Operator On The Wire

ShimCache

.\AppCompatCacheParser.exe -f SYSTEM --csv . --csvf out.csv

(Requires the SYSTEM hive; --csv takes the output directory and --csvf the
file name written inside it. The hive on a live host is locked, so take it
from a disk image, a VSS snapshot or an exported copy. ShimCache lives in:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
An offline hive has no CurrentControlSet; the parser follows Select\Current
to the right ControlSet00X.)

Caveats

  • Entries are held in memory and written to the hive at shutdown/reboot,
    so a hive pulled from a running host can be missing the latest activity.
  • The timestamp is the file's $STANDARD_INFORMATION last-modified time,
    not an execution time.
  • Windows 7 and 8.x entries carry an execution flag; Windows 10+ entries do
    not, so on modern hosts an entry proves the file was present and seen by
    the loader or Explorer, not that it ran. Confirm execution with Prefetch,
    Amcache or event logs.


Hunt

  • Recently executed binaries (on Windows 10+, recently seen binaries; an
    entry alone does not prove execution)
  • Suspicious execution paths
  • ShimCache entries with no matching Prefetch file
  • Evidence of deleted binaries (path cached, file no longer in the MFT)
  • Lateral movement tools
  • LOLBIN execution from unusual directories

Red Flags

  • Execution from:
    • C:\Users\<user>\AppData\
    • C:\Users\<user>\Downloads\
    • C:\Windows\Temp\
    • C:\ProgramData\
  • Renamed or masquerading system binaries (a system binary name outside
    System32/SysWOW64 is visible in the path; a true rename is not, and needs
    the Amcache SHA-1 or the Prefetch name to catch)
  • Tools like:
    • mimikatz.exe
    • rclone.exe
    • psexec.exe
    • net.exe in odd paths
  • No corresponding Prefetch (Prefetch disabled, a Server SKU where it is off
    by default, the .pf store pruned past its 1024-file cap on Windows 8+, or
    on Windows 10+ a file that was never actually run)

Correlate

  • Prefetch (execution confirmation, run count, last eight run times)
  • Amcache (program metadata, SHA-1 hash, first-seen time)
  • MFT (file existence + timestamps; compare $STANDARD_INFORMATION with
    $FILE_NAME to spot timestomping)
  • USN Journal (create/rename/delete activity)
  • Sysmon Event ID 1 or Security 4688 (process creation, if logging present)
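The Hunt, Red Flags and Correlate lists above as one triage pass over the parser's CSV output. This is an added example, not code from the original page or from AppCompatCacheParser itself. It assumes the CSV column names shown in the sample (ControlSet, CacheEntryPosition, Path, LastModifiedTimeUTC, Executed, Duplicate, SourceFile); the rows, the Prefetch directory listing and the user name jdoe are constructed.

```python
"""Triage AppCompatCacheParser CSV output against the red-flag rules.

Added example, not part of the original page or of AppCompatCacheParser.
All sample data below is constructed.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import Iterable, List

# Constructed rows in the column layout assumed for AppCompatCacheParser.
# On Windows 10+ "Executed" is N/A: the cache carries no insert flag, so an
# entry proves presence, not execution.
SAMPLE_CSV = """ControlSet,CacheEntryPosition,Path,LastModifiedTimeUTC,Executed,Duplicate,SourceFile
1,0,C:\\Windows\\System32\\svchost.exe,2024-01-10 09:12:00,N/A,False,SYSTEM
1,1,C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe,2024-03-02 14:05:11,N/A,False,SYSTEM
1,2,C:\\Users\\jdoe\\Downloads\\rclone.exe,2024-03-02 14:20:43,N/A,False,SYSTEM
1,3,C:\\ProgramData\\svchost.exe,2024-03-02 14:31:09,N/A,False,SYSTEM
1,4,C:\\Windows\\Temp\\psexec.exe,2024-03-02 14:40:27,N/A,False,SYSTEM
1,5,C:\\Program Files\\7-Zip\\7z.exe,2023-11-20 08:00:00,N/A,False,SYSTEM
"""

# Constructed listing of C:\Windows\Prefetch. Prefetch files are named
# EXENAME.EXE-<path hash>.pf, so only the executable name can be matched.
SAMPLE_PREFETCH = ["SVCHOST.EXE-1234ABCD.pf", "RCLONE.EXE-5E6F7A8B.pf"]

SUSPECT_DIRS = ("\\appdata\\", "\\downloads\\", "\\windows\\temp\\", "\\programdata\\")
KNOWN_TOOLS = {"mimikatz.exe", "rclone.exe", "psexec.exe", "psexesvc.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Names that should only ever live under System32/SysWOW64.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                "net.exe", "net1.exe", "cmd.exe", "rundll32.exe"}


@dataclass
class Finding:
    path: str
    last_modified: str
    reasons: List[str] = field(default_factory=list)


def load_shimcache(csv_text: str) -> List[dict]:
    """Parse the CSV as the tool wrote it; rows come back as dicts by column."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def prefetch_names(prefetch_files: Iterable[str]) -> set:
    """Lower-case executable names that have a Prefetch file."""
    names = set()
    for name in prefetch_files:
        stem = name.rsplit(".", 1)[0]              # drop ".pf"
        names.add(stem.rsplit("-", 1)[0].lower())  # drop "-<hash>"
    return names


def triage(entries: Iterable[dict], prefetch_files: Iterable[str],
           is_server: bool = False) -> List[Finding]:
    """Apply the red-flag rules to each ShimCache row and return the hits."""
    seen = prefetch_names(prefetch_files)
    findings = []
    for row in entries:
        path = row["Path"]
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        reasons = []
        if any(d in low for d in SUSPECT_DIRS):
            reasons.append("suspicious directory")
        if name in KNOWN_TOOLS:
            reasons.append("known attacker tool name")
        if name in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
            reasons.append("system binary name outside System32")
        # A missing Prefetch file only sharpens an existing lead: ShimCache
        # also records files that were merely enumerated, Server SKUs have
        # Prefetch off by default, and the .pf store is capped (1024 on Win8+).
        if reasons and not is_server and name not in seen:
            reasons.append("no matching Prefetch")
        if reasons:
            findings.append(Finding(path, row["LastModifiedTimeUTC"], reasons))
    # LastModifiedTimeUTC is the file's mtime, not an execution time; newest
    # first is still the usual order to work through.
    findings.sort(key=lambda f: f.last_modified, reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(load_shimcache(SAMPLE_CSV), SAMPLE_PREFETCH):
        print(f"{f.last_modified}  {f.path}\n    {'; '.join(f.reasons)}")
```

Run it against a real out.csv by reading the file into load_shimcache and passing os.listdir of the Prefetch directory; set is_server=True on a Server SKU so the Prefetch check is not applied. The flagged paths are leads, not conclusions: each one still needs the Prefetch, Amcache, MFT or event-log corroboration listed above.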