Veritas
F040 · MEDIUM · Inconclusive · validator: passed

Multiple DISMHOST.exe executions from temporary directories (Lateral Movement / Living off the Land)

DISMHOST.exe executed from multiple %TEMP% subdirectories

Analyst narrative

AppCompatCache records show DISMHOST.exe (the DISM host process, a legitimate Windows deployment tool) executed from multiple temporary staging directories. Note that the AppCompatCache LastModifiedTimeUTC value is the file's last-modified time, not an execution time, so it does not by itself show repeated execution; the number of distinct staging directories does. The two facts in the proof chain below are the same cache entry (position 161) read from ControlSet001 and ControlSet002, the second flagged Duplicate: True. Candidates cand-0029 through cand-0037. Fact_ids: appcompatcache_execution_fact-0000161 and 27 additional entries.

Claims asserted

path · C:\Windows\Temp\fe042787-1eaa-421b-abb7-e6bafde1a715\dismhost.exe · run_appcompatcacheparser

Proof chain · 2 facts

Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.

appcompatcache execution fact · appcompatcache:sysvol/windows/temp/fe042787-1eaa-421b-abb7-e6bafde1a715/dismhost.exe · run_appcompatcacheparser
Raw tool output · f2c7fcee95fa6bf27388ec1aea5871806e72ae63
{"ControlSet": "1", "CacheEntryPosition": "161", "Path": "SYSVOL\\Windows\\Temp\\FE042787-1EAA-421B-ABB7-E6BAFDE1A715\\DismHost.exe", "LastModifiedTimeUTC": "2013-08-22 13:25:38", "Executed": "Yes", "Duplicate": "False", "SourceFile": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM"}
appcompatcache execution fact · appcompatcache:sysvol/windows/temp/fe042787-1eaa-421b-abb7-e6bafde1a715/dismhost.exe · run_appcompatcacheparser
Raw tool output · f85a8ef8f4b752a6faee425794e0c1453c4e9759
{"ControlSet": "2", "CacheEntryPosition": "161", "Path": "SYSVOL\\Windows\\Temp\\FE042787-1EAA-421B-ABB7-E6BAFDE1A715\\DismHost.exe", "LastModifiedTimeUTC": "2013-08-22 13:25:38", "Executed": "Yes", "Duplicate": "True", "SourceFile": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM"}
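The following is an added example, not part of the Veritas finding page or its finding_trace() implementation. It takes AppCompatCacheParser JSON records in the layout shown in the raw tool output above, collapses the same cache entry read from ControlSet001 and ControlSet002 into one, counts the distinct GUID staging directories under Windows\Temp, and reports the timestamps separately so that file mtimes are not mistaken for execution times. The first two records are the two facts on this page; the third (a second GUID directory) and fourth (the stock System32\Dism location) are constructed for illustration and are not from the case.

```python
import json
import re

# Constructed sample input in AppCompatCacheParser's JSON record layout.
# Records 1 and 2 are the two facts from this finding (one entry, two ControlSets);
# records 3 and 4 are constructed, not from the case, to exercise the logic.
RAW_RECORDS = r"""
{"ControlSet": "1", "CacheEntryPosition": "161", "Path": "SYSVOL\\Windows\\Temp\\FE042787-1EAA-421B-ABB7-E6BAFDE1A715\\DismHost.exe", "LastModifiedTimeUTC": "2013-08-22 13:25:38", "Executed": "Yes", "Duplicate": "False"}
{"ControlSet": "2", "CacheEntryPosition": "161", "Path": "SYSVOL\\Windows\\Temp\\FE042787-1EAA-421B-ABB7-E6BAFDE1A715\\DismHost.exe", "LastModifiedTimeUTC": "2013-08-22 13:25:38", "Executed": "Yes", "Duplicate": "True"}
{"ControlSet": "1", "CacheEntryPosition": "309", "Path": "SYSVOL\\Windows\\Temp\\0A3B9C1D-2E4F-4A5B-8C6D-7E8F9A0B1C2D\\DismHost.exe", "LastModifiedTimeUTC": "2013-08-22 13:25:38", "Executed": "Yes", "Duplicate": "False"}
{"ControlSet": "1", "CacheEntryPosition": "412", "Path": "SYSVOL\\Windows\\System32\\Dism\\DismHost.exe", "LastModifiedTimeUTC": "2013-08-22 13:25:38", "Executed": "Yes", "Duplicate": "False"}
"""

# DismHost.exe inside a GUID-named folder directly under Windows\Temp, the layout DISM and
# Disk Cleanup use for their own staging copies of the binary.
TEMP_DISMHOST = re.compile(
    r"^SYSVOL\\Windows\\Temp\\([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\\DismHost\.exe$",
    re.IGNORECASE,
)


def load_records(text):
    """Parse JSON-lines AppCompatCacheParser output into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def dedupe_across_controlsets(records):
    """Collapse the same cache entry read from several ControlSets into one record.
    The key is (path, mtime): the same path re-added with a new file mtime still counts."""
    unique = {}
    for r in records:
        key = (r["Path"].lower(), r["LastModifiedTimeUTC"])
        unique.setdefault(key, r)
    return list(unique.values())


def staging_dirs(records):
    """Distinct GUID staging directories from which DismHost.exe appears."""
    dirs = set()
    for r in records:
        m = TEMP_DISMHOST.match(r["Path"])
        if m:
            dirs.add(m.group(1).upper())
    return dirs


def assess(records):
    """Evaluate the 'multiple temp directories' claim against raw ShimCache records."""
    unique = dedupe_across_controlsets(records)
    dirs = staging_dirs(unique)
    # ShimCache's timestamp is the file's $STANDARD_INFORMATION last-modified time, not the
    # time of execution, so identical mtimes across directories say nothing about run count.
    mtimes = {r["LastModifiedTimeUTC"] for r in unique if TEMP_DISMHOST.match(r["Path"])}
    return {
        "raw_entries": len(records),
        "unique_entries": len(unique),
        "staging_dirs": sorted(dirs),
        "distinct_mtimes": sorted(mtimes),
        "multiple_dirs": len(dirs) > 1,
    }


if __name__ == "__main__":
    recs = load_records(RAW_RECORDS)
    print(json.dumps(assess(recs[:2]), indent=2))  # only the two facts on this page
    print(json.dumps(assess(recs), indent=2))      # with the constructed extra records
```

Run against only the two facts shown on this page, the result is one unique entry and one staging directory, which is why those two facts alone do not establish "multiple directories"; the claim has to rest on the additional fact_ids the narrative cites. The Duplicate field is deliberately not used for deduplication, since it only marks repeats within the parser's own run order; keying on (path, mtime) is what makes ControlSet copies collapse regardless of ordering.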

Source tools

extract_mft_timeline · parse_event_logs · run_appcompatcacheparser