5. SHIMcache

The SHIM Cache or AppCompatCache (Application Compatibility Cache) is a special Registry cache containing valuable information, because the cache tracks metadata for binary files that were executed.

It includes the full path to the executable file image and a timestamp, which could be the date of the last execution or the creation time stamp of the file, depending on the Windows version.

In cases where the executed file is still present on disk, THOR calculates hashes and includes them in the log message (message enrichment). If you can't find a hash in the log line, this means that THOR wasn't able to find the file on disk anymore.

5.1. References

5.2. Samples

Aug 26 13:10:21 SRV2345/10.2.0.22
THOR: Warning: MODULE: SHIMCache
MESSAGE: Suspicious file name in Shim Cache Entry detected
ELEMENT: SYSVOL\Temp\1.exe
PATTERN: \ [01]\.exe AND \[A-Za-z0-9]\.(exe|com|dll|bat|scr|vbs)$ AND \[Tt]emp\[0-9a-zA-Z]\.(exe|dll)
SCORE: 60
DESC: Typical attacker scheme
FILE: SYSVOL\Temp\1.exe
DATE: 02/21/17 15:44:32
TYPE: system
HIVEFILE: None
EXTRAS: N/A N/A True
MD5: -
SHA1: -
SHA256: -

Aug 26 12:02:59 SRV1123.internal.net/10.0.0.112
THOR: Warning: MODULE: SHIMCache
MESSAGE: Suspicious file name in Shim Cache Entry detected
ELEMENT: D:\Temp\test\ client.exe
PATTERN: \client.exe
SCORE: 60
DESC: Typical Malware Names
FILE: D:\Temp\test\ client.exe
DATE: 01/23/17 08:03:37
TYPE: system
HIVEFILE: None
EXTRAS: N/A N/A False
MD5: 099120aca1c34e7a529b3b390cfdbc1e
SHA1: 4ece72b9fa13019a4ce8b4229ca7b6aee09d6982
SHA256: c3c336a23021b68b026bdf1642b220d88037039aa6d7f8e7d4d576cc38063088

5.3. Typical False Positives

  • Legitimate software that uses strange executable locations

  • THOR's own scans if administrators chose a suspicious working directory (e.g. C:\Temp\, C:\thor\)

5.4. Attribute Evaluation

Attribute

Question

Answer

Indication

Weight

ELEMENT

See chapter File Path Checks

MD5/SHA1/SHA256

Is the hash field empty (this means: File was not found during the scan)

Yes

MD5/SHA1/SHA256

See chapter Hash Checks for generic checks on hashes