Detecting PsExec Usage
In this episode, we're going to look at a variety of methods you can use to determine whether or not a system was the recipient of a PsExec connection. While you may already be familiar with some of these detections, there's a good chance you haven't seen them all!
** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
📖 Chapters
00:00 - Intro
03:03 - Demo 1
05:09 - Event Log Analysis 1
09:01 - Demo 2
09:56 - Event Log Analysis 2
10:56 - Shimcache Analysis
15:46 - The Key to Identify PsExec
17:55 - Prefetch Analysis
21:38 - Recap
🛠 Resources
The Key to Identify PsExec:
aboutdfir.com/the-key-to-iden...
Prefetch Deep Dive:
• Prefetch Deep Dive
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
Comments: 20
Very useful information! I've been working and studying to get back into forensics after a few years away and your videos are very helpful.
Awesome as always!
Thanks for the quality videos)
Good content. Thanks a lot for this.
fantastic info thank you!
Very nice tutorial. Thanks for it 👍👍
@ciaobello1261
10 months ago
What I'm also wondering: do you also have a tutorial which discusses topics like forensic analysis on multiple hosts? For example, if you have 20 hosts to analyse. Do you have a tool which helps you to collect and then analyse the artefacts?
@13Cubed
10 months ago
Check out the Introduction to Kansa episode -- that might be of interest. Also perhaps Introduction to KAPE. If helpful, a full episode guide is available at 13cubed.com/episodes.
@ciaobello1261
10 months ago
@13Cubed thanks a lot for your advice
superb
Awesome clip. I was having trouble understanding the whole PsExec thing; your video cleared so many things up. But I have a question: you need target system credentials or some sort of hash to use PsExec against it, right?
@13Cubed
3 months ago
I'm not sure I understand the question. Are you asking what credentials you would need to use PsExec against a target system? Local admin rights would typically be required.
@havyj1
3 months ago
@13Cubed In an Active Directory environment, most of the users are standard users with non-admin privileges, so you have to access some kind of privileged account. In a p2p scenario what you said makes sense, but what if you compromise a system which doesn't have admin privileges?
@13Cubed
3 months ago
You have to elevate your permissions. PsExec works by installing a service on the target system to facilitate execution of the commands, and that requires admin privileges.
Thank you! I would also be interested in a video about CrackMapExec / Impacket.
@13Cubed
11 months ago
Impacket has been done -- check out kzread.info/dash/bejne/h4Gjyc-eY9WqgqQ.html (and the two cheat sheets).
@SkipToPlay
11 months ago
@13Cubed That's right, I even commented there. I think I need to rewatch a few videos. :D ty!
And please make the font bigger, on mobile devices it is too small.
Your tutorials are excellent, but please turn off that annoying background music. It's very distracting.
@13Cubed
11 months ago
Lol ok, noted. First complaint I've received :)