Collecting Remote Volatile Artifacts and What They Can Tell You
Earlier this year, we introduced a new artifact category, volatile artifacts, which allows you to remotely collect live system information. Volatile artifacts are an especially important element of incident response investigations as they can provide unique insights into malware behavior and malicious activities that don’t leave easily detectable evidence trails.
Since introducing this artifact category, we have steadily expanded the range of volatile artifacts available and wanted to provide some context on the insights that these artifacts can provide.
Volatile Artifacts in AXIOM Cyber and What They Can Tell You
- Active Connections: These artifacts provide insight into where the computer is sending and receiving information, which can be used to determine if and where data is being exfiltrated or monitored.
- ARP Cache: The Address Resolution Protocol (ARP) cache is a collection of entries created when an IP address is resolved to a media access control (MAC) address; attackers can manipulate these entries to hide behind a spoofed IP address.
- DNS Cache: Caching name servers (DNS caches) can be used by an attacker for DNS spoofing, resulting in traffic being diverted to a different computer.
- Running Processes: This artifact details the programs running on an endpoint, which can be used to identify malicious and unauthorized programs that have been initiated by a bad actor.
- Services: Services identify the processes that are run after the initial start-up, which can be used by cyber attackers as a tactic to avoid detection.
- Scheduled Processes: By leveraging the scheduled processes, attackers can employ persistence or delayed execution of malicious code that reduces the visibility of their activities.
- Prefetch Lists: Prefetch lists store information regarding the activity of a program, including how often it has been run on a system and when, as well as the files and directories referenced, which can provide important insight into applications and tactics of a cyberattack.
- Firewall Rules: These rules can be altered to permit unauthorized network traffic, allowing an attacker to gain access to a system, establish command and control, and exfiltrate data.
- Scheduled Job List: Attackers may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code for Advanced Persistent Threats (APTs) that evade detection.
- Mounted Network Shares: These artifacts provide a view of the network shares mounted on the endpoint, which can be used by attackers for data exfiltration.
- Logged on Users: This artifact provides insight into session information and visibility into active users, including remote users logged on in different sessions, which could indicate a bad actor operating in the background.
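As an added illustration of the ARP cache point above (this is example triage code written for this post, not part of AXIOM Cyber), the script below parses a constructed `arp -a` style listing collected from a Windows host and flags any MAC address that answers for more than one unicast IP, rating it high when the gateway's IP is involved:

```python
import re
from collections import defaultdict

# Constructed sample: an ARP cache as collected from a Windows host (`arp -a` format).
# The gateway 10.0.0.1 and host 10.0.0.55 share one MAC, which is how a poisoned
# cache looks from the victim's side. All addresses here are made up.
SAMPLE_ARP_CACHE = """\
Interface: 10.0.0.23 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              aa-bb-cc-00-11-22     dynamic
  10.0.0.55             aa-bb-cc-00-11-22     dynamic
  10.0.0.80             00-50-56-12-34-56     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)

def parse_arp_cache(text):
    """Return (ip, mac, type) tuples from `arp -a` style output; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries

def find_shared_macs(entries):
    """Map each MAC bound to more than one unicast IP to those IPs.
    Broadcast and multicast bindings legitimately repeat, so they are ignored."""
    by_mac = defaultdict(list)
    for ip, mac, _ in entries:
        first_octet = int(ip.split(".")[0])
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e") or 224 <= first_octet <= 239:
            continue
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def triage(text, gateway_ip):
    """Return findings; a shared MAC that includes the gateway IP is rated high."""
    findings = []
    for mac, ips in find_shared_macs(parse_arp_cache(text)).items():
        severity = "high" if gateway_ip in ips else "medium"
        findings.append({"mac": mac, "ips": ips, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_ARP_CACHE, "10.0.0.1"):
        print(f"[{f['severity']}] MAC {f['mac']} answers for {', '.join(f['ips'])}")
```

A shared MAC is an indicator, not proof: hosts with several IP aliases or routers doing proxy ARP produce the same pattern, so confirm against the switch's MAC table or the known gateway MAC before escalating.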
Why Are Volatile Artifacts Important?
Volatile artifacts are captured from the data that is stored in a computer’s volatile memory while it is running. Because this data is wiped every time the computer is powered off, it can provide a very appealing attack vector because evidence of the malicious activities is cleared along with the rest of the temporary memory. These near invisible attacks can result in threats going undetected for longer periods of time, allowing bad actors to move laterally through a network to gain increased credentials and access to high-value data.
Memory-Based Attacks
As preventative solutions have become more advanced, one of the ways that attackers have adapted is by developing malware that is written directly into a computer’s memory. Commonly referred to as fileless malware, this approach uses the native administrative and security tools of the operating system to insert the malware into the computer memory, all without writing data to the physical disk.
Many traditional endpoint protection solutions are not able to identify memory-based threats, providing attackers with larger windows of opportunity to identify, access and exfiltrate valuable corporate data. In their report on Cyber Security Statistics for 2022, Purplesec reported that 77% of successful ransomware attacks used fileless techniques that completely bypassed the victim company's antivirus.
Get Magnet AXIOM Cyber Today
Volatile artifacts are an incredibly important aspect of incident response investigations and can often be the only means of identifying a threat on your system. To explore the insights provided by volatile artifacts for yourself, request a free trial of AXIOM Cyber today!