Attackers may flush the Shimcache (AppCompatCache), which records the path and last-modified timestamp of executables the application-compatibility subsystem has seen, in order to remove evidence of program execution and evade detection. This is a defense-evasion and anti-forensic tactic: once the in-memory cache is flushed, the execution history it held is unavailable to later forensic analysis. SOC teams should proactively hunt for this behavior in Azure Sentinel so the activity is caught while other artifacts of the intrusion are still intact. Note that the query only catches flushes hosted by rundll32.exe; a tool that calls ShimFlushCache or BaseFlushAppcompatCache directly will not match it.
KQL Query

```kusto
DeviceProcessEvents
| where FileName has "Rundll32.exe"
| where ((ProcessCommandLine has_any("ShimFlushCache","BaseFlushAppcompatCache"))
    or (ProcessCommandLine has_any (@"#250",@"#46") and ProcessCommandLine has_any ("apphelp.dll","kernel32.dll"))) // checking for ordinals as well
```
```yaml
id: cd90d859-0d8f-458e-9d96-7f2945fe87a6
name: shimcache-flushed
description: |
  This query searches for attempts to flush Shimcache, which may indicate anti-forensic or defense evasion activity by an attacker.
  Author: Vaasudev_Kala
  Ref: https://blueteamops.medium.com/shimcache-flush-89daff28d15e
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1112
query: |
  DeviceProcessEvents
  | where FileName has "Rundll32.exe"
  | where ((ProcessCommandLine has_any("ShimFlushCache","BaseFlushAppcompatCache"))
      or (ProcessCommandLine has_any (@"#250",@"#46") and ProcessCommandLine has_any ("apphelp.dll","kernel32.dll"))) // checking for ordinals as well
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task flushes Shimcache as part of a system cleanup or update process.
Filter/Exclusion: Check the execution context of the rundll32.exe event itself, since that is the row the query returns; a filter on process.name == "cmd.exe" can never apply to it. A process started by Task Scheduler has InitiatingProcessFileName svchost.exe (the Schedule service), not schtasks.exe, which only registers or triggers tasks; if the task wraps the flush in a batch script, the parent of rundll32.exe is cmd.exe. Exclude only tasks you have documented (the task name Cleanup-System-Files below is a placeholder).
Example Filter: | where not (InitiatingProcessFileName =~ "cmd.exe" and InitiatingProcessCommandLine has "Cleanup-System-Files")
Scenario: User-Initiated Shimcache Flush via PowerShell
Description: An administrator manually flushes Shimcache from PowerShell to resolve an application compatibility issue.
Filter/Exclusion: Windows ships no cmdlet for this, so a script either launches rundll32.exe (which the query sees, with InitiatingProcessFileName powershell.exe) or calls the export directly via P/Invoke (which the query does not see). Filter by a specific, known administrative account rather than the generic "Administrator" context, and by the name of the approved script; Set-ShimCache below is a placeholder for such a script, not a built-in command.
Example Filter: | where not (InitiatingProcessFileName =~ "powershell.exe" and InitiatingProcessCommandLine has "Set-ShimCache")
Scenario: Group Policy Object (GPO) Deployment
Description: A Group Policy startup or logon script includes a Shimcache flush as part of a policy change affecting application behavior.
Filter/Exclusion: gpupdate.exe only refreshes policy and gpmc.msc is an MMC snap-in hosted by mmc.exe, so neither launches rundll32.exe; GPO scripts run under gpscript.exe. Correlate the rundll32.exe event with that parent and with the change record for the GPO in question before excluding it.
Example Filter: | where not (InitiatingProcessFileName =~ "gpscript.exe")
Scenario: Antivirus or Security Software Update
Description: An antivirus or endpoint protection product clears the Shimcache as part of its update process.
Filter/Exclusion: Filter by the product's known processes (avgnt.exe, mcafee.exe and bitdefender.exe are illustrative names; take the real ones from the vendor's documentation) and check for concurrent update-related activity. Match the parent on its full InitiatingProcessFolderPath or signer rather than on the file name alone, since an attacker can name a binary anything.
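The query predicate and the scheduled-task exclusion above, re-implemented in Python and run over constructed DeviceProcessEvents-style records so the tuning logic can be checked offline. This is an added example, not part of the original rule or the referenced blog post; the `has` function only approximates KQL term matching, and the allowlist entry, account names and sample command lines are hypothetical.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Subset of the DeviceProcessEvents columns the query and the tuning filters use."""
    FileName: str
    ProcessCommandLine: str
    InitiatingProcessFileName: str
    InitiatingProcessCommandLine: str
    AccountName: str


def _term_list(text: str) -> list:
    # Approximation of KQL term extraction: case-insensitive runs of
    # alphanumerics; punctuation such as '#', '.' and ',' is a separator.
    return [t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)]


def has(text: str, phrase: str) -> bool:
    """Approximate KQL `has`: the phrase's terms appear as a consecutive run of
    whole terms in text, so "Shim" does not match "ShimFlushCache"."""
    t, p = _term_list(text), _term_list(phrase)
    if not p:
        return False
    return any(t[i:i + len(p)] == p for i in range(len(t) - len(p) + 1))


def has_any(text: str, phrases) -> bool:
    return any(has(text, p) for p in phrases)


# Same selectors as the KQL query on the page.
EXPORTS = ("ShimFlushCache", "BaseFlushAppcompatCache")
ORDINALS = ("#250", "#46")  # export ordinals the page lists
DLLS = ("apphelp.dll", "kernel32.dll")


def is_shimcache_flush(ev: ProcessEvent) -> bool:
    """Port of the query predicate: rundll32 calling a flush export by name,
    or an ordinal together with one of the two DLLs."""
    if not has(ev.FileName, "Rundll32.exe"):
        return False
    cmd = ev.ProcessCommandLine
    return has_any(cmd, EXPORTS) or (has_any(cmd, ORDINALS) and has_any(cmd, DLLS))


# Hypothetical allowlist for the scheduled-maintenance scenario: a documented
# wrapper script run as SYSTEM. Replace with the parent/account pairs actually
# observed for your own approved tasks.
ALLOWLIST = [
    {"parent": "cmd.exe", "account": "system", "parent_cmd": "Cleanup-System-Files"},
]


def is_allowlisted(ev: ProcessEvent) -> bool:
    return any(
        ev.InitiatingProcessFileName.lower() == a["parent"]
        and ev.AccountName.lower() == a["account"]
        and has(ev.InitiatingProcessCommandLine, a["parent_cmd"])
        for a in ALLOWLIST
    )


def hunt(events):
    """Rows the tuned rule would return: query hits minus allowlisted ones."""
    return [ev for ev in events if is_shimcache_flush(ev) and not is_allowlisted(ev)]


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent("rundll32.exe", "rundll32.exe apphelp.dll,ShimFlushCache", "cmd.exe", "cmd.exe /c whoami", "jdoe"),
    ProcessEvent("rundll32.exe", "rundll32.exe kernel32.dll,#46", "powershell.exe", "powershell.exe", "jdoe"),
    ProcessEvent("rundll32.exe", 'rundll32.exe "C:\\Windows\\System32\\apphelp.dll",#250', "cmd.exe", "cmd.exe", "jdoe"),
    ProcessEvent("rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL intl.cpl", "explorer.exe", "explorer.exe", "jdoe"),
    ProcessEvent("rundll32.exe", "rundll32.exe apphelp.dll,ShimFlushCache", "cmd.exe", 'cmd.exe /c "C:\\Scripts\\Cleanup-System-Files.cmd"', "system"),
    ProcessEvent("cmd.exe", "cmd.exe /c echo ShimFlushCache", "explorer.exe", "explorer.exe", "jdoe"),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"ALERT {ev.AccountName}: {ev.InitiatingProcessFileName} -> {ev.ProcessCommandLine}")
```

Running it flags the three user-context flushes (export by name, ordinal plus kernel32.dll, ordinal plus a full apphelp.dll path), ignores the Control Panel rundll32 launch and the cmd.exe row that merely mentions the export name, and suppresses the SYSTEM-context flush whose parent matches the allowlisted wrapper script.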