Hello Reader,
Tonight we returned to the test kitchen to try to solve the mystery of the multiple mimikatz executables now showing up in the Syscache.
Tonight we learned:
- Syscache does not appear to duplicate entries by hash
- We got some entries to appear without a hash
- We are giving the VM enough time to run its background processes so the Syscache gets fully written to, with a new test tomorrow night
- The last write time does not appear to be updated when the program is executed again
- 64-bit and 32-bit executables are being recorded
You can watch the video here: