F009 · HIGH · Suspicious · validator: passed
PsExecSvc service registered (Lateral Movement / Persistence)
PSEXESVC service persistence via registry ImagePath
Analyst narrative
Registry persistence facts show PSEXESVC service ImagePath under ControlSet001 and ControlSet002. PSEXESVC.exe present at C:\Windows\PSEXESVC.exe (sha1 e50d9e3bd91908e13a26b3e23edeaf577fb3a095). Candidates cand-0009/cand-0097/cand-0098.
Claims asserted
hash · PSEXESVC.exe · e50d9e3bd91908e13a26b3e23edeaf577fb3a095 · sources: get_amcache, parse_event_logs
path · C:\Windows\PSEXESVC.exe · sources: get_amcache, parse_event_logs
Proof chain · 3 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Fact 1 · appcompatcache execution fact
appcompatcache:sysvol/windows/psexesvc.exe · tool: run_appcompatcacheparser
Raw tool output · 258d3cee2da944bac847c7b578d5a57ba02ee4ba
{"ControlSet": "1", "CacheEntryPosition": "45", "Path": "SYSVOL\\Windows\\PSEXESVC.exe", "LastModifiedTimeUTC": "2018-09-04 22:51:49", "Executed": "Yes", "Duplicate": "False", "SourceFile": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM"}
Fact 2 · appcompatcache execution fact
appcompatcache:sysvol/windows/psexesvc.exe · tool: run_appcompatcacheparser
Raw tool output · 2b7ea7ef1e3d51d87b4e15234a26862fbc0e5dc2
{"ControlSet": "2", "CacheEntryPosition": "45", "Path": "SYSVOL\\Windows\\PSEXESVC.exe", "LastModifiedTimeUTC": "2018-09-04 22:51:49", "Executed": "Yes", "Duplicate": "True", "SourceFile": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM"}
Fact 3 · file execution fact
sha1:e50d9e3bd91908e13a26b3e23edeaf577fb3a095 · tool: get_amcache
Raw tool output · 819f7338c8913a495061f6bb9de3e98b373d6b4c
{"path": "C:\\Windows\\PSEXESVC.exe", "sha1": "e50d9e3bd91908e13a26b3e23edeaf577fb3a095", "first_run": "", "publisher": null, "file_size": null}
Source tools
extract_mft_timeline, get_amcache, parse_event_logs, parse_registry_persistence, run_appcompatcacheparser