Research

WSH (Windows Script Host) is an automation tool built into Windows, providing powerful scripting abilities. It was introduced in Windows 98, long predating .NET and PowerShell. Whilst being largely abandoned by system administrators, It is sometimes used by attackers to evade detection and obfuscate their infection chains. Typically, an attacker will drop a malicious script on disk - a .vbs, .js or a .wsf file, and then execute it using either the WScript or the CScript host....

I was working on a case the other day, when I first came across a rather interesting registry key, HKLM\Software\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications. It caught my eye, because it has sub-keys for (what appears to be) applications executed on the system. This is what it looks like on my own system: It has quite a few sub-keys, and each one has a LastDetectionTime QWORD value, containing what appears to be a Windows FILETIME timestamp:...