The Wild Ambush

The Wild Ambush – SRUM and a gaze to the future of the world of defense

Abstract

SRUM is a forensic object that first appeared in Windows 8.

In this article we will learn about SRUM, its functions, the data it contains and how we can retrieve that information in order to assist us in a forensic investigation.

We will make this dry topic a little more interesting and see that, despite its important role, its activity can be disrupted relatively easily using a small PoC that we built.

We will see that this Log Prevention PoC is one example among a range of techniques attackers can use to prevent logging. Finally, we will try to sober up and look at cyberspace from above, in order to understand whether it is possible to get out of the cat and mouse cage that the attackers put us in.

The authors assume that the reader is familiar with the following topics:

  • Windows Internals
  • Windows Forensics
  • C++

SRUM

System Resource Usage Monitor, or SRUM for short, is a forensic object used to monitor the use of system resources.

This object contains a great deal of information about data and network usage, application usage, energy consumption on the endpoint and more.

From our conversations with information security specialists it turns out that many of them do not know it, which strengthened our desire to write an article on this subject.
SRUM first appeared in Windows 8 and is part of the Diagnostic Policy Service (DPS), an entire topic we will not cover in this article.

The svchost.exe process that hosts this service is the one that writes data into SRUM. This database stores a lot of forensic data on activities that take place on our endpoint. But how exactly does this happen?

The SRUDB.dat file functions as the persistent database, which is stored in the path:

path = %windir%\System32\sru

This database stores its data using Microsoft ESE (Extensible Storage Engine) technology, which Microsoft also uses in other products such as Microsoft Exchange Server, Active Directory and Windows Search.
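Before handing an acquired SRUDB.dat to an ESE parser, an examiner normally wants to confirm that the copy really is an ESE database and whether it was shut down cleanly, because a dirty copy (the common case when the file is copied from a live system while the DPS service still holds it open) may need recovery before every table can be read. The following script is an added example and is not code from the article or its authors; the header offsets (signature at offset 4, format version and file type at 8 and 12, database state at 52, page size at 236) and the state values are taken from the publicly documented ESE file format as described by the libesedb project and are assumptions here, as is the constructed sample header used for the offline demo.

```python
"""Sanity-check a copy of SRUDB.dat before handing it to an ESE parser.

Added example, not from the original article. Header offsets and state
values follow the publicly documented ESE database file format (as
described by libesedb); they are assumptions here, not article content.
"""
import struct
import sys
from dataclasses import dataclass

HEADER_SIZE = 240
ESE_SIGNATURE = b"\xef\xcd\xab\x89"   # bytes 4..7 of every ESE database file

# Database state field (offset 52) values, assumed from the ESE format docs.
ESE_STATES = {
    1: "just created",
    2: "dirty shutdown",
    3: "clean shutdown",
    4: "being converted",
    5: "force detach",
}


@dataclass
class EseHeader:
    format_version: int
    file_type: int       # 0 = database, 1 = streaming (log) file
    state: int
    page_size: int

    @property
    def state_name(self) -> str:
        return ESE_STATES.get(self.state, f"unknown ({self.state})")

    @property
    def clean(self) -> bool:
        return self.state == 3


def parse_ese_header(data: bytes) -> EseHeader:
    """Parse the fixed header at the start of an ESE file.

    Raises ValueError when the data is too short or lacks the ESE signature,
    which is the quickest way to spot a truncated or non-ESE acquisition.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError(f"header too short: {len(data)} bytes")
    if data[4:8] != ESE_SIGNATURE:
        raise ValueError("not an ESE database: signature mismatch at offset 4")
    format_version, file_type = struct.unpack_from("<II", data, 8)
    (state,) = struct.unpack_from("<I", data, 52)
    (page_size,) = struct.unpack_from("<I", data, 236)
    return EseHeader(format_version, file_type, state, page_size)


def assess(header: EseHeader) -> str:
    """Turn the header fields into the one-line verdict an examiner wants."""
    if header.file_type != 0:
        return "file type is not a database (streaming/log file?)"
    if not header.clean:
        # A dirty database usually needs esentutl recovery (/r) or repair (/p)
        # on a working copy before ESE parsers will read every table.
        return f"{header.state_name}: recover or repair a copy before parsing"
    return f"clean shutdown, page size {header.page_size} bytes"


def build_sample_header(state: int, page_size: int) -> bytes:
    """Constructed test header (not a real SRUDB.dat) carrying only the
    fields this script reads; everything else is left zeroed."""
    buf = bytearray(HEADER_SIZE)
    buf[4:8] = ESE_SIGNATURE
    struct.pack_into("<II", buf, 8, 0x620, 0)     # format version, file type
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<I", buf, 236, page_size)
    return bytes(buf)


def check_file(path: str) -> str:
    """Read only the header of an acquired SRUDB.dat copy and report its state."""
    with open(path, "rb") as fh:
        return assess(parse_ese_header(fh.read(HEADER_SIZE)))


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(check_file(sys.argv[1]))
    else:
        # Offline demo on constructed headers: one dirty, one clean.
        for state in (2, 3):
            sample = build_sample_header(state, 8192)
            print(state, "->", assess(parse_ese_header(sample)))
```

Run it with the path to an acquired copy (for example one exported from a forensic image) to get the verdict for that file; with no argument it demonstrates the dirty and clean cases on the constructed headers. Only the first 240 bytes are read, so the check is cheap enough to run on every SRUDB.dat collected from a fleet before spending time on full table extraction.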


By Shay Nachum and Orit Cohen

Shay Nachum – a former information security officer at the elite C4I unit “Mamram” and holder of a master's degree from the “Technion - Israel Institute of Technology”.

Orit Cohen - Expert OS developer and forensics enthusiast.
