Windows
Prefetch is the most reliable execution artefact. However, if a program is NOT there, it doesn't mean it wasn't executed: Prefetch is disabled by default on Windows Server editions, the Prefetch folder only holds a limited number of entries, and .pf files can simply be deleted.
Another artefact of use is AmCache. What's great about it is that it stores a SHA-1 hash for each entry (computed over the first 31 MB of the file), which you can pivot on directly. Although it's not proof of the program being executed, it can show the PRESENCE of files (executables and drivers) on the system.
ShimCache
ShimCache (AppCompatCache) records executables the application compatibility subsystem has looked at. Like AmCache, on modern Windows it proves a file was present on disk, not that it ran.
It is fine to collect artefacts like that manually, but it's better to do so at scale. Some tools were designed to process these artefacts and load everything into an SQL database.
AppCompatProcessor.py (GitHub) parses both ShimCache (AppCompatCache) and AmCache. This tool has modules to improve the investigation process (search using regex, reconscan, filehitcount, stack, etc.). One of particular interest is tcorr, which performs temporal correlation of execution (files that are usually executed close together in time). leven finds files whose names differ only slightly from known executables, and rndsearch attempts to identify randomly named files.
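To make the leven and rndsearch ideas concrete, here is an added Python example (mine, not AppCompatProcessor's own code) that runs both checks over a small constructed ShimCache-style listing. The reference list of known binaries, the edit-distance threshold of 2 and the "random name" heuristic (8+ alphanumeric characters mixing letters and digits, or almost no vowels) are assumptions chosen for illustration; the real tool's thresholds and whitelists differ.

```python
"""Illustrative re-implementation of the 'leven' and 'rndsearch' ideas.
Added example, not code from AppCompatProcessor."""
import ntpath

# Constructed sample of ShimCache/AmCache-style entries (host, path). Not real data.
SAMPLE_ENTRIES = [
    ("WS01", r"C:\Windows\System32\svchost.exe"),
    ("WS01", r"C:\Windows\Temp\svch0st.exe"),
    ("WS02", r"C:\Users\bob\AppData\Roaming\lsasss.exe"),
    ("WS02", r"C:\Windows\System32\wmiprvse.exe"),
    ("WS03", r"C:\ProgramData\a8f3k2ql.exe"),
    ("WS03", r"C:\Program Files\Vendor\setup.exe"),
]

# Assumed reference list of known-good binary names to compare against.
KNOWN_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "wmiprvse.exe",
                  "explorer.exe", "services.exe", "winlogon.exe", "setup.exe"}

VOWELS = set("aeiouy")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def leven_hits(entries, known=KNOWN_BINARIES, max_dist=2):
    """Names that are close to, but not equal to, a known binary name.
    Returns (host, path, closest_known_name, distance)."""
    hits = []
    for host, path in entries:
        name = ntpath.basename(path).lower()
        if name in known:
            continue
        closest, dist = min(((k, levenshtein(name, k)) for k in known),
                            key=lambda kd: kd[1])
        if 0 < dist <= max_dist:
            hits.append((host, path, closest, dist))
    return hits


def looks_random(name: str) -> bool:
    """Assumed heuristic: a stem of 8+ alphanumeric chars that mixes letters
    and digits, or has almost no vowels, is treated as randomly named."""
    stem = ntpath.splitext(name)[0].lower()
    if len(stem) < 8 or not stem.isalnum():
        return False
    letters = sum(c.isalpha() for c in stem)
    digits = sum(c.isdigit() for c in stem)
    vowels = sum(c in VOWELS for c in stem)
    if digits >= 2 and letters >= 2:
        return True
    return letters > 0 and vowels / letters < 0.2


def rndsearch(entries, known=KNOWN_BINARIES):
    """Entries whose basename looks random and is not a known binary."""
    return [(host, path) for host, path in entries
            if ntpath.basename(path).lower() not in known
            and looks_random(ntpath.basename(path))]


if __name__ == "__main__":
    for hit in leven_hits(SAMPLE_ENTRIES):
        print("leven:", hit)
    for hit in rndsearch(SAMPLE_ENTRIES):
        print("rndsearch:", hit)
```

In practice you would feed these functions the path column exported from the tool's SQLite database rather than an inline list, and tune the whitelist per environment: short names and vendor naming schemes with version digits (rundll32.exe, for example) are why the known-binary exclusion runs first.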
Event Logs
Services
Services are managed by the SCM (Service Control Manager). The same process produces the Security (4697) and System (7034, 7035, 7036, 7040 and 7045) events.
- Security
  - 4697 - a service was installed in the system
- System
  - 7034 - the service terminated unexpectedly (crashed)
  - 7035 - the SCM sent a start/stop control request to the service
  - 7036 - the service entered the running/stopped state
  - 7040 - the start type of a service was changed
  - 7045 - a service was installed
PsExec creates a new service when executed and deletes it afterwards, so expect both 4697 and 7045 EIDs for that install. Keep in mind that 4697 is only written when the "Audit Security System Extension" subcategory is enabled, which is not the default, so 7045 is often the only record you get. Services usually run under a built-in service account (LocalSystem, LocalService, NetworkService); a user account running a service is something worth looking into.