Host-level artifacts of compromise are the persistent indicators attackers leave on compromised systems: unauthorized files, registry modifications, anomalous processes, and configuration changes that reveal infection, persistence, and execution activity in computer and cyber forensics investigations.
These artifacts persist across reboots and provide concrete evidence of dwell time, capabilities, and tactics, complementing volatile memory analysis with disk-based proof. Identifying them enables investigators to map attack timelines, attribute behaviors to threat actors, and develop targeted mitigations against sophisticated intrusions.
Persistence Mechanisms
Persistence artifacts ensure malware survives reboots and system changes.
Registry Run/RunOnce keys (Windows: HKLM\Software\Microsoft\Windows\CurrentVersion\Run) execute payloads at startup. Scheduled tasks (listed with schtasks /query) launch on their configured triggers; WMI event subscriptions persist in the WMI repository.
Linux cron jobs (/var/spool/cron) and systemd timers provide similar functionality.
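The three persistence sources above differ in layout but triage the same way: normalize each entry to a launched executable, then ask where that executable lives. The script below is an added example, not code from the page; the Run key values, scheduled-task commands and crontab lines are constructed, and the EXPECTED_DIRS allow-list is an assumption to be tuned against a known-good baseline.

```python
"""Normalize persistence entries from Run keys, scheduled tasks and cron
into one record shape and flag the ones worth a closer look."""
from dataclasses import dataclass, field

# Assumption: directories legitimate startup entries normally run from.
# Tune this allow-list to your own known-good baseline (e.g. Autoruns output).
EXPECTED_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
    "/usr/bin/", "/usr/sbin/", "/usr/local/bin/", "/opt/",
)
# Staging locations the page names as typical dropper locations.
STAGING_DIRS = ("c:\\windows\\temp\\", "\\appdata\\local\\temp\\", "%temp%", "/tmp/", "/dev/shm/")


@dataclass
class PersistenceEntry:
    source: str            # "run_key", "schtask" or "cron"
    name: str              # value name, task path or crontab line index
    command: str           # full command line as stored in the source
    reasons: list = field(default_factory=list)


def executable_path(command: str) -> str:
    """Return the launched binary from a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def cron_command(line: str) -> str:
    """Strip the schedule from a crontab line ('@reboot cmd' or 'm h dom mon dow cmd')."""
    parts = line.split(None, 1)
    if parts and parts[0].startswith("@"):
        return parts[1] if len(parts) > 1 else ""
    fields = line.split(None, 5)
    return fields[5] if len(fields) == 6 else ""


def triage(entry: PersistenceEntry) -> PersistenceEntry:
    """Attach human-readable reasons to an entry; an empty list means nothing odd."""
    exe = executable_path(entry.command).lower()
    if any(marker in exe for marker in STAGING_DIRS):
        entry.reasons.append("runs from a temp/staging directory")
    elif not any(exe.startswith(d) for d in EXPECTED_DIRS):
        entry.reasons.append("executable outside expected program directories")
    return entry


# Constructed sample data standing in for collector output (not from a real host).
RUN_KEY_VALUES = {          # HKLM\...\CurrentVersion\Run value name -> data
    "VendorAgent": r'"C:\Program Files\Vendor\agent.exe" /background',
    "OneDriveSync": r"C:\Windows\Temp\svc.exe -q",
}
SCHEDULED_TASKS = {         # task path -> "Task To Run" column of schtasks /query /v
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"C:\Windows\System32\defrag.exe -c -h -o -$",
    r"\Updater": r'"C:\Users\Public\update.exe"',
}
CRON_LINES = [              # lines from /var/spool/cron/<user>
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",
    "@reboot /dev/shm/.x/run.sh",
]


def collect() -> list:
    entries = [PersistenceEntry("run_key", n, c) for n, c in RUN_KEY_VALUES.items()]
    entries += [PersistenceEntry("schtask", n, c) for n, c in SCHEDULED_TASKS.items()]
    entries += [PersistenceEntry("cron", f"cron:{i}", cron_command(line))
                for i, line in enumerate(CRON_LINES)]
    return [triage(e) for e in entries]


def suspicious(entries=None) -> list:
    """Entries with at least one reason, in collection order."""
    if entries is None:
        entries = collect()
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in suspicious():
        print(f"[{e.source}] {e.name}: {e.command}  <- {', '.join(e.reasons)}")
```

The allow-list approach deliberately errs toward noise: a legitimate agent installed under a user profile will be flagged, which is the point of pairing the check with a per-environment baseline rather than a fixed blocklist.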

Suspicious Files and Paths
Unusual executables in system directories signal compromise.
Temporary folders (C:\Windows\Temp, %TEMP%) hold droppers; recently written DLLs in C:\Windows\System32 indicate injection. Executables in Linux /tmp and /dev/shm warrant scrutiny. Named mutexes that malware creates to stop a second copy of itself from running are another artifact.
High-entropy executables suggest packing, and renamed system tools (for example a binary named ps.exe) deserve the same scrutiny.
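Both file-level signals above are cheap to compute. The following added example (not from the page) scores a file by Shannon entropy, the usual packing heuristic, and checks whether a well-known system-tool name sits outside its canonical directory. The sample contents are constructed: a deterministic chained-SHA-256 blob stands in for a packed section, repeated DOS-stub text for an unpacked one. CANONICAL_DIRS and the 7.0 bits/byte threshold are assumptions to tune per OS build.

```python
"""Score files by Shannon entropy (packing) and by system-tool names living
outside their canonical directory (renamed or relocated tools)."""
import hashlib
import math
from collections import Counter

# Assumption: canonical directories for a few tools that get copied or renamed.
# Keys are lower-case file names; extend from a known-good host of the same build.
CANONICAL_DIRS = {
    "cmd.exe": ("c:/windows/system32/", "c:/windows/syswow64/"),
    "svchost.exe": ("c:/windows/system32/", "c:/windows/syswow64/"),
    "ps": ("/usr/bin/", "/bin/"),
}
PACKED_ENTROPY = 7.0  # bits per byte; unpacked PE/ELF code usually sits well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the whole buffer (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def split_path(path: str):
    """Normalize a Windows or POSIX path to (lower-case directory, lower-case basename)."""
    norm = path.replace("\\", "/").lower()
    base = norm.rsplit("/", 1)[-1]
    return norm[: len(norm) - len(base)], base


def triage_file(path: str, data: bytes) -> list:
    """Reasons this file deserves a look; empty list means neither heuristic fired."""
    reasons = []
    ent = shannon_entropy(data)
    if ent >= PACKED_ENTROPY:
        reasons.append(f"entropy {ent:.2f} bits/byte (possible packing)")
    directory, base = split_path(path)
    if base in CANONICAL_DIRS and directory not in CANONICAL_DIRS[base]:
        reasons.append(f"{base} outside its canonical directory (renamed/relocated system tool)")
    return reasons


def constructed_packed_blob(size: int = 4096, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic pseudo-random bytes (chained SHA-256) standing in for a packed section."""
    out, h = bytearray(), seed
    while len(out) < size:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:size])


# Constructed stand-in for an unpacked PE: DOS stub text repeated, so low entropy.
PLAIN_BLOB = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" * 100

# Constructed (path, contents) samples, not real files.
SAMPLES = [
    (r"C:\Windows\System32\svchost.exe", PLAIN_BLOB),
    (r"C:\Windows\Temp\svchost.exe", constructed_packed_blob()),
    ("/tmp/ps", PLAIN_BLOB),
]


def scan(samples=SAMPLES) -> dict:
    """Map path -> reasons for every sample that raised at least one."""
    findings = {}
    for path, data in samples:
        reasons = triage_file(path, data)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in scan().items():
        print(path, "->", "; ".join(reasons))
```

Whole-file entropy is a blunt instrument: a legitimate installer carrying a compressed payload also scores high, so treat the number as a reason to look, not a verdict, and compute it per section when a PE parser is available.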
Process and Service Anomalies
Runtime indicators expose active compromise.
Parent-child mismatches (svchost.exe spawning cmd.exe) suggest injection. Orphaned processes (no living parent) or unexpected binaries running with high privilege indicate escalation. Services created recently (enumerate with sc query) often provide C2.
Linux: ps aux reveals zombie processes and unusual binaries, which the per-process entries under /proc can confirm.
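The parent-child, orphan and privilege rules above can be run over a snapshot of process-creation records. The code below is an added example, not from the page or any tool it names; the records are constructed to look like Sysmon Event ID 1 fields (pid, parent pid, image, parent image, user), and the EXPECTED_PARENT map and SYSTEM_DIRS list are assumptions to be extended from a known-good host.

```python
"""Flag process-tree anomalies in a snapshot of process-creation records
(shaped like Sysmon Event ID 1: pid, parent pid, image, parent image, user)."""

KERNEL_PIDS = {0, 4}   # the Windows System process and its pseudo-parent
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: expected parents for core Windows processes; extend from a known-good host.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
}
SERVICE_HOSTS = {"svchost.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_anomalies(events: list) -> list:
    """Return (pid, reason) pairs in event order; one pid may get several reasons."""
    known_pids = {e["pid"] for e in events}
    findings = []
    for e in events:
        if e["pid"] in KERNEL_PIDS:
            continue
        image, parent = basename(e["image"]), basename(e["parent_image"])
        # 1. Core process started by something other than its usual parent.
        if image in EXPECTED_PARENT and parent not in EXPECTED_PARENT[image]:
            expected = "/".join(sorted(EXPECTED_PARENT[image]))
            findings.append((e["pid"], f"{image} started by {parent or 'unknown'} instead of {expected}"))
        # 2. A service host spawning an interactive shell (the svchost -> cmd case above).
        if parent in SERVICE_HOSTS and image in SHELLS:
            findings.append((e["pid"], f"{parent} spawned {image} (possible injection)"))
        # 3. Parent missing from the snapshot. Caveat: a parent that simply exited looks
        #    the same, so reconcile against creation timestamps before concluding.
        if e["ppid"] not in known_pids and e["ppid"] not in KERNEL_PIDS:
            findings.append((e["pid"], f"orphaned: parent pid {e['ppid']} not in snapshot"))
        # 4. High privilege from an unexpected location.
        if e["user"].upper().endswith("SYSTEM") and not e["image"].lower().startswith(SYSTEM_DIRS):
            findings.append((e["pid"], "runs as SYSTEM from a non-system path"))
    return findings


def ev(pid, ppid, image, parent_image, user="NT AUTHORITY\\SYSTEM") -> dict:
    return {"pid": pid, "ppid": ppid, "image": image, "parent_image": parent_image, "user": user}


SYS32 = r"C:\Windows\System32"
# Constructed snapshot (not from a real host): a normal boot chain, then three oddities.
EVENTS = [
    ev(4, 0, "System", ""),
    ev(400, 4, SYS32 + r"\smss.exe", "System"),
    ev(500, 400, SYS32 + r"\wininit.exe", SYS32 + r"\smss.exe"),
    ev(600, 500, SYS32 + r"\services.exe", SYS32 + r"\wininit.exe"),
    ev(700, 600, SYS32 + r"\svchost.exe", SYS32 + r"\services.exe"),
    ev(1234, 700, SYS32 + r"\cmd.exe", SYS32 + r"\svchost.exe"),
    ev(1300, 1234, r"C:\Users\alice\AppData\Local\Temp\svchost.exe", SYS32 + r"\cmd.exe"),
    ev(2222, 9999, r"C:\Users\Public\helper.exe", "", user="CORP\\alice"),
]


if __name__ == "__main__":
    for pid, reason in find_anomalies(EVENTS):
        print(f"pid {pid}: {reason}")
```

Rule 3 is the noisiest: on a live host every process whose parent has exited (explorer.exe after userinit.exe, for instance) shows up as an orphan, so the creation timestamps from Sysmon Event ID 1 are what separate "parent exited" from "parent never legitimately existed".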

Registry and Configuration Changes
System settings alterations enable control.
Windows: recently changed Userinit and Winlogon values; policy changes (audit with secedit); the BootExecute registry value for early-boot, pre-logon persistence. Linux: modified /etc/passwd and sudoers; unusual kernel modules (lsmod).
ShimCache (AppCompatCache) proves execution despite deletions.
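Configuration changes are easiest to spot against a trusted copy of the file. The script below is an added example, not from the page: it parses /etc/passwd in its standard seven-field layout and diffs a current copy against a baseline, reporting new, removed and changed accounts plus any UID-0 account that is not root. Both passwd snapshots are constructed.

```python
"""Diff a current /etc/passwd against a trusted baseline and flag the
changes an attacker's edits typically produce."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> dict:
    """name -> Account for every 7-field line; blank lines and comments are skipped."""
    accounts = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts[name] = Account(int(uid), int(gid), home, shell)
    return accounts


def diff_passwd(baseline: dict, current: dict) -> list:
    """(account, finding) pairs: new/removed accounts, changed fields, extra uid-0 accounts."""
    findings = []
    for name, acct in current.items():
        base = baseline.get(name)
        if base is None:
            findings.append((name, "new account"))
        else:
            for key in ("uid", "gid", "home", "shell"):
                before, after = getattr(base, key), getattr(acct, key)
                if before != after:
                    findings.append((name, f"{key} changed {before!r} -> {after!r}"))
        if acct.uid == 0 and name != "root":
            findings.append((name, "uid 0 (root-equivalent account)"))
    for name in sorted(baseline.keys() - current.keys()):
        findings.append((name, "account removed"))
    return findings


# Constructed samples (not from a real host).
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysupd:x:0:0::/var/tmp:/bin/sh
"""


def report() -> list:
    return diff_passwd(parse_passwd(BASELINE_PASSWD), parse_passwd(CURRENT_PASSWD))


if __name__ == "__main__":
    for name, finding in report():
        print(f"{name}: {finding}")
```

A service account whose shell changes from nologin to an interactive shell is as telling as a new UID-0 account, which is why field-level diffs matter more than a simple hash of the file. The same shape of check applies to sudoers and to the module list from lsmod.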
Network and File Artifacts

Linux: entries in ~/.ssh/authorized_keys and commands recorded in ~/.bash_history.
Detection and Analysis Workflow
Systematic hunting uncovers artifacts.
1. Establish a baseline of normal autostart entries (Sysinternals Autoruns).
2. Scan with Sigma/YARA rules.
3. Correlate timelines (build a bodyfile from multiple sources).
4. Confirm findings in memory with Volatility.
5. Extract IOCs (hashes, paths) for hunting.
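Step 3 is where the disk artifacts from the earlier sections meet each other. The code below is an added example, not from the page or from The Sleuth Kit: it parses the standard TSK 3.x bodyfile layout (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), merges it with process-creation records, sorts everything on a UTC epoch, and pulls a window around a pivot event the way mactime output is usually read. The bodyfile lines and process records are constructed; the "proc" record format is an assumption shaped like a Sysmon or auditd process-creation event.

```python
"""Merge a TSK bodyfile and process-creation records into one UTC timeline
and pull the events around a pivot (step 3 of the workflow)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from itertools import chain


@dataclass(frozen=True)
class TimelineEvent:
    ts: int            # seconds since the Unix epoch, UTC
    source: str        # "fs" (bodyfile) or "proc" (process creation)
    description: str


def parse_bodyfile(text: str) -> list:
    """TSK 3.x bodyfile: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
    Timestamps that coincide are merged into one mactime-style 'macb' entry."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"bad bodyfile line: {line!r}")
        name = fields[1]
        stamps = {}
        for letter, value in zip("macb", (fields[8], fields[7], fields[9], fields[10])):
            ts = int(value)
            if ts > 0:                       # 0 means 'not recorded'
                stamps.setdefault(ts, set()).add(letter)
        for ts, letters in stamps.items():
            macb = "".join(l if l in letters else "." for l in "macb")
            events.append(TimelineEvent(ts, "fs", f"{macb} {name}"))
    return events


def parse_process_events(records: list) -> list:
    """Records with an ISO-8601 UTC 'utc' field plus pid, image and cmdline."""
    events = []
    for r in records:
        when = datetime.strptime(r["utc"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(TimelineEvent(int(when.timestamp()), "proc",
                                    f"pid {r['pid']} {r['image']} :: {r['cmdline']}"))
    return events


def build_timeline(*sources) -> list:
    return sorted(chain.from_iterable(sources), key=lambda e: (e.ts, e.source))


def window(timeline: list, pivot_ts: int, seconds: int) -> list:
    """Events within +/- seconds of a pivot timestamp, still in order."""
    return [e for e in timeline if abs(e.ts - pivot_ts) <= seconds]


def fmt(e: TimelineEvent) -> str:
    when = datetime.fromtimestamp(e.ts, tz=timezone.utc)
    return f"{when:%Y-%m-%d %H:%M:%S} {e.source:<4} {e.description}"


# Constructed sample inputs (not from a real case). 1700000000 is 2023-11-14 22:13:20 UTC.
BODYFILE = """\
0|/tmp/.x/run.sh|131074|-rwxr-xr-x|0|0|812|1700000300|1700000100|1700000100|1700000100
0|/etc/cron.d/update|131075|-rw-r--r--|0|0|64|1700000200|1700000160|1700000160|1700000160
0|/usr/bin/logrotate|5002|-rwxr-xr-x|0|0|73000|1699000000|1690000000|1690000000|1690000000
"""
PROCESS_EVENTS = [   # assumed shape: one dict per process-creation event
    {"utc": "2023-11-14T22:15:20Z", "pid": 4242, "image": "/bin/sh", "cmdline": "sh /tmp/.x/run.sh"},
]


def sample_timeline() -> list:
    return build_timeline(parse_bodyfile(BODYFILE), parse_process_events(PROCESS_EVENTS))


if __name__ == "__main__":
    for e in window(sample_timeline(), pivot_ts=1700000120, seconds=120):
        print(fmt(e))
```

Sorting on a single epoch column is what makes the sources comparable; the caveat is that bodyfile timestamps come from the filesystem's clock and process events from the collector's, so clock skew between them has to be measured (for example from a known reboot) before a two-minute window means anything.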
Tools: Autoruns, Sysmon (Event ID 1 for process creation), Velociraptor collectors.
In APT investigations, chaining persistence (scheduled task) → execution (Prefetch) → C2 (netscan) artifacts traces the full intrusion lifecycle.