F037 · HIGH · Inconclusive · validator: passed
PsExec service artifact in registry and amcache (Lateral Movement / Admin Tooling)
Service: PSEXESVC, Registry keys: HKLM\System\ControlSet*\Services\PSEXESVC
Analyst narrative
PSEXESVC.exe service registered in HKLM\System\ControlSet001\Services\PSEXESVC and ControlSet002 with ImagePath pointing to C:\Windows\PSEXESVC.exe. SHA1 hash e50d9e3bd91908e13a26b3e23edeaf577fb3a095 detected in amcache. Candidates: cand-0009, cand-0097, cand-0098. Fact IDs: registry_persistence_fact-0000862, registry_persistence_fact-0000863, registry_persistence_fact-0000864, registry_persistence_fact-0000865, registry_persistence_fact-0002458.
Claims asserted
path: C:\Windows\PSEXESVC.exe · parse_registry_persistence, get_amcache
Proof chain · 3 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
appcompatcache execution fact
appcompatcache:sysvol/windows/psexesvc.exe · run_appcompatcacheparser
Raw tool output · 258d3cee2da944bac847c7b578d5a57ba02ee4ba
{"ControlSet": "1", "CacheEntryPosition": "45", "Path": "SYSVOL\\Windows\\PSEXESVC.exe", "LastModifiedTimeUTC": "2018-09-04 22:51:49", "Executed": "Yes", "Duplicate": "False", "SourceFile": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM"}
appcompatcache execution fact
appcompatcache:sysvol/windows/psexesvc.exe · run_appcompatcacheparser
Raw tool output · 2b7ea7ef1e3d51d87b4e15234a26862fbc0e5dc2
{"ControlSet": "2", "CacheEntryPosition": "45", "Path": "SYSVOL\\Windows\\PSEXESVC.exe", "LastModifiedTimeUTC": "2018-09-04 22:51:49", "Executed": "Yes", "Duplicate": "True", "SourceFile": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM"}
file execution fact
sha1:e50d9e3bd91908e13a26b3e23edeaf577fb3a095 · get_amcache
Raw tool output · 819f7338c8913a495061f6bb9de3e98b373d6b4c
{"path": "C:\\Windows\\PSEXESVC.exe", "sha1": "e50d9e3bd91908e13a26b3e23edeaf577fb3a095", "first_run": "", "publisher": null, "file_size": null}
Source tools
extract_mft_timeline, get_amcache, parse_registry_persistence, run_appcompatcacheparser
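The proof chain above joins claims to the typed facts that validated them and to the tools that produced those facts. The following is an added example, not this platform's finding_trace() implementation, showing how that join is built from raw tool output: it normalises the three path spellings the sources use (the ShimCache SYSVOL prefix, the \??\ NT prefix and the %SystemRoot% form a service ImagePath usually carries), collects the path and sha1 claims, assembles the chain, and records the two caveats a reviewer would want next to this finding (ShimCache LastModifiedTimeUTC is the file's modification time, not an execution time; Amcache's SHA-1 covers at most the first 30 MiB of a file). The fact records are constructed: the appcompatcache and amcache records reuse the page's raw output with the raw-output hashes as ids, while the two registry_persistence records, the SYSTEM_ROOT value, the build_finding() schema and the severity rule are assumptions.

```python
"""Correlate PsExec service artifacts into a finding with a proof chain.

Added example, not the page's own tooling. Fact records are constructed to
mirror the page's facts; the registry_persistence fact contents, the
build_finding() schema and the severity rule are assumptions.
"""
import hashlib
import ntpath
import re

SYSTEM_ROOT = "C:\\Windows"      # assumption: %SystemRoot% on the imaged host
AMCACHE_HASH_LIMIT = 31_457_280  # Amcache hashes at most the first 30 MiB of a file

# Constructed facts. The appcompatcache/amcache records reuse the page's raw
# output and hashes as ids; the two registry facts have hypothetical contents.
FACTS = [
    {"fact_id": "registry_persistence_fact-0000862", "type": "registry_service",
     "tool": "parse_registry_persistence",
     "data": {"ControlSet": "ControlSet001", "Service": "PSEXESVC",
              "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}},
    {"fact_id": "registry_persistence_fact-0000863", "type": "registry_service",
     "tool": "parse_registry_persistence",
     "data": {"ControlSet": "ControlSet002", "Service": "PSEXESVC",
              "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}},
    {"fact_id": "258d3cee2da944bac847c7b578d5a57ba02ee4ba", "type": "appcompatcache_execution",
     "tool": "run_appcompatcacheparser",
     "data": {"ControlSet": "1", "CacheEntryPosition": "45", "Path": "SYSVOL\\Windows\\PSEXESVC.exe",
              "LastModifiedTimeUTC": "2018-09-04 22:51:49", "Executed": "Yes", "Duplicate": "False"}},
    {"fact_id": "2b7ea7ef1e3d51d87b4e15234a26862fbc0e5dc2", "type": "appcompatcache_execution",
     "tool": "run_appcompatcacheparser",
     "data": {"ControlSet": "2", "CacheEntryPosition": "45", "Path": "SYSVOL\\Windows\\PSEXESVC.exe",
              "LastModifiedTimeUTC": "2018-09-04 22:51:49", "Executed": "Yes", "Duplicate": "True"}},
    {"fact_id": "819f7338c8913a495061f6bb9de3e98b373d6b4c", "type": "file_execution",
     "tool": "get_amcache",
     "data": {"path": "C:\\Windows\\PSEXESVC.exe", "sha1": "e50d9e3bd91908e13a26b3e23edeaf577fb3a095",
              "first_run": "", "publisher": None, "file_size": None}},
]


def normalize_path(path):
    """Canonicalise the path spellings the three artifact sources use."""
    p = path.strip().strip('"')
    p = re.sub(r"^\\\?\?\\", "", p)                              # \??\C:\x -> C:\x
    p = re.sub(r"^SYSVOL(?=\\)", "C:", p, flags=re.I)             # ShimCache system-volume prefix
    p = re.sub(r"%SystemRoot%", lambda m: SYSTEM_ROOT, p, flags=re.I)
    return p.lower()


def amcache_sha1(blob):
    """SHA-1 the way Amcache records it: over at most the first 30 MiB.
    Use this, not a plain full-file hash, when comparing an extracted binary
    against the amcache fact, or large files will never match."""
    return hashlib.sha1(blob[:AMCACHE_HASH_LIMIT]).hexdigest()


def build_finding(facts, target="psexesvc.exe"):
    """Join every fact about `target` into one finding with its proof chain."""
    claims, chain, execution, paths = {}, [], set(), set()
    for f in facts:
        d = f["data"]
        if f["type"] == "registry_service":
            if d["Service"].lower() != ntpath.splitext(target)[0]:
                continue
            path = normalize_path(d["ImagePath"])
            claims.setdefault("service", d["Service"])
            key = f"HKLM\\System\\{d['ControlSet']}\\Services\\{d['Service']}"
        elif f["type"] == "appcompatcache_execution":
            path = normalize_path(d["Path"])
            if ntpath.basename(path) != target:
                continue
            # The insert flag exists only in the Win7/2008R2 ShimCache format;
            # later formats carry none, so presence alone is not proof of execution.
            if d.get("Executed") == "Yes":
                execution.add("appcompatcache")
            key = f"appcompatcache:{path} (ControlSet {d['ControlSet']}, dup={d['Duplicate']})"
        elif f["type"] == "file_execution":
            path = normalize_path(d["path"])
            if ntpath.basename(path) != target:
                continue
            claims.setdefault("sha1", d["sha1"])
            execution.add("amcache")
            key = f"sha1:{d['sha1']}"
        else:
            continue
        paths.add(path)
        claims.setdefault("path", path)
        chain.append({"fact_id": f["fact_id"], "fact_type": f["type"], "tool": f["tool"], "key": key})
    registered = "service" in claims
    severity = "HIGH" if registered and execution else "MEDIUM" if registered or execution else "INFO"
    return {
        "title": "PsExec service artifact in registry and amcache",
        "severity": severity,                      # assumed rule, not the platform's
        "claims": claims,
        "paths_agree": len(paths) <= 1,            # ImagePath, ShimCache and Amcache name one file
        "execution_sources": sorted(execution),
        "proof_chain": chain,
        "source_tools": sorted({c["tool"] for c in chain}),
        "caveats": [
            "ShimCache LastModifiedTimeUTC is the file's last-modified time, not an execution time",
            "Amcache SHA-1 covers at most the first 30 MiB of the file",
        ],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_finding(FACTS), indent=2))
```

Run as-is it prints the finding built from the constructed facts; on a real case, replace FACTS with the records finding_trace() returns and keep amcache_sha1() for checking a PSEXESVC.exe carved from the image against the amcache fact.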