Tabletop Exercise Questions: Identifying Evidence of Execution, Persistence, and Common Windows Event IDs in Ransomware Investigations.

As cybersecurity leaders, it's essential to equip our teams with the skills to detect and analyze signs of cyber threats, especially ransomware. This set of tabletop exercise questions, along with an answer key, is designed to enhance the team's forensic capabilities in recognizing evidence of execution, persistence, and the significance of common Windows Event IDs in ransomware investigations.

Execution and Persistence Artifacts

  1. BAM and Recent Files
     • Question: How can BAM and recent file paths be used to detect early signs of a ransomware attack? What specific user activities or executed programs should we look for?
     • Answer Key: BAM (located at HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\) logs executed programs. Look for entries related to ransomware executables or unusual tools. Recent files (found in C:\users\<username>\AppData\Roaming\Microsoft\Windows\Recent) can show files accessed by the user, potentially altered by ransomware.
  2. Shortcut (LNK) Files
     • Question: Discuss the process of analyzing LNK files in the context of a ransomware attack. What metadata from LNK files can provide crucial leads in an investigation?
     • Answer Key: LNK files in user profiles (C:\users\<username>\AppData\Roaming\Microsoft\Windows\Recent) contain metadata like file access time, original file path, and network location. These can reveal the execution of specific ransomware payloads or access to encrypted files.
  3. Registry Run Keys
     • Question: In the scenario where malware uses Run and RunOnce keys for persistence, what steps should we take to identify and mitigate this threat?
     • Answer Key: Regularly audit the Run (HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run) and RunOnce (HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce) keys. Be alert for unknown or suspicious entries that execute upon login or startup.
  4. AmCache and Prefetch Files
     • Question: Explain how AmCache and Prefetch files can be leveraged to trace the execution history of a ransomware attack.
     • Answer Key: AmCache (C:\Windows\AppCompat\Programs\Amcache.hve) contains records of executed programs, while Prefetch (C:\Windows\Prefetch\*.pf) tracks frequently run programs, helping in reconstructing the attack timeline and identifying malicious executables.
  5. Scheduled Tasks and Startup Folders
     • Question: How can we effectively monitor scheduled tasks and startup folders for signs of compromise?
     • Answer Key: Regularly review the Task Scheduler (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks and HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree) and Startup Folders (C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp) for unexpected entries or modifications. (Do you have an EDR/SIEM alert for these?)
  6. Windows Services
     • Question: What indicators in the Windows Services registry keys can signal a ransomware infection?
     • Answer Key: Investigate the Services registry key (HKLM\SYSTEM\CurrentControlSet\Services) for new or altered service entries. Unusual service names, paths, or modifications to existing services can indicate ransomware activity.
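The following PowerShell script is an added example, not part of the original article, that turns the audit steps from items 1, 3, 5 and 6 into a single pass over a host: it lists Run/RunOnce values and services whose binary sits outside a set of trusted roots, enumerates the startup folders, and decodes the last-execution timestamps stored in BAM. It assumes it runs elevated on the machine under review; the trusted-root list, the 24-byte BAM value layout (first 8 bytes a FILETIME) and the newer `bam\State\UserSettings` key path (in addition to the `bam\UserSettings` path the article cites) are assumptions to verify against your own builds.

```powershell
# Added example (not from the original article): one-pass persistence audit of the
# locations named in items 1, 3, 5 and 6. Run elevated on the host under review.
# The trusted roots are an assumption; tune them for your environment.
$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_.Length -gt 1 }   # drop an empty ProgramFiles(x86) on 32-bit hosts

function Test-TrustedPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Strip surrounding quotes and trailing arguments; keep just the executable
    $exe = $Path -replace '^"([^"]+)".*$', '$1'
    if ($exe -eq $Path) { $exe = ($Path -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    foreach ($root in $TrustedRoots) {
        if ($exe -like "$root*") { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]

# Item 3: Run / RunOnce keys in both hives
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
        if (-not (Test-TrustedPath $p.Value)) {
            $findings.Add([pscustomobject]@{ Source = $key; Name = $p.Name; Detail = $p.Value })
        }
    }
}

# Item 5: startup folders (every file here is worth a look, so list them all)
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File | Where-Object { $_.Name -ne 'desktop.ini' } | ForEach-Object {
        $findings.Add([pscustomobject]@{ Source = $dir; Name = $_.Name; Detail = "modified $($_.LastWriteTime)" })
    }
}

# Item 6: services whose binary lives outside the trusted roots
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    if (-not (Test-TrustedPath $_.PathName)) {
        $findings.Add([pscustomobject]@{ Source = 'Win32_Service'; Name = $_.Name; Detail = $_.PathName })
    }
}

# Item 1: BAM execution records. Newer builds keep per-SID subkeys under bam\State\UserSettings,
# older ones under bam\UserSettings (the path the article cites); check both.
foreach ($bamRoot in 'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings',
                     'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings') {
    if (-not (Test-Path $bamRoot)) { continue }
    Get-ChildItem -Path $bamRoot | ForEach-Object {
        $sid = $_.PSChildName
        foreach ($p in (Get-ItemProperty -Path $_.PSPath).PSObject.Properties) {
            # Program entries are \Device\HarddiskVolumeN\... names; the binary value's
            # first 8 bytes hold a FILETIME of the last execution (assumed layout).
            if ($p.Name -notlike '\Device\*' -or $p.Value.Length -lt 8) { continue }
            try { $lastRun = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($p.Value, 0)) }
            catch { continue }
            $findings.Add([pscustomobject]@{ Source = "BAM $sid"; Name = $p.Name; Detail = "last run $lastRun UTC" })
        }
    }
}

$findings | Sort-Object Source, Name | Format-Table -AutoSize
```

Everything this prints is a review list, not a verdict: a service or Run value outside `C:\Windows` or `Program Files` is common for legitimate third-party software, so the value of the script is in diffing its output against a known-good baseline of the same host or image.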

Deeper Insights into Common Windows Event IDs in Ransomware Investigations

Windows Defender Events (5000, 5001):

  • Question: How can Windows Defender event IDs 5000 and 5001 be interpreted in the context of a ransomware attack?
  • Answer Key: Event ID 5000 indicates that Windows Defender is active, which is the expected state for secure operations. This event is a normal occurrence and suggests that the system's primary defense mechanism is operational. Event ID 5001 signifies that Defender has been disabled. In ransomware attacks, attackers might disable Defender to avoid detection of their malicious activities. Monitoring for 5001 events is crucial as it could indicate a compromise or an attempt to subvert security measures.

System Event 7045:

  • Question: What significance does System Event 7045 have in ransomware investigations?
  • Answer Key: System Event 7045 is logged when a new service is installed on the system. In the context of ransomware, this could be indicative of the malware installing itself as a service to gain persistence or to execute as part of the system startup process. An unexpected service installation, especially with unusual service names or executables located in atypical directories, should be thoroughly investigated. It's a key indicator of potentially malicious activity, as many ransomware variants install themselves as services to maintain persistence and launch automatically.

Security Event 4624:

  • Question: Why is Security Event 4624 critical in ransomware investigations?
  • Answer Key: Security Event 4624 is logged for successful account logons. This event is crucial for identifying unauthorized access or lateral movement within a network, which are common tactics in ransomware attacks. Pay special attention to logon types:
    • Type 2: Interactive (local) logon.
    • Type 3: Network logon, often used for remote access; critical for spotting lateral movement.
    • Type 4: Batch logon, often used for scheduled tasks.
    • Type 5: Service logon, used by services and batch jobs.
    • Type 10: RemoteInteractive logon, used for RDP access.
    Unusual patterns, such as logons at odd hours, logons to critical servers, or multiple failed logon attempts followed by a successful one, might indicate compromised credentials or an attacker moving within the network.
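As an added example (not from the original article), the script below reads the last 24 hours of 4624 and 4625 events, labels the logon types listed above, and surfaces the three patterns the answer key names: remote logons (types 3 and 10) grouped by source address and account, interactive/RDP logons outside business hours, and a success preceded by a burst of failures for the same account. It assumes rights to read the Security log; the 24-hour window, the 07:00 to 19:00 business-hours window and the five-failure threshold are assumptions to tune.

```powershell
# Added example, not from the original article. Reads Security 4624/4625 events
# and applies the logon-type triage from the answer key. Window, business hours
# and the failure threshold below are assumptions.
$Since      = (Get-Date).AddHours(-24)
$WorkStart  = 7       # assumed business-hours window, local time
$WorkEnd    = 19
$MinFailures = 5
$LogonLabel = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 10 = 'RemoteInteractive' }

function ConvertTo-DataHash {
    # Flatten the <EventData><Data Name="..."> elements of an event into a hashtable
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    $x = [xml]$Event.ToXml()
    foreach ($n in $x.Event.EventData.Data) { $h[$n.Name] = $n.'#text' }
    return $h
}

$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-DataHash $_
        $type = [int]$d['LogonType']
        $label = if ($LogonLabel.ContainsKey($type)) { $LogonLabel[$type] } else { "Type $type" }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Type     = $type
            Label    = $label
            Domain   = $d['TargetDomainName']
            User     = $d['TargetUserName']
            Source   = $d['IpAddress']
            Process  = $d['ProcessName']
            OffHours = ($_.TimeCreated.Hour -lt $WorkStart -or $_.TimeCreated.Hour -ge $WorkEnd)
        }
    } | Where-Object { $_.User -notlike '*$' }   # drop machine-account noise

$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object { $d = ConvertTo-DataHash $_; [pscustomobject]@{ Time = $_.TimeCreated; User = $d['TargetUserName'] } }

# 1. Lateral-movement view: network (3) and RDP (10) logons by source address and account
'== Remote logons by source/account =='
$logons | Where-Object { ($_.Type -in @(3, 10)) -and ($_.Source -notin @('-', '127.0.0.1', '::1')) } |
    Group-Object Source, User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Interactive (2) or RDP (10) logons outside business hours
'== Off-hours interactive/RDP logons =='
$logons | Where-Object { $_.OffHours -and ($_.Type -in @(2, 10)) } |
    Format-Table Time, Label, Domain, User, Source -AutoSize

# 3. A success preceded by a burst of failures for the same account
"== Successes preceded by >= $MinFailures failures in the prior 10 minutes =="
foreach ($l in ($logons | Where-Object { $_.Type -in @(3, 10) })) {
    $prior = @($failures | Where-Object {
        $_.User -eq $l.User -and $_.Time -lt $l.Time -and $_.Time -gt $l.Time.AddMinutes(-10)
    })
    if ($prior.Count -ge $MinFailures) {
        '{0}  {1}\{2} from {3}: {4} failures before success' -f $l.Time, $l.Domain, $l.User, $l.Source, $prior.Count
    }
}
```

To run the same triage against a collected log rather than the live host, replace `LogName = 'Security'` with `Path = 'C:\evidence\Security.evtx'` in both `-FilterHashtable` calls; the rest of the script is unchanged.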

Windows PowerShell Events (400):

  • Question: How should PowerShell Event 400 be interpreted in ransomware scenarios?
  • Answer Key: Event 400 signifies a state change in the PowerShell engine from unavailable to available. This event is significant because ransomware and other malicious scripts often leverage PowerShell for execution. An uptick in PowerShell usage, especially with unusual or obfuscated commands, should prompt an investigation. Monitoring PowerShell activity is crucial in a ransomware context, as attackers frequently use PowerShell to execute payloads, bypass security measures, and automate tasks.

Sysmon Events (1, 3, 11, 12, 13, 22):

  • Question: What can Sysmon events reveal in the context of a ransomware attack?
  • Answer Key: Sysmon, a system monitoring tool, logs various events that are vital in detecting and understanding ransomware attacks:
    • Event 1: Process creation, key for identifying the start of potentially malicious processes.
    • Event 3: Network connection, helpful to spot unusual external communications or data exfiltration attempts.
    • Events 11, 12, and 13: File and registry events, important for tracking changes to files and the registry that might indicate malicious activity.
    • Event 22: DNS query, useful for identifying external domains contacted by malware.
    These events help in creating a timeline of the attacker’s actions, from the initial breach to the execution of the ransomware and possible data exfiltration attempts.
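The script below is an added example, not from the original article, that builds the kind of timeline described above by joining the System 7045 events from the earlier section with Sysmon events 1, 3 and 22: for each newly installed service it takes the service binary, then pulls every process creation for that binary (or any process started by the Service Control Manager, `services.exe`), and every network connection and DNS query made by it, and prints them in time order. It assumes Sysmon is installed with its default log name, `Microsoft-Windows-Sysmon/Operational`, and that the script has rights to read both logs; the 24-hour window is an assumption.

```powershell
# Added example (not from the original article): mini timeline around new service
# installs (System 7045) using Sysmon events 1 (process), 3 (network) and 22 (DNS).
# Assumes the default Sysmon log name and read access to both logs.
$Since     = (Get-Date).AddHours(-24)   # assumed window
$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

# Flatten <EventData><Data Name="..."> of the piped event into a hashtable
$Flatten = { $h = @{}; foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $h[$n.Name] = $n.'#text' }; $h }

function Get-ExePath {
    # Reduce a service ImagePath ("C:\x\y.exe" -arg, %SystemRoot%\...\svchost.exe -k Foo)
    # to the bare executable path, lower-cased for comparison with Sysmon's Image field
    param([string]$ImagePath)
    $exe = $ImagePath -replace '^"([^"]+)".*$', '$1'
    if ($exe -eq $ImagePath) { $exe = ($ImagePath -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe).ToLowerInvariant()
}

# New services from the System log (7045: ServiceName, ImagePath, AccountName)
$newServices = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = $_ | ForEach-Object $Flatten
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Name      = $d['ServiceName']
            ImagePath = $d['ImagePath']
            Exe       = Get-ExePath $d['ImagePath']
            Account   = $d['AccountName']
        }
    })

# Binaries to watch, keyed by lower-cased path
$watch = @{}
foreach ($s in $newServices) { $watch[$s.Exe] = $s.Name }

$sysmon = Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 1, 3, 22; StartTime = $Since } -ErrorAction SilentlyContinue

$timeline = @(foreach ($e in $sysmon) {
    $d = $e | ForEach-Object $Flatten
    $image = if ($d['Image']) { $d['Image'].ToLowerInvariant() } else { '' }
    $hit = $watch.ContainsKey($image)
    # A process whose parent is services.exe was started by the Service Control Manager
    $fromScm = ($e.Id -eq 1 -and $d['ParentImage'] -like '*\services.exe')
    if (-not ($hit -or $fromScm)) { continue }
    $detail = switch ($e.Id) {
        1  { "proc: $($d['CommandLine']) (parent $($d['ParentImage']))" }
        3  { "net:  -> $($d['DestinationIp']):$($d['DestinationPort'])" }
        22 { "dns:  $($d['QueryName'])" }
    }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Image = $image; Service = $watch[$image]; Detail = $detail }
})

$serviceRows = @($newServices | ForEach-Object {
    [pscustomobject]@{ Time = $_.Time; Id = 7045; Image = $_.Exe; Service = $_.Name; Detail = "svc:  $($_.ImagePath) as $($_.Account)" }
})

$serviceRows + $timeline | Sort-Object Time | Format-Table Time, Id, Service, Detail -AutoSize
```

Reading the output top to bottom gives the sequence the answer key describes: the 7045 row shows when and under which account the service arrived, the Sysmon 1 rows show what it actually ran, and the 3 and 22 rows show where it reached out to. Services that run under `svchost.exe` will match many unrelated events, so filter those out (or restrict the watch list) when triaging a busy host.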

More articles by Glenn McDowell