The Background Activity Moderator (BAM) is a Windows service that Controls activity of background applications. This service exists in Windows 10 only after Fall Creators update – version 1709.
It provides full path of the executable file that was run on the system and last execution date/time
name: Windows.Forensics.Bam
description: |
The Background Activity Moderator (BAM) is a Windows service that
Controls activity of background applications. This service exists
in Windows 10 only after Fall Creators update – version 1709.
It provides full path of the executable file that was run on the
system and last execution date/time
reference:
- https://andreafortuna.org/2018/05/23/forensic-artifacts-evidences-of-program-execution-on-windows-systems/
parameters:
- name: bamKeys
type: csv
default: |
KeyGlob
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\*\*
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\*\*
- name: userRegex
default: .
type: regex
sources:
- precondition:
SELECT OS from info() where OS = "windows"
query: |
LET users <= SELECT Name, UUID
FROM Artifact.Windows.Sys.Users()
WHERE Name =~ userRegex
SELECT OSPath.Components[-2] as SID, {
SELECT Name FROM users
WHERE UUID = OSPath.Components[-2]
} As UserName,
Name as Binary,
timestamp(winfiletime=parse_binary(
filename=Data.value, accessor="data",
profile="[]", struct="int64")) AS Bam_time
FROM glob(globs=bamKeys.KeyGlob, accessor="registry")
WHERE Data.type =~ "BINARY"