ShimCache Flush

Detects actions that clear the local ShimCache and remove forensic evidence

Sigma rule

title: ShimCache Flush
id: b0524451-19af-4efa-a46f-562a977f792e
status: stable
description: Detects actions that clear the local ShimCache and remove forensic evidence
references:
    - https://medium.com/@blueteamops/shimcache-flush-89daff28d15e
author: Florian Roth (Nextron Systems)
date: 2021-02-01
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection1a:
        CommandLine|contains|all:
            - 'rundll32'
            - 'apphelp.dll'
    selection1b:
        CommandLine|contains:
            - 'ShimFlushCache'
            - '#250'
    selection2a:
        CommandLine|contains|all:
            - 'rundll32'
            - 'kernel32.dll'
    selection2b:
        CommandLine|contains:
            - 'BaseFlushAppcompatCache'
            - '#46'
    condition: ( selection1a and selection1b ) or ( selection2a and selection2b )
fields:
    - Image
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: high
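To show how the detection section above evaluates, here is an added example (not part of the rule page or the SigmaHQ project) that re-implements the rule's four selections and its condition in plain Python and runs them over a handful of constructed process_creation events. Sigma's `contains` modifier is case-insensitive, so the evaluator lower-cases the command line before matching; the event dictionaries and their values are constructed for illustration.

```python
"""Minimal evaluator for the ShimCache Flush Sigma rule's detection block.

Added example, not code from the rule page or SigmaHQ. The sample events
below are constructed for illustration only.
"""

# Encoded directly from the rule's detection section. Sigma string
# matching is case-insensitive, so everything is compared lower-cased.
SELECTION_1A_ALL = ("rundll32", "apphelp.dll")          # CommandLine|contains|all
SELECTION_1B_ANY = ("shimflushcache", "#250")            # CommandLine|contains
SELECTION_2A_ALL = ("rundll32", "kernel32.dll")         # CommandLine|contains|all
SELECTION_2B_ANY = ("baseflushappcompatcache", "#46")    # CommandLine|contains


def _contains_all(haystack: str, needles: tuple) -> bool:
    """Sigma `contains|all`: every listed substring must be present."""
    return all(n in haystack for n in needles)


def _contains_any(haystack: str, needles: tuple) -> bool:
    """Sigma `contains` with a list: any listed substring is enough."""
    return any(n in haystack for n in needles)


def matches_shimcache_flush(command_line: str) -> bool:
    """Evaluate: ( selection1a and selection1b ) or ( selection2a and selection2b )."""
    cl = command_line.lower()
    sel1 = _contains_all(cl, SELECTION_1A_ALL) and _contains_any(cl, SELECTION_1B_ANY)
    sel2 = _contains_all(cl, SELECTION_2A_ALL) and _contains_any(cl, SELECTION_2B_ANY)
    return sel1 or sel2


def find_alerts(events: list) -> list:
    """Return the events (dicts with a CommandLine field) that trigger the rule."""
    return [e for e in events if matches_shimcache_flush(e.get("CommandLine", ""))]


# Constructed sample process_creation events (Image/CommandLine/ParentCommandLine
# mirror the rule's `fields` list). Three should fire, two should not.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe apphelp.dll,ShimFlushCache",
     "ParentCommandLine": r"C:\Windows\System32\cmd.exe"},          # selection1a + 1b
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "RUNDLL32 kernel32.dll,#46",
     "ParentCommandLine": r"C:\Windows\System32\cmd.exe"},          # selection2a + 2b (ordinal, mixed case)
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe apphelp.dll,#250",
     "ParentCommandLine": "powershell.exe"},                        # selection1a + 1b (ordinal)
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL timedate.cpl",
     "ParentCommandLine": "explorer.exe"},                          # benign rundll32 use
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe apphelp.dll",
     "ParentCommandLine": "explorer.exe"},                          # selection1a only, no export
]


if __name__ == "__main__":
    for event in find_alerts(SAMPLE_EVENTS):
        print("ALERT ShimCache Flush:", event["CommandLine"])
```

Because the rule uses substring matching, the ordinal needles `#250` and `#46` also match longer ordinals such as `#2500` or `#460`; that is inherent to `contains` and is one reason the rule pairs each ordinal selection with a DLL-name selection rather than matching on the ordinal alone. When you tune this, check the `ParentCommandLine` field the rule exposes to separate interactive use from scripted execution.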
