Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time


Purpose: Identify potential malware by finding "rare" binaries executed across endpoints.

Data Required: Windows Shimcache or Amcache entries

Collection Considerations: These are cache entries, not logs, so need to be collected directly from each endpoint, usually by an agent.

Analysis Techniques: Stack counting


Shimcache/Amcache records basic info about the last several (max 1024) executables that ran. If you collect this list frequently, you can use it to build a list of executable filenames and locations that run on each system. Shimcache is the older implementation. Starting with Windows 8 and Server 2012, it was replaced by Amcache. The format is very different, since Amcache has lots more info it can provide, but the intent is the same.

Stack count the filenames and/or directory paths to find rare files executed, rare locations from which files are executed. Assume rare files are more suspicious and investigate accordingly.

More info