ShimCache / AppCompatCache

The Windows ShimCache (AppCompatCache) was introduced by Microsoft in Windows XP as part of the Application Compatibility infrastructure: it records executables the system has seen so that compatibility shims can be applied. The cache stores different file metadata depending on the operating system version, such as:

  • File Full Path

  • File Size (only Windows XP)

  • Last Execution Time (only Windows XP)

  • $Standard_Information (SI) Last Modified time

  • ShimCache Last Updated time

  • Insert Flag - May indicate that the application was executed. Treat it as an interesting data point, not proof of execution, even though many tools label it an execution marker. Windows 7/8 only; Windows 10 dropped the flag entirely.

ShimCache is held in memory and only written to the registry on shutdown (on Windows 10+ with Fast Startup a real reboot, since "shutdown" hibernates the kernel session). Entries added since the last write exist only in memory, so a live host can hold activity the on-disk hive does not yet show. Windows XP keeps 96 records; Windows 7+ keeps 1024.

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
^ CurrentControlSet is a symbolic link that only exists on a live system. In an offline SYSTEM hive, read the 'Current' value under SYSTEM\Select and open the matching ControlSet00X instead (Current = 1 -> ControlSet001\Control\Session Manager\AppCompatCache).
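The raw AppCompatCache value is a binary blob, and it is worth knowing what a parser actually does with it before trusting a CSV column. The script below is an added example (not code from this page, nor from AppCompatCacheParser or AppCompatProcessor). It assumes the Windows 10 entry layout used by public parsers: a 4-byte "10ts" signature, 4 unknown bytes, a 4-byte entry length, a 2-byte path length, the UTF-16LE path, the 8-byte $STANDARD_INFORMATION last-modified FILETIME, a 4-byte data length and opaque data, with the header size in the blob's first DWORD (0x30 or 0x34). The input blob and the SAMPLE_ENTRIES list are constructed here so the script runs offline; feed parse_cache() the value exported from a real SYSTEM hive to use it in a case, and verify the layout against that hive first.

```python
"""Parse a Windows 10 AppCompatCache value blob and LFO-stack the results.

Added example, not code from the page or from the tools it mentions.
Assumes the Windows 10 ("10ts") entry layout described in the lead-in;
build_cache() constructs the sample blob so the script runs offline.
"""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

WIN10_SIGNATURE = b"10ts"
WIN10_HEADER_SIZES = (0x30, 0x34)          # first DWORD of the value
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns intervals since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer arithmetic keeps it exact."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def build_cache(entries, header_size=0x34):
    """Construct a Win10-style blob from (path, last_modified) pairs.

    Test data only: the header is zero-filled past its size field and the
    per-entry data section is left empty.
    """
    blob = bytearray(struct.pack("<I", header_size).ljust(header_size, b"\0"))
    for path, last_mod in entries:
        upath = path.encode("utf-16-le")
        data = b""
        body = (struct.pack("<H", len(upath)) + upath
                + struct.pack("<Q", datetime_to_filetime(last_mod))
                + struct.pack("<I", len(data)) + data)
        blob += WIN10_SIGNATURE + struct.pack("<II", 0, len(body)) + body
    return bytes(blob)


def parse_cache(blob):
    """Return entries in on-disk order (position 0 = top of the cache)."""
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in WIN10_HEADER_SIZES:
        raise ValueError("unexpected header size 0x%x; not a Windows 10 cache?"
                         % header_size)
    entries, off = [], header_size
    while off + 12 <= len(blob):
        sig, _unknown, entry_len = struct.unpack_from("<4sII", blob, off)
        if sig != WIN10_SIGNATURE:
            break                                   # padding / end of cache
        start, end = off + 12, off + 12 + entry_len
        if end > len(blob):
            raise ValueError("truncated entry at offset %d" % off)
        path_len = struct.unpack_from("<H", blob, start)[0]
        path = blob[start + 2:start + 2 + path_len].decode("utf-16-le")
        ft, data_len = struct.unpack_from("<QI", blob, start + 2 + path_len)
        entries.append({
            "position": len(entries),
            "path": path,
            # $SI modification time of the file, NOT an execution time.
            "last_modified": filetime_to_datetime(ft),
            "data_len": data_len,
            # Windows 10 entries carry no insert flag: presence != execution.
        })
        off = end
    return entries


def least_frequent(entries, key=lambda e: e["path"].rsplit("\\", 1)[0]):
    """LFO stack: (value, count) pairs, rarest first. Default key: parent dir."""
    counts = Counter(key(e) for e in entries)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


# Constructed sample, not real cache data.
SAMPLE_ENTRIES = [
    (r"C:\Windows\System32\svchost.exe", datetime(2022, 6, 1, 10, 0, tzinfo=timezone.utc)),
    (r"C:\Windows\System32\cmd.exe", datetime(2022, 6, 1, 10, 0, tzinfo=timezone.utc)),
    (r"C:\Windows\System32\rundll32.exe", datetime(2022, 6, 1, 10, 0, tzinfo=timezone.utc)),
    (r"C:\Users\alice\AppData\Local\Temp\arh.exe", datetime(2023, 5, 17, 8, 42, 13, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    parsed = parse_cache(build_cache(SAMPLE_ENTRIES))
    for e in parsed:
        print("%2d  %s  %s" % (e["position"], e["last_modified"].isoformat(), e["path"]))
    print("rarest directories:", least_frequent(parsed)[:2])
```

The parser stops at the first non-"10ts" signature rather than erroring, because exported values are padded past the last entry; a length field that points past the end of the blob is a hard error, since that is what a truncated or mis-identified hive looks like. Older formats (XP, Vista/7, 8/8.1) have different headers and entry layouts and are deliberately rejected by the header-size check.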

Parse:

Eric Zimmerman's AppCompatCacheParser (defaults to the ControlSet named in SYSTEM\Select\Current; -c overrides it):

AppCompatCacheParser.exe -f .\SYSTEM --csv C:\Temp\

AppCompatProcessor.py (Python 2) ingests both ShimCache and Amcache data from many hosts into a SQLite database for searching, stacking and correlation

# install
sudo apt install python2
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
sudo python2 get-pip.py


# import collected Amcache.hve and SYSTEM registry hives (can be multiple)
AppCompatProcessor.py ./database.db load /cases/precooked/appcompat/SRL_Shim_Amcache.zi

# search the DB
AppCompatProcessor.py ./database.db search
# Stack performs LFO (least frequent occurrence) analysis: field to stack, then an optional SQL WHERE filter
AppCompatProcessor.py ./database.db stack "FilePath" "FileName LIKE '%svchost.exe'"
AppCompatProcessor.py ./database.db stack "FileName" "FilePath LIKE '%update'"
# Temporal Execution Correlation - find files that consistently appear next to the given file in cache order across hosts (things that ran together with it)
AppCompatProcessor.py ./database.db tcorr "edgeupdater.exe"
# Stack / count short filenames (LFO) - attacker tooling often has short, meaningless names
AppCompatProcessor.py ./database.db stack "FileName" "length(filename)<8"
# Search for filename
AppCompatProcessor.py ./database.db fsearch FileName -f "arh.exe"
