New Sunday – new Funday! This week’s Sunday Funday presented the following challenge to solve:
What are all the methods of execution you can find that are not recorded in the Amcache hive?
All testing have been done on Windows 10 (Version 1803, OS Build 17134.523). For testing I used netscan.exe (x64), it’s available here, it was renamed according to its persistence mechanism/location. For parsing Amcache.hve both AmcacheParser by Eric Zimmerman and RegRipper by Harlan Carvey were used.
I started from running files without double-clicking. To do it, I used a number of persistence mechanisms. Here are the results:
Image File Execution Options Injection (T1183):
c:\users\user\desktop\imagefileexecutionoptionsinjection.exe
Shortcut modification (T1023):
c:\users\user\desktop\lnk.exe
Logon Scripts (T1037):
c:\users\user\desktop\logonscript.exe
Registry Run Keys / Startup Folder (T1060):
c:\users\user\desktop\run.exe
c:\users\user\desktop\shortcut.exe (a shortcut to the file in the Startup folder)
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\startup.exe
Scheduled Task (T1053):
c:\users\user\desktop\task.exe
As you can see, every mechanism created evidence of execution in the Amcache.hve.
Let’s go further. I tried to run executables with cmd and PowerShell. Both finished with the same results – records in the amcache:
c:\users\user\desktop\cmdrun.exe
c:\users\user\desktop\powershellrun.exe
Next I dropped files to a number of different locations, every execution created amcache artifact as well:
c:\c.exe
c:\users\user\3d objects\3d objects.exe
c:\users\user\pictures\camera roll\camera roll.exe
c:\users\user\documents\documents.exe
c:\users\user\downloads\downloads.exe
c:\users\user\music\music.exe
c:\perflogs\perflogs.exe
c:\users\user\pictures\pictures.exe
c:\program files (x86)\program files 86.exe
c:\program files\program files.exe
c:\programdata\programdata.exe
c:\users\public\public.exe
c:\samples\samples.exe
c:\users\user\pictures\saved pictures\saved pictures.exe
c:\scripts\scripts.exe
c:\windows\system32\system32.exe
c:\windows\syswow64\syswow64.exe
c:\users\users.exe
c:\users\user\user_root.exe
c:\windows\windows.exe
c:\users\user\documents\new folder\new_folder.exe
c:\users\user\documents\new folder\new folder\new_folder_2.exe
c:\users\user\documents\new folder\new folder\new folder\new_folder_3.exe
I remembered that if you download an exacutable with IE or Edge it allows you to choose, if you want to run or download it. So I pasted a link to an exacutable previously uploaded to SendSpace and chose to run it. Again, I got an amcache record:
c:\users\user\appdata\local\packages\microsoft.microsoftedge_8wekyb3d8bbwe\tempstate\downloads\internet (1).exe
I have an internal RAID as D:\ drive. So I decided to run an executable from it and not my C:\ drive, and got an amcache record again:
d:\d.exe
I ran an executable and deleted it after running. Again, I got a record in the amcache:
c:\users\user\desktop\deleted.exe
Ok, now what? Let’s try to run it from external and network drives! I ran an executable from a flash drive (M:\ drive) and… no amcache records!
Next I ran an executable from an external USB drive (F:\ drive) and… no amcache records again!
Finally, a network drive (Z:\ drive). A-a-and… no amcache records!
So, it seems you can find only executables ran from internal drives. This is it. Anyway, it requires more testing I think.
