This artifact collects AMCache entries with a SHA1 hash to enable threat detection.
AmCache is an artifact which stores metadata related to PE execution and program installation on Windows 7 and Server 2008 R2 and above. This artifact includes EntryName, EntryPath and SHA1 as great data points for IOC collection. Secondary datapoints include publisher/company, BinaryType and OriginalFileName.
Available filters include:
NOTE:
name: Windows.Detection.Amcache
author: Matt Green - @mgreen27
description: |
This artifact collects AMCache entries with a SHA1 hash to enable threat
detection.
AmCache is an artifact which stores metadata related to PE execution and
program installation on Windows 7 and Server 2008 R2 and above. This artifact
includes EntryName, EntryPath and SHA1 as great data points for IOC collection.
Secondary datapoints include publisher/company, BinaryType and OriginalFileName.
Available filters include:
- SHA1regex - regex entries to filter by SHA1.
- PathRegex - filter on path if available.
- NameRegex - filter on EntryName OR OriginalFileName.
NOTE:
- Secondary fields are not consistent across AMCache types and some legacy
versions do not return these fields.
- Some enrichment has occured but any secondary fields should be treated as
guidance only.
- This artifact collects only entries with a SHA1, for complete AMCache
analysis please download raw artifact sets.
reference:
- https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf
parameters:
- name: AMCacheGlob
default: "%SYSTEMROOT%/appcompat/Programs/Amcache.hve"
description: AMCache hive path
- name: KeyPathGlob
default: /Root/{Inventory, File}*/**
type: hidden
description: Registry key path glob
- name: SHA1Regex
default: .
description: Regex of SHA1s to filter
type: regex
- name: PathRegex
description: Regex of recorded path.
type: regex
- name: NameRegex
description: Regex of entry / binary name
type: regex
sources:
- query: |
LET files <= SELECT OSPath
FROM glob(globs=expand(path=AMCacheGlob))
SELECT * FROM foreach(row=files,
query={
SELECT
Key.OSPath.DelegatePath As HivePath,
Key.OSPath.Path as EntryKey,
Key.ModTime as KeyMTime,
-- Key is like \Root\InventoryDriverBinary\"c:/windows/system32/drivers/1394ohci.sys"
Key.OSPath.Components[1] as EntryType,
if(condition=get(member="FileId"),
then=strip(string=FileId, prefix='0000'),
else=if(condition=get(member="101"),
then=strip(string=`101`, prefix='0000'),
else=if(condition=get(member="DriverId"),
then=strip(string=DriverId, prefix='0000')))) as SHA1,
if(condition=get(member="Name"),
then=Name,
else=if(condition=get(member="FriendlyName"),
then=FriendlyName,
else=if(condition=get(member="15"),
then=split(string=str(str=`15`), sep='\\\\')[-1],
else=if(condition=get(member="DriverName"),
then=DriverName)))) as EntryName,
if(condition=get(member="LowerCaseLongPath"),
then=LowerCaseLongPath,
else=if(condition=get(member="15"),
then=`15`,
else=if(condition=get(member="AddinCLSID"),
then=AddinCLSID))) as EntryPath,
if(condition=get(member="Publisher"),
then=Publisher,
else=if(condition=get(member="Provider"),
then=Provider,
else=if(condition=get(member="DriverCompany"),
then=DriverCompany))) as Publisher,
get(member="OriginalFileName") AS OriginalFileName,
if(condition=get(member="BinaryType"),
then=BinaryType,
else=if(condition=get(member="AddInType"),
then=AddinType + ' ' + OfficeArchitecture,
else=if(condition=Key.OSPath.Path =~ 'InventoryDevicePnp',
then='DevicePnp',
else=if(condition=Key.OSPath.Path =~ 'InventoryDriverBinary',
then='DriverBinary')))) as BinaryType
FROM read_reg_key(
globs=KeyPathGlob,
root=pathspec(DelegatePath=OSPath),
accessor='raw_reg')
WHERE SHA1
AND SHA1 =~ SHA1Regex
AND if(condition= NameRegex,
then= EntryName =~ NameRegex OR OriginalFileName =~ NameRegex,
else= True)
AND if(condition= PathRegex,
then= EntryPath =~ PathRegex,
else= True)
})