
Mastering AmcacheParser and appcompatprocessor.py for Amcache.hiv Analysis

To understand the Amcache hive, check out the article below:

------------------------------------------------------------------------------------------------------------


Introduction

When conducting digital forensics, understanding the execution history of a system is crucial. Windows operating systems maintain execution artifacts that provide insight into which programs and binaries were executed, making them valuable for forensic investigations.


Two of the most powerful tools for analyzing execution artifacts are AmcacheParser and appcompatprocessor.py.

------------------------------------------------------------------------------------------------------------


AmcacheParser: Understanding Execution Artifacts

What is AmcacheParser?

AmcacheParser is a tool developed by Eric Zimmerman that parses the Amcache.hve registry hive, a critical artifact in Windows forensic analysis. This hive stores execution details about applications and drivers, making it a rich source of evidence for identifying malware, persistence mechanisms, and general system activity.


Key Features and Data Extracted

By default, AmcacheParser focuses on unassociated file entries but can be expanded to include full details of all program-related entries using the -i switch. The tool extracts various data points, including:


  • SHA-1 hash of the executed file

  • Full file path

  • File size

  • File version number

  • File description and publisher

  • Last modified date

  • Compilation timestamp

  • Language ID


Command:
E:\Scripted ForensicTools\Zimmerman tools\Get-ZimmermanTools\net6> .\AmcacheParser.exe -i -f C:\Windows\appcompat\Programs\Amcache.hve  --csv "E:\Output for testing\Website investigation\Amcache.hiv"

Practical Usage in Incident Response

AmcacheParser outputs multiple .csv files, categorized based on their source keys in the Amcache.hve registry file.

Microsoft frequently updates Amcache, adding new keys and values, which AmcacheParser is designed to parse.

The most critical output files include:

  • Amcache_ProgramEntries.csv – Contains metadata on installed applications (from the InventoryApplication key).

  • Amcache_UnassociatedFileEntries.csv – Lists executables that do not belong to a known installed program, a crucial file for finding standalone malware, credential dumpers, or reconnaissance tools.

  • Amcache_DriverBinaries.csv – Contains information about installed drivers, helping investigators identify malicious kernel drivers.


How AmcacheParser Helps in Threat Hunting

AmcacheParser allows analysts to apply allowlisting and blocklisting based on SHA-1 hashes. This feature is extremely useful in threat hunting across multiple systems, enabling the quick identification of malicious files by comparing them against known-bad hash lists.


For example, if an organization is investigating a ransomware attack, running AmcacheParser across affected systems can reveal:

  • Unknown executables appearing shortly before encryption starts

  • Execution paths that indicate lateral movement

  • Suspicious programs launched from unconventional directories like C:\Users\Public\ or C:\ProgramData\
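The allowlist/blocklist triage described above, as an added example in Python (not AmcacheParser's own code). It reads a constructed CSV in the shape of Amcache_UnassociatedFileEntries.csv; the column names SHA1, FullPath, Name and Size are assumed from the tool's output, and the hashes and paths are made up.

```python
import csv
import io

# Constructed sample shaped like AmcacheParser's Amcache_UnassociatedFileEntries.csv.
# Column names are assumed from the tool's output (real output has more columns);
# every hash and path below is invented for the example.
SAMPLE_CSV = """SHA1,FullPath,Name,Size
00000000aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,C:\\Windows\\System32\\svchost.exe,svchost.exe,55000
1111111111111111111111111111111111111111,C:\\Users\\Public\\update.exe,update.exe,7340032
2222222222222222222222222222222222222222,C:\\ProgramData\\svchost.exe,svchost.exe,612352
3333333333333333333333333333333333333333,C:\\Program Files\\Vendor\\app.exe,app.exe,2048000
"""

# Hash lists an organisation would maintain (constructed for the example).
ALLOWLIST = {"00000000aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
             "3333333333333333333333333333333333333333"}
BLOCKLIST = {"2222222222222222222222222222222222222222"}

# Directories the article calls unconventional for program execution.
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "c:\\programdata\\")


def triage(csv_text, allowlist=ALLOWLIST, blocklist=BLOCKLIST):
    """Classify each entry as known-bad, unknown in a suspicious directory, or unknown.

    Allowlisted hashes are dropped from the review queue entirely.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        sha1 = row["SHA1"].lower()
        path = row["FullPath"]
        if sha1 in blocklist:
            verdict = "known-bad"
        elif sha1 in allowlist:
            continue
        elif path.lower().startswith(SUSPICIOUS_DIRS):
            verdict = "unknown-suspicious-location"
        else:
            verdict = "unknown"
        findings.append((verdict, path, sha1))
    # Review known-bad first, then suspicious locations, then everything else.
    order = {"known-bad": 0, "unknown-suspicious-location": 1, "unknown": 2}
    findings.sort(key=lambda f: order[f[0]])
    return findings
```

Point the reader at the real CSV with open(...).read() in place of SAMPLE_CSV; the same hash lists can be run against every host's output during a multi-system hunt.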

------------------------------------------------------------------------------------------------------------


appcompatprocessor.py: Automating Execution Analysis


What is appcompatprocessor.py?

Developed by Matias Bevilacqua, appcompatprocessor.py is a Python-based tool designed to parse and analyze execution artifacts from AppCompatCache (ShimCache) and Amcache.


Unlike standalone parsing tools, appcompatprocessor.py integrates these data sources into a SQLite database, allowing for efficient and powerful queries.

Why AppCompatCache and Amcache Matter

Both artifacts provide a record of program executions but differ in their capabilities:


  • AppCompatCache (ShimCache): Primarily tracks file executions, even if they have since been deleted. However, it does not store execution timestamps.

  • Amcache: Contains richer metadata, including SHA-1 hashes, timestamps, and file paths.


By combining both sources, appcompatprocessor.py enables forensic analysts to get a comprehensive timeline of executed files, even if malware has attempted to clean up traces.



Key Features of appcompatprocessor.py

Once data is ingested into SQLite, analysts can leverage various analysis modules to detect anomalies and malicious activity. Some of the most powerful modules include:


1. Search Modules

  • search: Performs regular expression searches within the database. Prebuilt regex patterns can detect suspicious patterns (e.g., execution from network shares, encoded scripts, or known hacking tools).

  • fsearch: Searches specific fields like FileName, FilePath, LastModified, or ExecutionFlag.


2. Anomaly Detection Modules

  • filehitcount: Counts occurrences of each executable, highlighting unusual or rarely executed binaries.

  • tcorr: Temporal correlation of executions, helping identify which processes frequently run together (e.g., rundll32.exe executing shortly after a suspicious binary).

  • reconscan: Detects reconnaissance tools running in close sequence, assigning a likelihood score to identify probing activity.

  • leven: Identifies slight variations in file names that might indicate masquerading techniques (e.g., lssass.exe instead of lsass.exe).

  • stack: Performs least-frequency-of-occurrence analysis, helping isolate rare but potentially malicious binaries.


3. Randomized File Name Detection

  • rndsearch: Identifies randomly named executables that could indicate malware execution.

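The masquerade check the leven module performs, as an added example in Python (a reimplementation of the idea, not appcompatprocessor.py's own code). The list of known binaries and the sample FileName values are constructed for the example.

```python
# Names of legitimate Windows binaries to compare against; a short list for the example.
KNOWN_BINARIES = ["lsass.exe", "svchost.exe", "csrss.exe", "explorer.exe", "rundll32.exe"]


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def find_masquerades(file_names, known=KNOWN_BINARIES, max_distance=2):
    """Return (observed, lookalike, distance) for names within max_distance edits of a
    known binary that are not themselves that binary (e.g. lssass.exe vs lsass.exe)."""
    hits = []
    for name in file_names:
        n = name.lower()
        if n in known:
            continue
        best = min(known, key=lambda k: levenshtein(n, k))
        d = levenshtein(n, best)
        if 0 < d <= max_distance:
            hits.append((name, best, d))
    return hits


# Constructed FileName values as they might appear in the database.
SAMPLE_NAMES = ["lsass.exe", "lssass.exe", "svch0st.exe", "explorer.exe",
                "notepad.exe", "scvhost.exe"]
```

Keep max_distance small: at 3 or more, short legitimate names start colliding with each other and the hit list fills with noise.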

-----------------------------------------------------------------------------------------------------------


Case Study: Investigating a Potential Malware Execution

A security operations center (SOC) detects suspicious behavior on a Windows endpoint. An unusual svchost.exe process is found running from C:\ProgramData\, which is an uncommon location for a system process.


Investigation Steps Using These Tools

  • Run AmcacheParser to extract execution history:


    AmcacheParser.exe -f C:\Windows\appcompat\Programs\Amcache.hve -i --csv output_folder


    • The results in Amcache_UnassociatedFileEntries.csv show svchost.exe executing from an unusual location.

    • SHA-1 hash lookup confirms the file is unknown and possibly malicious.


  • Use appcompatprocessor.py to correlate ShimCache and Amcache data by loading the collected SYSTEM hive and Amcache.hve into a database (the load module ingests a folder of collected artifacts):


    python appcompatprocessor.py analysis.db load <folder containing SYSTEM and Amcache.hve>


    • Running stack on FilePath highlights C:\ProgramData\svchost.exe as a rare occurrence.

    • tcorr shows it was executed right before cmd.exe, indicating potential scripting activity.

    • reconscan detects use of ipconfig, whoami, and nltest, suggesting reconnaissance activity.


  • Pivot and Expand the Investigation

    • Running fsearch for C:\ProgramData in the database finds another suspicious file, svc.bat, confirming a script-based attack.

    • search module detects sdelete.exe, a known anti-forensic tool, suggesting the attacker attempted to delete traces.
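The stack and tcorr steps of the case study, as an added example in Python using SQLite (not appcompatprocessor.py's own code or schema). The Entries table and its rows are constructed for the example; HostID, FilePath, FileName and ExecTime are assumed column names.

```python
import sqlite3

# Constructed execution records (host, path, name, timestamp) mirroring the case study.
SAMPLE_ROWS = [
    ("HOST01", "C:\\Windows\\System32\\svchost.exe", "svchost.exe", "2024-05-01 09:00:00"),
    ("HOST01", "C:\\ProgramData\\svchost.exe", "svchost.exe", "2024-05-01 10:15:00"),
    ("HOST01", "C:\\Windows\\System32\\cmd.exe", "cmd.exe", "2024-05-01 10:15:40"),
    ("HOST01", "C:\\Windows\\System32\\whoami.exe", "whoami.exe", "2024-05-01 10:16:05"),
    ("HOST01", "C:\\Windows\\System32\\ipconfig.exe", "ipconfig.exe", "2024-05-01 10:16:30"),
    ("HOST02", "C:\\Windows\\System32\\svchost.exe", "svchost.exe", "2024-05-01 09:05:00"),
    ("HOST02", "C:\\Windows\\System32\\cmd.exe", "cmd.exe", "2024-05-02 08:00:00"),
    ("HOST03", "C:\\Windows\\System32\\svchost.exe", "svchost.exe", "2024-05-01 09:10:00"),
]

STACKABLE_FIELDS = ("FilePath", "FileName")  # only these may be interpolated into SQL


def build_db(rows=SAMPLE_ROWS):
    """In-memory table with an assumed schema; stands in for the tool's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Entries (HostID TEXT, FilePath TEXT, FileName TEXT, ExecTime TEXT)")
    con.executemany("INSERT INTO Entries VALUES (?, ?, ?, ?)", rows)
    return con


def stack(con, field="FilePath"):
    """Least-frequency-of-occurrence: values seen on the fewest hosts come first."""
    if field not in STACKABLE_FIELDS:
        raise ValueError(f"unsupported field: {field}")
    q = (f"SELECT {field}, COUNT(DISTINCT HostID) AS hosts FROM Entries "
         f"GROUP BY {field} ORDER BY hosts, {field}")
    return con.execute(q).fetchall()


def tcorr(con, file_path, window_seconds=120):
    """Temporal correlation: what ran on the same host within window_seconds after file_path."""
    q = """SELECT b.FileName FROM Entries a JOIN Entries b
           ON a.HostID = b.HostID AND b.rowid != a.rowid
           WHERE a.FilePath = ?
             AND julianday(b.ExecTime) - julianday(a.ExecTime) BETWEEN 0 AND ? / 86400.0
           ORDER BY b.ExecTime"""
    return [r[0] for r in con.execute(q, (file_path, window_seconds)).fetchall()]
```

The rarest FilePath at the top of stack() is the pivot; tcorr() on it surfaces cmd.exe and the reconnaissance commands that followed within the window.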


-------------------------------------------------------------------------------------------------------------

Conclusion

By using AmcacheParser and appcompatprocessor.py together, the SOC team quickly identified:


  • A rogue executable masquerading as a system process

  • Correlation between execution times and malicious commands

  • Attempts to delete forensic evidence


This investigation underscores why these tools are invaluable for security analysts and incident responders.

-------------------------------------------------------------------------------------------------------------

Final Thoughts

Understanding AmcacheParser and appcompatprocessor.py is essential for anyone in digital forensics, SOC teams, and incident response. These tools provide deep visibility into program executions, helping analysts detect malware, track adversaries, and correlate execution artifacts.


Master these tools, and you'll have a significant edge in forensic investigations and threat hunting. 🚀

--------------------------------------------Dean------------------------------------------



