Daily Blog #594: Forensic Lunch Test Kitchen 1/11/19 Server 2008 R2 Syscache Mimikatz

Hello Reader,
  Tonight on request from a viewer we are looking to see what Mimikatz leaves behind in the Syscache hive on Windows Server 2008 R2.

Here is what we learned:

  • The Syscache hive did not appear to log the 64-bit mimikatz executable on its first execution
  • It did log the 32-bit mimikatz executable on first execution
  • It did log the 64-bit mimikatz executable on the desktop
  • It did not appear to log the 64-bit mimikatz executable in the Documents directory
  • The SHA-1 16-bit hashes were correctly searched on VirusTotal, identifying mimikatz

We are going to leave the VM running over the weekend to see if the other 64-bit executables show up; see you next week. In the meantime, come back tomorrow to see this week's Sunday Funday winner, with the new contest posted this Sunday.

You can watch the video here:


Also Read: Syscache and SHA 16bit hashes
