Shimcache

Used to prove that a file existed on the system and, possibly, what the threat actor (TA) saw in Explorer.


Last updated 1 year ago

File Location:

  • HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache

The cache stores various file metadata depending on the operating system, such as:

  • File Full Path

  • File Size

  • $Standard_Information (SI) Last Modified time

  • Shimcache Last Updated time

  • Process Execution Flag

Shimcache is a list of file metadata for executables that were recently executed (and were therefore examined for shimming), or that were examined for "the need to shim" without ever being executed.

Parsing Data

AppCompatCacheParser -f F:\Tools\investigate\logs\SYSTEM --csv F:\Tools\investigate\logs --csvf reboot.csv 

Considerations

  • HKLM\SYSTEM\Select - Determine which ControlSet is in use from the 'Current' value.

  • Holds up to 1024 entries per ControlSet.

  • Renaming or moving the file will cause it to be re-shimmed.

  • Executing the PE from a command line will cause it to be shimmed (if it wasn't already shimmed).

  • Tracks execution on ALL drives (C:\, D:\, etc.).

  • Can no longer be used as evidence of execution on Windows 10/11.

  • Only flushed to the registry on reboot or shutdown; until then the entries exist only in memory.

  • Viewing the file in Explorer, even partially (for example, scrolling it into view), will still result in it being added to Shimcache.

Legitimate Execution

Each time an application with unique metadata is executed, a corresponding Shimcache entry is created. In other words, a new entry is created when an existing file's metadata has changed and the file is re-executed.

Psexec Considerations

PsExec modifies the $DATA attribute of PSEXESVC.EXE every time it runs. Finding multiple Shimcache entries for the file with different modified timestamps is an indication that PsExec executed at those specified times.

Last Modified       Path                                                     File Size
02/01/03 07:55:11   C:\WINNT\system32\Malware.exe                            185552
10/08/13 20:02:05   C:\WINNT\PSEXESVC.EXE                                    53248
03/18/10 18:16:49   C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\ngen.exe   150856
…                   …                                                        …
12/10/10 22:39:02   d:\MSSQL.1\MSSQL\Binn\DatabaseMail90.exe                 16224
07/25/08 16:17:35   C:\WINDOWS\Microsoft.Net\Framework\v2.0.50727\ngen.exe   100856
09/15/03 19:41:35   C:\WINNT\system32\Malware.exe                            185552
10/11/12 11:22:23   C:\WINNT\PSEXESVC.EXE                                    53248

Network Shimcache

Can be used as evidence that a file existed on a network share. A UNC path entry indicates either that the user navigated to the share with explorer.exe or that the malware executed from the share, resulting in the p.exe executable being shimmed. Pair with ShellBags to determine which is true.

Anti Forensics

  • Compare the $SI last-modified timestamp recorded in Shimcache with the timestamps on the binary as it exists now. A mismatch (in particular a current timestamp older than the one captured at shim time) can be used as evidence of timestomping.

  • Renaming a file will re-shim the binary, but the modification timestamp will not change, because renaming does not change the contents of the file.

  • File deletion will NOT delete Shimcache entries.
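The three signals described above (PsExec-style re-execution, rename/copy evidence, network-share paths) and the timestomping comparison from the Anti Forensics list can all be pulled out of a Shimcache CSV export with a few grouping passes. The script below is an added example, not code from this page or from AppCompatCacheParser; it assumes the CSV columns of the table above (Last Modified, Path, File Size), so point the COL_* constants at the header names of the export you actually feed in. The sample rows are the table above plus three constructed rows (a file seen under a UNC path and two local names) and a constructed set of current on-disk timestamps for the timestomp check.

```python
"""Triage helpers over Shimcache entries exported to CSV (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumed column names; they mirror the table on this page, not a specific tool's export.
COL_MODIFIED = "Last Modified"   # $SI last-modified time captured when the file was shimmed
COL_PATH = "Path"
COL_SIZE = "File Size"
TIME_FORMAT = "%m/%d/%y %H:%M:%S"

# Constructed sample: the rows from the table above, plus three constructed rows
# (the last three) that exercise the copy/rename and network-share checks.
SAMPLE_CSV = r"""Last Modified,Path,File Size
02/01/03 07:55:11,C:\WINNT\system32\Malware.exe,185552
10/08/13 20:02:05,C:\WINNT\PSEXESVC.EXE,53248
03/18/10 18:16:49,C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\ngen.exe,150856
12/10/10 22:39:02,d:\MSSQL.1\MSSQL\Binn\DatabaseMail90.exe,16224
07/25/08 16:17:35,C:\WINDOWS\Microsoft.Net\Framework\v2.0.50727\ngen.exe,100856
09/15/03 19:41:35,C:\WINNT\system32\Malware.exe,185552
10/11/12 11:22:23,C:\WINNT\PSEXESVC.EXE,53248
05/02/24 09:13:40,\\FILESRV01\tools\p.exe,74240
05/02/24 09:13:40,C:\Users\Public\p.exe,74240
05/02/24 09:13:40,C:\Users\Public\svchost_update.exe,74240
"""


def load_entries(csv_text):
    """Parse the export into dicts with a datetime, a case-folded path key and an int size."""
    entries = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row[COL_PATH].strip()
        entries.append({
            "modified": datetime.strptime(row[COL_MODIFIED].strip(), TIME_FORMAT),
            "path": path,
            "key": path.lower(),          # NTFS paths are case-insensitive
            "size": int(row[COL_SIZE]),
        })
    return entries


def reexecution_candidates(entries):
    """Paths recorded more than once with different $SI modified times.

    PsExec rewrites PSEXESVC.EXE's $DATA on every run, so each run re-shims the
    file with a new modified time; the set of timestamps is the set of runs.
    """
    stamps = defaultdict(set)
    for e in entries:
        stamps[e["key"]].add(e["modified"])
    return {k: sorted(v) for k, v in stamps.items() if len(v) > 1}


def copy_or_rename_candidates(entries):
    """Groups of distinct paths that share one (modified time, size) pair.

    Renaming or copying re-shims the file but leaves its content, and hence its
    $SI modified time and size, unchanged, so one file shows up under several names.
    """
    groups = defaultdict(set)
    for e in entries:
        groups[(e["modified"], e["size"])].add(e["path"])
    return [sorted(paths) for paths in groups.values() if len(paths) > 1]


def network_share_entries(entries):
    """UNC paths: the file existed on a share and was browsed in Explorer or run from there."""
    return [e["path"] for e in entries if e["path"].startswith("\\\\")]


def timestomp_candidates(entries, current_mtimes):
    """Entries whose current on-disk $SI modified time is OLDER than the one Shimcache captured.

    current_mtimes maps a lower-cased path to the datetime seen now (live file system or
    MFT parse). A file cannot legitimately become older, so a backwards move is
    evidence of timestomping.
    """
    hits = []
    for e in entries:
        now = current_mtimes.get(e["key"])
        if now is not None and now < e["modified"]:
            hits.append((e["path"], e["modified"], now))
    return hits


ENTRIES = load_entries(SAMPLE_CSV)

# Constructed on-disk timestamps for the timestomp check: PSEXESVC.EXE unchanged,
# svchost_update.exe pushed back to 2019 after it was shimmed in 2024.
CURRENT_MTIMES = {
    r"c:\winnt\psexesvc.exe": datetime(2013, 10, 8, 20, 2, 5),
    r"c:\users\public\svchost_update.exe": datetime(2019, 3, 4, 12, 0, 0),
}

if __name__ == "__main__":
    for path, stamps in reexecution_candidates(ENTRIES).items():
        print("re-executed:", path, [s.isoformat() for s in stamps])
    for group in copy_or_rename_candidates(ENTRIES):
        print("same content under several names:", group)
    print("on network shares:", network_share_entries(ENTRIES))
    for path, shimmed, now in timestomp_candidates(ENTRIES, CURRENT_MTIMES):
        print("timestomp?", path, "shimcache:", shimmed, "now:", now)
```

On the sample data the re-execution check returns both PSEXESVC.EXE and Malware.exe (two timestamps each), the copy/rename check groups the three 74240-byte entries under one content key, and only svchost_update.exe trips the timestomp check. Treat each output as a lead to confirm against ShellBags, Prefetch or the MFT rather than as a conclusion on its own, since a legitimate rebuild of a binary also produces a fresh entry.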

Figure captions (screenshots not included in this extract):

  • ControlSet001 is in use.

  • Partial view of 27.exe

  • 27.exe is at the top of the Shimcache entry position.

  • Rename evidence (close modification timestamp)

  • Entries after file deletion.