U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Checklist Program

National Checklist Program

NCP

  1. Checklist Repository

APT-Suspicious file names and file locations v0.4 Checklist Details (Checklist Revisions)

SCAP 1.2 Content:

Supporting Resources:

Target:

Target CPE Name
Microsoft Windows 7 cpe:/o:microsoft:windows_7 (View CVEs)
Microsoft Windows XP cpe:/o:microsoft:windows_xp (View CVEs)

Checklist Highlights

Checklist Name:
APT-Suspicious file names and file locations
Checklist ID:
517
Version:
v0.4
Type:
Specialized
Review Status:
Final
Authority:
Third Party: CyberESI
Original Publication Date:
04/04/2017

Checklist Summary:

This SCAP resource is meant to be a starting point for documenting malicious artifacts typically identified via computer forensic analysis and/or malware analysis. This set of rules consists of suspicious file names and suspicious location of files. These artifacts are typically associated with malware or intruder activity. Item 1 looks for ntshrui.dll located in a suspicious location. Item 2 recursively looks for the existence of svch0st.exe in a specific location, this file is typically malicious. Item 3 recursively looks for the existence of svchost.dll in a specific location, this file is typically malicious. Item 4 recursively looks for svchosts.exe in a specific location, this file is typically malicious. Item 5 recursively looks for the existence of winsvr.exe in a specific location, this file is typically malicious. Item 6 looks for mspk.sys and item 7 looks for Trojan.noise0, these artifacts are considered suspicious. These rules are only meant to point out the presence of these artifacts, and do not guarantee that the identified files are actually malicious.

Checklist Role:

  • Desktop Operating System

Known Issues:

None

Target Audience:

This checklist has been created for IT professionals, particularly Windows 7 and XP system administrators and information security personnel. The document assumes that the reader has experience installing and administering Windows-based systems in domain or standalone configurations.

Target Operational Environment:

  • Standalone
  • Sector-Specific Environment

Testing Information:

Windows 7 and XP workstations.

Regulatory Compliance:

N/A

Comments/Warnings/Miscellaneous:

For this checklist to be effective, the SCAP tool used must support directory recursion.

Disclaimer:

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. CyberESI assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. CyberESI would appreciate acknowledgement if the document and template are used.

Product Support:

CyberESI will provide best efforts support in line with the customer's support contract.

Point of Contact:

Contact@CyberESI.com

Sponsor:

Cyber Engineering Services (CyberESI)

Licensing:

Pursuant to title 17 Section 105 of the United States Code this document and template are not subject to copyright protection and are in the public domain.

Change History: 

Updated status to "Final" - 07 January 2015
Content Revision - 04/04/2017
Updated to FINAL - 05/05/2017

Dependency/Requirements:

URL Description

References:

Reference URL Description

NIST checklist record last modified on 05/06/2017