Daily Blog #388: Solution Saturday 6/9/18 - Winning Answer for Psexec Challenge

Hello Reader,
           It's Saturday and based on the new blog schedule that means it's Solution Saturday where we reveal the winner of the week's Sunday Funday contest. I wanted to try this new format to give people more time to participate in the challenges and while I saw alot of people viewing and discussing the challenge I actually only received one entry! So that means Phill Moore automatically won this week regardless of what he sent in.

As a reminder here was this weeks Challenge:

The Challenge:

One of the things I've noticed when people talk about psexec execution is the prefetch file it creates when running psexecsvc. There are many more artifacts that we've seen in our research so now it's time for you to show all of us what you know. 

List out with a description:
1. Every location where psexecsvc would be logged as executed on Windows 10 with the most current update
2. Every location where psexecsvc would be logged as existing on Windows 10 with the most current update
3. Every location that would be created and or modified based on psexecsvc executing 

Here is the winning submission from Phil Moore:

1. Event logs
Registry - services

2. Mft, logfile, usnjrnl

3. I don't know 

Done with no testing, entirely guess work. 

As you can see sometimes just submitting can lead to winning and in Phill's case it won him a $100 amazon giftcard. 

I'll be exploring the full answer in the blog as the daily blogging continues so make sure to keep reading and get ready for tomorrow's Sunday Funday when a new challenge will be posted!

Post a Comment