@tomsonpl tomsonpl commented Nov 7, 2025

AppCompatCache Artifact

The AppCompatCache (ShimCache) is a Windows forensic artifact that maintains a record of program execution history. This query extracts ShimCache entries to identify recently executed programs, providing critical visibility into execution patterns, suspicious program locations, and code signing status for threat detection and incident response investigations.

Read: https://p.elstc.co/paste/u51PK8CZ#P5lLF72f+bM4vFxzenX22CD6ShzNYcgdD8pDh0YY8nR

Core Forensic Artifacts Coverage Table

| # | Artifact | OS | Query File | Description |
|---|----------|----|------------|-------------|
| 1 | AppCompatCache (ShimCache) | Windows | appcompatcache_shimcache_windows_elastic 4a7c3e8f | Extracts ShimCache entries tracking program execution history with risk scoring based on location, code signing, and recency |

Queries by Platform


🪟 Windows - AppCompatCache Execution Tracking with Risk Scoring

Description

Extracts Application Compatibility Cache (ShimCache) entries to track program execution history on Windows systems. The ShimCache records metadata about executables that have been launched, providing forensic evidence of program execution even when programs are no longer running or have been deleted from disk.

Results

[Screenshot of query results, 2025-11-07 09:30:37]

Risk Scoring Methodology:

  • CRITICAL (70-100): Unsigned executables from suspicious locations (Temp, AppData) with recent modification times indicating active threats
  • HIGH (50-69): Executables from user-writable directories (Downloads, Public folders) with questionable signatures
  • MEDIUM (30-49): Unsigned executables from non-standard system locations that may warrant investigation
  • LOW (0-29): Signed executables from standard system locations following normal execution patterns

Detection Focus:

  • Recently executed programs based on entry order (lower entry numbers = more recent)
  • Executables from suspicious locations (Temp folders, AppData, Downloads)
  • Unsigned or untrusted executables indicating potential malware
  • Modification timestamps for timeline analysis and correlation
  • Execution flags (Windows 7/8) indicating confirmed execution
  • Code signing status to identify untrusted binaries
  • Coverage for MITRE ATT&CK T1204 (User Execution), T1059 (Command and Scripting Interpreter), T1218 (System Binary Proxy Execution)

Result

Query returns up to 500 ShimCache entries sorted by risk score and entry order, with each entry including file path, modification time, execution flag, file hashes (MD5/SHA256), code signature details, and computed risk assessment.

Platform

windows

Interval

7200 seconds (2 hours)

Query ID

appcompatcache_shimcache_windows_elastic

ECS Field Mappings

  • event.category: ["process"]
  • event.type: ["info"]
  • file.path: path
  • file.mtime: modified_time
  • file.hash.md5: md5
  • file.hash.sha256: sha256
  • file.code_signature.subject_name: subject_name
  • file.code_signature.status: signature_status
  • event.risk_score: risk_score
  • event.severity: risk_level
  • tags: ["execution_tracking", "appcompatcache", "shimcache", "forensics", "code_signing", "risk_scoring", "windows"]

SQL Query

WITH scored AS (
  SELECT
    s.entry,
    s.path,
    s.modified_time,
    s.execution_flag,
    h.md5,
    h.sha256,
    a.subject_name,
    a.result AS signature_status,
    -- Risk Score Calculation (0-100), computed once here and reused
    -- for the risk level in the outer query
    (
      -- Location-based risk (5-40 points)
      CASE
        WHEN s.path LIKE '%\\Temp\\%' OR s.path LIKE '%\\AppData\\Local\\Temp\\%' THEN 40
        WHEN s.path LIKE '%\\AppData\\%' OR s.path LIKE '%\\Users\\Public\\%' THEN 35
        WHEN s.path LIKE '%\\Downloads\\%' THEN 30
        WHEN s.path NOT LIKE 'C:\\Windows\\System32\\%'
          AND s.path NOT LIKE 'C:\\Windows\\SysWOW64\\%'
          AND s.path NOT LIKE 'C:\\Program Files%' THEN 25
        ELSE 5
      END
      +
      -- Signature-based risk (0-30 points)
      CASE
        WHEN a.result IS NULL OR a.result != 'trusted' THEN 30
        ELSE 0
      END
      +
      -- Recency-based risk (0-15 points)
      CASE
        WHEN s.entry <= 50 THEN 15
        WHEN s.entry <= 100 THEN 10
        WHEN s.entry <= 200 THEN 5
        ELSE 0
      END
    ) AS risk_score
  FROM shimcache s
  LEFT JOIN hash h
    ON h.path = s.path
  LEFT JOIN authenticode a
    ON a.path = s.path
  WHERE
    s.path NOT LIKE 'C:\\Windows\\WinSxS\\%'
    AND s.path NOT LIKE 'C:\\Windows\\servicing\\%'
    AND s.path NOT LIKE '%\\WindowsApps\\%'
)
SELECT
  entry,
  path,
  modified_time,
  execution_flag,
  md5,
  sha256,
  subject_name,
  signature_status,
  risk_score,
  -- Risk Level Categorization
  CASE
    WHEN risk_score >= 70 THEN 'CRITICAL'
    WHEN risk_score >= 50 THEN 'HIGH'
    WHEN risk_score >= 30 THEN 'MEDIUM'
    ELSE 'LOW'
  END AS risk_level
FROM scored
ORDER BY
  risk_score DESC,
  entry ASC
LIMIT 500;
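To check the scoring bands end to end, here is an added example (not part of the PR or the osquery_manager integration) that loads constructed ShimCache and Authenticode rows into an in-memory SQLite database and runs the same location, signature and recency rules, banded exactly as above. The hash join is left out, and the LIKE patterns carry one backslash per path separator because SQLite string literals do not process backslash escapes; the doubled backslashes in the PR text are assumed to be the escaped form in which the pack definition stores the query.

```python
import sqlite3

# Constructed sample rows standing in for osquery's shimcache and authenticode
# tables: (entry, path, modified_time, execution_flag) / (path, subject, result).
SHIMCACHE = [
    (1,   r"C:\Users\alice\AppData\Local\Temp\update.exe", 1730970000, 1),
    (250, r"C:\Users\alice\Downloads\tool.exe",            1730960000, 1),
    (150, r"C:\Tools\helper.exe",                          1730900000, 0),
    (300, r"C:\Windows\System32\notepad.exe",              1700000000, 1),
]
AUTHENTICODE = [
    (r"C:\Users\alice\Downloads\tool.exe", "Example Vendor",    "untrusted"),
    (r"C:\Tools\helper.exe",               "Example Vendor",    "trusted"),
    (r"C:\Windows\System32\notepad.exe",   "Microsoft Windows", "trusted"),
]

# The PR's scoring rules, computed once in a CTE and banded in the outer query.
# SQLite does not unescape backslashes in string literals, so each separator
# ends up as a single backslash once Python has turned "\\" into "\".
RISK_SQL = """
WITH scored AS (
  SELECT s.entry, s.path, a.result AS signature_status,
    CASE
      WHEN s.path LIKE '%\\Temp\\%' THEN 40
      WHEN s.path LIKE '%\\AppData\\%' OR s.path LIKE '%\\Users\\Public\\%' THEN 35
      WHEN s.path LIKE '%\\Downloads\\%' THEN 30
      WHEN s.path NOT LIKE 'C:\\Windows\\System32\\%'
        AND s.path NOT LIKE 'C:\\Windows\\SysWOW64\\%'
        AND s.path NOT LIKE 'C:\\Program Files%' THEN 25
      ELSE 5 END
    + CASE WHEN a.result IS NULL OR a.result != 'trusted' THEN 30 ELSE 0 END
    + CASE WHEN s.entry <= 50 THEN 15 WHEN s.entry <= 100 THEN 10
           WHEN s.entry <= 200 THEN 5 ELSE 0 END AS risk_score
  FROM shimcache s LEFT JOIN authenticode a ON a.path = s.path
)
SELECT path, risk_score,
  CASE WHEN risk_score >= 70 THEN 'CRITICAL' WHEN risk_score >= 50 THEN 'HIGH'
       WHEN risk_score >= 30 THEN 'MEDIUM' ELSE 'LOW' END AS risk_level
FROM scored ORDER BY risk_score DESC, entry ASC
"""

def score_shimcache(shimcache_rows, authenticode_rows):
    """Load the rows into in-memory tables and return (path, score, level) tuples."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE shimcache(entry INT, path TEXT, modified_time INT, execution_flag INT)")
    con.execute("CREATE TABLE authenticode(path TEXT, subject_name TEXT, result TEXT)")
    con.executemany("INSERT INTO shimcache VALUES (?, ?, ?, ?)", shimcache_rows)
    con.executemany("INSERT INTO authenticode VALUES (?, ?, ?)", authenticode_rows)
    return con.execute(RISK_SQL).fetchall()
```

Calling `score_shimcache(SHIMCACHE, AUTHENTICODE)` yields one row per band: the unsigned Temp binary at entry 1 scores 85 (CRITICAL), the untrusted Downloads binary 60 (HIGH), the signed non-standard-location binary 30 (MEDIUM) and signed notepad.exe in System32 5 (LOW).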

@tomsonpl tomsonpl self-assigned this Nov 7, 2025
@tomsonpl tomsonpl added the documentation and Integration:osquery_manager labels Nov 7, 2025
@tomsonpl tomsonpl marked this pull request as ready for review November 7, 2025 08:52
@tomsonpl tomsonpl requested a review from a team as a code owner November 7, 2025 08:52
@tomsonpl tomsonpl requested review from gergoabraham and pzl and removed request for a team November 7, 2025 08:52
@elasticmachine

💚 Build Succeeded

cc @tomsonpl
