Shimcache Flush!
A cleanup routine that can be performed by threat actors to flush the Shimcache to remove traces of their malicious activities.
Shimcache (aka AppCompatCache) is a high-value artefact used for forensic analysis during cyber breaches. It holds records that provide evidence of the execution, or even just the existence, of PE files. The latest OSs can hold up to 1024 entries (older entries get rolled over). The parser of my choice is https://github.com/EricZimmerman/AppCompatCacheParser.
Below are the commands that threat actors can execute on endpoints/servers to flush the cache. Note that changes to the cache are only written during a reboot or shutdown of the OS (even if you run the following flush commands). Therefore, you will still be able to obtain forensic evidence via a memory dump, which will provide the data held prior to the last reboot of the system.
Rundll32.exe apphelp.dll,ShimFlushCache - Works with Windows Vista onwards for endpoints and Windows Server 2008 onwards for servers.
Rundll32.exe kernel32.dll,BaseFlushAppcompatCache - Works with Windows XP onwards for endpoints and Windows Server 2003 onwards for servers.
How to detect this?
These command executions should not occur during BAU operations (I’ve only seen the second command in use during IT troubleshooting, but it is a rare occurrence). Endpoint Detection & Response (EDR) agent telemetry or command line process auditing (https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing) will provide the visibility you need. These log sources must be ingested into the SIEM of your choice, where you can perform real-time monitoring.
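As an added example (not part of the original post), here is a small Python detector that applies the check above to constructed 4688-style process creation records. The field names (CommandLine, SubjectUserName, NewProcessName) follow the command line process auditing event, but the sample values and the record shape are assumptions made for this example.

```python
import re

# Export names that flush the Shimcache, as listed in the post above.
SHIMCACHE_FLUSH_EXPORTS = {
    ("apphelp", "shimflushcache"),
    ("kernel32", "baseflushappcompatcache"),
}

# rundll32 loads its module argument with LoadLibrary, which appends ".dll"
# when no extension is given, so "kernel32,BaseFlushAppcompatCache" behaves
# like "kernel32.dll,BaseFlushAppcompatCache". The pattern also tolerates a
# quoted or full-path rundll32, a full-path module, mixed case and spaces
# around the comma, all of which a SIEM rule keyed on one exact string misses.
_RUNDLL_RE = re.compile(
    r'(?:^|[\\/\s"])rundll32(?:\.exe)?"?\s+"?(?P<module>[^\s",]+?)(?:\.dll)?"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE,
)

def is_shimcache_flush(command_line: str) -> bool:
    """Return True if the command line invokes one of the Shimcache flush exports."""
    m = _RUNDLL_RE.search(command_line)
    if not m:
        return False
    module = m.group("module").rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()
    export = m.group("export").lower()
    return (module, export) in SHIMCACHE_FLUSH_EXPORTS

def find_flush_events(events):
    """Filter 4688-style records (dicts) down to Shimcache flush executions."""
    return [e for e in events if is_shimcache_flush(e.get("CommandLine", ""))]

# Constructed sample records: one benign rundll32 use, two flush variants, one decoy.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "helpdesk01", "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl"},
    {"EventID": 4688, "SubjectUserName": "svc-backup", "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "Rundll32.exe apphelp.dll,ShimFlushCache"},
    {"EventID": 4688, "SubjectUserName": "jdoe", "NewProcessName": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe" kernel32 , baseflushappcompatcache'},
    {"EventID": 4688, "SubjectUserName": "jdoe", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo ShimFlushCache"},
]

if __name__ == "__main__":
    for hit in find_flush_events(SAMPLE_EVENTS):
        print(f"ALERT Shimcache flush by {hit['SubjectUserName']}: {hit['CommandLine']}")
```

Pair any hit with a memory acquisition of the host before it is rebooted, since the cache entries the attacker tried to discard are only lost once the OS writes the flushed state at shutdown.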