Use This Windows Feature To Help Track a Hacker's Moves During a Data Breach

By Christopher Sanchez, ERMProtect, Senior Information Security Manager

Most companies have a robust incident response plan that requires an internal team or service provider to be at the ready should a data breach occur. While these teams may each have their own means of detecting and responding to cyberattacks, all of them have in common the requirement to collect data related to a breach, whether from logs or other sources.

Collecting that data gives incident response members the ability to look back at past events and learn what occurred during a given time frame: the execution of a program, the transfer of information, user logons and so forth.

For companies that do not maintain extensive network traffic logs, or that want to enhance their current logging process, the System Resource Usage Monitor (SRUM) feature in Windows is a good option. It gives investigators a per-application record of bytes sent and received, which can reveal data exfiltration by ransomware or other tooling on hosts where transferred data is not being logged, or not logged in enough detail.

A Complement To Logs

It should be stated, though, that the SRUM feature is not something that should replace logging for Windows systems but rather complement it.

System Resource Usage Monitor (SRUM) is a feature introduced in Windows 8 for diagnostics. It monitors applications, services, and network connections and records them into an ESE database held on the system at %SystemRoot%\System32\sru\SRUDB.dat. Counters are kept in memory and flushed to the database roughly once an hour, so the timestamps in the database mark the flush, not the moment of the activity. The file is locked while Windows is running, so collect it from a volume shadow copy or a disk image rather than copying it directly.

The major benefit of this, from a forensic and incident response standpoint, is the ability to see the amount of data that applications have transferred and when the transfers occurred, as it maintains a database of historical activity. SRUM collects the following information into its database which may be useful for incident response teams:

1. Network connectivity
   1. Interface type and ID
   2. Network profile ID
   3. Time the connection was established
   4. Length of time connected

2. Network data usage
   1. Application or service that consumed the data, and the user SID it ran under
   2. Bytes uploaded and downloaded
   3. Interface type and ID
   4. Network profile ID

3. Windows push notifications

Good Tool For Data Breaches

SRUM is invaluable for an incident response team to determine which programs ran and how much data they sent. If ransomware were to infect a corporation where logs are not properly recorded, at the very least SRUM allows you to determine whether the program has spoken out to the internet and the total number of bytes it sent and/or received, and during which hourly windows.

One of the major tools to go alongside SRUM is one created by Mark Baggett. The tool srum-dump (https://github.com/MarkBaggett/srum-dump) parses the SRUM database, optionally using the system's SOFTWARE registry hive to resolve network profile and interface names, and presents the information in a much easier and more digestible fashion in an Excel file.

The output has proven useful in many of our investigations by giving a little more clarity on which processes and applications have run on a system and how much data each has transmitted. It gives good insight into the programs an attacker ran even when they attempt to hide their footsteps, because SRUM is populated by the operating system and is rarely cleared by intruders.
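The triage step the two paragraphs above describe, as an added example that is not part of the original article and not code from srum-dump itself: it reads a srum-dump style Network Data Usage table, totals bytes sent and received per application and user SID, and flags entries whose outbound volume and upload-to-download ratio look like exfiltration. The column names assume the srum-dump spreadsheet was saved as CSV; the sample rows, the 1 GiB threshold and the 10:1 ratio are constructed for illustration and are not from the article.

```python
"""
Triage a srum-dump style 'Network Data Usage' export for possible exfiltration.

Added example, not part of the original article or of srum-dump itself.
Assumptions (not from the article): the spreadsheet srum-dump produces has
been saved as CSV with the columns named below; the byte threshold and the
upload/download ratio used to flag an application are arbitrary triage values.
"""
import csv
import io
from datetime import datetime

# Constructed sample rows in the layout assumed above. Timestamps are the hourly
# SRUM flush times; bytes are per application, per interface, per flush.
SAMPLE_CSV = """\
SRUM ENTRY ID,SRUM ENTRY CREATION,Application,User SID,Interface,Profile,Bytes Sent,Bytes Received
101,2024-03-04 09:00:00,chrome.exe,S-1-5-21-1111-2222-3333-1001,Ethernet,Corp-LAN,2100000,48000000
102,2024-03-04 10:00:00,chrome.exe,S-1-5-21-1111-2222-3333-1001,Ethernet,Corp-LAN,1800000,39000000
103,2024-03-04 10:00:00,svchost.exe,S-1-5-18,Ethernet,Corp-LAN,400000,9000000
104,2024-03-04 02:00:00,rclone.exe,S-1-5-21-1111-2222-3333-1001,Ethernet,Corp-LAN,6500000000,1200000
105,2024-03-04 03:00:00,rclone.exe,S-1-5-21-1111-2222-3333-1001,Ethernet,Corp-LAN,4100000000,900000
106,2024-03-04 03:00:00,teams.exe,S-1-5-21-1111-2222-3333-1001,Ethernet,Corp-LAN,300000,5000000
"""

UPLOAD_THRESHOLD = 1 * 1024**3   # flag more than 1 GiB sent in total (arbitrary)
RATIO_THRESHOLD = 10.0           # flag sent/received ratio above 10:1 (arbitrary)


def parse_rows(text):
    """Parse the CSV text into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "when": datetime.strptime(r["SRUM ENTRY CREATION"], "%Y-%m-%d %H:%M:%S"),
            "app": r["Application"],
            "sid": r["User SID"],
            "iface": r["Interface"],
            "sent": int(r["Bytes Sent"]),
            "recv": int(r["Bytes Received"]),
        })
    return rows


def summarize(rows):
    """Total bytes sent/received per (application, user SID), with first/last flush times."""
    totals = {}
    for r in rows:
        key = (r["app"], r["sid"])
        t = totals.setdefault(key, {"sent": 0, "recv": 0, "first": r["when"], "last": r["when"]})
        t["sent"] += r["sent"]
        t["recv"] += r["recv"]
        t["first"] = min(t["first"], r["when"])
        t["last"] = max(t["last"], r["when"])
    return totals


def flag_exfil_candidates(totals, upload_threshold=UPLOAD_THRESHOLD, ratio_threshold=RATIO_THRESHOLD):
    """Return (app, sid) keys whose outbound volume looks like exfiltration."""
    flagged = []
    for key, t in totals.items():
        ratio = t["sent"] / t["recv"] if t["recv"] else float("inf")
        if t["sent"] >= upload_threshold and ratio >= ratio_threshold:
            flagged.append(key)
    return sorted(flagged)


def report(text):
    """One human-readable line per flagged application, with the hourly window it was active in."""
    totals = summarize(parse_rows(text))
    lines = []
    for app, sid in flag_exfil_candidates(totals):
        t = totals[(app, sid)]
        lines.append(f"{app} ({sid}): {t['sent'] / 1024**2:.0f} MiB sent, "
                     f"{t['recv'] / 1024**2:.0f} MiB received, "
                     f"between {t['first']:%Y-%m-%d %H:%M} and {t['last']:%Y-%m-%d %H:%M}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CSV):
        print(line)
```

Because SRUM records the hourly flush rather than the moment of transfer, treat the reported window as "sometime in the hour before each flush" when lining it up against other timelines, and remember that a host that was never rebooted and a SOFTWARE hive for name resolution will give you the most complete picture.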

If you need help with a data breach, our incident response team stands ready to help utilizing techniques and methodologies developed in our 24 years in business as a cybersecurity services firm. Learn more about our digital forensic and incident response services here.
