Malware · Unauthorized Access · Persistence

Windows Malware and Unauthorized Access Forensics

Investigate suspected unauthorized access, malware, persistence, suspicious programs, credential theft, and unexplained system changes on Windows endpoints and servers — with court-ready findings.

← Canonical HubThis page is part of the Windows Forensics cluster. Return to the hub for the full artifact index and cross-cluster context.

Quick Answer. Unauthorized-access and malware forensics on Windows correlates authentication anomalies (4625/4740/4776, 4624 LogonType 3/10 from unexpected sources), persistence artifacts (Run/RunOnce, Services with unsigned or LOLBin ImagePath, scheduled tasks, WMI event subscriptions, Winlogon shell hijacks, Image File Execution Options debugger keys), program execution evidence (Prefetch, Amcache SHA-1, Shimcache), PowerShell script-block logs (4104), network telemetry (SRUM, DNS cache), and known-bad IOC matching. The output is a written finding — with or without malware attribution — supporting or refuting the client’s factual claim.

Persistence: the ten places we always check

MechanismLocationEvidence recorded
Run / RunOnce (all-user)SOFTWARE\Microsoft\Windows\CurrentVersion\Run(Once)Value name, command line, LastWrite
Run / RunOnce (per-user)NTUSER.DAT\…\Run(Once)Per-account autoruns, SID attribution
ServicesSYSTEM\CurrentControlSet\Services\ImagePath, ServiceDll, Start type, Type; System 7045 install event
Scheduled TasksC:\Windows\System32\Tasks\ + SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCacheXML author, principal, triggers, actions
WMI event subscriptionsOBJECTS.DATA in \wbem\Repository\EventFilter + Consumer + Binding for persistence
WinlogonSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonShell, Userinit, Notify keys
Image File Execution OptionsSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\DebuggerDebugger hijack (accessibility-key attacks)
AppInit_DLLsSOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsAuto-loaded DLLs across processes
Startup folders\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp and per-userLegacy but still used
Print / Netsh / LSA providersVarious registry keysAdvanced persistence via provider DLLs

Living-off-the-land binaries (LOLBins) we always review

Attackers increasingly avoid custom malware and abuse signed Microsoft binaries. We review execution of the following against timing and command-line context:

  • powershell.exe / pwsh.exe with -EncodedCommand, -NoProfile, -WindowStyle Hidden
  • mshta.exe, rundll32.exe, regsvr32.exe, certutil.exe -urlcache
  • wmic.exe, bitsadmin.exe, msbuild.exe, installutil.exe
  • curl.exe, wget equivalents, Invoke-WebRequest
  • ntdsutil.exe, vssadmin.exe delete shadows (pre-encryption ransomware signal)
  • net use, net localgroup administrators, psexec

Credential theft indicators

  • LSASS access by non-Microsoft processes (Sysmon 10, or memory image evidence).
  • Presence of ntds.dit or SAM/SYSTEM copies outside System32\config\.
  • vssadmin create shadow followed by copy operations from the shadow — a classic credential-dump pattern.
  • Kerberoasting: bursts of 4769 events for service accounts with RC4 encryption type.
  • DCSync: 4662 with the specific replicate-directory-changes access mask from a non-DC source.

Ransomware pre-encryption signals

Where ransomware is suspected — or must be ruled out — we look for the tell-tale precursors: vssadmin delete shadows, wbadmin delete catalog, bcdedit /set {default} recoveryenabled No, mass rename operations in $UsnJrnl (thousands of renames within minutes), a new service or scheduled task installed just before mass encryption, and Defender / EDR tampering (Sysmon 26, Defender events 5001/5007).

What a defensive finding looks like

Many matters end with a defense-favorable conclusion: no evidence of malware execution, no unauthorized access, and observed behavior fully consistent with the legitimate user. In those cases the report enumerates what was searched, what would have appeared had the alleged event occurred, and why the absence of those artifacts is meaningful — anchored to the artifact categories detailed in the Windows Forensics hub.

How Elite Digital Forensics helps

Elite Digital Forensics is an independent, defense-aligned Windows forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Windows Forensics hub for the full analytical framework we bring to every matter.

Related Windows forensics pages

Frequently asked questions

Can you rule out malware conclusively?

Rarely in absolute terms, but we can state to a high degree of confidence when every relevant artifact (Amcache, Prefetch, Sysmon, Defender history, persistence keys, network telemetry) is negative. Reports state confidence explicitly.

What if the attacker deleted their tools?

Amcache SHA-1 records, Prefetch, USN journal CREATE + DELETE pairs, and Shimcache entries commonly survive deletion of the executable itself.

How do you distinguish a user-installed program from malware?

Signed-publisher records in Amcache, cert-chain validity, install path (user Temp vs Program Files), Prefetch parent-process context, and UserAssist presence together separate legitimate installs from covert placement.

Do you write remediation steps?

When retained for incident response, yes: containment, eviction, credential rotation, and hardening. When retained through counsel for litigation only, the report focuses on findings; remediation is left to the client’s IT or a separately scoped engagement.

Ready to move on your windows malware and unauthorized access matter?

Tell us about the computer, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.

Request Confidential Consultation Call (833) 292-3733

Primary sources and references

  1. MITRE ATT&CK: Persistence. attack.mitre.org
  2. Microsoft: Sysmon. learn.microsoft.com
  3. CISA: Ransomware guide. www.cisa.gov

This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.

#Malware #UnauthorizedAccess #IncidentResponse #Ransomware #Persistence #WindowsForensics #DFIR #EliteDigitalForensics

Assistant Icon Elite Digital Forensics Assistant
👋 Live Chat Now!
Free Virtual Consultation 24/7
Chat Now!

By submitting this form, you consent to be contacted by email, text, or phone. Your information is kept secure and confidential. Reply Stop to opt out at anytime. 

IMPORTANT: Please remember to check your spam or junk folder