Scenario
Forela's CTO, Dutch, stores important files on a separate Windows system because the domain environment at Forela is frequently breached due to its exposure across various industries. On 24 January 2025, our worst fears were realised when an intruder accessed the fileserver, installed utilities to aid their actions, stole critical files, and then deleted them, rendering them unrecoverable. The team was immediately informed of the extortion attempt by the intruders, who are now demanding money. While our legal team addresses the situation, we must quickly perform triage to assess the incident's extent.

Note from the manager: We enabled SmartScreen Debug Logs across all our machines for enhanced visibility a few days ago, following a security research recommendation. These logs can provide quick insights, so ensure they are utilised.
https://app.hackthebox.com/sherlocks/SmartyPants
From the scenario, we know we should focus on the SmartScreen Debug logs because they were enabled across endpoints shortly before the breach. Below is a concise summary of what SmartScreen does and why its debug logs matter for forensic work.
What SmartScreen does
- Protects users from phishing sites, malicious webpages, and dangerous downloads.
- Detects suspicious pages by analyzing webpage behavior and checking against a dynamic list of reported phishing and malware sites. If a match or suspicious pattern is found, SmartScreen displays a warning to the user.
- For downloaded files, SmartScreen checks the file against lists of known-malicious programs and against a reputation list of files that are widely distributed and commonly downloaded. Files not present on the reputation list trigger a warning.
Why SmartScreen Debug logs are useful in investigations
- They are forensic artifacts that record file access and application executions initiated through the graphical shell (GUI).
- They can reveal which files were executed, which installers ran, and which user sessions interacted with those files.
- Because the logs are structured and generated in near real time, they are straightforward to parse and can be fed into SIEMs with minimal processing.
How SmartScreen fits with other artifacts
- SmartScreen logs should be treated as one piece of evidence in a broader artifact stack. Corroborating sources include RecentDocs, Jump Lists, ShimCache, Prefetch, LNK files, UserAssist, BAM, and others.
- The more artifacts that point to the same execution or user action, the stronger the finding.
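To make the "artifact stack" idea concrete, here is an added example written for this write-up (it is not part of the original page, nor Hack The Box or Microsoft tooling). It takes simplified SmartScreen-style execution records and cross-checks each one against Prefetch- and UserAssist-style records by executable name and a time window, then scores each execution by how many independent sources agree. All record layouts and field names are assumptions, and the sample data is constructed; real events would first be exported from the SmartScreen Debug event log and flattened into this shape.

```python
"""Score how well each SmartScreen-recorded execution is corroborated by
other execution artifacts (Prefetch, UserAssist, ...).

Added example for this write-up, not code from the original page or from
any vendor. Record layouts and field names are assumptions; the sample
records below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample: simplified SmartScreen Debug-style records.
# Field names ("time", "user", "path") are an assumption, not the real schema.
SMARTSCREEN_EVENTS = [
    {"time": "2025-01-24T09:30:00", "user": "FILESERVER\\dutch",
     "path": "C:\\Program Files\\Notepad++\\notepad++.exe"},
    {"time": "2025-01-24T10:02:11", "user": "FILESERVER\\dutch",
     "path": "C:\\Users\\dutch\\Downloads\\helper-setup.exe"},
    {"time": "2025-01-24T10:15:40", "user": "FILESERVER\\dutch",
     "path": "C:\\Tools\\wiper.exe"},
]

# Constructed sample: other artifacts, keyed by source name.
# Prefetch entries carry only the executable name (already extracted from
# the .pf file name); UserAssist entries carry a full path.
OTHER_ARTIFACTS = {
    "Prefetch": [
        {"time": "2025-01-24T10:02:15", "path": "HELPER-SETUP.EXE"},
        {"time": "2025-01-24T10:15:42", "path": "WIPER.EXE"},
    ],
    "UserAssist": [
        {"time": "2025-01-24T10:02:09",
         "path": "C:\\Users\\dutch\\Downloads\\helper-setup.exe"},
        # Day-old entry: same binary, but outside the correlation window.
        {"time": "2025-01-23T18:00:00", "path": "C:\\Tools\\wiper.exe"},
    ],
}


def basename(path):
    """Case-insensitive file name, tolerating either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_ts(value):
    """Timestamps are ISO 8601 strings in this constructed format."""
    return datetime.fromisoformat(value)


def corroborate(smartscreen, other_sources, window=timedelta(minutes=10)):
    """For every SmartScreen execution, collect the other sources that saw
    the same executable name within +/- window. Score = number of sources
    (SmartScreen itself counts as one). Results are ordered strongest first."""
    results = []
    for ev in smartscreen:
        name = basename(ev["path"])
        when = parse_ts(ev["time"])
        sources = {"SmartScreen"}
        for source, records in other_sources.items():
            for rec in records:
                same_file = basename(rec["path"]) == name
                in_window = abs(parse_ts(rec["time"]) - when) <= window
                if same_file and in_window:
                    sources.add(source)
        results.append({
            "file": name,
            "user": ev["user"],
            "time": ev["time"],
            "sources": sorted(sources),
            "score": len(sources),
        })
    return sorted(results, key=lambda r: (-r["score"], r["time"]))


if __name__ == "__main__":
    for row in corroborate(SMARTSCREEN_EVENTS, OTHER_ARTIFACTS):
        print(f'{row["score"]}  {row["time"]}  {row["user"]:18} '
              f'{row["file"]:20} {", ".join(row["sources"])}')
```

A low score does not mean the execution did not happen (Prefetch may be disabled on servers, and UserAssist only records shell-launched programs); it means the finding still rests on a single artifact and deserves a second source before it goes into the report.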
Advantages of SmartScreen Debug logs
- Generated in near real time.