PSEXEC
Source
Event Logs
- security.evtx: 4648 – Logon specifying alternate credentials. Records the current logged-on User Name, the Alternate User Name, the Destination Host Name/IP and the Process Name.
Registry
- NTUSER.DAT: Software\SysInternals\PsExec\EulaAccepted
- ShimCache – SYSTEM: psexec.exe
- BAM/DAM – SYSTEM: Last Time Executed psexec.exe
- AmCache.hve: First Time Executed psexec.exe
File System
- Prefetch – C:\Windows\Prefetch\psexec.exe-{hash}.pf. Possible references to other files accessed by psexec.exe, such as executables copied to the target system with the “-c” option.
- File Creation: psexec.exe downloaded and created on the local host, as the file is not native to Windows.
Destination
Event Logs
- security.evtx: 4648 – Logon specifying alternate credentials. Records the Connecting User Name and the Process Name.
- security.evtx: 4624 – Logon Type 3 (and Type 2 if “-u” Alternate Credentials are used). Records the Source IP and the Logon User Name.
- security.evtx: 4672 – Logon by a user with administrative rights. Records the Logon User Name; administrative rights are a requirement for access to default shares such as C$ and ADMIN$.
- security.evtx: 5140 – Share Access. ADMIN$ share used by PsExec.
- system.evtx: 7045 – Service Install.
Registry
- New service creation configured in SYSTEM\CurrentControlSet\Services\PSEXESVC. The “-r” option can allow the attacker to rename the service.
- ShimCache – SYSTEM: psexesvc.exe
- AmCache.hve: First Time Executed psexesvc.exe
File System
- Prefetch – C:\Windows\Prefetch\psexesvc.exe-{hash}.pf and evil.exe-{hash}.pf
- File Creation: User profile directory structure created unless the “-e” option is used. psexesvc.exe will be placed in ADMIN$ (\Windows) by default, as well as other executables (evil.exe) pushed by PsExec.
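A small correlation of the destination-side artifacts above, written as an added example (not part of the original poster) and run over constructed sample events: a 7045 Service Install is flagged when it carries the default PSEXESVC name or binary, and, to cover the “-r” renamed-service case, when the service binary sits directly in the \Windows (ADMIN$) root shortly after a 5140 ADMIN$ share access. The event field names, the sample values and the 60-second pairing window are assumptions.

```python
"""Correlate constructed Windows event records for PsExec-style activity."""
from datetime import datetime, timedelta

# Constructed sample events (not real log data); field names are assumptions
# that mirror the Security/System event properties listed above.
EVENTS = [
    {"time": "2024-01-10T09:00:01", "id": 4624, "logon_type": 3,
     "user": "jdoe", "src_ip": "10.0.0.5"},
    {"time": "2024-01-10T09:00:02", "id": 5140, "share": r"\\*\ADMIN$",
     "user": "jdoe", "src_ip": "10.0.0.5"},
    {"time": "2024-01-10T09:00:03", "id": 7045, "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe"},
    # Service renamed with "-r": the name alone no longer gives PsExec away
    {"time": "2024-01-10T11:30:00", "id": 5140, "share": r"\\*\ADMIN$",
     "user": "svc_backup", "src_ip": "10.0.0.9"},
    {"time": "2024-01-10T11:30:04", "id": 7045, "service": "UpdaterSvc",
     "image": r"%SystemRoot%\UpdaterSvc.exe"},
    # Ordinary service install: own directory, no ADMIN$ access beforehand
    {"time": "2024-01-10T14:00:00", "id": 7045, "service": "GoodAgent",
     "image": r"C:\Program Files\Good\agent.exe"},
]
WINDOW = timedelta(seconds=60)  # assumed pairing window for 5140 -> 7045


def _in_windows_root(image):
    """True if the service binary sits directly in \\Windows (the ADMIN$ share)."""
    upper = image.upper().replace("/", "\\")
    for prefix in ("%SYSTEMROOT%\\", "C:\\WINDOWS\\"):
        if upper.startswith(prefix):
            return "\\" not in upper[len(prefix):]
    return False


def find_psexec_installs(events, window=WINDOW):
    """Return (service name, reason) for each 7045 Service Install that looks like PsExec."""
    ts = lambda e: datetime.fromisoformat(e["time"])
    admin_access = [ts(e) for e in events
                    if e["id"] == 5140 and e["share"].upper().endswith("ADMIN$")]
    hits = []
    for e in (e for e in events if e["id"] == 7045):
        if e["service"].upper() == "PSEXESVC" or e["image"].upper().endswith("PSEXESVC.EXE"):
            hits.append((e["service"], "default PSEXESVC name or binary"))
        # Renamed service, but the binary was still pushed into ADMIN$ (\Windows)
        # right after a 5140 ADMIN$ share access, so pair the two events.
        elif _in_windows_root(e["image"]) and any(
                timedelta(0) <= ts(e) - a <= window for a in admin_access):
            hits.append((e["service"], "binary in ADMIN$ root after 5140 ADMIN$ access"))
    return hits
```

Confirm any hit against the Prefetch, ShimCache and AmCache entries for the named binary before treating it as PsExec.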