home.social

#amcache_evilhunter — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #amcache_evilhunter, aggregated by home.social.

  1. 🛠️ Tool

    Opening: AmCache-EvilHunter is a command-line utility designed to parse offline Windows Amcache.hve registry hives and extract artifacts that indicate program execution and potentially suspicious executables. The tool targets forensic triage and incident-response workflows where rapid identification of executed binaries is required.

    Key Features:
    • Parse offline Amcache.hve and enumerate recorded executable artifacts
    • Filter records by date range and keyword search
    • Flag executables that match known suspicious patterns or lack a Publisher field
    • Integrate hash lookups with VirusTotal (VT_API_KEY) and Kaspersky OpenTIP (OPENTIP_API_KEY)
    • Export results to JSON or CSV for downstream analysis

    Technical Implementation:
    • The tool is implemented in Python 3.7+, relying on python-registry to read the Amcache hive and requests for API lookups.
    • Detection logic includes pattern matching on file paths, executable names, and metadata fields such as Publisher and Company.
    • Hash-based enrichment uses file SHA hashes extracted from Amcache records and submits them to configured external APIs, optionally filtering to only show files with detections.

    Use Cases:
    • Triage of a suspected host image to quickly identify recently executed binaries
    • Enrichment of forensic timelines with hash-based reputation data from VirusTotal and OpenTIP
    • Support for SOC workflows by exporting normalized CSV/JSON for SIEM ingestion or case management

    Installation / Setup:
    • Clone the repository and install Python dependencies from requirements.txt with pip3 install -r requirements.txt.
    • Configure VT_API_KEY and/or OPENTIP_API_KEY as environment variables to enable remote lookups.

    Limitations:
    • Accuracy depends on the completeness of the Amcache.hve file and the presence of stored hashes.
    • Remote API lookups are rate-limited and require valid keys; offline-only use still provides metadata-based detections.
    • Detection of “suspicious” files relies on pattern lists that may need tuning per environment.

    References:
    • Runtime requirements: Python 3.7+, requests, python-registry, rich

    🔹 #amcache #amcache_evilhunter #forensics #incident_response #tool

    🔗 Source: github.com/cristianzsh/amcache
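The post above describes the tool's workflow (parse the hive, flag entries with no Publisher or a suspicious path, filter by date and keyword, export JSON/CSV) without showing any code. The following is an added example written for this page, not AmCache-EvilHunter's own code, of that triage pipeline over Windows 10/11 `InventoryApplicationFile` entries. It assumes the value names `FileId` (SHA-1 with a `0000` prefix), `LowerCaseLongPath`, `Name` and `Publisher`, and uses each subkey's last-write time as the first-seen time; the suspicious-path patterns and system-binary list are hypothetical defaults, and the sample subkeys are constructed, not taken from a real hive. Reading a real `Amcache.hve` needs python-registry, which is imported only if present, so the detection and export parts run offline as-is.

```python
"""Added example (not AmCache-EvilHunter's code): triage of Amcache
InventoryApplicationFile entries. Assumed value names: FileId (SHA-1 with a
"0000" prefix), LowerCaseLongPath, Name, Publisher; subkey last-write time is
used as first-seen time. Pattern lists below are hypothetical defaults."""
import csv
import io
import json
import re
from datetime import datetime, timezone

try:  # python-registry is only needed to read a real hive
    from Registry import Registry
except ImportError:  # detection and export still work on pre-built records
    Registry = None

AMCACHE_KEY = "Root\\InventoryApplicationFile"
FIELDS = ("key_time", "path", "name", "publisher", "sha1", "flags")

# Hypothetical default patterns; tune these per environment.
SUSPICIOUS_PATH_RES = [re.compile(p) for p in (
    r"\\users\\[^\\]+\\appdata\\local\\temp\\",
    r"\\windows\\temp\\",
    r"\\users\\public\\",
    r"\\\$recycle\.bin\\",
    r"\\perflogs\\",
)]
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.exe$")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                "wininit.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def triage_flags(rec):
    """Metadata-only checks; no API key needed."""
    flags = []
    if not rec["publisher"]:
        flags.append("no_publisher")
    if any(r.search(rec["path"]) for r in SUSPICIOUS_PATH_RES):
        flags.append("suspicious_path")
    if DOUBLE_EXT_RE.search(rec["path"]):
        flags.append("double_extension")
    if rec["name"] in SYSTEM_NAMES and not rec["path"].startswith(SYSTEM_DIRS):
        flags.append("system_name_outside_system_dir")
    return flags


def normalize_record(values, key_time):
    """Flatten one subkey (value-name -> value dict, last-write time) into a record."""
    if key_time.tzinfo is None:  # python-registry returns naive UTC timestamps
        key_time = key_time.replace(tzinfo=timezone.utc)
    file_id = str(values.get("FileId", "")).lower()
    # Strip the "0000" prefix so the SHA-1 can be submitted to VT/OpenTIP as-is.
    sha1 = file_id[4:] if file_id.startswith("0000") and len(file_id) == 44 else file_id
    path = str(values.get("LowerCaseLongPath", "")).lower()
    name = str(values.get("Name") or "").lower() or path.rsplit("\\", 1)[-1]
    rec = {"key_time": key_time, "path": path, "name": name,
           "publisher": str(values.get("Publisher") or "").strip(), "sha1": sha1}
    rec["flags"] = triage_flags(rec)
    return rec


def load_records_from_hive(hive_path):
    """Read an offline Amcache.hve with python-registry (not exercised offline)."""
    if Registry is None:
        raise RuntimeError("pip3 install python-registry to parse a hive")
    key = Registry.Registry(hive_path).open(AMCACHE_KEY)
    return [normalize_record({v.name(): v.value() for v in sub.values()}, sub.timestamp())
            for sub in key.subkeys()]


def filter_records(records, since=None, until=None, keyword=None, only_flagged=False):
    """Date-range, keyword and flagged-only filters, like the tool's CLI options."""
    out = []
    for rec in records:
        if (since and rec["key_time"] < since) or (until and rec["key_time"] > until):
            continue
        haystack = " ".join((rec["path"], rec["name"], rec["publisher"].lower()))
        if keyword and keyword.lower() not in haystack:
            continue
        if only_flagged and not rec["flags"]:
            continue
        out.append(rec)
    return out


def _row(rec):
    row = dict(rec)
    row["key_time"] = rec["key_time"].isoformat()
    row["flags"] = ";".join(rec["flags"])
    return row


def to_json(records):
    return json.dumps([_row(r) for r in records], indent=2)


def to_csv(records):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(_row(r) for r in records)
    return buf.getvalue()


# Constructed sample subkeys (not from a real hive): (last-write time, values).
SAMPLE_SUBKEYS = [
    (datetime(2024, 1, 10, 8, 0, tzinfo=timezone.utc), {
        "FileId": "0000" + "a" * 40, "Name": "cmd.exe",
        "LowerCaseLongPath": "c:\\windows\\system32\\cmd.exe",
        "Publisher": "Microsoft Corporation"}),
    (datetime(2024, 3, 5, 14, 30, tzinfo=timezone.utc), {
        "FileId": "0000" + "b" * 40, "Name": "invoice.pdf.exe",
        "LowerCaseLongPath": "c:\\users\\alice\\appdata\\local\\temp\\invoice.pdf.exe"}),
    (datetime(2024, 3, 20, 9, 15, tzinfo=timezone.utc), {
        "FileId": "0000" + "c" * 40, "Name": "svchost.exe",
        "LowerCaseLongPath": "c:\\users\\public\\svchost.exe", "Publisher": ""}),
]


def sample_records():
    return [normalize_record(values, ts) for ts, values in SAMPLE_SUBKEYS]


def demo():
    """Flagged executables first seen from 1 March 2024 onward."""
    since = datetime(2024, 3, 1, tzinfo=timezone.utc)
    return filter_records(sample_records(), since=since, only_flagged=True)


if __name__ == "__main__":
    print(to_csv(demo()))
```

Two practitioner caveats the code makes visible: the subkey last-write time is a first-seen approximation, not proof of execution, so corroborate hits with Prefetch, Shimcache or event logs before reporting them; and the `sha1` column is exactly what the post's VirusTotal/OpenTIP enrichment would submit, so a record with no `FileId` yields an empty hash and can only be judged on metadata.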