Windows Covert Compilers III.
DFIR ARTIFACTS
Dénes Olivér Óvári, Detection and Response Architect
CSIS Security Group A/S
A three-part blog series focusing on the Digital Forensics and Incident Response aspect of the compilers shipped with the Windows operating system and their usage from PowerShell.
- Part I: C#, Visual Basic and JScript – all within PowerShell
- Part II: Under the Hood
- Part III: DFIR Artifacts
This post describes some of the typical artifacts left behind if the built-in C#, Visual Basic or JScript compilers are used in Windows through PowerShell.
All the artifacts listed below are collected and analysed by CSIS' proprietary Chronos platform.
Temporary directory
A file name consisting of 8 random characters is used to name the temporary files created by TempFileCollection, such as mxsuwxha.
These files get deleted almost immediately and, due to caching, will not leave any artifacts on disk. The only exception is when PowerShell runs as an elevated process: then the files are dropped into a directory with the same name, such as %TEMP%\mxsuwxha, and this folder might remain on the disk.
Prefetch files
The Prefetch files associated with the external executables used might contain entries referring to the temporary files located either in %TEMP% or in %TEMP%\mxsuwxha, and to the "Resource File To COFF Object Conversion Utility" (cvtres.exe) as well.
Below we show examples for each of these filenames. Remember: all of them contain random characters except for cvtres.exe.
C# and Visual Basic
- csc.exe / vbc.exe: [table of example Prefetch entries; not recoverable from this copy]
- cvtres.exe: [table of example Prefetch entries; not recoverable from this copy]
JScript
- cvtres.exe: [table of example Prefetch entries; not recoverable from this copy]
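The following PowerShell script is an added example, not code from the original post or from CSIS. It hunts for the two artifact types described above: leftover TempFileCollection directories and loose temporary files under %TEMP%, and Prefetch files for csc.exe, vbc.exe and cvtres.exe. It assumes that the random names are 8 alphanumeric characters as in mxsuwxha, that Prefetch files follow the standard NAME.EXE-XXXXXXXX.pf naming under %SystemRoot%\Prefetch, and that the extensions listed in $CompilerExtensions are the ones CodeDom compilation normally produces (the post does not list them, so treat that list as an assumption). All function and variable names are the example's own.

```powershell
# Added example (not from the original post): hunting for the artifacts described above.
# Assumptions: TempFileCollection names are 8 alphanumerics (as in "mxsuwxha"), Prefetch
# lives in %SystemRoot%\Prefetch with the standard NAME.EXE-XXXXXXXX.pf naming, and the
# extensions in $CompilerExtensions are those usually produced by CodeDom compilation
# (they are not listed on the page; treat them as an assumption).
[CmdletBinding()]
param(
    [string]$TempRoot    = $env:TEMP,
    [string]$PrefetchDir = (Join-Path $env:SystemRoot 'Prefetch'),
    [int]$LookbackDays   = 30
)

$RandomNamePattern  = '^[a-z0-9]{8}$'
$CompilerExtensions = @('.cs', '.vb', '.js', '.cmdline', '.out', '.err', '.dll', '.pdb', '.tmp')
$CompilerPrefetch   = '^(CSC|VBC|CVTRES)\.EXE-[0-9A-F]{8}\.pf$'

function Find-CompilerTempDirectory {
    # Leftover %TEMP%\<8 random chars> folders. The post notes these are only expected
    # to survive when PowerShell ran elevated, so any hit is worth a closer look.
    param([string]$Root = $TempRoot)
    Get-ChildItem -LiteralPath $Root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $RandomNamePattern } |
        ForEach-Object {
            $dir   = $_
            $files = @(Get-ChildItem -LiteralPath $dir.FullName -File -Recurse -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Path          = $dir.FullName
                CreatedUtc    = $dir.CreationTimeUtc
                FileCount     = $files.Count
                CompilerFiles = @($files | Where-Object { $_.Extension -in $CompilerExtensions }).Count
            }
        }
}

function Find-CompilerTempFile {
    # Loose temp files named <8 random chars>[.<n>].<ext> directly in %TEMP%,
    # e.g. mxsuwxha.cmdline or mxsuwxha.0.cs (BaseName is "mxsuwxha.0", Extension ".cs").
    param([string]$Root = $TempRoot)
    Get-ChildItem -LiteralPath $Root -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^[a-z0-9]{8}(\.\d+)?$' -and $_.Extension -in $CompilerExtensions } |
        Select-Object FullName, LastWriteTimeUtc, Length
}

function Get-CompilerPrefetch {
    # Prefetch files for csc.exe, vbc.exe and cvtres.exe. LastWriteTime approximates the
    # most recent execution. The embedded list of referenced files (where the random temp
    # names from the post would appear) is compressed on Windows 8 and later and needs a
    # dedicated Prefetch parser; this function only surfaces which .pf files to parse.
    # Reading the Prefetch directory normally requires administrative rights.
    param([string]$Dir = $PrefetchDir, [int]$Days = $LookbackDays)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -LiteralPath $Dir -Filter '*.pf' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $CompilerPrefetch -and $_.LastWriteTime -ge $since } |
        Select-Object Name, LastWriteTimeUtc, Length |
        Sort-Object LastWriteTimeUtc -Descending
}

Write-Host "== Leftover TempFileCollection directories under $TempRoot =="
Find-CompilerTempDirectory | Format-Table -AutoSize

Write-Host "== Loose compiler temp files under $TempRoot =="
Find-CompilerTempFile | Format-Table -AutoSize

Write-Host "== Compiler Prefetch files modified in the last $LookbackDays days =="
Get-CompilerPrefetch | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the host under investigation, or point -TempRoot and -PrefetchDir at a mounted image. An empty Prefetch result does not rule out compiler use: Prefetch can be disabled, and entries age out as the directory fills, so the temporary-directory and Event Log artifacts should be checked alongside it. Any .pf file the script surfaces should then be run through a Prefetch parser to recover the referenced temp file names the post describes.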
Windows Event Log
The expected PowerShell-related Event Log entries (see [1]) could be observed.
Thanks to my colleague, Conor Kelly for his review.
"Jscript, Microsoft, PowerShell, Windows are trademarks of the Microsoft group of companies."
References
[1] Vikas, PowerShell Command History Forensics, 2020.