Detecting PsExec Usage

Science & Technology

In this episode, we're going to look at a variety of methods you can use to determine whether or not a system was the recipient of a PsExec connection. While you may already be familiar with some of these detections, there's a good chance you haven't seen them all!
** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
📖 Chapters
00:00 - Intro
03:03 - Demo 1
05:09 - Event Log Analysis 1
09:01 - Demo 2
09:56 - Event Log Analysis 2
10:56 - Shimcache Analysis
15:46 - The Key to Identify PsExec
17:55 - Prefetch Analysis
21:38 - Recap
🛠 Resources
The Key to Identify PsExec:
aboutdfir.com/the-key-to-iden...
Prefetch Deep Dive:
• Prefetch Deep Dive
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics

Comments: 20

  • @KenPryor
    @KenPryor 11 months ago

    Very useful information! I've been working and studying to get back into forensics after a few years away and your videos are very helpful.

  • @tg7943
    @tg7943 11 months ago

    Awesome as always!

  • @user-wc1ze6mz7q
    @user-wc1ze6mz7q 11 months ago

    Thanks for the quality videos)

  • @prabhatjoshi602
    @prabhatjoshi602 11 months ago

    Good content. Thanks a lot for this.

  • @cybersamurai99
    @cybersamurai99 9 months ago

    fantastic info thank you!

  • @ciaobello1261
    @ciaobello1261 10 months ago

    Very nice tutorial. Thanks for it 👍👍

  • @ciaobello1261
    @ciaobello1261 10 months ago

    What I am also wondering: do you also have a tutorial which discusses topics like forensic analysis on multiple hosts? For example, if I have 20 hosts to analyse. Do you have a tool which helps you to collect and then analyse the artefacts?

  • @13Cubed
    @13Cubed 10 months ago

    Check out the Introduction to Kansa episode -- that might be of interest. Also perhaps Introduction to KAPE. If helpful, a full episode guide is available at 13cubed.com/episodes.

  • @ciaobello1261
    @ciaobello1261 10 months ago

    @@13Cubed Thanks a lot for your advice.

  • @CatSmiling
    @CatSmiling 10 months ago

    superb

  • @havyj1
    @havyj1 3 months ago

    Awesome clip. I was having trouble understanding the whole PsExec thing; your video cleared so many things up. But I have a question: you need target system credentials or some sort of hash to use PsExec against it, right?

  • @13Cubed
    @13Cubed 3 months ago

    I'm not sure I understand the question. Are you asking what credentials you would need to use PsExec against a target system? Local admin rights would typically be required.

  • @havyj1
    @havyj1 3 months ago

    @@13Cubed In an Active Directory environment, most of the users are standard users with non-admin privileges, so you have to access some kind of privileged account. In a p2p scenario what you said makes sense, but what if you compromise a system which doesn't have admin privileges?

  • @13Cubed
    @13Cubed 3 months ago

    You have to elevate your permissions. PsExec works by installing a service on the target system to facilitate execution of the commands, and that requires admin privileges.
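The service install that 13Cubed describes in the reply above is also what makes PsExec visible on the target: the Service Control Manager writes a System log Event ID 7045 ("A service was installed in the system") when PSEXESVC is registered, and running the dropped binary leaves a Prefetch file, which is what the episode's Event Log Analysis and Prefetch Analysis chapters walk through. The following is an added example, not code from the episode or from Sysinternals. It parses constructed Event ID 7045 records in EventLog XML form (the shape Get-WinEvent's ToXml() or an EVTX parser produces), flags the default PSEXESVC service, applies a heuristic of my own (an assumption, not something the page states) for a service renamed with PsExec's -r switch, and then correlates the flagged executables with Prefetch file names. All sample events and file names are constructed.

```python
"""Flag PsExec target-side artifacts: the PSEXESVC service install (System
log Event ID 7045) and the matching Prefetch file.

Added illustration, not code from the 13Cubed episode. Events are
constructed EventLog XML records; real input would come from the System
log (Get-WinEvent) or from an exported EVTX file.
"""
import re
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (hypothetical hosts and timestamps, not real data).
SAMPLE_7045 = [
    # Default PsExec: service PSEXESVC, binary copied to %SystemRoot% over ADMIN$.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
<TimeCreated SystemTime="2024-03-04T10:15:02Z"/><Computer>WS01.corp.local</Computer></System>
<EventData><Data Name="ServiceName">PSEXESVC</Data>
<Data Name="ImagePath">%SystemRoot%\PSEXESVC.exe</Data>
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSystem</Data></EventData></Event>""",
    # PsExec run with -r updsvc: the operator chose the name, but the service
    # name and the %SystemRoot%\<name>.exe binary still mirror each other.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
<TimeCreated SystemTime="2024-03-04T10:21:47Z"/><Computer>WS01.corp.local</Computer></System>
<EventData><Data Name="ServiceName">updsvc</Data>
<Data Name="ImagePath">%SystemRoot%\updsvc.exe</Data>
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">demand start</Data>
<Data Name="AccountName">LocalSystem</Data></EventData></Event>""",
    # Ordinary software install; must not be flagged.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager"/><EventID>7045</EventID>
<TimeCreated SystemTime="2024-03-04T11:02:10Z"/><Computer>WS01.corp.local</Computer></System>
<EventData><Data Name="ServiceName">AcmeUpdater</Data>
<Data Name="ImagePath">"C:\Program Files\Acme\AcmeUpdater.exe"</Data>
<Data Name="ServiceType">user mode service</Data>
<Data Name="StartType">auto start</Data>
<Data Name="AccountName">LocalSystem</Data></EventData></Event>""",
    # A non-7045 System event; the parser must skip it.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Service Control Manager"/><EventID>7036</EventID>
<TimeCreated SystemTime="2024-03-04T11:02:11Z"/><Computer>WS01.corp.local</Computer></System>
<EventData><Data Name="param1">AcmeUpdater</Data><Data Name="param2">running</Data></EventData></Event>""",
]

# Constructed Prefetch directory listing (C:\Windows\Prefetch). The 8 hex
# characters after the executable name are the Prefetch path hash.
SAMPLE_PREFETCH = [
    "PSEXESVC.EXE-AD70946C.pf",
    "NOTEPAD.EXE-D8414F97.pf",
    "UPDSVC.EXE-1A2B3C4D.pf",
]

PREFETCH_RE = re.compile(r"^(.+)-[0-9A-F]{8}\.pf$", re.IGNORECASE)
# Heuristic (assumption): PsExec always drops the service binary directly in
# %SystemRoot%, and with -r the binary is named after the service.
RENAMED_RE = re.compile(r"%SystemRoot%\\([^\\]+)\.exe$", re.IGNORECASE)


def parse_7045(xml_text):
    """Return the EventData of a 7045 record as a dict, or None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=EVT_NS) != "7045":
        return None
    rec = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}
    rec["TimeCreated"] = root.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime")
    rec["Computer"] = root.findtext("e:System/e:Computer", namespaces=EVT_NS)
    return rec


def classify(rec):
    """Label a 7045 record as PsExec-like, or return None."""
    name, path = rec.get("ServiceName", ""), rec.get("ImagePath", "")
    if name.upper() == "PSEXESVC":
        return "psexec-default-name"
    m = RENAMED_RE.search(path)
    if m and m.group(1).lower() == name.lower():
        return "psexec-renamed-candidate"   # review manually: -r style install
    return None


def prefetch_hits(prefetch_names, extra_exes=()):
    """Prefetch files for PSEXESVC.EXE plus any executables passed in."""
    wanted = {"PSEXESVC.EXE", *(e.upper() for e in extra_exes)}
    hits = []
    for fname in prefetch_names:
        m = PREFETCH_RE.match(fname)
        if m and m.group(1).upper() in wanted:
            hits.append(fname)
    return hits


def find_psexec(events_xml, prefetch_names):
    """Correlate 7045 service installs with Prefetch; returns both finding lists."""
    services = []
    for xml_text in events_xml:
        rec = parse_7045(xml_text)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            services.append({"time": rec["TimeCreated"], "host": rec["Computer"],
                             "service": rec["ServiceName"], "image": rec["ImagePath"],
                             "label": label})
    # Executable basename of each flagged service, so a renamed binary's
    # Prefetch file is picked up as well.
    exes = [s["image"].strip('"').rsplit("\\", 1)[-1] for s in services]
    return {"services": services, "prefetch": prefetch_hits(prefetch_names, exes)}


if __name__ == "__main__":
    for kind, items in find_psexec(SAMPLE_7045, SAMPLE_PREFETCH).items():
        for item in items:
            print(kind, item)
```

Treat the renamed-service heuristic as a lead, not a verdict: any tool that installs its binary straight into %SystemRoot% under the service name would match, so confirm with the other artifacts the episode covers (Shimcache, the Prefetch file's own timestamps, and the source-side registry key). Also note that Prefetch is not enabled by default on Windows Server editions, so the Prefetch leg of the correlation may legitimately come back empty there.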

  • @SkipToPlay
    @SkipToPlay 11 months ago

    Thank you! I would also be interested in a video about CrackMapExec / Impacket.

  • @13Cubed
    @13Cubed 11 months ago

    Impacket has been done -- check out kzread.info/dash/bejne/h4Gjyc-eY9WqgqQ.html (and the two cheat sheets).

  • @SkipToPlay
    @SkipToPlay 11 months ago

    @@13Cubed That's right, I even commented there. I think I need to rewatch a few videos. :D ty!

  • @vidyasagar285
    @vidyasagar285 11 months ago

    And please make the font bigger, on mobile devices it is too small.

  • @errolgannon3152
    @errolgannon3152 11 months ago

    Your tutorials are excellent, but please turn off that annoying background music. It's very distracting.

  • @13Cubed
    @13Cubed 11 months ago

    Lol ok, noted. First complaint I've received :)
