AmCache.hve
Location
C:\Windows\appcompat\Programs\Amcache.hve
Description
Application compatibility cache hive tracking program execution with SHA1 hashes, file paths, publisher metadata, and first-execution timestamps.
Forensic Value
AmCache records SHA1 hashes for executed binaries, enabling immediate VirusTotal lookups even after the attacker deletes the original file. First-execution timestamps establish when a tool was first introduced to the system. Entries persist across reboots and are more resistant to anti-forensic tampering than Prefetch.
Tools Required
Collection Commands
KAPE
kape.exe --tsource C: --tdest C:\output --target Amcache
AmcacheParser
AmcacheParser.exe -f "C:\Windows\appcompat\Programs\Amcache.hve" --csv C:\output --csvf Amcache.csv
Registry Explorer
Open Amcache.hve in Registry Explorer and navigate to Root\InventoryApplicationFile
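A small triage helper that works the AmcacheParser CSV the way the Forensic Value section describes: it normalizes the SHA1 values, builds a deduplicated list of hashes for reputation lookup (skipping entries the parser marks as OS components), and pulls out the files first seen inside an incident window. This is an added example, not code from the page or from the AmcacheParser project. It assumes the CSV column names ApplicationName, FileKeyLastWriteTimestamp, SHA1, IsOsComponent and FullPath, and UTC timestamps in `YYYY-MM-DD HH:MM:SS` form; the sample rows are constructed for illustration.

```python
"""Triage helper for AmcacheParser-style CSV output.

Added example; not part of the original page or of the AmcacheParser
project.  Assumed column names: ApplicationName, FileKeyLastWriteTimestamp,
SHA1, IsOsComponent, FullPath.  Assumed timestamp layout: UTC
'YYYY-MM-DD HH:MM:SS'.  The sample rows below are constructed.
"""
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample rows resembling an InventoryApplicationFile export.
SAMPLE_CSV = """ApplicationName,FileKeyLastWriteTimestamp,SHA1,IsOsComponent,FullPath
Microsoft Windows,2023-05-01 08:00:00,00001f2e3d4c5b6a79880716253443526170fedcba98,True,c:\\windows\\system32\\svchost.exe
Unassociated,2023-05-14 09:12:33,0000A94A8FE5CCB19BA61C4C0873D391E987982FBBD3,False,c:\\users\\public\\music\\update.exe
Unassociated,2023-05-14 09:15:10,0000a94a8fe5ccb19ba61c4c0873d391e987982fbbd3,False,c:\\perflogs\\update.exe
Unassociated,2023-05-20 17:45:02,0000ED9C2B8F1C0F5E7A2D4B6C8E0F1A3B5C7D9E1F2A,False,c:\\programdata\\tools\\pe.exe
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed AmcacheParser timestamp layout


def parse_ts(text):
    """Parse an assumed 'YYYY-MM-DD HH:MM:SS' UTC timestamp; None if malformed."""
    try:
        return datetime.strptime(text.strip(), TS_FORMAT).replace(tzinfo=timezone.utc)
    except (ValueError, AttributeError):
        return None


def normalize_sha1(raw):
    """Return a lowercase 40-hex SHA1, or None if the value is unusable.

    The hive stores the hash with four leading zero characters (44 hex
    chars in total); strip that prefix so the value matches what a
    reputation service expects.
    """
    value = (raw or "").strip().lower()
    if len(value) == 44 and value.startswith("0000"):
        value = value[4:]
    return value if SHA1_RE.match(value) else None


def parse_amcache_csv(text):
    """Parse CSV text into a list of entries with normalized fields."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        entries.append({
            "path": (row.get("FullPath") or "").lower(),
            "sha1": normalize_sha1(row.get("SHA1")),
            "first_seen": parse_ts(row.get("FileKeyLastWriteTimestamp") or ""),
            "is_os_component": (row.get("IsOsComponent") or "").strip().lower() == "true",
        })
    return entries


def hashes_for_lookup(entries, exclude_os_components=True):
    """Unique SHA1s worth submitting to a reputation service, sorted.

    The same hash under several paths (copied or renamed tooling) is
    reported once; entries without a usable hash are dropped.
    """
    wanted = set()
    for e in entries:
        if e["sha1"] is None:
            continue
        if exclude_os_components and e["is_os_component"]:
            continue
        wanted.add(e["sha1"])
    return sorted(wanted)


def first_seen_in_window(entries, start, end):
    """Entries whose first-seen timestamp falls within [start, end], oldest first."""
    hits = [e for e in entries if e["first_seen"] and start <= e["first_seen"] <= end]
    return sorted(hits, key=lambda e: e["first_seen"])


if __name__ == "__main__":
    rows = parse_amcache_csv(SAMPLE_CSV)
    for e in first_seen_in_window(rows, parse_ts("2023-05-14 00:00:00"), parse_ts("2023-05-15 00:00:00")):
        print(e["first_seen"], e["sha1"], e["path"])
    print("hashes to look up:", hashes_for_lookup(rows))
```

Two caveats when acting on the output: the hive's SHA1 is computed over only a leading portion of large files (roughly the first 30 MiB), so a lookup miss on a big binary does not clear it, and the timestamp is the key's last-write time, which stands in for first execution but should be corroborated against Prefetch or event logs where those survive.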
Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
MITRE ATT&CK Techniques
Used in Procedures
Related Blockers
Compromised Vendor Artifact Provenance Lost
The compromised software was distributed through a legitimate channel (update server, package registry) but the vendor cannot or will not produce the exact pre-compromise build artifacts, build manifests, or signing-chain evidence needed to validate provenance. Without that baseline, it is difficult to definitively identify what was malicious versus legitimate in the distributed artifact.
Attack Delivered via Legitimately Signed Update
The malicious artifact carries a valid signature from the vendor's real signing key, so traditional allow-by-signature controls (Authenticode policy, Cosign verification, macOS notarization) do not flag it. Detection must pivot to behavioral indicators, reputation, and anomaly-based signals.
Mining Incident Treated as Low Priority by Stakeholders
Stakeholders frame unauthorized mining as "just a resource cost" and push for immediate process-kill and closure rather than a full investigation. This under-scoping routinely leaves the entry vector open and misses secondary compromise (webshells, backdoors, credential theft) the attacker installed alongside the miner.