Veritas
F047 · HIGH · Synthesis validator: passed

Multiple suspicious lolbin executions via AppCompatCache (Living off the Land / Defense Evasion)

AppCompatCache: Multiple lolbin executions

Analyst narrative

AppCompatCache (shimcache) records document the execution of multiple living-off-the-land binaries: cmd.exe, powershell.exe, rundll32.exe, regsvcs.exe, wmic.exe, schtasks.exe, sc.exe, vssadmin.exe, cscript.exe, and wsmprovhost.exe. Candidates cand-0054 through cand-0068; all are marked with the Executed=Yes flag. Fact_ids: appcompatcache_execution_fact-0000005 through appcompatcache_execution_fact-0000206.

Claims asserted

path: C:\Windows\System32\cmd.exe · run_appcompatcacheparser
user_accounts: psql

Proof chain · 3 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

appcompatcache execution fact · appcompatcache:sysvol/windows/system32/cmd.exe
run_appcompatcacheparser
Raw tool output · 35acd1d08498b2161c70578913c69ec99b4dc9a8
{"ControlSet": "1", "CacheEntryPosition": "6", "Path": "SYSVOL\\Windows\\System32\\cmd.exe", "LastModifiedTimeUTC": "2014-10-29 01:28:18", "Executed": "Yes", "Duplicate": "False", "SourceFile": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM"}
appcompatcache execution fact · appcompatcache:sysvol/windows/system32/cmd.exe
run_appcompatcacheparser
Raw tool output · 6a0c3783fbc59aa6b33b49998428fc94be67c125
{"ControlSet": "2", "CacheEntryPosition": "6", "Path": "SYSVOL\\Windows\\System32\\cmd.exe", "LastModifiedTimeUTC": "2014-10-29 01:28:18", "Executed": "Yes", "Duplicate": "True", "SourceFile": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM"}
registry persistence fact · reg:hklm/software/microsoft/windows nt/currentversion/image file execution options/sethc.exe
parse_registry_persistence
Raw tool output · d9ff23e61d2fe1edadc6b97e096d01abcf1b5ac1
{"tool": "parse_registry_persistence", "source_hive": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SOFTWARE", "hive_type": "SOFTWARE", "registry_path": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe", "value_name": "Debugger", "value_data": "C:\\Windows\\System32\\cmd.exe", "value_type": "REG_SZ", "value_data_truncated": false, "is_default": false, "persistence_type": "ifeo", "control_set": null, "is_active_controlset": null, "user_profile": null, "last_write_time": "2018-09-04T22:56:12.793392+00:00", "evidence_type": "registry_persi

Source tools

extract_mft_timeline, parse_event_logs, parse_registry_persistence, parse_scheduled_tasks_disk, parse_userassist, run_appcompatcacheparser, vol_cmdline, vol_dlllist, vol_filescan, vol_getsids, vol_handles, vol_privileges, vol_psscan, vol_pstree, vol_psxview