Evidence of Execution Forensics β SOCb Analyst Cheatsheet
Comprehensive Guide for Execution Analysis & Malware Detection
Quick Reference: Execution Artifacts Matrix
Prefetch
β YES
Last 8 runs
β YES
β
β
~30 days
Amcache
β Presence only
Install time
β
β
β YES
Persistent
ShimCache
β Presence only
Last modified
β
β
β
Until reboot
BAM/DAM
β YES
Last run
β
β
β
~7 days
UserAssist
β YES
Last run
β YES
β
β
Persistent
Jump Lists
β YES (indirect)
Multiple
β
β
β
Persistent
Investigation Priority Matrix
CRITICAL
Prefetch
Recent execution (30 days), frequency
Last 8 runs, run count, DLLs
~1024 file limit
CRITICAL
Amcache
SHA1 hashes, malware ID
Definitive file identification
Doesn't prove execution
HIGH
ShimCache
Historical presence
Files that existed (even deleted)
No execution proof (Win10+)
HIGH
BAM/DAM
Very recent (7 days)
Last execution per user
Single timestamp only
MEDIUM
UserAssist
GUI execution
Run count, focus time
GUI apps only
MEDIUM
Jump Lists
File associations
App-specific file access
Application-dependent
Critical Understanding: Execution vs. Presence
Proves Execution:
β Prefetch - Application ran
β BAM/DAM - Application ran (last time)
β UserAssist - GUI application ran
β Event 4688 - Process creation logged
Indicates Presence (NOT execution):
β Amcache - File existed on system
β ShimCache (Win10+) - File was checked for compatibility
β MFT - File existed on disk
This distinction is CRITICAL for court testimony and investigation accuracy!
SOC Investigation Workflows
Workflow 1: Malware Execution Detection (CRITICAL)
Scenario: Suspected malware on endpoint
Investigation Steps (Priority Order):
Step 1: Check Prefetch for Recent Execution
Location: C:\Windows\Prefetch\
Why First:
Proves execution
Shows frequency (run count)
Last 8 execution times
Shows loaded DLLs
Reveals file paths
Prefetch File Naming: EXECUTABLE-HASH.pf
Example:
MIMIKATZ.EXE-A3F8B2C9.pfHash based on executable path
Multiple prefetch = same name, different locations
PowerShell - Quick Prefetch Check:
<#
.SYNOPSIS
Quick prefetch analysis for recent executions
#>
param(
[int]$Days = 7
)
Write-Host "[+] Analyzing Prefetch for Recent Executions..." -ForegroundColor Cyan
$prefetchPath = "C:\Windows\Prefetch"
$cutoffDate = (Get-Date).AddDays(-$Days)
if (Test-Path $prefetchPath) {
# Check if prefetch is enabled
$prefetchStatus = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" -Name EnablePrefetcher
Write-Host "`n[*] Prefetch Status: $($prefetchStatus.EnablePrefetcher)" -ForegroundColor Yellow
switch ($prefetchStatus.EnablePrefetcher) {
0 { Write-Host " DISABLED" -ForegroundColor Red }
1 { Write-Host " Application Prefetch ENABLED" -ForegroundColor Green }
2 { Write-Host " Boot Prefetch ENABLED" -ForegroundColor Green }
3 { Write-Host " Application and Boot ENABLED" -ForegroundColor Green }
}
# Get recent prefetch files
$recentPrefetch = Get-ChildItem "$prefetchPath\*.pf" |
Where-Object { $_.LastWriteTime -gt $cutoffDate } |
Sort-Object LastWriteTime -Descending
if ($recentPrefetch) {
Write-Host "`n[*] Recent Prefetch Files (Last $Days days): $($recentPrefetch.Count)" -ForegroundColor Yellow
# Suspicious keywords
$suspiciousKeywords = @(
"*MIMIKATZ*", "*PROCDUMP*", "*PSEXEC*", "*COBALT*",
"*METERPRETER*", "*NETCAT*", "*NC64*", "*PWDUMP*",
"*GSECDUMP*", "*WCEAUX*", "*FGDUMP*", "*CACHEDUMP*"
)
Write-Host "`n--- SUSPICIOUS EXECUTABLES ---" -ForegroundColor Red
$foundSuspicious = $false
foreach ($keyword in $suspiciousKeywords) {
$matches = $recentPrefetch | Where-Object { $_.Name -like $keyword }
if ($matches) {
$foundSuspicious = $true
foreach ($match in $matches) {
Write-Host " [!] $($match.Name)" -ForegroundColor Red
Write-Host " Last Modified: $($match.LastWriteTime)" -ForegroundColor Yellow
}
}
}
if (-not $foundSuspicious) {
Write-Host " No known malware tools detected" -ForegroundColor Green
}
# Check for suspicious paths
Write-Host "`n--- EXECUTABLES FROM UNUSUAL LOCATIONS ---" -ForegroundColor Yellow
$unusualPaths = @("*TEMP*", "*APPDATA*", "*DOWNLOADS*", "*USERS\PUBLIC*", "*RECYCLE*")
# Note: Would need PECmd to parse internal path data
Write-Host " [!] Use PECmd for detailed path analysis" -ForegroundColor Cyan
# Show all recent
Write-Host "`n--- ALL RECENT PREFETCH FILES ---" -ForegroundColor Yellow
$recentPrefetch | Select-Object -First 20 | ForEach-Object {
Write-Host " $($_.LastWriteTime) | $($_.Name)" -ForegroundColor Gray
}
} else {
Write-Host "[!] No recent prefetch files found" -ForegroundColor Red
}
} else {
Write-Host "[!] Prefetch directory not found" -ForegroundColor Red
}
Write-Host "`n[!] For detailed analysis, use PECmd:" -ForegroundColor Cyan
Write-Host " PECmd.exe -d 'C:\Windows\Prefetch' --csv 'C:\Cases\Output' --csvf prefetch.csv -q`n" -ForegroundColor WhiteUsing PECmd (Zimmerman Tool) - REQUIRED for Full Analysis:
REM Single file analysis
PECmd.exe -f "C:\Windows\Prefetch\MIMIKATZ.EXE-A3F8B2C9.pf"
REM Entire directory to CSV
PECmd.exe -d "C:\Windows\Prefetch" --csv "C:\Cases\Output" --csvf prefetch.csv -q
REM Include Volume Shadow Copies
PECmd.exe -d "C:\Windows\Prefetch" --csv "C:\Cases\Output" --csvf prefetch.csv -q --vss
REM Highlight suspicious keywords (shows in red)
PECmd.exe -d "C:\Windows\Prefetch" --csv "C:\Cases\Output" --csvf prefetch.csv -q -k "mimikatz,procdump,psexec,temp,appdata"Critical Prefetch Metadata:
Executable- Program that ranRunCount- Times executedLastRun- Most recent executionPreviousRun0-7- Last 8 executions (Win10/11)FilesLoaded- DLLs and dependenciesDirectoriesLoaded- Directories accessedVolume Info- Drive serial numbers
Red Flags in Prefetch:
β Multiple prefetch files for same executable (different locations)
CMD.EXE-8E75B5BB.pf(normal: C:\Windows\System32)CMD.EXE-A3F8B2C9.pf(suspicious: C:\Users\Public)
β Known attack tools (mimikatz, procdump, psexec)
β Recently created during incident window
β High run count on suspicious files
β Unusual paths in FilesLoaded/DirectoriesLoaded
IMPORTANT EXCEPTIONS:
Normal to have multiple prefetch files:
- SVCHOST.EXE-*.pf (many instances with different args)
- DLLHOST.EXE-*.pf
- BACKGROUNDTASKHOST.EXE-*.pf
- RUNDLL32.EXE-*.pf
Hash calculated from: path + command line argumentsStep 2: Extract SHA1 Hashes from Amcache
Location: C:\Windows\AppCompat\Programs\Amcache.hve
Why Second:
SHA1 hash = definitive file identification
Survives file rename/deletion
Can match against VirusTotal/threat intel
Full path and metadata
CRITICAL UNDERSTANDING:
Amcache DOES NOT prove execution!
Amcache proves file EXISTENCE on system
Use for:
β File identification (SHA1)
β File metadata (size, timestamps, publisher)
β Proving file was present even if deleted
Do NOT use for:
β Proving file executed
β Execution timestampsUsing AmcacheParser (Zimmerman Tool):
REM Live system
AmcacheParser.exe -f "C:\Windows\AppCompat\Programs\Amcache.hve" --csv "C:\Cases\Output" --csvf amcache.csv -i
REM With known-bad hash list
AmcacheParser.exe -f "C:\Windows\AppCompat\Programs\Amcache.hve" -b "C:\Cases\bad_hashes.txt" --csv "C:\Cases\Output" --csvf amcache.csv
REM Offline analysis
AmcacheParser.exe -f "E:\Evidence\Amcache.hve" --csv "C:\Cases\Output" --csvf amcache.csv -iPowerShell - Check if Amcache Exists:
$amcachePath = "C:\Windows\AppCompat\Programs\Amcache.hve"
if (Test-Path $amcachePath) {
$file = Get-Item $amcachePath
Write-Host "[+] Amcache found" -ForegroundColor Green
Write-Host " Size: $([math]::Round($file.Length / 1MB, 2)) MB" -ForegroundColor Yellow
Write-Host " Last Modified: $($file.LastWriteTime)" -ForegroundColor Yellow
Write-Host "`n[!] Parse with AmcacheParser for SHA1 hashes" -ForegroundColor Cyan
} else {
Write-Host "[!] Amcache not found" -ForegroundColor Red
}Amcache Key Metadata:
SHA1- File hash (CRITICAL for identification)FullPath- Complete file pathFileSize- File size in bytesFileExtension- File typeLinkDate- Compilation timestampPublisher- Digital signature publisherBinaryType- 32-bit vs 64-bit
Investigation Workflow with SHA1:
1. Extract SHA1 from Amcache
2. Search SHA1 on VirusTotal
3. Check against threat intel feeds
4. Cross-reference with Prefetch
5. If malware: Find ALL instances via SHA1Example Analysis:
Amcache shows:
- SHA1: f3b25701fe362ec84616a93a45ce9994
VirusTotal result:
- 45/70 AV vendors detect as "Mimikatz"
Conclusion:
- File present on system
- Definitively identified as Mimikatz
- Check Prefetch for execution evidenceStep 3: Check ShimCache for Historical Presence
Location: C:\Windows\System32\config\SYSTEM Registry Key: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Why Third:
Shows files that existed on system
Survives file deletion
Contains files that may have been present but removed
CRITICAL UNDERSTANDING:
Windows 10+ Behavior:
ShimCache DOES NOT prove execution!
Entry = File was checked for compatibility
Use for:
β Proving file existed
β Last modification time
β Detecting deleted executables
Do NOT use for:
β Proving execution (Win10+)
β Execution timestampsUsing AppCompatCacheParser (Zimmerman Tool):
REM Parse SYSTEM hive
AppCompatCacheParser.exe -f "C:\Windows\System32\config\SYSTEM" --csv "C:\Cases\Output" --csvf shimcache.csv
REM Offline analysis
AppCompatCacheParser.exe -f "E:\Evidence\SYSTEM" --csv "C:\Cases\Output" --csvf shimcache.csvShimCache Metadata:
Path- Full executable pathLastModified- File modification timeFileSize- File sizeExecuted- Execution flag (pre-Win10 only)
Red Flags in ShimCache:
β Executables that no longer exist on disk
β Modified system tools (unusual modification dates)
β Paths from temp/external media
β Known malware filenames
β Recent entries during incident window
Investigation Pattern:
ShimCache shows:
- C:\Users\Public\update.exe
- Last Modified: 2024-11-29 14:23
File check:
- File no longer exists on disk
- Not in Prefetch (may have been deleted)
- Found in Amcache with suspicious SHA1
Conclusion:
- File was present on system
- Likely deleted by attacker
- Amcache SHA1 identifies as malwareStep 4: Check BAM/DAM for Very Recent Activity
Location: SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}
Why Fourth:
Very recent activity (last 7 days)
Last execution timestamp
Per-user attribution
PowerShell - Parse BAM:
<#
.SYNOPSIS
Parse BAM for recent execution (covered in previous document)
#>
$bamPath = "HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings"
if (Test-Path $bamPath) {
Get-ChildItem $bamPath | ForEach-Object {
$sid = $_.PSChildName
Write-Host "`n[*] User SID: $sid" -ForegroundColor Yellow
Get-ItemProperty $_.PSPath | ForEach-Object {
$_.PSObject.Properties | Where-Object {
$_.Name -like "*\*"
} | ForEach-Object {
$exePath = $_.Name
$rawTime = $_.Value
if ($rawTime -and $rawTime.Length -ge 8) {
try {
$time = [DateTime]::FromFileTime([BitConverter]::ToInt64($rawTime, 0))
[PSCustomObject]@{
Executable = $exePath
LastExecuted = $time
SID = $sid
}
} catch {}
}
}
}
} | Sort-Object LastExecuted -Descending | Format-Table -AutoSize
}Step 5: Check UserAssist for GUI Application Execution
Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Why Fifth:
Proves GUI application execution
Run count available
Focus time (time in foreground)
IMPORTANT: Values are ROT-13 encoded
PowerShell - Decode ROT-13:
<#
.SYNOPSIS
Decode UserAssist entries (ROT-13)
#>
function Decode-ROT13 {
param([string]$Text)
$result = ""
foreach ($char in $Text.ToCharArray()) {
if ($char -match '[A-Ma-m]') {
$result += [char]([int]$char + 13)
} elseif ($char -match '[N-Zn-z]') {
$result += [char]([int]$char - 13)
} else {
$result += $char
}
}
return $result
}
Write-Host "[+] Parsing UserAssist..." -ForegroundColor Cyan
$userAssistPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
Get-ChildItem $userAssistPath | ForEach-Object {
$guid = $_.PSChildName
Write-Host "`n[*] GUID: $guid" -ForegroundColor Yellow
$countPath = Join-Path $_.PSPath "Count"
if (Test-Path $countPath) {
Get-Item $countPath | ForEach-Object {
$_.Property | ForEach-Object {
$encoded = $_
$decoded = Decode-ROT13 $encoded
if ($decoded -notlike "UEME_*") {
Write-Host " $decoded" -ForegroundColor Cyan
}
}
}
}
}UserAssist GUIDs:
CEBFF5CD- Executable file executionF4E57C4B- Shortcut file execution
UserAssist Metadata:
Binary value contains:
- Last execution time
- Number of executions
- Focus count (times in foreground)
- Focus time (total time in foreground)Complete Execution Analysis Script
<#
.SYNOPSIS
Comprehensive execution artifact analysis
.DESCRIPTION
Analyzes multiple execution artifacts for malware detection
#>
param(
[string]$OutputPath = "C:\Cases\ExecutionAnalysis",
[int]$Days = 7
)
# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null
Write-Host "`nββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ" -ForegroundColor Cyan
Write-Host "β EXECUTION ARTIFACT ANALYSIS β" -ForegroundColor Cyan
Write-Host "ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ" -ForegroundColor Cyan
Write-Host "Computer: $env:COMPUTERNAME" -ForegroundColor Yellow
Write-Host "Analysis Period: Last $Days days" -ForegroundColor Yellow
Write-Host "Output: $OutputPath`n" -ForegroundColor Yellow
$cutoffDate = (Get-Date).AddDays(-$Days)
# ============================================================================
# 1. PREFETCH ANALYSIS
# ============================================================================
Write-Host "[1/6] Analyzing Prefetch..." -ForegroundColor Yellow
$prefetchOutput = "$OutputPath\01_Prefetch_Analysis.txt"
"=" * 80 | Out-File $prefetchOutput
"PREFETCH ANALYSIS - $(Get-Date)" | Out-File $prefetchOutput -Append
"=" * 80 | Out-File $prefetchOutput -Append
$prefetchPath = "C:\Windows\Prefetch"
if (Test-Path $prefetchPath) {
# Check status
$prefetchStatus = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" -Name EnablePrefetcher
"`nPrefetch Status: $($prefetchStatus.EnablePrefetcher)" | Out-File $prefetchOutput -Append
# Get recent files
$recentPrefetch = Get-ChildItem "$prefetchPath\*.pf" |
Where-Object { $_.LastWriteTime -gt $cutoffDate } |
Sort-Object LastWriteTime -Descending
"`nRecent Prefetch Files: $($recentPrefetch.Count)" | Out-File $prefetchOutput -Append
# Suspicious keywords
$suspiciousKeywords = @(
"*MIMIKATZ*", "*PROCDUMP*", "*PSEXEC*", "*COBALT*",
"*METERPRETER*", "*NETCAT*", "*PWDUMP*", "*WCEAUX*"
)
"`n--- SUSPICIOUS EXECUTABLES ---" | Out-File $prefetchOutput -Append
$foundSuspicious = $false
foreach ($keyword in $suspiciousKeywords) {
$matches = $recentPrefetch | Where-Object { $_.Name -like $keyword }
if ($matches) {
$foundSuspicious = $true
foreach ($match in $matches) {
"[!] $($match.Name) - $($match.LastWriteTime)" | Out-File $prefetchOutput -Append
}
}
}
if (-not $foundSuspicious) {
"No suspicious prefetch files detected" | Out-File $prefetchOutput -Append
}
"`n--- ALL RECENT PREFETCH (Last $Days days) ---" | Out-File $prefetchOutput -Append
$recentPrefetch | ForEach-Object {
"$($_.LastWriteTime) | $($_.Name)" | Out-File $prefetchOutput -Append
}
Write-Host " [β] Prefetch analysis complete" -ForegroundColor Green
} else {
"[!] Prefetch directory not found" | Out-File $prefetchOutput
Write-Host " [!] Prefetch not available" -ForegroundColor Red
}
# ============================================================================
# 2. AMCACHE CHECK
# ============================================================================
Write-Host "[2/6] Checking Amcache..." -ForegroundColor Yellow
$amcacheOutput = "$OutputPath\02_Amcache_Check.txt"
"=" * 80 | Out-File $amcacheOutput
"AMCACHE CHECK - $(Get-Date)" | Out-File $amcacheOutput -Append
"=" * 80 | Out-File $amcacheOutput -Append
$amcachePath = "C:\Windows\AppCompat\Programs\Amcache.hve"
if (Test-Path $amcachePath) {
$file = Get-Item $amcachePath
"`nAmcache found:" | Out-File $amcacheOutput -Append
" Size: $([math]::Round($file.Length / 1MB, 2)) MB" | Out-File $amcacheOutput -Append
" Last Modified: $($file.LastWriteTime)" | Out-File $amcacheOutput -Append
"`n[!] Parse with AmcacheParser for SHA1 hashes:" | Out-File $amcacheOutput -Append
" AmcacheParser.exe -f '$amcachePath' --csv '$OutputPath' --csvf amcache.csv -i" | Out-File $amcacheOutput -Append
Write-Host " [β] Amcache found" -ForegroundColor Green
} else {
"[!] Amcache not found" | Out-File $amcacheOutput
Write-Host " [!] Amcache not found" -ForegroundColor Red
}
# ============================================================================
# 3. BAM/DAM ANALYSIS
# ============================================================================
Write-Host "[3/6] Analyzing BAM/DAM..." -ForegroundColor Yellow
$bamOutput = "$OutputPath\03_BAM_Execution.txt"
"=" * 80 | Out-File $bamOutput
"BAM/DAM EXECUTION ANALYSIS - $(Get-Date)" | Out-File $bamOutput -Append
"=" * 80 | Out-File $bamOutput -Append
$bamPath = "HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings"
if (Test-Path $bamPath) {
Get-ChildItem $bamPath | ForEach-Object {
$sid = $_.PSChildName
"`n--- User SID: $sid ---" | Out-File $bamOutput -Append
Get-ItemProperty $_.PSPath | ForEach-Object {
$_.PSObject.Properties | Where-Object {
$_.Name -like "*\*"
} | ForEach-Object {
$exePath = $_.Name
$rawTime = $_.Value
if ($rawTime -and $rawTime.Length -ge 8) {
try {
$time = [DateTime]::FromFileTime([BitConverter]::ToInt64($rawTime, 0))
"$time | $exePath" | Out-File $bamOutput -Append
} catch {}
}
}
}
}
Write-Host " [β] BAM/DAM analysis complete" -ForegroundColor Green
} else {
"[!] BAM not found (may not be available on this OS version)" | Out-File $bamOutput
Write-Host " [!] BAM not available" -ForegroundColor Gray
}
# ============================================================================
# 4. USERASSIST ANALYSIS
# ============================================================================
Write-Host "[4/6] Analyzing UserAssist..." -ForegroundColor Yellow
$userAssistOutput = "$OutputPath\04_UserAssist.txt"
"=" * 80 | Out-File $userAssistOutput
"USERASSIST ANALYSIS - $(Get-Date)" | Out-File $userAssistOutput -Append
"=" * 80 | Out-File $userAssistOutput -Append
"`n[!] Values are ROT-13 encoded" | Out-File $userAssistOutput -Append
# ROT-13 decoder
function Decode-ROT13 {
param([string]$Text)
$result = ""
foreach ($char in $Text.ToCharArray()) {
if ($char -match '[A-Ma-m]') {
$result += [char]([int]$char + 13)
} elseif ($char -match '[N-Zn-z]') {
$result += [char]([int]$char - 13)
} else {
$result += $char
}
}
return $result
}
$userAssistPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
if (Test-Path $userAssistPath) {
Get-ChildItem $userAssistPath | ForEach-Object {
$guid = $_.PSChildName
"`n--- GUID: $guid ---" | Out-File $userAssistOutput -Append
$countPath = Join-Path $_.PSPath "Count"
if (Test-Path $countPath) {
Get-Item $countPath | ForEach-Object {
$_.Property | ForEach-Object {
$encoded = $_
$decoded = Decode-ROT13 $encoded
if ($decoded -notlike "UEME_*") {
" $decoded" | Out-File $userAssistOutput -Append
}
}
}
}
}
Write-Host " [β] UserAssist analysis complete" -ForegroundColor Green
} else {
"[!] UserAssist not found" | Out-File $userAssistOutput
Write-Host " [!] UserAssist not found" -ForegroundColor Red
}
# ============================================================================
# 5. JUMP LIST CHECK
# ============================================================================
Write-Host "[5/6] Checking Jump Lists..." -ForegroundColor Yellow
$jumpListOutput = "$OutputPath\05_Jump_Lists.txt"
"=" * 80 | Out-File $jumpListOutput
"JUMP LIST ANALYSIS - $(Get-Date)" | Out-File $jumpListOutput -Append
"=" * 80 | Out-File $jumpListOutput -Append
$autoDestPath = "$env:APPDATA\Microsoft\Windows\Recent\AutomaticDestinations"
$customDestPath = "$env:APPDATA\Microsoft\Windows\Recent\CustomDestinations"
if (Test-Path $autoDestPath) {
$autoJumpLists = Get-ChildItem $autoDestPath -ErrorAction SilentlyContinue
"`nAutomatic Destinations: $($autoJumpLists.Count) files" | Out-File $jumpListOutput -Append
if ($autoJumpLists) {
"`nRecent Jump Lists:" | Out-File $jumpListOutput -Append
$autoJumpLists | Sort-Object LastWriteTime -Descending | Select-Object -First 20 | ForEach-Object {
" $($_.LastWriteTime) | $($_.Name)" | Out-File $jumpListOutput -Append
}
}
}
if (Test-Path $customDestPath) {
$customJumpLists = Get-ChildItem $customDestPath -ErrorAction SilentlyContinue
"`nCustom Destinations: $($customJumpLists.Count) files" | Out-File $jumpListOutput -Append
}
"`n[!] Parse with JLECmd for detailed analysis:" | Out-File $jumpListOutput -Append
" JLECmd.exe -d '$autoDestPath' --csv '$OutputPath' --csvf jumplists.csv -q" | Out-File $jumpListOutput -Append
Write-Host " [β] Jump List check complete" -ForegroundColor Green
# ============================================================================
# 6. SUSPICIOUS INDICATOR SUMMARY
# ============================================================================
Write-Host "[6/6] Generating Suspicious Indicator Summary..." -ForegroundColor Yellow
$suspiciousOutput = "$OutputPath\06_Suspicious_Indicators.txt"
"=" * 80 | Out-File $suspiciousOutput
"SUSPICIOUS INDICATOR SUMMARY - $(Get-Date)" | Out-File $suspiciousOutput -Append
"=" * 80 | Out-File $suspiciousOutput -Append
# Known attack tools
$attackTools = @(
"mimikatz", "procdump", "psexec", "cobalt", "beacon",
"meterpreter", "netcat", "nc64", "pwdump", "gsecdump",
"wceaux", "fgdump", "cachedump", "metasploit", "empire"
)
"`n[*] Scanning for known attack tools..." | Out-File $suspiciousOutput -Append
$toolsFound = $false
if (Test-Path $prefetchPath) {
$allPrefetch = Get-ChildItem "$prefetchPath\*.pf"
foreach ($tool in $attackTools) {
$matches = $allPrefetch | Where-Object { $_.Name -like "*$tool*" }
if ($matches) {
$toolsFound = $true
"`n[!] FOUND: $tool" | Out-File $suspiciousOutput -Append
foreach ($match in $matches) {
" $($match.Name) - $($match.LastWriteTime)" | Out-File $suspiciousOutput -Append
}
}
}
}
if (-not $toolsFound) {
"`n[+] No known attack tools detected in Prefetch" | Out-File $suspiciousOutput -Append
}
Write-Host " [β] Suspicious indicator summary complete" -ForegroundColor Green
# ============================================================================
# GENERATE SUMMARY
# ============================================================================
$summaryOutput = "$OutputPath\00_INVESTIGATION_SUMMARY.txt"
@"
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β EXECUTION ARTIFACT ANALYSIS SUMMARY β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Investigation Date: $(Get-Date)
Computer: $env:COMPUTERNAME
Analysis Period: Last $Days days
Analyst: $env:USERNAME
ARTIFACTS ANALYZED:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
[β] Prefetch (Proves execution, run count, last 8 runs)
[β] Amcache (SHA1 hashes, file metadata - presence only)
[β] BAM/DAM (Last execution per user - last 7 days)
[β] UserAssist (GUI execution, run count)
[β] Jump Lists (Application file access)
OUTPUT FILES:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
01_Prefetch_Analysis.txt β Recent executions and suspicious tools
02_Amcache_Check.txt β SHA1 hash availability
03_BAM_Execution.txt β Very recent execution (7 days)
04_UserAssist.txt β GUI application usage
05_Jump_Lists.txt β Application file associations
06_Suspicious_Indicators.txt β Known attack tool detection
CRITICAL NEXT STEPS:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
1. Parse Prefetch with PECmd for full timeline:
PECmd.exe -d "C:\Windows\Prefetch" --csv "$OutputPath" --csvf prefetch.csv -q -k "mimikatz,psexec,procdump,temp,appdata"
2. Parse Amcache for SHA1 hashes:
AmcacheParser.exe -f "C:\Windows\AppCompat\Programs\Amcache.hve" --csv "$OutputPath" --csvf amcache.csv -i
3. Parse ShimCache for historical presence:
AppCompatCacheParser.exe -f "C:\Windows\System32\config\SYSTEM" --csv "$OutputPath" --csvf shimcache.csv
4. Parse Jump Lists for file access:
JLECmd.exe -d "$env:APPDATA\Microsoft\Windows\Recent\AutomaticDestinations" --csv "$OutputPath" --csvf jumplists.csv -q
5. Check suspicious SHA1 hashes on VirusTotal
6. Build complete execution timeline using TimelineExplorer
KEY INVESTIGATION PRINCIPLES:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
PROVES EXECUTION:
β Prefetch (definitive proof)
β BAM/DAM (last execution)
β UserAssist (GUI apps)
β Event 4688 (process creation)
PROVES PRESENCE (NOT EXECUTION):
β Amcache (Win7+)
β ShimCache (Win10+)
β MFT
CRITICAL UNDERSTANDING:
β Multiple prefetch files for same executable = different locations
β Prefetch .pf creation β successful execution (may have crashed)
β Amcache SHA1 is CRITICAL for malware identification
β ShimCache (Win10+) does NOT prove execution
β Always correlate multiple artifacts
DETECTION PATTERNS:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Prefetch from temp/appdata directories
β Known attack tools (mimikatz, procdump, psexec)
β Multiple prefetch for standard Windows tools (cmd.exe, powershell.exe)
β Execution during off-hours or incident window
β SHA1 hashes matching known malware
TOOLS REQUIRED:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β PECmd.exe (Prefetch parser)
β AmcacheParser.exe (Amcache parser)
β AppCompatCacheParser.exe (ShimCache parser)
β JLECmd.exe (Jump List parser)
β TimelineExplorer.exe (Timeline analysis)
Download: https://ericzimmerman.github.io/
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
"@ | Out-File $summaryOutput
Write-Host "`nββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ" -ForegroundColor Green
Write-Host "β ANALYSIS COMPLETE β" -ForegroundColor Green
Write-Host "ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ" -ForegroundColor Green
Write-Host "`nResults: $OutputPath" -ForegroundColor Cyan
Write-Host "Review: 00_INVESTIGATION_SUMMARY.txt`n" -ForegroundColor Yellow
Write-Host "[!] CRITICAL: Parse artifacts with Zimmerman Tools for full analysis" -ForegroundColor Red
Write-Host " PECmd.exe -d 'C:\Windows\Prefetch' --csv '$OutputPath' --csvf prefetch.csv -q`n" -ForegroundColor WhiteWorkflow 2: Persistence Mechanism Detection
Scenario: Detect malware persistence mechanisms
AutoStart Extension Points (ASEP)
Critical Locations:
Registry Run Keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RunWinlogon:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellStartup Folder:
%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\StartupPowerShell - Check All ASEP Locations:
<#
.SYNOPSIS
Check all AutoStart Extension Points for persistence
#>
Write-Host "[+] Checking AutoStart Extension Points..." -ForegroundColor Cyan
# Run Keys
Write-Host "`n--- HKLM Run Keys ---" -ForegroundColor Yellow
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue |
Select-Object * -ExcludeProperty PS* | Format-List
Write-Host "`n--- HKCU Run Keys ---" -ForegroundColor Yellow
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue |
Select-Object * -ExcludeProperty PS* | Format-List
# Winlogon
Write-Host "`n--- Winlogon ---" -ForegroundColor Yellow
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" |
Select-Object Shell, Userinit | Format-List
# Startup folder
Write-Host "`n--- Startup Folder ---" -ForegroundColor Yellow
$startupPath = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
if (Test-Path $startupPath) {
Get-ChildItem $startupPath | Select-Object Name, LastWriteTime
}
Write-Host "`n[!] For comprehensive ASEP analysis, use Autoruns or RECmd" -ForegroundColor CyanUsing Autoruns (Sysinternals):
autorunsc64.exe -accepteula -a * -s -h -c > autoruns_output.csv
Flags:
-a * : Show all startup locations
-s : Verify digital signatures
-h : Show file hashes
-c : Output as CSVWorkflow 3: File System Artifacts
Master File Table ($MFT)
Location: Root of NTFS volume (hidden system file)
Forensic Value:
Every file/folder on NTFS volume
Timestamps (MACB - Modified, Accessed, Changed, Born)
File size, attributes
Deleted file records (may persist)
Using MFTECmd (Zimmerman Tool):
REM Parse MFT
MFTECmd.exe -f "C:\$MFT" --csv "C:\Cases\Output" --csvf mft.csv
REM Filter for executables
MFTECmd.exe -f "C:\$MFT" --csv "C:\Cases\Output" --csvf mft_exe.csv --deUSN Journal ($J)
Location: $Extend\$UsnJrnl:$J
Forensic Value:
File system change journal
Records create, delete, rename operations
Timestamps for file activity
Shows files that were deleted
Using MFTECmd:
REM Parse USN Journal
MFTECmd.exe -f "C:\$Extend\$UsnJrnl:$J" --csv "C:\Cases\Output" --csvf usnjrnl.csv$LogFile
Location: Root of NTFS volume
Forensic Value:
NTFS transaction log
File operations (create, delete, modify, rename)
Even more detailed than USN Journal
Using LogFileParser:
LogFileParser.exe -f "C:\$LogFile" --csv "C:\Cases\Output"Workflow 4: Alternate Data Streams (ADS)
Description: Hidden data streams attached to files (NTFS only)
Malware Use Cases:
Hide malicious code in legitimate files
Store hacking tools invisibly
Evade antivirus detection
PowerShell - Find ADS:
<#
.SYNOPSIS
Detect Alternate Data Streams
#>
param(
[string]$Path = "C:\Users",
[string]$OutputPath = "C:\Cases\ADS_Detection.txt"
)
Write-Host "[+] Scanning for Alternate Data Streams..." -ForegroundColor Cyan
$adsFiles = Get-ChildItem $Path -Recurse -ErrorAction SilentlyContinue |
Get-Item -Stream * -ErrorAction SilentlyContinue |
Where-Object { $_.Stream -ne ':$DATA' } |
Select-Object PSPath, Stream, Length
if ($adsFiles) {
Write-Host "[!] Found $($adsFiles.Count) files with ADS" -ForegroundColor Red
$adsFiles | Out-File $OutputPath
$adsFiles | Format-Table -AutoSize
Write-Host "`n[*] Results saved to: $OutputPath" -ForegroundColor Yellow
} else {
Write-Host "[+] No ADS detected" -ForegroundColor Green
}Manual ADS Commands:
REM List ADS on file
dir /r file.txt
REM View ADS content
more < file.txt:hidden_stream
REM Extract ADS
type file.txt:hidden_stream > extracted.exe
REM Delete ADS
more < nul > file.txt:hidden_streamZone.Identifier ADS:
Files downloaded from internet get Zone.Identifier ADS
Contains URL source and zone information
Check with:
more < file.exe:Zone.IdentifierInvestigation Checklists
Malware Execution Investigation
[ ] Check Prefetch for known malware tools
[ ] Look for multiple prefetch files for standard tools (cmd.exe, etc.)
[ ] Extract SHA1 hashes from Amcache
[ ] Search SHA1 on VirusTotal
[ ] Check ShimCache for deleted executables
[ ] Review BAM/DAM for recent execution
[ ] Parse UserAssist for GUI application usage
[ ] Check for executables in suspicious paths
[ ] Build execution timeline with all artifacts
[ ] Cross-reference with network/file access artifacts
Persistence Investigation
[ ] Check all Run/RunOnce keys (HKLM and HKCU)
[ ] Verify Winlogon Shell and Userinit values
[ ] Check Startup folder for suspicious items
[ ] Review Services for malicious entries
[ ] Check Scheduled Tasks
[ ] Look for DLL hijacking indicators
[ ] Scan for ADS on system files
[ ] Use Autoruns for comprehensive ASEP check
[ ] Document all persistence mechanisms found
Timeline Construction
[ ] Parse Prefetch to CSV
[ ] Parse Amcache to CSV
[ ] Parse ShimCache to CSV
[ ] Parse BAM/DAM to CSV
[ ] Parse Jump Lists to CSV
[ ] Merge all CSVs in TimelineExplorer
[ ] Sort by timestamp
[ ] Filter by incident window
[ ] Correlate execution with file/network activity
[ ] Document complete attack timeline
Critical Detection Patterns
Suspicious Prefetch Patterns
RED FLAGS:
β MIMIKATZ.EXE-*.pf
β PROCDUMP.EXE-*.pf or PROCDUMP64.EXE-*.pf
β PSEXEC.EXE-*.pf (lateral movement)
β Multiple CMD.EXE-*.pf (different hashes)
β Multiple POWERSHELL.EXE-*.pf (different hashes)
β Files from C:\Users\Public, C:\Temp, %APPDATA%Suspicious Amcache Indicators
RED FLAGS:
β No digital signature (unsigned executables)
β SHA1 matches known malware
β Publisher: (blank) or suspicious
β Executables from temp directories
β Recently installed during incident windowSuspicious ShimCache Indicators
RED FLAGS:
β Executables that no longer exist
β Modified system tools
β Files from external media
β Malware-named files (even if deleted)Real Investigation Scenario
Case Study: Mimikatz Execution Detection
Evidence Chain:
1. Prefetch Analysis:
Found: MIMIKATZ.EXE-A3F8B2C9.pf
Location: C:\Users\Public\mimikatz.exe (from FilesLoaded)
Run Count: 3
Last Run: 2024-11-29 14:23:45
Previous Runs: 14:15:30, 14:10:22
DLLs Loaded: cryptdll.dll, samlib.dll (credential access indicators)2. Amcache Analysis:
Found: C:\Users\Public\mimikatz.exe
SHA1: f3b25701fe362ec84616a93a45ce9994
File Size: 1,256,960 bytes
Publisher: (none)
Compilation Date: 2024-01-153. VirusTotal Check:
SHA1: f3b25701fe362ec84616a93a45ce9994
Detection: 45/70 AV vendors
Name: Mimikatz credential dumper4. ShimCache Analysis:
Found: C:\Users\Public\mimikatz.exe
Last Modified: 2024-11-29 14:10:00
Note: File no longer exists on disk (attacker deleted it)5. BAM Analysis:
User SID: S-1-5-21-....-1001 (Bob's account)
Last Execution: 2024-11-29 14:23:45
Path: C:\Users\Public\mimikatz.exe6. Timeline:
14:10:00 - File created (ShimCache last modified)
14:10:22 - First execution (Prefetch)
14:15:30 - Second execution (Prefetch)
14:23:45 - Third execution (Prefetch, BAM)
14:25:00 - File deleted (no longer on disk)Conclusion:
Mimikatz definitively executed 3 times
Used by Bob's account
Credential dumping activity
Attacker attempted cleanup (file deleted)
Evidence survived via Prefetch, Amcache, ShimCache
Summary: Key Takeaways
Most Critical Artifacts (Top 3)
Prefetch - Proves execution, run count, timeline
Amcache - SHA1 hashes for definitive identification
ShimCache - Historical presence even if deleted
Execution Proof Hierarchy
Definitive Proof:
β Prefetch file exists
β Event 4688 logged
β UserAssist entry (GUI apps)
Strong Indicator:
β BAM/DAM entry (very recent)
β Jump List entry (application used file)
Presence Only (NOT execution):
β Amcache entry (Win7+)
β ShimCache entry (Win10+)
β MFT record
Critical Commands
REM Prefetch analysis
PECmd.exe -d "C:\Windows\Prefetch" --csv "C:\Output" --csvf prefetch.csv -q
REM Amcache SHA1 extraction
AmcacheParser.exe -f "C:\Windows\AppCompat\Programs\Amcache.hve" --csv "C:\Output" --csvf amcache.csv -i
REM ShimCache historical analysis
AppCompatCacheParser.exe -f "C:\Windows\System32\config\SYSTEM" --csv "C:\Output" --csvf shimcache.csv
REM Jump List analysis
JLECmd.exe -d "C:\Users" --csv "C:\Output" --csvf jumplists.csv -q
REM ASEP comprehensive check
autorunsc64.exe -accepteula -a * -s -h -c > autoruns.csvKey Principle
Execution artifact analysis requires correlation of multiple sources. Prefetch proves execution, Amcache provides SHA1 for identification, ShimCache shows historical presence. Always validate findings across artifacts - a single artifact is never sufficient for conclusive determination.
Target Audience: SOC analysts, incident responders, malware analysts Tools Required: Zimmerman Tools (PECmd, AmcacheParser, AppCompatCacheParser, JLECmd), Autoruns Usage: Malware detection, execution timeline, persistence hunting
Remember: Prefetch = execution proof. Amcache = SHA1 identification. ShimCache = historical presence. Multiple prefetch files for standard tools (cmd.exe, powershell.exe) = potential attacker activity. Always correlate artifacts!
Last updated