search

WxTcmd

How to use WxTCmd to parse the Windows Activities Cache in order to provide evidence of program execution during incident investigations.

WxTcmd is a tool used to parse the SQLite ActivitiesCache.db file to provide forensic evidence of execution and file interaction.

Tool Name
Version
MITRE ATT&CK Tactic
MITRE ATT&CK Technique

WxTCmdarrow-up-right

V0.6.0.0

Executionarrow-up-right

hashtag
Instructions

hashtag
Extracting the ActivitiesCache.db file to a CSV

The ActivitiesCache database is stored under the userprofile and can be copied from the directory C:\Users\%USERPROFILE%\AppData\Local\ConnectedDevicesPlatform\L.%USERPROFILE%\ActivitiesCache.db

WxTcmd.exe -f 'C:\Path\To\ActivitiesCache.db' --csv 'C:\Path\To\Output'

hashtag
Output

Two .csv files will be output to the location succeeding the --csv parameter;

  • Activity.csv

    • Contains verbose details for accessed files and program execution such as executable name, filepath, Explorer search terms, and timestamps including a duration count.

  • Activity_PackageIDs.csv

    • Contains a smaller subset of data and can provide full filepath for recently executed applications.

    WxTcmd Output
PreviousPeCmdNextAmcacheParser

Last updated