EvidenceOfExecution

CompoundCompoundv1.1

Author: Eric Zimmerman

description

Evidence of execution related files

includes (5)

Amcache 4 paths →

AppCompatPCA 1 paths →

Prefetch 2 paths →

RecentFileCache 2 paths →

Syscache 2 paths →

paths

11 pathsfrom 5 targets

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Collection Script
# Target: EvidenceOfExecution (Compound Target)
# Use KAPE for compound target collection:
# kape.exe --tsource C: --tdest D:\Evidence --target EvidenceOfExecution

Write-Host "For compound targets, use KAPE directly for best results." -ForegroundColor Yellow

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

Note: This is a compound target that references 5 other targets. KAPE will automatically collect all referenced artifacts.

› cyberchef recipes

Windows FILETIME
Convert Windows FILETIME to readable date
open in cyberchef(opens in new tab)

Open in CyberChef to decode values extracted from this artifact.

references

ShimCache is not included in this Compound Target, as that would require pulling the entire SYSTEM Registry Hive. To ensure the ShimCache is pulled and parsed, use RegistryHivesSystem.tkape and parse with AppCompatCacheParser.mkape

// description

// includes (5)

// paths

// collection commands

// references

description

includes (5)

paths

collection commands

references