Lateral Movement - Remote Execution Flashcards
Learn where to look for remote execution
(PsExec) Which event logs would you investigate further on an attacker computer?
1.) Security.evtx 4648
(PsExec) Which registry hive and artefacts would you investigate further on the attacker computer?
1.) NTUSER.dat (Software\SysInternals\PsExec\EulaAccepted)
2.) ShimCache - SYSTEM psexec.exe
3.) BAM/DAM - SYSTEM psexec.exe
4.) AmCache.hve - psexec.exe
(PsExec) Which file system artefacts would you investigate further on the attacker computer?
1.) Prefetch - C:\Windows\Prefetch\psexec.exe
(PsExec) Which event logs would you investigate further on the victim computer?
1.) Security.evtx 4624 (Logon type 3), 4672, 5140
2.) System.evtx 7045
(PsExec) Which registry artefacts would you investigate further on the victim computer?
1.) SYSTEM\CurrentControlSet\Services\PSEXESVC
2.) ShimCache - SYSTEM psexesvc.exe
3.) AmCache.hve - psexesvc.exe
(PsExec) Which file system artefacts would you investigate further on the victim computer?
1.) Prefetch - C:\Windows\Prefetch\psexesvc.exe
(Scheduled Tasks at.exe) Which event logs would you investigate further on the attacker computer?
1.) Security.evtx - 4648
(Scheduled Tasks at.exe) Which registry artefacts would you investigate further on the attacker computer?
1.) ShimCache - SYSTEM at.exe / schtasks.exe
2.) BAM/DAM - SYSTEM at.exe / schtasks.exe
3.) AmCache.hve - at.exe / schtasks.exe
(Scheduled Tasks at.exe) Which file system artefacts would you investigate further on the attacker computer?
1.) Prefetch - C:\Windows\Prefetch\ at.exe, schtasks.exe
(Scheduled Tasks at.exe) Which event logs would you investigate further on the victim computer?
1.) Security.evtx 4624 (Logon type 3), 4672, 4698, 4702, 4699, 4700
2.) MicrosoftWindowsTaskSchedulerMaintenance.evtx 106, 140, 141, 200
(Scheduled Tasks at.exe) Which registry artefacts would you investigate further on the victim computer?
1.) Software - Microsoft\Windows\NT\CurrentVersion\Schedule\TaskCache\Tasks
Microsoft\Windows\CurrentVersion\Schedule\TaskCache\Tree
2.) ShimCache - SYSTEM evil.exe
3.) AmCache.hve - evil.exe
(Scheduled Tasks at.exe) Which file system artefacts would you investigate further on the victim computer?
1.) File creation
2.) Job files created in C:\Windows\Tasks
3.) Prefetch - C:\Windows\Prefetch\evil.exe
(Services sc.exe) Which event logs would you investigate further on the attacker computer?
None
(Services sc.exe) Which registry artefacts would you investigate further on the attacker computer?
1.) ShimCache - SYSTEM sc.exe
2.) BAM/DAM - SYSTEM sc.exe
3.) AmCache.hve - sc.exe
(Services sc.exe) Which file system artefacts would you investigate further on the attacker computer?
1.) Prefetch - C:\Windows\Prefetch\sc.exe