From b84afa7c76eda931230f18fdcad4d68fd80cd987 Mon Sep 17 00:00:00 2001
From: nish221b-bs
Date: Wed, 19 Jun 2024 00:10:42 +0530
Subject: [PATCH] Update T1112.yaml (#2809)

Added new Atomic "Flush ShimCache"

Co-authored-by: Carrie Roberts
---
 atomics/T1112/T1112.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index 74dde19b22..54151ddc19 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -1123,3 +1123,13 @@ atomic_tests:
 Invoke-CimMethod -ClassName StdRegProv -MethodName DeleteValue -Arguments @{hDefKey=[uint32]2147483650; sSubKeyName="Software\Policies\Microsoft\Windows NT\Terminal Services"; sValueName="Shadow"} -CimSession $s
 name: powershell
 elevation_required: true
+- name: Flush Shimcache
+ description: |-
+ The ShimCache is a component in Windows operating systems that stores information about recently executed applications. It is used by the operating system to speed up the launching process of applications. The ShimCache is also used by IR teams and Forensic teams. Forensic investigators can use the ShimCache to determine which programs have been executed on a system, even if they have been deleted or their logs have been cleared.Reference : https://blueteamops.medium.com/shimcache-flush-89daff28d15e
+ supported_platforms:
+ - windows
+ executor:
+ command: |-
+ Rundll32.exe apphelp.dll,ShimFlushCache
+ name: command_prompt
+ elevation_required: true
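Review bot: The new `Flush Shimcache` atomic is irreversibly destructive on the host it runs on, yet its `description` only explains what the ShimCache is, carries no warning, and the test has no `cleanup_command` — since the cache cannot be restored after `Rundll32.exe apphelp.dll,ShimFlushCache`, no cleanup is possible and the description should say so explicitly, e.g. append `Warning: this action is irreversible - it clears the AppCompatCache (ShimCache) and destroys the execution-history artifact described above; run only on disposable test hosts.` The test is filed under T1112 (Modify Registry), but the command line itself performs no registry write; to my understanding the flush clears the in-memory cache and the `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache` value is only rewritten at shutdown, so a registry-modification detection may not fire until the next reboot, and if that holds the description should name the immediately observable signal (a `rundll32.exe` process with `apphelp.dll,ShimFlushCache` on its command line) and consider cross-referencing T1070 Indicator Removal. Whether `elevation_required: true` is actually needed for the flush is not evidenced in the hunk and is worth confirming against the referenced write-up. Minor: `cleared.Reference :` is missing a space after the period, and the test name `Flush Shimcache` differs in case from the commit's `Flush ShimCache`.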