Sunday, June 3, 2018

Daily Blog #382: Sunday Funday 6/3/18

Hello Reader,
         It's been awhile since we've talked. It's been a couple years since I managed to complete Zeltser challenge writing a blog post a day for a year and in that time the blog has gotten pretty silent but our work hasn't stopped. What stopped was a requirement to keep sharing and posting, instead I fell into my old habits of wanting the perfect example/infrastructure setup before I posted it. So to correct this and to force myself to put our research out there I'm resuming the Zeltser challenge and what better way to do that then with a Sunday Funday forensic contest.

You'll notice that I'm now going to letting these contests run for a week rather than a day. With Phil Moore's this week in forensics posts I don't see a need for Saturday reading posts anymore on my blog, so instead it will be Sunday Funday contests with Solution Saturdays where the winner will be posted.  Hopefully this will get more people playing.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 6/8/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post



The Challenge:
One of the things I've noticed when people talk about psexec execution is the prefetch file it creates when running psexecsvc. There are many more artifacts that we've seen in our research so now it's time for you to show all of us what you know. 

List out with a description:
1. Every location where psexecsvc would be logged as executed on Windows 10 with the most current update
2. Every location where psexecsvc would be logged as existing on Windows 10 with the most current update
3. Every location that would be created and or modified based on psexecsvc executing 

No comments:

Post a Comment