What is LinkDate in Amcache? (glossary)
LinkDate is the PE TimeDateStamp. The linker writes it into the binary at build time. Amcache reads it back from the PE header at inventory time. That is the whole story.
It is not a host-side timestamp. The host has nothing to do with this value. It travels with the binary. An attacker can set it to whatever they want, leave it at zero, or pick a date in 2007 to make the file look like an old, established piece of software. Plenty do.
The contrast with KeyLastWriteTimestamp#
| KeyLastWriteTimestamp | LinkDate | |
|---|---|---|
| Source | Registry metadata, written by appraiser | PE header, written by linker |
| Attacker controls it? | No | Yes |
| Answers | When did Amcache record this? | When was the binary built? |
| Good for | Host-side first-seen approximations | Build-campaign clustering |
| Resolution | Seconds | Seconds |
Confusing these two is the single most common Amcache mistake. The fix is to never, ever, use LinkDate to argue about when a binary appeared on a host. See Amcache timestamps explained for the long-form version.
What it is actually good for#
Build clustering#
Sort unsigned PEs by LinkDate. Look for 3-10 binaries stamped within the same day or hour. That is one attacker compiling their kit in one sitting and dropping it across one or more hosts. Strong campaign signal.
Import-Csv .\HOST_amcache_UnassociatedFileEntries.csv |
Where-Object { $_.IsPeFile -eq 'True' -and -not $_.Publisher } |
Sort-Object LinkDate |
Select LinkDate, Hash, FullPathBYOVD detection#
Drivers in DriverBinaries.csv with DriverTimeStamp from years ago but KeyLastWriteTimestamp from this week are the classic BYOVD shape. See the BYOVD glossary.
Build-process drift#
"Our CI builds always linkstamp Mondays at 03:00. This one is Tuesday at 14:00." Useful for catching when an internal build pipeline got nudged or compromised.
What it is not good for#
- First-seen-on-host time. Use
KeyLastWriteTimestamp. - Order of arrival. Two binaries with the same
LinkDatecan have arrived months apart. - Cryptographic identity. Many unrelated binaries share
LinkDatevalues, especially zero.
Related terms#
Related posts
- What is KeyLastWriteTimestamp in Amcache? (glossary)
The registry write time of the Amcache key. Closest thing to 'when the appraiser recorded this'. The single field new analysts most often confuse with LinkDate.
- What is Amcache ProgramId? (glossary)
ProgramId is the 44-character application-identity hash Amcache stores. Stable across hosts for the same install. Catches re-compiles and renames where Hash misses.
- What is Root\InventoryApplicationFile? (glossary)
The principal Amcache key. One sub-key per PE the appraiser inventoried, with hash, path, publisher, link date, and a registry write time. Where 90% of analyst time goes.
- What is Amcache FileId? (glossary)
FileId is '0000' plus the SHA-1 of the first 31 MiB of the file. Strip the prefix before you hit VirusTotal or you will silently get back nothing.