Psexec

PSEXEC Forensics

Notes from the DFSP episode on PSEXEC Forensics

Source system artifacts

• psexec.exe

• EULA in Registry, software hive

• Shim cache (only written on shutdown. Can use memory to capture)

• AMCACHE

• Prefetch

• MFT File creation date

Destination system artifacts

• psexecsvc.exe (though using psexec -r will change the service name)

• Event logs:

  • System Event ID 7045 (new service)

  • Security Event ID 4264 (logon)

  • Security Event ID 4672 (elevation of logon)

  • Security Event ID 4697 (service installed)

  • Security Event ID 5140 (access to a share)

• All child processes are run in session 0

• Named pipes and hidden admin shares used for communication

• Shim cache (only written on shutdown. Can capture memory to analyze)

• AMCACHE

• System hive > CurrentControlSet > Services

• Prefetch

• MFT File creation date

References

• DFSP - PSEXEC Forensics episode

PSEXEC ForensicsNetwork Security Ninja