Forensic Friday - Profile Lists
What are Profile Lists?
Windows keeps track of user-profiles and their locations in the registry. The profile location is stored under the key below:
This registry key contains one subkey, named after the account's SID, for each user profile on a Windows machine. Inside each of these subkeys is a registry value called ProfileImagePath that holds the on-disk profile path for that user. From the key you can obtain information about user profiles such as the profile's last modified time (the key's last write time), the profile path, and much more.
When do Profile Lists have value?
Once a threat actor gains a foothold in an environment, the next step is to obtain valid credentials so that they can move laterally throughout the environment. As you would expect, identifying the user accounts the attackers used helps in many ways, such as:
Identifying the systems that were accessed.
Understanding the access obtained in the environment.
Threat hunting the logs for the username.
Many sophisticated threat actors will clean up their tracks by deleting the user profile from the servers on their way out. Other times the impacted organization itself identifies and deletes the user profile the threat actors were using from the host. Some artifacts are lost from a forensics perspective once the profile is deleted. Luckily, an artifact does remain that will inform the investigator that the profile existed on the host; this is where the profile list comes in. You can see what the Profile List registry location looks like in the image below. When a user profile is deleted from the host, the profile will still exist in the registry with the .bak extension appended to the SID for the user. This can be of great value when you are working on an incident response engagement.
A file with the BAK file extension is a backup file. This file type is used by many different applications, all for the same purpose: to store a copy of one or more files for backup purposes. Most BAK files are created automatically by a program that needs to store a backup. This could be anything from a web browser storing backed-up bookmarks to a dedicated backup program archiving one or more files. BAK files are sometimes created manually by a program's user, too. For example, you might create one if you want to edit the file but not make changes to the original. So, instead of moving the file out of its original folder, writing over it with new data, or deleting it altogether, you might append ".BAK" to the end of the file for safekeeping.
How to analyze the Profile List?
There are many ways you can analyze the profile list. If you have access to the host, you can use the Registry Editor to navigate to the Profile List location. If you have a forensic image of the host, you can pull the SYSTEM hive. The SYSTEM hive is located at C:\Windows\System32\config\SYSTEM. Once you have a copy of the hive, you can use a tool like Registry Explorer to navigate the hive. In some cases, you might have an EDR installed on the host. Most leading EDR platforms will allow you to navigate the registry using native features of the EDR platform.
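The following PowerShell script is an added triage example written for this post; it is not code from the original article or from Inception Security. It covers both the deleted-profile (.bak) behaviour described above and the "how to analyze" steps: it walks every subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList (the well-known location of the Profile List, which lives under the SOFTWARE hive), reads ProfileImagePath, resolves the SID to an account name where the account still exists, flags keys carrying the .bak suffix, checks whether the profile folder is still present on disk, and pulls the key's last write time through RegQueryInfoKey because PowerShell does not expose it directly. It assumes it runs on the live host with rights to read HKLM; the function names are this example's own.

```powershell
# Added example (not from the original post): triage the ProfileList key for
# deleted or orphaned user profiles. Assumes local read access to HKLM.

# RegQueryInfoKey is the documented way to read a key's last write time.
Add-Type -Namespace Forensics -Name RegKeyInfo -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, System.Text.StringBuilder lpClass, ref uint lpcbClass, IntPtr lpReserved,
    out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen,
    out uint lpcValues, out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen,
    out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-RegKeyLastWriteTime {
    # Returns the last write time (UTC) of an open RegistryKey, or $null on failure.
    param([Microsoft.Win32.RegistryKey]$Key)
    $class   = New-Object System.Text.StringBuilder 255
    $cbClass = [uint32]255
    $u = [uint32]0          # scratch for the counts we do not need
    $ft = [long]0           # FILETIME written by the API
    $rc = [Forensics.RegKeyInfo]::RegQueryInfoKey(
        $Key.Handle.DangerousGetHandle(), $class, [ref]$cbClass, [IntPtr]::Zero,
        [ref]$u, [ref]$u, [ref]$u, [ref]$u, [ref]$u, [ref]$u, [ref]$u, [ref]$ft)
    if ($rc -ne 0) { return $null }
    return [DateTime]::FromFileTimeUtc($ft)
}

function Get-ProfileListTriage {
    # One object per ProfileList subkey; .bak keys and missing folders are the
    # entries an investigator looks at first.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList')
    if (-not $root) { throw 'ProfileList key not found or not readable.' }

    foreach ($name in $root.GetSubKeyNames()) {
        $sub = $root.OpenSubKey($name)
        if (-not $sub) { continue }

        $imagePath = $sub.GetValue('ProfileImagePath')   # REG_EXPAND_SZ, expanded by GetValue
        $isBak     = $name -like '*.bak'                 # leftover key of a removed profile
        $sid       = $name -replace '\.bak$', ''

        # Translate the SID; a deleted local account or an unreachable domain will fail here.
        $account = '<unresolved>'
        try {
            $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { }

        $folderExists = $false
        if ($imagePath) { $folderExists = Test-Path -LiteralPath $imagePath }

        [pscustomobject]@{
            Sid                  = $sid
            Account              = $account
            ProfileImagePath     = $imagePath
            DeletedProfileBackup = $isBak
            FolderExistsOnDisk   = $folderExists
            KeyLastWriteUtc      = Get-RegKeyLastWriteTime -Key $sub
        }
        $sub.Close()
    }
    $root.Close()
}

# Most recently modified entries first; .bak keys and entries whose folder is gone
# are the ones worth pivoting on in the logs.
Get-ProfileListTriage | Sort-Object KeyLastWriteUtc -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the host (or through an EDR's remote shell); rows with DeletedProfileBackup set to True or FolderExistsOnDisk set to False are the profiles that no longer exist but left the Profile List entry behind, and the Sid column gives you the value to hunt for in event logs. To run it against an offline copy of the hive instead, load the extracted SOFTWARE hive with `reg load HKLM\OfflineSoftware <path-to-hive>` and change the OpenSubKey path to `OfflineSoftware\Microsoft\Windows NT\CurrentVersion\ProfileList`; the folder-on-disk check is then meaningless and should be read against the image rather than the examiner's machine.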
We are here to help!
Are you looking for ongoing advisory services to assist in identifying vulnerabilities and the security policies that should be in place, and to help improve your security posture? The team at Inception Security™ has been engaged to enhance the security posture of Fortune 100 companies as well as small and medium-sized businesses. Our team has a depth of knowledge in the cybersecurity industry and will be able to provide value to your business right away.
Contact Inception Security if your company is looking for advisory services.