Full Report
Kaspersky experts share insights into how AmCache may prove useful during incident investigation, and provide a command line tool to extract data from this artifact.
Analysis Summary
# Tool/Technique: AmCache Artifact
## Overview
AmCache is a forensic artifact on Windows systems, primarily found in the `C:\Windows\System32\Amcache.hve` file (the exact path can differ by Windows version or system state). It records information about executable files that have run on the system, which makes it valuable for incident response and forensic analysis: it reveals user activity, executed applications and potentially malicious files.
## Technical Details
- Type: Artifact / Data Source (The article also discusses tools for extraction, but the focus here is the artifact itself)
- Platform: Windows (Various recent versions)
- Capabilities: Stores the path, file size, timestamps (last modified, last accessed, creation), SHA1 hash and other metadata of executables that have run, plus optional application metadata.
- First Seen: The AmCache feature has been present in Windows for some time, gaining significant forensic interest as systems evolved.
## MITRE ATT&CK Mapping
Since AmCache is a data source used by defenders and forensic analysts rather than a technique, the mapping below covers the adversary actions that leave evidence in it, chiefly execution.
- **TA0001 - Initial Access** (if the initial foothold was an executed file that is recorded here)
- **TA0002 - Execution**
- **T1059 - Command and Scripting Interpreter** (if the executed item was a script interpreter; the script itself is usually only recorded indirectly)
- **T1204 - User Execution**
- **TA0005 - Defense Evasion**
- **TA0006 - Credential Access** (if the executed application was a credential-access tool)
- **TA0009 - Collection** (as the artifact itself is collected)
- **TA0007 - Discovery** (identifying recently run files)
## Functionality
### Core Capabilities
- Records the path to an executable file.
- Stores the file size.
- Logs timestamps associated with the file's execution path (e.g., when it was first seen/run).
- Stores cryptographic hashes (specifically SHA1) of the collected executables.
### Advanced Features
- Can store application-specific metadata, potentially including installation path or deployment information.
- Provides evidence of execution even if the original file has been deleted (as long as the AmCache entry persists).
- The article specifically focuses on tools designed to extract and parse this data, turning raw registry hive data into human-readable forensic timelines.
## Indicators of Compromise
The indicators here are the contents of the *artifact* itself, that is, traces left by execution, rather than network or file IOCs from a specific malware family:
- File Hashes: **SHA1 hashes** of executables found within the AmCache entries.
- File Names: **Paths and filenames** of executables recorded in the artifact.
- Registry Keys: The artifact is stored in a registry hive structure, typically: `C:\Windows\System32\Amcache.hve` (or related transaction logs).
- Network Indicators: None directly associated with the artifact structure itself.
- Behavioral Indicators: Presence of entries for unauthorized or unknown executables.
## Associated Threat Actors
This artifact is not actor-specific; it is a native operating system feature that records the activity of **any threat actor** who executes files on a Windows machine, and it is used by **incident responders and forensic investigators**.
## Detection Methods
Detection means parsing and analyzing the artifact's contents, not matching signatures against the hive file itself (which is a legitimate OS file).
- Signature-based detection: Not applicable for the artifact file itself unless modifications are detected.
- Behavioral detection: Monitoring for processes that attempt to read or copy the `Amcache.hve` file or its associated transaction logs, especially non-standard system processes.
- YARA rules: Rules can be developed to search for specific known-malicious SHA1 hashes stored within the parsed AmCache data structures.
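The hash-matching approach above, and the point that an entry survives deletion of the file, as an added Python example that is not part of the Kaspersky article or its extraction tool: it triages AmCache records already exported by a parser (the `AmcacheEntry` layout, the sample records and the known-bad hash list are constructed placeholders). It also computes the truncated SHA1 that AmCache stores, which covers only the first 31,457,280 bytes of a file, so that a file recovered from disk can be compared with its entry.

```python
import hashlib
import os
from dataclasses import dataclass

# AmCache's FileId is "0000" followed by the SHA1 of the file's first 31,457,280
# bytes, so a full-file SHA1 of anything over 30 MB will not match the entry.
AMCACHE_HASH_LIMIT = 31_457_280

@dataclass
class AmcacheEntry:
    path: str     # full path as recorded in the hive
    size: int     # file size in bytes
    file_id: str  # raw FileId value, "0000" + SHA1

def sha1_from_file_id(file_id: str) -> str:
    """Strip the '0000' prefix and normalise case so hashes compare cleanly."""
    value = file_id.strip().lower()
    return value[4:] if len(value) == 44 and value.startswith("0000") else value

def amcache_sha1_bytes(data: bytes) -> str:
    """SHA1 the way AmCache records it: over at most the first 30 MB."""
    return hashlib.sha1(data[:AMCACHE_HASH_LIMIT]).hexdigest()

def amcache_sha1_file(path: str) -> str:
    """Same truncated SHA1 for a file on disk, for comparison with its entry."""
    with open(path, "rb") as fh:
        return amcache_sha1_bytes(fh.read(AMCACHE_HASH_LIMIT))

def triage(entries, known_bad, check_disk=False):
    """Return (path, reasons) for every entry that deserves analyst attention."""
    bad, findings = {h.lower() for h in known_bad}, []
    for e in entries:
        reasons = []
        if sha1_from_file_id(e.file_id) in bad:
            reasons.append("sha1 matches known-bad list")
        # AmCache keeps the record after deletion; a missing file is itself a lead.
        if check_disk and not os.path.exists(e.path):
            reasons.append("file no longer present on disk")
        if reasons:
            findings.append((e.path, reasons))
    return findings

# Constructed sample records and placeholder hashes; not taken from any real system.
SAMPLE_ENTRIES = [
    AmcacheEntry(r"C:\Windows\System32\notepad.exe", 201216, "0000" + "1" * 40),
    AmcacheEntry(r"C:\Users\alice\AppData\Local\Temp\update.exe", 48640, "0000" + "b" * 40),
    AmcacheEntry(r"C:\ProgramData\svc\helper.exe", 72192, "0000" + "c" * 40),
]
KNOWN_BAD_SHA1 = {"B" * 40}  # placeholder; in practice this comes from a threat-intel feed
```

Run `triage(SAMPLE_ENTRIES, KNOWN_BAD_SHA1, check_disk=True)` on the host being examined to also flag entries whose file has been removed.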
## Mitigation Strategies
Since AmCache is a core OS feature, mitigation focuses on limiting what is executed or ensuring timely system hardening/event logging.
- Prevention measures: Strict application whitelisting to control which executables are allowed to run.
- Hardening recommendations: Regular forensic sweeps or memory captures can sometimes capture transient data otherwise logged to AmCache. Monitoring changes to the `Amcache.hve` file is critical.
## Related Tools/Techniques
- **Tools mentioned for extraction (Implied):** Various third-party forensic tools designed to parse the AmCache hive structure.
- Related Artifacts: Shimcache (AppCompatCache), Prefetch files, Shellbags, RecentFiles.