An In-kernel Forensics Engine for Investigating Evasive Attacks
Javad Zandi, Lalchandra Rampersaud, Amin Kharraz
TL;DR
This work addresses the need for fine-grained, system-wide forensic visibility against evasive attacks while minimizing detectable artifacts. It introduces LASE, an open-source in-kernel forensics engine for Windows that records run-time behavior across processes, threads, and I/O without modifying user-space APIs, and demonstrates its utility in bare-metal malware analysis and cloud-based threat intelligence. Through large-scale deployments, the authors show that LASE increases observed malicious activity, captures detailed artifacts (including IRPs and registry events), and yields a valuable dataset for threat research and longitudinal analysis. The results indicate that in-kernel, low-artifact instrumentation can substantially enhance threat understanding and defense, and the provided dataset and tooling invite broader community contributions to threat intelligence and behavioral catalogs.
Abstract
Over the years, adversarial attempts against critical services have become more effective and sophisticated in launching low-profile attacks. This trend has always been concerning. However, an even more alarming trend is the increasing difficulty of collecting relevant evidence about these attacks and the involved threat actors in the early stages before significant damage is done. This issue puts defenders at a significant disadvantage, as it becomes exceedingly difficult to understand the attack details and formulate an appropriate response. Developing robust forensics tools to collect evidence about modern threats has never been easy. One main challenge is to provide a robust trade-off between achieving sufficient visibility while leaving minimal detectable artifacts. This paper will introduce LASE, an open-source Low-Artifact Forensics Engine to perform threat analysis and forensics in Windows operating system. LASE augments current analysis tools by providing detailed, system-wide monitoring capabilities while minimizing detectable artifacts. We designed multiple deployment scenarios, showing LASE's potential in evidence gathering and threat reasoning in a real-world setting. By making LASE and its execution trace data available to the broader research community, this work encourages further exploration in the field by reducing the engineering costs for threat analysis and building a longitudinal behavioral analysis catalog for diverse security domains.
