darkcybe
  • 👋whoami
  • Security Operations
    • 💉Threat Mangement
      • Identify
        • Developing a Security Program
        • Governance, Risk, and Compliance (GRC)
        • Security Architecture
      • Protect
        • Vulnerability Mangement
        • Identity and Access Management (IAM)
        • Zero Trust
    • 👩‍💻Threat Detection
      • Detect
        • Continuous Monitoring & Security Operations Center (SOC)
        • Cyber Threat Intelligence (CTI)
    • 🚒Threat Response
      • Respond
        • Digital Forensics and Incident Response (DFIR)
      • Recover
  • Offensive Security Operations
    • 🎯Penetration Testing
      • Techniques
        • MITRE ATT&CK
          • Reconnaissance
          • Resource Development
            • T1608 - Stage Capabilities
              • Staging Malware and Tools on Kali Linux
          • Initial Access
          • Execution
          • Persistence
          • Privilege Escalation
          • Defense Evasion
          • Credential Access
          • Discovery
          • Lateral Movement
          • Collection
          • Command and Control
          • Exfiltration
          • Impact
        • CAPEC
          • 100 - Overflow Buffers
          • 66 - SQL Injection
          • 94 - Adversary-in-the-Middle (AiTM)
          • 252 - PHP Local File Inclusion (LFI)
          • 560 - Use of Known Domain Credentials
          • 644 - Use of Captured Hashes (Pass-the-Hash (PtH))
          • 633 - Token Impersonation
        • Technology Focused
          • Cloud
            • Amazon Web Services (AWS)
            • Google Cloud Platform (GCP)
          • Network Protocols and Services
            • Port 20/21 - FTP
            • Port 22 - SSH
            • Port 23 - Telnet
            • Port 25 - SMTP
            • Port 53 - DNS
            • Port 80 - HTTP
            • Port 110/995 - POP3
            • Port 135/593 - MSRPC
            • Port 137-139 - NetBIOS
            • Port 143/993 - IMAP
            • Port 443 - HTTPS
            • Port 445 - SMB
            • Port 3389 - RDP
            • Port 5355 - LLMNR
            • ARP
            • Databases
              • Port 1433/1434 - MSSQL
              • Port 3306 - MySQL/MariaDB
            • DHCP
          • Web
            • PHP
          • Windows
            • Active Directory
          • Wireless
          • Linux
      • Offensive Security Tools
    • 🚩Capture The Flag (CTF)
  • Guides
    • 🔍DFIR
      • Evidence Artifacts
        • Event Logs
        • Windows
          • Evidence of...
            • Account Usage
            • File Download
            • Program Execution
            • External Device Activity
            • File and Folder Interaction
            • Lateral Movement
            • Network and Browser History
      • DFIR Tools
        • Malware and File Analysis
          • Sigcheck
          • DensityScout
        • Memory Forensics
          • Volatility
        • Program Execution
          • PeCmd
          • WxTcmd
          • AmcacheParser
          • JumpListExplorer (JLE)
          • AppCompatCacheParser
          • SrumECmd
        • DFIR Toolkits
          • Registry Explorer
          • Incident Timelines
      • Theat Analysis
        • Analysis
          • iOS Popup Scam
        • Emulation
    • 🥷Ethical Hacking
      • Exploitation
      • Post-Exploitation
      • Reporting and Documentation
    • ⛳CTF Walkthroughs
      • 📦Hack The Box (HTB)
        • 🚶HTB Walkthroughs
    • 👷‍♀️Security Engineering
      • Building a Cybersecurity Home Lab
        • Step 1: Lab Design and Architecture
        • Step 2: Installing and Configuring VMware ESXi 8
        • Step 3: Installing the OPNsense Firewall
        • Step 4: Configuring OPNsense Firewall Rules
  • General Resources
    • 🐳Deep Dives
      • Public Key Infrastructure (PKI)
    • 🐍Programming
      • Python
    • 🏋️Training
      • 🗓️Study Methodology
    • 🥠Semi-Pro Tips
      • Linux
      • Windows
      • Resources
Powered by GitBook
On this page
  • Instructions
  • Parsing the ShimCache (AppCompatCache) on a Live System
  • Parsing the ShimCache (AppCompatCache) from a Forensic Copy
  • Sources
  1. Guides
  2. DFIR
  3. DFIR Tools
  4. Program Execution

AppCompatCacheParser

How to use AppCompatCacheParser to parse the Windows ShimCache or AppCompatCache registry in order to provide evidence of program execution during incident investigations.

PreviousJumpListExplorer (JLE)NextSrumECmd

Last updated 1 year ago

AppCompatCacheParser is a command line tool developed by Eric Zimmerman, to process the ShimCache (AppCompatCache) on Windows operating systems, identifying items such as:

  • Executable filepaths

  • Timestamp of last execution

Results can output the hive entries files into .csv for further analysis. Further Information the ShimCache can be found on

Tool Name
Version
MITRE ATT&CK Tactic
MITRE ATT&CK Technique

V1.5

Instructions

Parsing the ShimCache (AppCompatCache) on a Live System

appcompatcacheparser.exe --csvf %OUTPUT_FILENAME%.csv --csv %OUTPUT_DIRECTORY%

Parsing the ShimCache (AppCompatCache) from a Forensic Copy

appcompatcacheparser.exe -f /PATH/TO/SYSTEM hive --csvf %OUTPUT_FILENAME%.csv --csv %OUTPUT_DIRECTORY%

Interesting Fields

  • Path: Full filepath of executable

  • LastModifiedTimeUTC: Timestamp in UTC of last modification

  • Executed: Execution flag (applications can be shimmed without being executed)

Output

Sources

🔍
Darkcybe - Evidence of Execution
Eric Zimmerman
AppCompatCacheParser
Execution
AppCompat Cache Parser