Checklist Summary:

This SCAP resource is meant to be a starting point for documenting malicious artifacts typically identified via computer forensic analysis and/or malware analysis. This set of rules consists of suspicious file names and suspicious location of files. These artifacts are typically associated with malware or intruder activity. Definition 1 looks within the recycler for suspicious files. Definition 2 looks for the existence of winsrv.exe in a specific location, this file is typically malicious. Definition 3 looks for the existence of svch0st.exe in a specific location, this file is typically malicious. Definition 4 looks for the existence of svchost.dll in a specific location, this file is typically malicious. Definition 5 looks for the existence of svchosts.exe in a specific location, this file is typically malicious. Definition 6 looks for the file name sp0olsv or spo0lsv in a specific location, this file is typically malicious. Definition 7 looks for executable files or dynamic link libraries within the fonts folder. Definition 8 looks for executable files within the help folder. Definition 9 looks for executable files or dynamic link libraries within the debug folder. Definition 10 looks for ntshrui.dll located in a suspicious location. Definition 11 looks for a single character file name in a specific location. Definition 12 looks for the RAR utility which is commonly used to compress and encrypt content for exfiltration. Definition 13 looks for the existence of tabcteng.dll, a malicious file. Definition 14 looks for noise0.dat and definition 15 looks for mspk.sys, these artifacts are considered suspicious. These rules are only meant to point out the presence of these artifacts, and do not guarantee that the identified files are actually malicious.

Checklist Role:

• Desktop Operating System

Known Issues:

None

Target Audience:

This checklist has been created for IT professionals, particularly Windows XP system administrators and information security personnel. The document assumes that the reader has experience installing and administering Windows-based systems in domain or standalone configurations.

Target Operational Environment:

• Standalone
• Sector-Specific Environment

Testing Information:

Windows XP Workstation

Regulatory Compliance:

N/A

Comments/Warnings/Miscellaneous:

For this checklist to be effective, the SCAP tool used must support directory recursion.

Disclaimer:

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. CyberESI assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. CyberESI would appreciate acknowledgement if the document and template are used.

Product Support:

CyberESI will provide best efforts support in line with the customer's support contract.

Point of Contact:

Contact@CyberESI.com

Sponsor:

CyberESI

Licensing:

Pursuant to title 17 Section 105 of the United States Code this document and template are not subject to copyright protection and are in the public domain.

Change History:

Added additional content to the summary section.
Check/change SCAP expressed status
We have added several more definitions and modified a regular expression.
Changed the summary information. Removed comments about definitions 16 and 17.

Dependency/Requirements:

URL	Description

References:

Reference URL	Description

NIST checklist record last modified on 06/07/2011