Operator On The Wire
BLUE TEAM / DFI / ARTEFACT / WINDOWS / EXECUTION

BAM

Background Activity Moderator (Location: HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\<SID>; on Windows 10 1709-1803 the key is bam\UserSettings\<SID> without the State subkey. A sibling key, dam\State\UserSettings, holds the same layout for the Desktop Activity Moderator.)

Records, per user SID, the full path of every executable that user has run and the time it was last run. Each value name is the executable path as stored by the kernel (\Device\HarddiskVolumeN\... rather than a drive letter); the value data is 24 bytes, of which the first 8 are a FILETIME (UTC) of the last execution. There is one entry per path, so BAM gives last-run time only, not a run count or history, and a later legitimate run overwrites an earlier suspicious one. The SID subkeys themselves are useful: every SID present has executed something on the host.

.\RegistryExplorer.exe <SYSTEM hive path>

# Navigate to (an offline hive has no CurrentControlSet; read Select\Current to pick the ControlSet00N that was live):

ControlSet001\Services\bam\State\UserSettings\<SID>
# (ControlSet001\Services\bam\UserSettings\<SID> on Windows 10 1709-1803)

# Or export via RECmd (-f for a single hive, -d for a directory of hives; --csv takes an output directory; --bn points at a batch file whose key list includes the BAM key, e.g. the Kroll batch file shipped in RECmd's BatchExamples folder):

.\RECmd.exe -f <SYSTEM hive path> --bn .\BatchExamples\Kroll_Batch.reb --csv <output directory>

Hunt

  • Recently executed binaries per user SID
  • Execution from user profile directories
  • Suspicious LOLBIN usage
  • Lateral movement tools
  • Post-exploitation binaries

Red Flags

  • Execution from:
    • AppData\Roaming
    • AppData\Local\Temp
    • Downloads
  • Living-off-the-land binaries used unusually:
    • powershell.exe
    • cmd.exe
    • rundll32.exe
    • wmic.exe
    • mshta.exe
  • Execution under an unexpected SID (a service account, or a SID that no longer resolves to any local or domain account)
  • Last-run times inside or after the suspected compromise window
  • Caveat: because BAM keeps only the last run per path, a binary the attacker ran and the user later ran again shows the user's timestamp; a clean-looking time is not evidence the binary was never run during the window
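The hunt and red-flag lists above, as a script. This is an added example and not code from the original page: it walks both BAM key layouts on the live SYSTEM hive, decodes the last-run FILETIME from each entry, resolves the SID to an account, and tags entries that hit the profile-directory, LOLBIN or orphaned-SID checks. Run it from an elevated PowerShell. The path patterns, the LOLBIN list and the cut-off date in the usage line are illustrative assumptions; extend them for the case at hand.

```powershell
# Added example (not from the original page): triage BAM on a live host.
# Assumptions: the red-flag patterns below and the compromise date in the usage line.

$BamRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings',   # Windows 10 1809+, 11, Server 2019+
    'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings'          # Windows 10 1709-1803
)

# Red-flag patterns taken from the lists above (assumed starting point, extend as needed)
$SuspiciousDirs = @('\AppData\Roaming\', '\AppData\Local\Temp\', '\Downloads\')
$Lolbins        = @('powershell.exe', 'cmd.exe', 'rundll32.exe', 'wmic.exe', 'mshta.exe')

function Resolve-Sid {
    param([string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        'UNRESOLVED'   # deleted account, or a domain SID the host can no longer look up
    }
}

function Get-BamEntries {
    foreach ($root in $BamRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($sidKey in Get-ChildItem -Path $root) {
            $sid     = $sidKey.PSChildName
            $account = Resolve-Sid -Sid $sid
            foreach ($name in $sidKey.GetValueNames()) {
                $data = $sidKey.GetValue($name)
                # Entries are REG_BINARY (24 bytes); bytes 0-7 are a FILETIME (UTC) of the last run.
                # The DWORD values Version and SequenceNumber fail the type check and are skipped.
                if (-not ($data -is [byte[]]) -or $data.Length -lt 8) { continue }
                $lastRun = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($data, 0))
                $exe     = (Split-Path -Path $name -Leaf).ToLowerInvariant()

                $flags = @()
                foreach ($dir in $SuspiciousDirs) {
                    if ($name -like "*$dir*") { $flags += "profile-dir:$dir" }
                }
                if ($Lolbins -contains $exe)   { $flags += 'lolbin' }
                if ($account -eq 'UNRESOLVED') { $flags += 'orphan-sid' }

                [PSCustomObject]@{
                    LastRunUtc = $lastRun
                    SID        = $sid
                    Account    = $account
                    Path       = $name      # \Device\HarddiskVolumeN\... as stored; map N to a drive letter separately
                    Flags      = ($flags -join ';')
                }
            }
        }
    }
}

# Usage: flagged entries last run on or after the suspected compromise start (placeholder date), newest first
$compromiseStart = [DateTime]::Parse('2024-01-01T00:00:00Z').ToUniversalTime()
Get-BamEntries |
    Where-Object { $_.Flags -and $_.LastRunUtc -ge $compromiseStart } |
    Sort-Object -Property LastRunUtc -Descending |
    Format-Table -Property LastRunUtc, Account, Path, Flags -AutoSize
```

Drop the Where-Object filter to see every entry, including unflagged ones, when establishing a baseline of what the account normally runs. For an offline SYSTEM hive, load it first with `reg load HKLM\OffSys <path to SYSTEM>` and point `$BamRoots` at `HKLM:\OffSys\ControlSet001\Services\bam\State\UserSettings` (choosing the ControlSet from Select\Current); unload with `reg unload HKLM\OffSys` when done.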

Correlate

  • Prefetch (execution confirmation, run count and the last eight run times; disabled by default on Windows Server)
  • ShimCache (path and file last-modified time; on Windows 10 and later it shows the file was present, not that it ran)
  • Amcache (SHA-1 hash and PE metadata for the binary; its key timestamp is not a reliable first-run time)
  • Sysmon ID 1 (Process Creation: command line, parent process, hashes)
  • Security 4624 (logon type and source for the SID) and 4688 (process creation, if process auditing is enabled)