Get information from the system’s amcache.
The Amcache.hve file is a registry file that stores the information of executed applications. Amcache.hve records the recent processes that were run and lists the path of the files that’s executed which can then be used to find the executed program.
This artifact works on Windows 10 1607 version.
name: Windows.System.Amcache
description: |
Get information from the system's amcache.
The Amcache.hve file is a registry file that stores the information
of executed applications. Amcache.hve records the recent processes
that were run and lists the path of the files that’s executed which
can then be used to find the executed program.
This artifact works on Windows 10 1607 version.
reference:
- https://www.andreafortuna.org/cybersecurity/amcache-and-shimcache-in-forensic-analysis/
- https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf
parameters:
- name: amCacheGlob
default: "%SYSTEMROOT%/appcompat/Programs/Amcache.hve"
- name: amCacheRegPath
default: /Root/InventoryApplicationFile/*
- name: NTFS_CACHE_SIZE
type: int
default: 1000
precondition: |
SELECT OS From info() where OS = 'windows'
sources:
- name: InventoryApplicationFile
query: |
LET X = scope()
SELECT FileId,
Key.OSPath.Path as Key,
Key.OSPath.DelegatePath AS Hive,
Key.Mtime as LastModified,
X.LowerCaseLongPath as Binary,
X.Name AS Name,
X.Size AS Size,
X.ProductName AS ProductName,
X.Publisher AS Publisher,
X.Version AS Version,
X.BinFileVersion AS BinFileVersion
FROM foreach(
row={
SELECT OSPath from glob(globs=expand(path=amCacheGlob))
WHERE log(message="Processing "+OSPath)
}, query={
SELECT * from read_reg_key(
globs=amCacheRegPath,
root=pathspec(DelegatePath=OSPath),
accessor='raw_reg'
)
})
- name: File
query: |
SELECT * FROM foreach(
row={
SELECT OSPath from glob(globs=expand(path=amCacheGlob))
}, query={
SELECT get(item=scope(), member="100") As ProductId,
get(item=scope(), member="101") As SHA1,
get(item=scope(), member="15") As OSPath,
Key.Mtime as LastModifiedKey
FROM read_reg_key(
root=pathspec(DelegatePath=OSPath),
globs='/Root/File/*/*',
accessor='raw_reg'
)
})
reports:
- type: CLIENT
template: |
{{define "recent_executions"}}
LET recent_executions <= SELECT LastModified, Name, count(items=Name) As Count,
int(int=_LastModified/3600) AS Hour
FROM source(source="InventoryApplicationFile")
GROUP BY Hour
LIMIT 500
{{ end }}
{{ define "timeline" }}
SELECT LastModified,
format(format="%s (%d)", args=[Name, Count]) As TotalCount
FROM recent_executions
{{ end }}
The AMCache file
================
{{ .Description }}
## Execution clusters
The AMCache artifact only shows us the time of first execution
of a binary. We get an idea when it was installed. Typically
execution artifacts are clustered in time - if an attacker
copies a bunch of new tools they will all start running at about
the same time.
The below timeline shows a summary of execution clusters. The
binaries are grouped in an hour interval. The label is the first
binary name and the total number of binaries within that hour.
> For clarity we hide the names of all other binaries, and just
show the total count.
{{ Query "recent_executions" "timeline" | Timeline }}
Here is the same data in tabular form.
{{ Query "timeline" | Table }}