Query Details

Detect Attempts To Modify Amcache.hve Or SYSTEM File

Query

**Detect Attempts to modify Amcache.hve or SYSTEM files**

**Description:** Amcache.hve is a Windows registry hive file that logs details about executed programs, including file paths, hashes, timestamps, and metadata. It helps reconstruct what was run on a system, even if the original file is gone.
Shimcache, on the other hand, is a memory-resident registry artifact that records executables seen or run by the system. It stores file paths and last-modified timestamps, making it useful for tracking historical program execution, even after deletion.
Attackers aware of forensic techniques could try to delete or alter these files to remove the evidence of their activity:

  • Deleting or wiping Amcache.hve
  • Overwriting or tampering with the SYSTEM hive to destroy Shimcache
  • Using tools like SDelete, cipher /w:, or direct registry access to tamper with logs

That’s why it’s critical to monitor for these kinds of actions in Defender XDR or Microsoft Sentinel environments using KQL.

```kql
DeviceFileEvents
| where (FileName contains "SYSTEM" and FolderPath contains "C:\\Windows\\System32\\config\\") or (FileName has "Amcache.hve")
| project Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, InitiatingProcessFileName, ReportId
```

Explanation

This KQL query is designed to detect attempts to modify two Windows registry hive files that are important for forensic investigations, "Amcache.hve" and "SYSTEM". Here's a simple breakdown of what the query does:

  1. Data Source: It reads the DeviceFileEvents table, which records file operations on onboarded devices.

  2. Target Files: The query filters for events involving:
    • The "SYSTEM" file located in the "C:\Windows\System32\config" directory.
    • The "Amcache.hve" file, regardless of its location.

  3. Purpose: These files are crucial for tracking program execution and system changes. Attackers might try to modify or delete these files to cover their tracks.

  4. Output: The query retrieves and displays specific details about any detected file events, including:
    • The time the event occurred (Timestamp).
    • The name of the device where the event took place (DeviceName).
    • The unique identifier for the device (DeviceId).
    • The name of the file involved (FileName).
    • The path to the file (FolderPath).
    • The type of action performed on the file (ActionType).
    • The name of the process that initiated the action (InitiatingProcessFileName).
    • A report identifier for further investigation (ReportId).

This query is useful for security monitoring in environments like Microsoft Defender XDR or Microsoft Sentinel, helping to identify and respond to potential tampering with forensic evidence.
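To make the filter logic concrete, and to show where it is noisy, the following is an added Python example (not the query author's code, and not a Microsoft API) that re-implements the `where` clause of the query above over a few constructed DeviceFileEvents-style rows. It also includes a tighter variant that matches the hive names exactly, checks the expected folders (the Amcache.hve default location `C:\Windows\AppCompat\Programs\` is a known Windows path; the folder-normalization helper assumes FolderPath may or may not carry the file name), and keeps only write-type ActionType values (`FileDeleted`, `FileModified`, `FileRenamed`). The sample rows, device names and timestamps are constructed.

```python
"""Re-implementation of the page's KQL predicate plus a tuned variant.
Added example, not the original page's code. Sample rows are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """Subset of DeviceFileEvents columns used by the query."""
    Timestamp: str
    DeviceName: str
    FileName: str
    FolderPath: str
    ActionType: str
    InitiatingProcessFileName: str


CONFIG_DIR = "C:\\Windows\\System32\\config\\"
AMCACHE_DIR = "C:\\Windows\\AppCompat\\Programs\\"   # default Amcache.hve location
TAMPER_ACTIONS = {"FileDeleted", "FileModified", "FileRenamed"}


def kql_contains(haystack: str, needle: str) -> bool:
    """KQL `contains` is a case-insensitive substring test."""
    return needle.lower() in haystack.lower()


def matches_page_query(ev: FileEvent) -> bool:
    """The page's `where` clause (`has` approximated as case-insensitive substring)."""
    system_hive = kql_contains(ev.FileName, "SYSTEM") and kql_contains(ev.FolderPath, CONFIG_DIR)
    amcache = kql_contains(ev.FileName, "Amcache.hve")
    return system_hive or amcache


def directory_of(ev: FileEvent) -> str:
    """Normalize FolderPath to a lower-case directory with trailing backslash.
    Assumption: FolderPath may already end with the file name; strip it if so."""
    path = ev.FolderPath.lower().rstrip("\\")
    name = ev.FileName.lower()
    if path.endswith("\\" + name):
        path = path[: -len(name) - 1]
    return path + "\\"


def matches_tuned_query(ev: FileEvent) -> bool:
    """Tighter variant: exact hive names, expected folder, write-type actions only.
    This drops noise such as the SYSTEM.LOG1 transaction log or RegBack copies."""
    if ev.ActionType not in TAMPER_ACTIONS:
        return False
    name, folder = ev.FileName.lower(), directory_of(ev)
    if name == "system" and folder == CONFIG_DIR.lower():
        return True
    if name == "amcache.hve" and folder == AMCACHE_DIR.lower():
        return True
    return False


# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    FileEvent("2025-07-29T10:00:00Z", "ws01", "Amcache.hve", AMCACHE_DIR, "FileDeleted", "cmd.exe"),
    FileEvent("2025-07-29T10:01:00Z", "ws01", "SYSTEM", CONFIG_DIR, "FileModified", "reg.exe"),
    FileEvent("2025-07-29T10:02:00Z", "ws02", "SYSTEM.LOG1", CONFIG_DIR, "FileModified", "System"),
    FileEvent("2025-07-29T10:03:00Z", "ws02", "SYSTEM", CONFIG_DIR + "RegBack\\", "FileCreated", "System"),
    FileEvent("2025-07-29T10:04:00Z", "ws03", "notes.txt", "C:\\Users\\a\\", "FileCreated", "notepad.exe"),
]


def run(predicate, events=SAMPLE_EVENTS):
    """Apply a predicate and return the projected rows, mirroring `| project`."""
    return [
        (ev.Timestamp, ev.DeviceName, ev.FileName, ev.ActionType, ev.InitiatingProcessFileName)
        for ev in events
        if predicate(ev)
    ]


if __name__ == "__main__":
    for label, pred in (("page query", matches_page_query), ("tuned query", matches_tuned_query)):
        print(label)
        for row in run(pred):
            print("  ", row)
```

Running the block shows the page's predicate returning four of the five constructed rows (including the SYSTEM.LOG1 write and the RegBack copy), while the tuned predicate returns only the Amcache.hve deletion and the SYSTEM hive modification. Whether the extra rows are noise or useful context depends on the environment; the point is that `contains` on "SYSTEM" is broad by design.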

Details


Sergio Albea

Released: July 29, 2025

Tables

DeviceFileEvents

Keywords

DeviceFileEvents, Timestamp, DeviceName, DeviceId, FileName, FolderPath, ActionType, InitiatingProcessFileName, ReportId

Operators

DeviceFileEvents, where, contains, and, or, has, project
