with the .sqm extension under the following folder:

C:\ProgramData\Microsoft\Windows\Sqm\Upload

Unfortunately, Microsoft doesn’t share any details about the SQM file format. Nevertheless, even without knowing the file format, we can extract some useful information about program execution from these files. For example, in our case we could find evidence of execution of ssh.exe and curl.exe, which were used by the attackers:

(Screenshot: Evidence of ssh.exe execution found in an SQM file)

So what does this mean from a forensic perspective? It seems we have one more source of evidence of execution!
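As an added example (not part of the original article), here is a small Python triage script that carves printable strings out of the .sqm files in the upload folder and reports any *.exe references. Since the format is undocumented, it assumes such references may be stored as plain ASCII or as UTF-16LE strings; the embedded sample blob is constructed for demonstration and is not real SQM data.

```python
import re
from pathlib import Path

# Upload folder named in the article.
SQM_UPLOAD_DIR = Path(r"C:\ProgramData\Microsoft\Windows\Sqm\Upload")

# Assumption: executable references may appear as ASCII or UTF-16LE strings
# (the SQM file format itself is undocumented, so both are carved).
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
EXE_RE = re.compile(r"[\w.\-\\:]+\.exe", re.IGNORECASE)


def extract_strings(data: bytes):
    """Yield printable ASCII and UTF-16LE strings of 4+ characters from a blob."""
    for m in ASCII_RE.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.group().decode("utf-16-le")


def find_executables(data: bytes) -> list:
    """Return a sorted, de-duplicated list of *.exe references found in the blob."""
    found = set()
    for s in extract_strings(data):
        for m in EXE_RE.finditer(s):
            found.add(m.group().lower())
    return sorted(found)


def scan_upload_dir(directory: Path = SQM_UPLOAD_DIR) -> dict:
    """Map each .sqm file in the folder to the executables it mentions."""
    results = {}
    for path in directory.glob("*.sqm"):
        try:
            hits = find_executables(path.read_bytes())
        except OSError:
            continue  # unreadable file: skip, keep triaging the rest
        if hits:
            results[path.name] = hits
    return results


# Constructed sample standing in for an .sqm file: binary padding, one ASCII
# path reference and one UTF-16LE reference. Not real SQM data.
SAMPLE_SQM = (
    b"\x00\x01\x02\x03SQM\x00\x00"
    + b"C:\\Windows\\System32\\curl.exe\x00"
    + b"\xff\xfe" + "ssh.exe".encode("utf-16-le") + b"\x00\x00\x10\x20"
)

if __name__ == "__main__":
    print(find_executables(SAMPLE_SQM))  # ['c:\\windows\\system32\\curl.exe', 'ssh.exe']
    for name, exes in scan_upload_dir().items():
        print(name, exes)
```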
