Protecting the Evidence in Real-Time with KQL Queries

A few weeks ago, I published a post titled Detecting Ransomware Final Stage Activities with KQL Queries where I shared different phases and detections during the last phase of a ransomware attack. Every time I read it, I realize just how broad and complex this topic truly is. As I dive deeper into the techniques attackers use to remove traces of their activity, I’ve been reading and researching about two valuable Windows forensic cases:

  • Amcache.hve
  • Shimcache

Both serve as execution footprints, helping incident responders reconstruct attacker activity even when traditional logs are missing or wiped.

On the other hand, I also recall that in older versions of Windows (prior to Windows 10), when performing disk clean-up or analyzing system resource usage, there were always some files occupying disk space and memory, often related to RegBack. However, starting with Windows 10, version 1803 (and the Windows Server releases after Windows Server 2016), Windows no longer automatically backs up the system registry to the RegBack folder, so these backups are disabled by default.

Why? Microsoft cites performance optimization and disk space savings as the primary reasons, and to recover a system with a corrupt registry hive it recommends using a system restore point. While this may benefit most users, in environments running critical services or handling sensitive data on these versions, it might be worth reconsidering. Enabling RegBack could serve as a valuable secondary recovery option, even if it comes at a minor cost in performance or storage.

And of course, experienced attackers know to check whether RegBack is enabled, so monitoring for attempts to modify the corresponding registry keys can help us generate early alerts and detect potential tampering.

Amcache

Amcache.hve is a Windows registry file that logs details about executed programs, including file paths, hashes, timestamps, and metadata. It helps reconstruct what was run on a system — even if the original file is gone. Located by default at C:\Windows\AppCompat\Programs\Amcache.hve, it records:

  • Paths of executed binaries
  • File hashes
  • Timestamps
  • Volume and device details
Ideal for: Timeline reconstruction, detecting execution of unsigned binaries, correlating files dropped during early-stage access.

Shimcache (AppCompatCache)

Shimcache is a memory-resident registry artifact that records executables seen or run by the system. It stores file paths and last modified timestamps, making it useful for tracking historical program execution — even after deletion. Located by default in the SYSTEM hive at C:\Windows\System32\config\SYSTEM, it records:

  • File paths of programs that were executed or simply viewed
  • Timestamps (last modified, not execution)
  • Visibility into historical program usage — even after uninstallation or renaming
Ideal for: Long-term persistence analysis and program history across reboots.

Removing the Evidence

Attackers aware of forensic techniques could try to delete or alter these files to remove the evidence of their attacks:

  • Deleting or wiping Amcache.hve
  • Overwriting or tampering with the SYSTEM hive to destroy Shimcache
  • Using tools like SDelete, cipher /w:, or direct registry access to tamper logs

That’s why it’s critical to monitor for these kinds of actions in Defender XDR or Microsoft Sentinel environments using KQL.
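The wiping tools named above can also be caught at execution time. The following hunting query is an added example, not from the original post: it flags cipher.exe free-space wipes and SDelete runs aimed at the Amcache or SYSTEM hive locations in DeviceProcessEvents. The process names and switches are the tools' documented ones; the 7-day window and the artifact path list are assumptions to tune per environment.

```kql
// Added example (not from the original post): wiper tooling pointed at forensic artifacts.
// Assumptions: 7-day lookback and the ArtifactPaths list are starting points to tune.
let ArtifactPaths = dynamic(["Amcache.hve", @"AppCompat\Programs", @"System32\config"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| extend WipeTechnique = case(
    // cipher /w: overwrites free space on a volume, destroying remnants of deleted hives
    FileName =~ "cipher.exe" and ProcessCommandLine contains "/w:", "cipher free-space wipe",
    // SDelete aimed directly at an artifact location
    FileName in~ ("sdelete.exe", "sdelete64.exe") and ProcessCommandLine has_any (ArtifactPaths), "sdelete on forensic artifact path",
    // SDelete in free-space mode (-z zero / -c clean), same effect as cipher /w:
    FileName in~ ("sdelete.exe", "sdelete64.exe") and ProcessCommandLine matches regex @"(?i)\s-(z|c)\b", "sdelete free-space wipe",
    "")
| where isnotempty(WipeTechnique)
| project Timestamp, DeviceName, AccountName, WipeTechnique, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, ReportId
| order by Timestamp desc
```

Legitimate administrative use of cipher /w: is rare on endpoints, so even a low volume of hits is worth a look; pair each hit with the file-event query in the next section to see whether the hive files changed around the same time.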

KQL: Detect attempts to modify Amcache.hve or the SYSTEM hive

DeviceFileEvents
// Verbatim (@"...") strings keep the backslashes literal; straight quotes are required by KQL
| where (FileName contains "SYSTEM" and FolderPath contains @"C:\Windows\System32\config\") or (FileName has "Amcache.hve")
| project Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, InitiatingProcessFileName, ReportId

KQL: Detect execution of forensic tools

There are helpful tools, like the ones created by Eric Zimmerman, that let you extract the content of files like Amcache and Shimcache without changing or deleting them. This is very useful for forensic analysis and other investigations because it allows you to read these files without turning off the computer. Normally, these files can’t be accessed while the system is running, since they’re locked by the operating system.

However, these same tools can also be used by attackers who have access to the computer to gather information about programs, processes, and other activity. The following detection can help identify whether these tools have been used:

DeviceProcessEvents
// in~ makes the match case-insensitive; straight quotes are required by KQL
| where FileName in~ ("AppCompatCacheParser.exe", "AmcacheParser.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath, ProcessCommandLine

RegBack

As mentioned earlier, RegBack is disabled by default in Windows 10 and later. However, if you want to enable automatic registry backups again, you can do it manually with a few simple steps:

  1. Open Registry Editor (regedit.exe)
  2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager
  3. Create a new DWORD (32-bit) value named: EnablePeriodicBackup
  4. Set the value to 1
  5. Reboot the system

Or directly by command line:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager" /v EnablePeriodicBackup /t REG_DWORD /d 1 /f

So a detection for someone disabling or modifying the mentioned value through reg.exe would be:

DeviceProcessEvents
// Verbatim (@"...") string keeps the backslashes literal; straight quotes are required by KQL
| where FileName == "reg.exe" and ProcessCommandLine contains @"SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager"
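The reg.exe query above misses changes made through regedit, PowerShell, or direct registry API calls. The following query is an added example, not from the original post: it watches the same value in DeviceRegistryEvents regardless of which tool wrote it. The 14-day window is an assumption to tune.

```kql
// Added example (not from the original post): RegBack switch tampering via any tool.
// Assumption: 14-day lookback is a starting point to tune.
DeviceRegistryEvents
| where Timestamp > ago(14d)
// The event records the resolved ControlSet (e.g. ControlSet001) rather than CurrentControlSet,
// so match on the tail of the key path instead of the full HKLM\SYSTEM\CurrentControlSet prefix
| where RegistryKey contains @"Session Manager\Configuration Manager"
| where RegistryValueName =~ "EnablePeriodicBackup"
| where ActionType in ("RegistryValueSet", "RegistryValueDeleted")
// Deleting the value, or setting it to anything other than 1, turns periodic backups back off
| where ActionType == "RegistryValueDeleted" or RegistryValueData != "1"
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName,
          PreviousRegistryValueData, RegistryValueData,
          InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ReportId
| order by Timestamp desc
```

Pair this with the reg.exe query: a hit here with an InitiatingProcessFileName other than reg.exe shows the change path the process-based rule would have missed.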

Conclusion

Hackers often try to hide their tracks by deleting important system records like Amcache and Shimcache, or by turning off features like RegBack. These records help us understand what really happened during an attack. Even though newer versions of Windows don’t keep these backups by default, enabling them can give us another way to recover or investigate.

By keeping an eye on changes to these files and settings, we can spot early signs of ransomware or other threats, respond faster, and catch them!

Protecting the Evidence in Real-Time with KQL Queries was originally published in Detect FYI on Medium, where people are continuing the conversation by highlighting and responding to this story.


Article Link: Protecting the Evidence in Real-Time with KQL Queries | by Sergio Albea | Jul, 2025 | Detect FYI
