F005 · MEDIUM · Confirmed malicious · validator: passed
PsExecSvc service persistence and lateral movement infrastructure
PsExecSvc service, PsExec.exe
Analyst narrative
Registry persistence entries under HKLM\System\ControlSet001\Services\PsExecSvc and ControlSet002\Services\PsExecSvc indicate installation of the PSEXESVC service for remote code execution. Combined with Amcache evidence that PsExec.exe (SHA1: 2013247c1481bb44bbebbb927a153b42e73b499f) executed from the staging path c:\windows\temp\perfmon\PsExec.exe, this represents both persistence (TA0003) and lateral movement infrastructure (TA0008).
Claims asserted
hash · PsExec.exe · 2013247c1481bb44bbebbb927a153b42e73b499f · parse_registry_persistence, get_amcache
Proof chain · 1 fact
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
• file execution fact · sha1:2013247c1481bb44bbebbb927a153b42e73b499f · get_amcache
Raw tool output · 3a50aa38d43a9b92c571c2602736480c34a30207
{"path": "C:\\Windows\\Temp\\perfmon\\PsExec.exe", "sha1": "2013247c1481bb44bbebbb927a153b42e73b499f", "first_run": "", "publisher": null, "file_size": null}
Source tools
get_amcache, parse_registry_persistence