📘
DFIR
  • Networking
    • Networking
      • SDWAN
      • VLANs
      • Virtual Networking
      • Segmentation
      • Applications
        • PAM/SSO
          • Privileged Password Management
          • Authentik
          • Beyond Trust
          • Cyberark
        • Network Tools
          • Palo Alto
          • Sonicwall
          • ZScaler
          • Firewalls
  • Windows
    • Administration
      • Honeypot
      • Deployment
      • Rogue Devices on Network
    • Forensics
      • System Info
      • Memory
        • Pagefile.sys
        • PowerShell Dump
        • Memory Forensics
      • Network Logs
        • UAL
        • Page 1
      • File System
        • Mounting File Systems
        • Log2Timeline
        • Volume Shadow Copies
        • $I30
        • UsnJournal/$LogFile
        • MFT
        • NTFS
        • Shellbags
        • Recycle Bin
      • Registry
        • Logged in Accounts
        • TypedPaths
        • WordWheelQuery
        • Page 5
      • Network Share
      • Exfiltration
        • RDP Clipboard
        • Exfil Exercise
        • DNS Over HTTPS
      • Evidence of Execution
        • Sum UAL
        • Office Apps Forensics
          • LastVisitedPidlMRU
          • File MRU
          • Trusted Documents
        • Run MRU
        • RecentDocs
        • FeatureUsage
        • BAM
          • DAM
        • Prefetch
        • Shimcache
        • RecentApps
        • AmCache
        • PCA
        • MUICache
        • UserAssist
        • SRUM
        • LNK Files
        • JumpLists
      • Hacktool Artifacts
        • DCSync
        • Impackets
          • GetUserSPN.py/Kerberoasting
          • Page
        • Psexec
        • Web Shells
        • BloodHound
      • Event Logs
        • Event Log IDs
          • SMB
            • 30803 Failed to Establish a Network Connection
            • 31010 SMB Client Failed to Connect
            • 551 SMB Auth Failed
            • SMB Forensics
          • 4740 Account Lockout
          • 4642 Logon
          • 5156 Show App IP Connections
        • Windows Defender
        • LOLBins
          • WebDav
          • Crashes (WER)
          • PowerShell
          • Scheduled Tasks
          • Services
          • WinRS
          • WinRM
          • RDP
            • 1024 RDP ClientActiveX is trying to connect
          • WMI
        • DNS Logs
        • Application NTDS.dit
        • Kerberos
        • Exchange
        • GPOs and OUs
        • Anti Forensics
      • 3rd Party Apps
        • IIS
        • Kubernetes
        • GitHub
        • Jenkins
        • Snowflake
        • Misc
          • Veeam
          • MongoDB
        • "TA Tools"
          • Ngrok
          • 7-Zip
          • PDQ Deploy
          • TotalCMD
          • WinSCP
        • Identity Apps
          • Okta
        • Microsoft
          • Microsoft Teams
          • VS Code
          • Excel
          • Notepad
        • SysInternals
          • PsExec.exe
        • RMM
          • ScreenConnect Forensics
          • AnyDesk
        • Zoom
        • Browser Forensics
          • Recovering Deleted History
          • Browser Artifacts
      • Example Page
    • Cheat Sheet
      • Red Team:
      • Windows Event Logs
      • Quick Wins
      • Docker
      • Admin
      • Zimmerman
    • Investigation
      • Malware Analysis
        • Macros Analysis
        • Packers
      • Persistence
        • Host Based Persistence Cheatsheet
        • M365 Persistence Cheatsheet
      • DFIR Tools
        • Volatility
        • Velociraptor
        • KAPE
        • Logman
      • Insider Threats
      • Scattered Identity
    • Internals
      • Structure
        • SMB
          • Admin
          • Attacks
        • Alternate Data Streams
        • Protocols
          • Wdigest
          • DPAPI
          • Kerberos
          • NetLogon
        • WinAPI
        • COM Objects
        • Files Types
        • DLLs
          • Attacks
            • Reflective DLL Injection
            • DLL Hijacking
        • Folders of Interest
      • Privileges
        • UAC
      • Applications
        • Werfault
        • Process Creation
        • Pipes
        • AMSI
        • LOLBins
          • xCyclopedia Index (EXEs)
          • WMI
          • Certutil.exe
          • Rundll32.exe
          • Schtasks.exe
          • Svchost.exe
          • DLLHOST.exe
          • MSIExec.exe
        • PowerShell
          • VBS
          • Forensics
          • Classes
          • Logging
          • PowerShell Modules
        • LSASS
          • Lsass Forensics
    • Active Directory
      • Internals
        • Sysvol
        • Attributes
      • Secure AD
        • Logs
        • Credentials
          • Restricted Admin Mode
          • LAPS
      • Attacks
        • Vulnerabilities
          • ViewState
          • ProxyShell
          • OWASSRF
        • Credential Theft
          • DCSync
        • ADCS
      • MSSQL
        • Admin
        • Attacks
    • MISC
      • Offensive Tool Analysis
      • Investigating Specific Activity
        • User Account Deleted
      • Dumping Domain Hashes with IFM Images
      • Lateral Movement
      • Advanced Obfuscation
      • SCCM
      • Malware Traffic
  • Linux
    • Forensics
      • Cron Jobs
      • File System Types and Timestamps
      • LD_PRELOAD
      • Linux Auditing Logs
      • example page
      • Process Accounting (pacct)
      • mlocate.db
    • SSH
    • Linux WebShells
    • Directories of Interest
    • Internals
      • Logs
      • File Descriptors
      • GTFOBins
  • Enterprise Architecture
    • CI/CD Pipline
      • Jenkins
    • Citrix
      • XenApp
      • Pentesting Guide
      • Forensics
    • Web Applications
      • JWT: JSON Web Tokens
      • Apache
        • CGI-Bins
      • ColdFusion
        • Attacking ColdFusion
    • The Cloud
      • AWS
        • Cases
        • Misconfigurations
        • Attacking AWS
          • SES
          • Privilege Escalation
        • Fundementals
          • Hierarchy
          • Roles
          • Security Services
          • IAM
            • Keys
          • CloudTrail
          • Services
            • S3
            • SES
      • Azure
        • Hunting
        • Admin
        • Securing Azure
          • CA Policies
        • CheatSheet
        • Detections
        • Forensics
        • Attacking Azure
          • Persistence
            • Cloud VMs
            • Applications
            • SSPR/MFA
          • Credential Theft
            • Golden SAML Theft
            • Attacking key vaults
            • Skeleton Keys (PTA Abuse)
            • Family of Client IDs
            • Token Theft
          • Initial Access
            • Subdomain Takeover
            • Authenticated Recon
            • Unauthenticated Recon
            • Password Spraying M365
            • Password Spraying OWA
            • OAuth 2.0 Abuse
            • Device code authentication abuse
            • M365 Business Email Compromise
          • Page 6
          • Test Page
        • Fundementals
          • Security/Service Principals
          • Tokens
          • Hierarchy
          • Roles
          • Architecture
          • Conditional Access
        • Logging
          • Audit Logs
      • M365
        • Forensics
          • Tokens
        • Business Email Compromise
        • Hardening
      • Cloud Labs
    • vSphere
      • Forensics
      • Hardening
      • Admin
    • Containers
      • Troubleshooting
      • Linxserver.io
      • Container Forensics
        • Docker Logs
      • Kubernetes
    • Troubleshooting
      • Cheatsheet
  • Mac
    • Forensics
      • Page 3
  • Attacker Information
    • Adversary Operations
      • c99 Webshell
      • Page 2
    • Actor Playbooks
      • TA Infrastructure
    • Abused Domains
  • IR Playbook
    • Activity from Unmanaged Host
    • Recommendations
  • Reverse Engineering
    • Python - Pyinstaller
Powered by GitBook
On this page
  • What Is BAM?
  • Forensic Value:
  • File Location:
  • Parse Data
  • Considerations
  • Example: Execution Timestamp
  • CyberChef Recipe
  • Anti-Forensics
  1. Windows
  2. Forensics
  3. Evidence of Execution

BAM

background activity monitor

PreviousFeatureUsageNextDAM

Last updated 1 year ago

What Is BAM?

Background Activity Moderator is a Windows service that controls activity of background applications. The service was first introduced on Windows 10, specifically, after the Fall Creators Update (version 1709).

Forensic Value:

  • Date - Time and date the executable was ran.

  • Date Description - Detailed explanation of the Date attribute.

  • Program - Executable that was ran. This attribute contains the path of the executable.

  • Description - Detailed description of the executable.

  • Source - Source of the artifact.

File Location:

Newer Windows 10 Systems

  • File: %SystemRoot%\System32\config\SYSTEM

  • BAM: SYSTEM\{CURRENT_CONTROL_SET}\Services\bam\state\UserSettings\{USER_SID}

  • DAM: SYSTEM\{CURRENT_CONTROL_SET}\Services\dam\state\UserSettings\{USER_SID}

Older Windows 10 Systems

  • File: %SystemRoot%\System32\config\SYSTEM

  • BAM: SYSTEM\{CURRENT_CONTROL_SET}\Services\bam\UserSettings\{USER_SID}

  • DAM: SYSTEM\{CURRENT_CONTROL_SET}\Services\dam\UserSettings\{USER_SID}

Newer Windows 10 Systems

  • BAM: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\state\UserSettings\{USER_SID}

  • DAM: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dam\state\UserSettings\{USER_SID}

Older Windows 10 Systems

  • BAM: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\{USER_SID}

  • DAM: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dam\UserSettings\{USER_SID}

Major Version
Support
Major Version
Support

Windows 11

✅

Server 2019

❌

Windows 10

⚠️

Server 2016

❌

Windows 8

❌

Server 2012

❌

Windows 7

❌

Server 2008

❌

Windows Vista

❌

Server 2003

❌

Windows XP

❌

Parse Data

  • RegistryExplorer (Eric Zimmerman)

Considerations

  • Each user specific executable is stored under the corresponding SID entry.

  • BAM entries are only populated for locally run executables. Launching executables on network shares or removable media will not generate BAM entries.

  • Console applications that are launched through a command line interface will not have BAM/DAM entries.

  • BAM entries are removed if an executable is removed from its original location; and entries older than 7 days are removed when Windows boots.

  • Entries are deleted upon reboot if the executable is deleted.

The Execution Time as seen in RegistryExplorer represents the most recent time of execution for the binary in UTC. The Program field represents the full path the the binary.

Based on testing, this execution time is written upon process creation, and again on termination.

Example: Execution Timestamp

  • Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-3471133136-2963561160-3931775028-1001

  • Key: \Device\HarddiskVolume4\Program Files\PuTTY\putty.exe

  • Type: REG_BINARY

  • Value: 60-9F-62-A8-FB-6C-D9-01-00-00-00-00-00-00-00-00-00-00-00-00-02-00-00-00

The 64-Bit FILETIME timestamp 60-9F-62-A8-FB-6C-D9-01 resolves to Wed 12 April 2023 05:00:10 UTC, which is the last known execution of the binary putty.exe.

This example was produced on Windows 10, Version 10.0.19044 Build 19044

CyberChef Recipe

Used to convert timestamps to human readable format.

[
  { "op": "From Hex",
    "args": ["Auto"] },
  { "op": "To Hex",
    "args": ["None", 0] },
  { "op": "Windows Filetime to UNIX Timestamp",
    "args": ["Milliseconds (ms)", "Hex (little endian)"] },
  { "op": "From UNIX Timestamp",
    "args": ["Milliseconds (ms)"] }
]

Anti-Forensics

  • Delete registry

Windows Baackground Activity Moderator (BAM)
Background Activity MontitorWindows Forensic Handbook
Logo
Logo