EvidenceOfExecution
Compound v1.1
Author: Eric Zimmerman
description
Evidence of execution related files
includes (5)
paths
11 paths from 5 targets
Paths use Windows environment syntax.
collection commands
# PowerShell Artifact Collection Script
# Target: EvidenceOfExecution
# Run as Administrator
#Requires -RunAsAdministrator
# Non-terminating errors are reported but do not abort the run; per-path
# robocopy outcomes are tallied in $Summary instead.
$ErrorActionPreference = 'Continue'
# Root of the volume being collected and the base directory of the evidence tree.
$SourceRoot = 'C:'
$DestBase = 'D:\Evidence'
# Running counters updated by Collect-Artifact: Copied/Errors follow the
# robocopy exit code, Missed counts source paths that did not resolve.
$Summary = @{
    Copied = 0
    Missed = 0
    Errors = 0
}
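function Collect-Artifact {
    <#
    .SYNOPSIS
        Copies one artifact location into the evidence tree and updates $Summary.
    .DESCRIPTION
        Expands wildcards in every segment of $SourceDir (e.g. 'Program Files*'),
        then robocopies each matching directory into
        $DestBase\$FolderName\<source path with the drive prefix stripped>.
        Mirroring the source path keeps artifacts from different roots apart:
        the same $FolderName is used for both C:\Windows and C:\Windows.old
        variants of a target, and a flat destination would let the second copy
        of a same-named file (Amcache.hve, RecentFileCache.bcf) overwrite the first.
    .PARAMETER SourceDir
        Directory to collect; may contain wildcards in any path segment.
    .PARAMETER FolderName
        Sub-folder of $DestBase that receives the copy.
    .PARAMETER FileMask
        robocopy file filter applied inside each matched directory (default '*').
    .OUTPUTS
        None. Increments $Summary.Copied / .Missed / .Errors (script-level hashtable).
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment; robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    foreach ($src in $sources) {
        # Source path relative to its drive, so every matched directory lands in
        # its own provenance-preserving sub-tree under $FullDest.
        $relative = $src.FullName -replace '^[A-Za-z]:\\?', ''
        $target = Join-Path -Path $FullDest -ChildPath $relative
        $null = New-Item -ItemType Directory -Force -Path $target -ErrorAction SilentlyContinue
        # /B uses backup semantics so an elevated run can read ACL-restricted paths
        #    such as 'System Volume Information'. It does not bypass sharing locks,
        #    so hives the OS holds open on a live system may still fail to copy.
        # /E recurse; /COPY:DAT data+attributes+timestamps; /R:0 /W:0 no retries.
        robocopy $src.FullName "$target" "$FileMask" /E /B /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        # robocopy exit codes 0-7 are informational bit flags (1 = files copied,
        # 2 = extra files present, 4 = mismatches); 8 and above indicate failures.
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}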
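# Collection list: one call per flattened path from the 5 referenced targets.
# Every path is built from $SourceRoot so the whole run can be re-pointed at a
# mounted image drive by changing that single variable; the Windows.old variants
# pick up artifacts left behind by an in-place upgrade.
# 1. Amcache
Collect-Artifact -SourceDir "$SourceRoot\Windows\AppCompat\Programs" -FileMask "Amcache.hve" -FolderName "Amcache"
# 2. Amcache
Collect-Artifact -SourceDir "$SourceRoot\Windows.old\Windows\AppCompat\Programs" -FileMask "Amcache.hve" -FolderName "Amcache"
# 3. Amcache transaction files
Collect-Artifact -SourceDir "$SourceRoot\Windows\AppCompat\Programs" -FileMask "Amcache.hve.LOG*" -FolderName "Amcache_transaction_files"
# 4. Amcache transaction files
Collect-Artifact -SourceDir "$SourceRoot\Windows.old\Windows\AppCompat\Programs" -FileMask "Amcache.hve.LOG*" -FolderName "Amcache_transaction_files"
# 5. AppCompat PCA Folder
Collect-Artifact -SourceDir "$SourceRoot\Windows\appcompat\pca" -FolderName "AppCompat_PCA_Folder"
# 6. Prefetch
Collect-Artifact -SourceDir "$SourceRoot\Windows\prefetch" -FileMask "*.pf" -FolderName "Prefetch"
# 7. Prefetch
Collect-Artifact -SourceDir "$SourceRoot\Windows.old\Windows\prefetch" -FileMask "*.pf" -FolderName "Prefetch"
# 8. RecentFileCache
Collect-Artifact -SourceDir "$SourceRoot\Windows\AppCompat\Programs" -FileMask "RecentFileCache.bcf" -FolderName "RecentFileCache"
# 9. RecentFileCache
Collect-Artifact -SourceDir "$SourceRoot\Windows.old\Windows\AppCompat\Programs" -FileMask "RecentFileCache.bcf" -FolderName "RecentFileCache"
# 10. Syscache ('System Volume Information' is ACL-restricted; requires an elevated run)
Collect-Artifact -SourceDir "$SourceRoot\System Volume Information" -FileMask "Syscache.hve" -FolderName "Syscache"
# 11. Syscache transaction files
Collect-Artifact -SourceDir "$SourceRoot\System Volume Information" -FileMask "Syscache.hve.LOG*" -FolderName "Syscache_transaction_files"
# Final tally; Errors > 0 usually means in-use or inaccessible files, so review
# which targets contributed before treating the collection as complete.
Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green
# Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1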
Note: This is a compound target that references 5 other targets. The KAPE command resolves them natively; the PowerShell/Batch/WSL scripts flatten every referenced path into explicit copy commands.
notes
ShimCache is not included in this Compound Target, as that would require pulling the entire SYSTEM Registry Hive. To ensure the ShimCache is pulled and parsed, use RegistryHivesSystem.tkape and parse with AppCompatCacheParser.mkape