Almost 2 years ago I obtained my GCFA certification, where I tested my knowledge about incident response, threat hunting and forensic analysis. Thanks to that, I had the opportunity to generate some useful cheat sheets that I never shared until now.
Below I'll share notes on some of my favorite Windows artifacts. Note: As this is my first blog post, the information will be constantly changing as I always learn new things during research that can be useful in artifact analysis or in-depth analysis. Feel free to share this information or reference the blog wherever you see fit :)
Table of Contents
Win Event Logs
Shimcache
Amcache
Prefetch/Superfetch
Win Event Logs
Path Vista/2008 and better: %SystemRoot%\system32\config\SYSTEM
Path WinXP or less: %SystemRoot%\System32\Config
Event logs are one of the most powerful artifacts you can find on Windows devices. They contain a lot of information about objects, accounts, connections and more. Unfortunately they are not always configured to record everything we need in an investigation, but they still provide interesting information for analysis.
Since this is a very broad and complex subject, I will describe here only the most important things to keep in mind. Eventually I will write an entry just for this artifact, describing my analysis methodology.
Common useful EVTX files
In the order in which they are analyzed on a compromised machine:
Security.evtx
Windows PowerShell.evtx (Operational/Admin)
Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
Application.evtx
System.evtx
Others
Note: if a Sysmon log exists and it is configured, I always give it priority.
Logon Types
2- Interactive logon via console (keyboard, server KVM, or virtual client)
3- Network logon
4- Batch logon – often used by Scheduled Tasks
5- Windows service logon
7- Credentials used to lock or unlock the screen; RDP session reconnect
8- Network logon sending credentials in cleartext
9- Different credentials than the logged-on user – Runas /netonly
10- Remote interactive logon (RDP)
11- Cached credentials used to log on
12- Cached remote interactive (similar to type 10)
13- Cached unlock (similar to type 7)
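As an added example (not part of the original post), the following script tallies successful 4624 logons per account using the logon type table above, and pulls out the types that deserve a second look during triage (cleartext network, RDP and cached RDP). The input is a constructed CSV shaped like an event log export; the column names match the 4624 event fields.

```python
import csv
import io
from collections import Counter, defaultdict

# Logon type numbers as listed above (Security.evtx event 4624, "Logon Type" field).
LOGON_TYPES = {
    2: "Interactive (console/KVM)",
    3: "Network",
    4: "Batch (scheduled task)",
    5: "Service",
    7: "Unlock / RDP reconnect",
    8: "NetworkCleartext",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (RDP)",
    11: "CachedInteractive",
    12: "CachedRemoteInteractive",
    13: "CachedUnlock",
}

# Types worth reviewing first: cleartext credentials over the network and
# remote interactive sessions, where lateral movement usually surfaces.
REVIEW_TYPES = {8, 10, 12}

# Constructed sample rows shaped like a 4624/4625 export (not real log data).
SAMPLE_CSV = """TimeCreated,EventID,TargetUserName,LogonType,IpAddress,WorkstationName
2023-03-01 08:02:11,4624,alice,2,-,WS01
2023-03-01 08:05:40,4624,svc_backup,4,-,WS01
2023-03-01 09:12:03,4624,alice,3,10.0.0.5,FS01
2023-03-01 22:47:19,4624,admin,10,10.0.0.77,WS01
2023-03-01 22:48:02,4624,admin,8,10.0.0.77,WS01
2023-03-01 22:49:30,4625,admin,10,10.0.0.77,WS01
"""

def summarize_logons(csv_text):
    """Count successful (4624) logons per account and type. Returns (counts,
    findings); findings are the rows whose logon type is in REVIEW_TYPES."""
    counts = defaultdict(Counter)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"] != "4624":   # failed logons (4625) are not counted here
            continue
        ltype = int(row["LogonType"])
        label = LOGON_TYPES.get(ltype, f"unknown({ltype})")
        counts[row["TargetUserName"]][label] += 1
        if ltype in REVIEW_TYPES:
            findings.append((row["TimeCreated"], row["TargetUserName"], label, row["IpAddress"]))
    return counts, findings

if __name__ == "__main__":
    counts, findings = summarize_logons(SAMPLE_CSV)
    for user, per_type in counts.items():
        print(user, dict(per_type))
    for finding in findings:
        print("REVIEW:", *finding)
```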
Tools and Utilities
Event log explorer: https://eventlogxp.com/
ChainSaw: https://github.com/WithSecureLabs/chainsaw
APT-Hunter: https://github.com/ahmedkhlief/APT-Hunter
WELA: https://github.com/Yamato-Security/WELA
Commands
# Export the Security log to CSV
PS:\> Get-EventLog -LogName security | Export-Csv "C:\temp\security-Logs.csv" -NoTypeInformation -UseCulture
# or list the available classic event logs first (-LogName does not accept wildcards)
PS:\> Get-EventLog -List
Links
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
Note: It is always preferable to perform a manual analysis of the Windows logs. If you are unable to identify anything relevant, use automated tools to surface any behavior you may have overlooked.
Shimcache
Path: C:\windows\system32\config\SYSTEM
The Application Compatibility Cache (Shimcache) is the artifact behind Windows application compatibility shims, which let applications run on modern Windows with adjusted parameters. Shimcache records characteristics of a file that was shimmed, so when an application is shimmed you can see that it was executed and with what parameters.
Some features of the shimcache are:
You can have applications in Shimcache that have not been executed: applications are stored in Shimcache when binaries enter the system.
The "last modified" field of Shimcache gives clues about where the binary came from, not where it was executed.
On Windows 7, the path is C:\Windows\AppCompat\Programs\shimcache.hve
Shimcache does not track runtime in binaries.
If an executable is modified or renamed, it will be shimmed again and a new entry will be created. This new entry will have the same modification time as the old binary. With this you can corroborate timestomping if you find that the binary's $STANDARD_INFORMATION timestamp is earlier than the one recorded in Shimcache.
On Windows 7 the "last time of execution" is not stored in Shimcache.
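The timestomping check described above, as an added example that is not part of the original post: compare the modification time Shimcache recorded for each path with the current $STANDARD_INFORMATION modified time from the MFT, and flag binaries whose current timestamp is earlier than the cached one. Both inputs are constructed and stand in for what a Shimcache parser and an MFT parser would emit.

```python
from datetime import datetime, timezone

def ts(s):
    """Parse a constructed 'YYYY-mm-dd HH:MM:SS' timestamp as UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed Shimcache entries: path plus the $STANDARD_INFORMATION
# last-modified time the cache recorded when the binary was shimmed.
SHIMCACHE = [
    {"path": r"C:\Windows\System32\cmd.exe", "last_modified": ts("2021-06-10 12:00:00")},
    {"path": r"C:\Users\Public\svchost.exe", "last_modified": ts("2023-02-14 21:30:05")},
    {"path": r"C:\Users\Public\update.exe",  "last_modified": ts("2023-02-14 21:30:05")},
]

# Constructed current $STANDARD_INFORMATION modified times from the MFT.
MFT_SI_MODIFIED = {
    r"C:\Windows\System32\cmd.exe": ts("2021-06-10 12:00:00"),
    r"C:\Users\Public\svchost.exe": ts("2019-01-01 00:00:00"),  # backdated after shimming
    r"C:\Users\Public\update.exe":  ts("2023-02-14 21:30:05"),
}

def find_timestomp_candidates(shimcache, mft_si_modified):
    """Paths whose current $SI modified time is earlier than the time Shimcache
    recorded. The cache captured the value before it was altered, so a later
    backdating shows up as this contradiction."""
    hits = []
    for entry in shimcache:
        current = mft_si_modified.get(entry["path"])
        if current is not None and current < entry["last_modified"]:
            hits.append(entry["path"])
    return hits

def find_shared_mtime_groups(shimcache):
    """Group entries that share one modification time: a renamed or modified
    binary gets a fresh entry carrying the old binary's modification time,
    so such groups point at the previous name or copy of the same file."""
    groups = {}
    for entry in shimcache:
        groups.setdefault(entry["last_modified"], []).append(entry["path"])
    return {mtime: paths for mtime, paths in groups.items() if len(paths) > 1}

if __name__ == "__main__":
    print("timestomp candidates:", find_timestomp_candidates(SHIMCACHE, MFT_SI_MODIFIED))
    print("shared mtime groups:", find_shared_mtime_groups(SHIMCACHE))
```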
Tools and Utilities
Appcompatprocessor.py
RegRipper
ShimcacheParser
appcompatcacheparser
Remember that to parse the Shimcache entries we need the SYSTEM hive, usually found in C:\Windows\System32\config.
Commands
PS:\> python .\ShimCacheParser.py -i C:\path\to\SYSTEM -o shimcache_parse.csv
Links
https://www.mandiant.com/resources/blog/caching-out-the-val
https://lifars.com/wp-content/uploads/2017/03/Technical_tool_Amcache_Shimcache.pdf
Amcache
Path: C:\Windows\AppCompat\Programs\Amcache
The Amcache.hve file is a registry hive that stores information about executed applications. If an attacker removes their tools from the system and deletes the prefetch files, the AppCompatCache entries still provide clues to the existence of those tools. Some interesting things about Amcache are:
Registry that stores information of the executed applications (most of them).
It has features such as: path of execution, first run, time of deletion, and first installation.
Using the Amcache.hve in combination with information from the prefetch and Iconcache.db, you can map over time the usage of the Applications.
The "Last write time" parameter for an amcache entry indicates the first time an application was launched on a system.
The GUID that appears in the output of prefetch_parser.exe is the volume GUID, not a user GUID.
Amcache.hve\Root\File\{Volume GUID}\#######
There is an entry for every executable run, with full path information, the file's $STANDARD_INFORMATION last modification time, and the disk volume the executable was run from.
First Run Time = Last Modification Time of the key
The SHA1 hash of the executable is also contained in the key
Tools
Appcompatprocessor.py
RegRipper
AmcacheParser.exe
Commands
PS:\> .\AmcacheParser.exe -f "C:\windows\appcompat\programs\Amcache.hve" -i --csv C:\evidence --csvf amcache_results.csv
From my experience working on the Special Ops team at Dreamlab, I have been able to identify several new malware samples by analyzing this artifact. AmcacheParser produces a series of CSV documents with pretty good information about binaries that have touched the system.
Prefetch/Superfetch
Path: C:\Windows\prefetch\*
Prefetch: Prefetch is a process in which the operating system loads pieces of data and code from disk into memory before they are needed. The directory C:\Windows\Prefetch is filled with .pf files about 10 seconds after applications run on the system. This directory holds up to 128 files on Windows 7 and up to 1024 files on Windows 8 or higher, in rotation.
Date Created -> First execution of the binary = creation time of the .pf file minus 10 seconds
Date Modified -> Last execution of the binary = modification time of the .pf file minus 10 seconds
Why would there be more than one .pf file for the same executable?
Because a binary is executed from different paths.
Because there are two binaries with the same name in different locations (paths).
Because a 32-bit binary runs under WOW64 and then runs in 64-bit mode.
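An added example (not from the original post) that applies the two rules above to a constructed directory listing of C:\Windows\Prefetch: it derives first/last execution from the .pf timestamps minus the 10-second delay, and groups files by executable name so that a name with several path-hash suffixes, such as a svchost.exe run from somewhere other than System32, stands out. File names, hashes and timestamps are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def ts(s):
    """Parse a constructed 'YYYY-mm-dd HH:MM:SS' timestamp as UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# The .pf file is written roughly 10 seconds after the application starts.
PREFETCH_DELAY = timedelta(seconds=10)

# Constructed listing of C:\Windows\Prefetch: (file name, created, modified).
PF_LISTING = [
    ("CMD.EXE-4A81B364.pf",        ts("2023-01-05 10:00:10"), ts("2023-03-01 22:50:12")),
    ("POWERSHELL.EXE-022A1004.pf", ts("2023-01-05 10:01:00"), ts("2023-02-20 14:00:00")),
    ("SVCHOST.EXE-0A0E4E8A.pf",    ts("2023-01-05 09:59:00"), ts("2023-03-01 08:00:00")),
    ("SVCHOST.EXE-3F9C1D27.pf",    ts("2023-03-01 22:47:30"), ts("2023-03-01 22:47:30")),
]

def execution_window(created, modified):
    """First and last execution of the binary, correcting for the write delay."""
    return created - PREFETCH_DELAY, modified - PREFETCH_DELAY

def group_by_executable(listing):
    """Map executable name -> list of path-hash suffixes seen in .pf file names.
    The suffix after the last '-' is the hash of the path the binary ran from."""
    groups = defaultdict(list)
    for name, _, _ in listing:
        exe, _, path_hash = name[:-3].rpartition("-")   # strip ".pf", split on last "-"
        groups[exe].append(path_hash)
    return groups

def multiple_paths(listing):
    """Executables with more than one .pf file: same name run from different
    paths, WOW64 versus native 64-bit, or a look-alike dropped under a known name."""
    return {exe: hashes for exe, hashes in group_by_executable(listing).items() if len(hashes) > 1}

def report(listing):
    """(file name, first execution, last execution) for every .pf file."""
    return [(name,) + execution_window(created, modified) for name, created, modified in listing]

if __name__ == "__main__":
    for name, first, last in report(PF_LISTING):
        print(f"{name:30} first={first:%Y-%m-%d %H:%M:%S} last={last:%Y-%m-%d %H:%M:%S}")
    print("executables with several .pf files:", multiple_paths(PF_LISTING))
```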
Tools
PECmd.exe
Enable Prefetch
PS:\> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnablePrefetcher /t REG_DWORD /d 3 /f
PS:\> reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher" /v MaxPrefetchFiles /t REG_DWORD /d 8192 /f
PS:\> Enable-MMAgent -OperationAPI
PS:\> net start sysmain
Commands
PS:\> PECmd.exe -d "C:\Windows\Prefetch" --csv example_fetch.csv -q   # a directory will be created
Superfetch: SuperFetch is a performance enhancement introduced in Windows Vista to reduce the time needed to launch applications. SuperFetch works with the memory manager service in Windows, analyzing memory usage patterns over time to determine the optimal memory content for a given user at a given date or time of day. This differs from the Prefetch technique used in Windows XP, which preloads data into memory without analyzing usage patterns.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
Value: EnableSuperfetch
Tools
SuperfetchTree
Superfetch is not one of the artifacts I use the most, but it is always good to know how it differs from Prefetch.
I hope this small guide is useful when working small forensic cases on Windows machines. These artifacts hold valuable information, so they should not be underestimated. If you have any questions or want to talk more about Windows artifacts, do not hesitate to stop by my social networks :).