Exam CS0-003 topic 1 question 221 discussion

Actual exam question from CompTIA's CS0-003
Question #: 221
Topic #: 1

An incident response analyst is investigating the root cause of a recent malware outbreak. Initial binary analysis indicates that this malware disables host security services and performs cleanup routines on its infected hosts, including deletion of initial dropper and removal of event log entries and prefetch files from the host. Which of the following data sources would most likely reveal evidence of the root cause? (Choose two.)

  • A. Creation time of dropper
  • B. Registry artifacts
  • C. EDR data
  • D. Prefetch files
  • E. File system metadata
  • F. Sysmon event log
Suggested Answer: BE
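An added example, not part of the exam question or any commenter's post: a small Python timeline helper that encodes the reasoning behind the suggested answer. Event logs and prefetch files can only be trusted to exist from their oldest surviving record onward, so registry artifacts and file system metadata that predate that point are the evidence left for root-cause analysis. All sample artifacts, paths, key names and event texts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Artifact:
    ts: datetime   # timestamp recorded by the data source (constructed, UTC)
    source: str    # "fs_meta", "registry", "eventlog" or "prefetch"
    detail: str

# Data sources the question says the malware cleans up; records from them can
# only be trusted to exist from their oldest surviving entry onward.
VOLATILE = ("eventlog", "prefetch")

# Constructed sample: the dropper was deleted and logs/prefetch wiped, but the
# deleted MFT entry and a Run-key last-write time survive (hypothetical paths).
SAMPLE = [
    Artifact(datetime(2024, 5, 1, 9, 2, 0), "fs_meta",
             "deleted MFT entry C:\\Users\\u\\AppData\\Local\\Temp\\dropper.exe (created)"),
    Artifact(datetime(2024, 5, 1, 9, 2, 5), "registry",
             "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater (last write)"),
    Artifact(datetime(2024, 5, 1, 9, 3, 0), "fs_meta", "C:\\ProgramData\\svc.dll (created)"),
    Artifact(datetime(2024, 5, 1, 9, 10, 0), "eventlog", "Security 1102: audit log cleared"),
    Artifact(datetime(2024, 5, 1, 9, 10, 30), "eventlog", "Sysmon 1: svchost.exe process created"),
]

def build_timeline(artifacts):
    """Merge artifacts from all sources into one chronological list."""
    return sorted(artifacts, key=lambda a: a.ts)

def blind_windows(timeline):
    """For each volatile source, the span (earliest artifact, oldest surviving
    record) in which only non-volatile sources can show what happened.
    None as the end means the source has no surviving records at all."""
    start = timeline[0].ts
    out = {}
    for src in VOLATILE:
        first = next((a for a in timeline if a.source == src), None)
        out[src] = (start, first.ts if first else None)
    return out

def root_cause_candidates(timeline):
    """Non-volatile artifacts (registry, file system metadata) that predate the
    oldest surviving volatile record: the evidence the suggested answer points to."""
    cutoff = min((a.ts for a in timeline if a.source in VOLATILE), default=None)
    return [a for a in timeline
            if a.source not in VOLATILE and (cutoff is None or a.ts < cutoff)]

if __name__ == "__main__":
    tl = build_timeline(SAMPLE)
    for a in root_cause_candidates(tl):
        print(a.ts.isoformat(), a.source, a.detail)
    print(blind_windows(tl))
```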

Comments

Kmelaun
Highly Voted 1 year ago
Selected Answer: BE
The question says that the malware disables any host security services (which is C. EDR) and performs clean-up routines on its affected host, including deletion of the initial dropper (A. Creation time of dropper) and removal of event log entries (F. Sysmon event log) and prefetch files from the host (D. Prefetch files). So wouldn't the only ones left be B. Registry artifacts and E. File system metadata?
upvoted 21 times
kinny4000
7 months ago
Sysmon event logs are a separate service from Windows event logs; they weren't deleted.
upvoted 1 times
fuzzyguzzy
Most Recent 5 months ago
Selected Answer: BE
B. Registry artifacts, E. File system metadata. I was stuck between E and F, but the question says event logs were deleted, and file system metadata can be extracted through file recovery or by inspecting timestamps of modified files.
upvoted 1 times
cy_analyst
7 months ago
Selected Answer: BF
Sysmon logs provide detailed monitoring of system activity, including process creation, file modifications, and network activity. Sysmon operates independently from the normal Windows event logs, which the malware is likely trying to erase or manipulate. Even if the malware is trying to erase traditional event logs, Sysmon may still capture events like process execution (when the dropper first ran), file modifications, or network connections. Sysmon is typically harder for malware to disable or clean up fully, as it logs more granular details about system activity. Since the malware is tampering with logs, using an alternative logging source like Sysmon can provide more robust evidence of what happened.
upvoted 2 times
cy_analyst
6 months, 3 weeks ago
I changed my answer F for B because of the facts in this context: While EDR data can technically be tampered with or deleted if the malware has sufficiently high privileges, its architecture often makes it more difficult to fully wipe out, especially if data is sent remotely or tamper-resistant mechanisms are in place. This is why EDR data can sometimes still provide useful artifacts, even in scenarios where the attacker has high-level access.
upvoted 1 times
kinny4000
7 months ago
Selected Answer: BF
Everything has been tampered with other than the registry, file system metadata and Sysmon entries. So obviously the registry should be checked; it's between Sysmon and metadata. Sysmon will store more info than metadata, so Sysmon is the clear winner. (Sysmon is a separate logging system from Windows event logs; if set up properly, it can contain more data than Windows event logs.)
upvoted 1 times
SH_
7 months, 2 weeks ago
Selected Answer: BE
BE during forensic analysis
upvoted 1 times
section8santa
1 year, 1 month ago
Selected Answer: CF
C. EDR data: Endpoint Detection and Response (EDR) tools are designed to continuously monitor endpoint and network events and store this information in a centralized database. EDR data can provide detailed information about the processes that have been executed on the infected hosts, network connections that were established, and possibly the actions taken by the malware before event logs and prefetch files were deleted. F. Sysmon event log: System Monitor (Sysmon) is a Windows system service and device driver that remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time, which malware often modifies. Sysmon logs can be very comprehensive and, if configured properly before an incident, could provide information that regular event logs do not capture, especially since malware often targets and deletes standard Windows event logs to cover its tracks.
upvoted 2 times
RottenBarracuda
1 year, 1 month ago
Selected Answer: BF
EDR won't work if the malware is disabling it.
upvoted 2 times
Bogus1488
1 year, 1 month ago
Selected Answer: BE
B and E?
upvoted 4 times
Franky30
1 year, 1 month ago
Selected Answer: CE
B. Registry artifacts: Malware often leaves traces in the Windows Registry, and analyzing registry entries can provide insights into the activities of the malware, including changes made to the system settings. E. File system metadata: File system metadata, such as file creation times, modification times, and access times, can reveal information about the malware's actions, including the creation time of the initial dropper and other files manipulated during cleanup routines.
upvoted 4 times
Tdarling77
1 year, 1 month ago
C, E. Here are the two data sources most likely to reveal evidence of the root cause of the malware outbreak, considering the malware's cleanup routines: C. EDR data: Endpoint Detection and Response (EDR) solutions offer extensive visibility into endpoint activity. Even though the malware attempts to remove evidence by deleting prefetch files and event logs, EDR solutions might have already captured these details before they were erased. EDR can provide valuable information about the initial infection vector, suspicious processes, and network connections that could lead to the root cause. E. File system metadata: File system metadata includes information about files beyond their content, such as creation time, modification time, and access time. While the malware deletes the dropper file itself, the file system metadata associated with the deleted dropper file might still be present. This metadata, particularly the creation time (A.), could be crucial in pinpointing when the initial infection occurred and potentially identifying the entry point.
upvoted 1 times
Jhonattan0032
1 year, 2 months ago
Selected Answer: BF
Registry artifacts and Sysmon event log
upvoted 2 times
jspecht
1 year, 2 months ago
It says the malware removed event log entries so it's unclear exactly which ones. If Sysmon was not cleared, it would be very helpful in determining the root cause.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other