While forensicating one of the compromised hosts during our recent incident response activities, we found some interesting artifacts in SQM data.
Let’s start with what SQM is. First of all, it’s an acronym for Software Quality Metrics. It used to be named Service Quality Monitoring and has been an operating system component since Windows Vista. It is used to collect and send information about application performance and usage to Microsoft. According to Microsoft, it may include:
- operating system information
- hardware information
- application response times
- application network connection speed
- application crash causes
- application usage
It seems this feature is disabled by default, but it can be enabled, for example, via the following registry key:
Before being uploaded to Microsoft servers, these pieces of data are stored in files with the .sqm extension under the following folder:
Unfortunately, Microsoft doesn’t share any details about the SQM file format. Nevertheless, even without knowing the file format, we can get some useful information about program execution. For example, in our case we could find evidence of execution of ssh.exe and curl.exe, which were used by the attackers:
So what does this mean from a forensic perspective? It seems we have one more source of evidence of execution!
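One practical way to get that kind of evidence out of an undocumented binary format is to carve printable ASCII and UTF-16LE strings that end in `.exe` and reduce them to basenames. The script below is an added example, not code from the original post; it takes whatever directory you point it at (the post's own SQM folder path is not reproduced here), and the embedded sample bytes are constructed for the demo, not real SQM data.

```python
import re
from pathlib import Path
from typing import Dict, Set

# Printable ASCII run ending in ".exe" (covers full paths such as C:\...\ssh.exe)
_ASCII_EXE = re.compile(rb'[\x20-\x7e]{1,260}?\.exe\b', re.IGNORECASE)
# Same thing for UTF-16LE strings, where every ASCII char is followed by a NUL byte
_UTF16_EXE = re.compile(rb'(?:[\x20-\x7e]\x00){1,260}?\.\x00e\x00x\x00e\x00',
                        re.IGNORECASE)


def _basename(s: str) -> str:
    # Keep only the last path component, lower-cased so duplicates collapse
    return re.split(r'[\\/]', s)[-1].lower()


def carve_exe_names(data: bytes) -> Set[str]:
    """Return the distinct *.exe basenames found as ASCII or UTF-16LE strings."""
    names: Set[str] = set()
    for m in _ASCII_EXE.finditer(data):
        names.add(_basename(m.group().decode('ascii')))
    for m in _UTF16_EXE.finditer(data):
        names.add(_basename(m.group().decode('utf-16-le')))
    return names


def scan_sqm_dir(sqm_dir: str) -> Dict[str, Set[str]]:
    """Map every *.sqm file under sqm_dir (assumed path) to the names carved from it."""
    return {p.name: carve_exe_names(p.read_bytes())
            for p in Path(sqm_dir).rglob('*.sqm')}


# Constructed stand-in for the bytes of a .sqm file: binary noise, an ASCII path
# to ssh.exe and a UTF-16LE occurrence of curl.exe, as seen in the case above.
SAMPLE_SQM = (b'\x00\x01\x02MZ\x90'
              + b'C:\\Windows\\System32\\ssh.exe' + b'\x00\xff'
              + 'curl.exe'.encode('utf-16-le') + b'\x00\x00\x10')

if __name__ == '__main__':
    print(sorted(carve_exe_names(SAMPLE_SQM)))  # ['curl.exe', 'ssh.exe']
```

Pivot the carved names against other execution artifacts (Prefetch, Amcache, Shimcache) rather than treating a string hit alone as proof of execution.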