🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page
  • Understanding Drive-By Downloads
  • How They Work
  • Detecting Drive-By Downloads on Windows
  • Best Practices for Prevention
  • Forensic Analysis

Was this helpful?

  1. Windows Artifacts
  2. File Download

Drive By Downloads

Understanding Drive-By Downloads

Drive-by downloads can be initiated by simply visiting a website with malicious content, without any interaction from the user (such as clicking on a link). These threats often leverage:

  • Exploits in Web Browsers: Outdated or vulnerable browsers can be exploited to download malware.

  • Compromised Websites: Legitimate websites that have been hacked to serve malware.

  • Malvertising: Malicious advertisements on legitimate sites that can redirect users to malware-serving pages.

How They Work

  1. Initial Contact: The user visits a compromised website, which contains malicious code.

  2. Exploit: The malicious code exploits vulnerabilities in the browser or its plugins.

  3. Download and Execute: Malware is downloaded and executed on the user’s system, often without their knowledge.

Detecting Drive-By Downloads on Windows

Detection of drive-by downloads involves monitoring for suspicious activities and artifacts indicative of unauthorized downloads or executions. Key strategies include:

Security Software

  • Antivirus and EDR Solutions: Continuously monitor for malware signatures and suspicious behaviors, including unauthorized downloads and executions.

Browser and Plugin Updates

  • Regular Updates: Keeping browsers and plugins updated reduces vulnerabilities that can be exploited by malicious websites.

Network Monitoring Tools

  • Traffic Analysis: Tools like Wireshark can monitor network traffic for suspicious activities, including connections to known malicious domains.

System Logs and Artifacts

  • Windows Event Logs: Monitor security and application logs for suspicious entries indicating unauthorized activities.

File System Monitoring

  • Unexpected Files or Directories: Automated tools can monitor file systems for the creation of new, unexpected files or directories, often used by malware.

Best Practices for Prevention

  • Use Up-to-date Security Software: Ensure comprehensive security solutions are installed and regularly updated.

  • Enable Software Restriction Policies: Use policies to block the execution of programs from common malware locations, such as temporary folders.

  • Educate Users: Training on the risks of malicious websites and the importance of cautious web browsing can reduce the risk of drive-by downloads.

Forensic Analysis

In the aftermath of a suspected drive-by download, forensic analysis can help in identifying the source and impact of the infection. This includes:

  • Timeline Analysis: Constructing a timeline of events to understand the sequence of actions leading to the malware infection.

  • Artifact Examination: Analyzing artifacts such as browser history, cache, and system logs to identify the infection vector.

  • Malware Analysis: Examining the downloaded malware to understand its capabilities, origin, and potential data exfiltration activities.

Detecting drive-by downloads on Windows systems requires a combination of technical safeguards, user education, and vigilant monitoring of system and network activities. By employing a multi-layered security approach, organizations and individuals can significantly reduce the risk of malware infection through drive-by downloads.

PreviousEmailNextMalvertising

Last updated 1 year ago

Was this helpful?

: Windows prefetch (%SystemRoot%\Prefetch) contains files that can show the execution of unexpected or unknown applications.

and : Examination of browser cache and history can reveal visits to known malicious sites or unexpected file downloads.

Prefetch Files
Browser Cache
History