An In-kernel Forensics Engine for Investigating Evasive Attacks
Javad Zandi, Lalchandra Rampersaud, Amin Kharraz

TL;DR
This paper introduces LASE, a low-artifact in-kernel forensics engine for Windows that enhances threat investigation by providing detailed system monitoring with minimal detectable artifacts, aiding early attack detection.
Contribution
The paper presents LASE, an open-source in-kernel forensics tool that balances visibility and stealth, and demonstrates its effectiveness in real-world threat analysis scenarios.
Findings
LASE provides detailed system-wide monitoring with minimal artifacts.
Deployment scenarios show LASE's effectiveness in evidence gathering.
Open-source release encourages further research and behavioral analysis.
Abstract
Over the years, adversarial attempts against critical services have become more effective and sophisticated in launching low-profile attacks. This trend has always been concerning. However, an even more alarming trend is the increasing difficulty of collecting relevant evidence about these attacks and the involved threat actors in the early stages before significant damage is done. This issue puts defenders at a significant disadvantage, as it becomes exceedingly difficult to understand the attack details and formulate an appropriate response. Developing robust forensics tools to collect evidence about modern threats has never been easy. One main challenge is to provide a robust trade-off between achieving sufficient visibility while leaving minimal detectable artifacts. This paper will introduce LASE, an open-source Low-Artifact Forensics Engine to perform threat analysis and forensics…
Taxonomy
Topics: Digital and Cyber Forensics · Security and Verification in Computing · Network Security and Intrusion Detection
