Andrew Baker
09/29/2021, 8:40 PM
puffycid
09/29/2021, 11:18 PM
shimcache table (shimcache is also sometimes called appcompat/application compatibility cache/appcompatcache) on Windows
so something like select * from shimcache
it returns forensic data showing evidence of likely file execution, in addition to the last modified timestamp of the file, order of execution, and full file path
the data is pretty valuable and is very helpful imo
order of execution can show the order in which files were executed
An extremely basic example below (read bottom to top): shimcache shows cmd.exe executed, followed by some basic recon commands, procdump (commonly used to dump credentials), file compression, and potential exfil via ftp
ftp.exe
zip.exe
procdump.exe
net.exe
whoami.exe
ipconfig.exe
cmd.exe
you can also combine it with the file and hash table to see if the executed file is still on disk or if it's been deleted
you could also query shimcache across 1,000 systems and do frequency analysis to see the most common files that are executed and look for outliers
ex: powershell.exe executed on 600 systems vs procdump.exe executed on 4 systems
since powershell.exe was executed on 600 systems it could be normal/legit, vs procdump.exe was only on 4 systems, which could be suspicious
again it's pretty simple but it has lots of uses imo
fritz
09/30/2021, 6:10 PM
Andrew Baker
09/30/2021, 8:47 PM