Table of Contents
Fetching ...

An In-kernel Forensics Engine for Investigating Evasive Attacks

Javad Zandi, Lalchandra Rampersaud, Amin Kharraz

TL;DR

This work addresses the need for fine-grained, system-wide forensic visibility against evasive attacks while minimizing detectable artifacts. It introduces LASE, an open-source in-kernel forensics engine for Windows that records run-time behavior across processes, threads, and I/O without modifying user-space APIs, and demonstrates its utility in bare-metal malware analysis and cloud-based threat intelligence. Through large-scale deployments, the authors show that LASE increases observed malicious activity, captures detailed artifacts (including IRPs and registry events), and yields a valuable dataset for threat research and longitudinal analysis. The results indicate that in-kernel, low-artifact instrumentation can substantially enhance threat understanding and defense, and the provided dataset and tooling invite broader community contributions to threat intelligence and behavioral catalogs.

Abstract

Over the years, adversarial attempts against critical services have become more effective and sophisticated in launching low-profile attacks. This trend has always been concerning. However, an even more alarming trend is the increasing difficulty of collecting relevant evidence about these attacks and the involved threat actors in the early stages before significant damage is done. This issue puts defenders at a significant disadvantage, as it becomes exceedingly difficult to understand the attack details and formulate an appropriate response. Developing robust forensics tools to collect evidence about modern threats has never been easy. One main challenge is to provide a robust trade-off between achieving sufficient visibility while leaving minimal detectable artifacts. This paper will introduce LASE, an open-source Low-Artifact Forensics Engine to perform threat analysis and forensics in Windows operating system. LASE augments current analysis tools by providing detailed, system-wide monitoring capabilities while minimizing detectable artifacts. We designed multiple deployment scenarios, showing LASE's potential in evidence gathering and threat reasoning in a real-world setting. By making LASE and its execution trace data available to the broader research community, this work encourages further exploration in the field by reducing the engineering costs for threat analysis and building a longitudinal behavioral analysis catalog for diverse security domains.

An In-kernel Forensics Engine for Investigating Evasive Attacks

TL;DR

This work addresses the need for fine-grained, system-wide forensic visibility against evasive attacks while minimizing detectable artifacts. It introduces LASE, an open-source in-kernel forensics engine for Windows that records run-time behavior across processes, threads, and I/O without modifying user-space APIs, and demonstrates its utility in bare-metal malware analysis and cloud-based threat intelligence. Through large-scale deployments, the authors show that LASE increases observed malicious activity, captures detailed artifacts (including IRPs and registry events), and yields a valuable dataset for threat research and longitudinal analysis. The results indicate that in-kernel, low-artifact instrumentation can substantially enhance threat understanding and defense, and the provided dataset and tooling invite broader community contributions to threat intelligence and behavioral catalogs.

Abstract

Over the years, adversarial attempts against critical services have become more effective and sophisticated in launching low-profile attacks. This trend has always been concerning. However, an even more alarming trend is the increasing difficulty of collecting relevant evidence about these attacks and the involved threat actors in the early stages before significant damage is done. This issue puts defenders at a significant disadvantage, as it becomes exceedingly difficult to understand the attack details and formulate an appropriate response. Developing robust forensics tools to collect evidence about modern threats has never been easy. One main challenge is to provide a robust trade-off between achieving sufficient visibility while leaving minimal detectable artifacts. This paper will introduce LASE, an open-source Low-Artifact Forensics Engine to perform threat analysis and forensics in Windows operating system. LASE augments current analysis tools by providing detailed, system-wide monitoring capabilities while minimizing detectable artifacts. We designed multiple deployment scenarios, showing LASE's potential in evidence gathering and threat reasoning in a real-world setting. By making LASE and its execution trace data available to the broader research community, this work encourages further exploration in the field by reducing the engineering costs for threat analysis and building a longitudinal behavioral analysis catalog for diverse security domains.
Paper Structure (18 sections, 4 figures, 8 tables)

This paper contains 18 sections, 4 figures, 8 tables.

Figures (4)

  • Figure 1: The high-level view of Lase's architecture. Lase provides a system-wide multi-process forensics engine by defining three in-kernel modules: (1) Process and thread module, (2) Filesystem and I/O module, (3) Event recording module. In this figure, Lase records run-time behavior of the malicious process that uses DLL injection to launch a proxy attack.
  • Figure 2: The collected artifacts for a micro-based malware attack. The malicious process invokes 15 processes in the background to launch a successful attack.
  • Figure 3: File system activities in Lase-enabled machines in baremetal and virtual environments. The results show that malware samples manifest more activities in the baremetal environment, resulting in more dropped files and execution payloads.
  • Figure 4: Distribution of the origin of successful attacks. While US-based attacks are the largest by volume, we observed that most of them are being abused as proxy nodes.