Daily Blog #598: Forensic Lunch Test Kitchen 1/15/19 Syscache Mimikatz Server 2008 R2
Hello Reader,
Tonight we returned to the test kitchen to try to solve the mystery of the multiple mimikatz executables now showing up in the Syscache.
Tonight we learned:
- Syscache does not appear to duplicate entries by hash
- We got some entries to appear without a hash
- We are giving the VM enough time to run its background processes to get the Syscache fully written to, with a new test tomorrow night
- The last write time does not appear to be updated when the program is executed again
- 64-bit and 32-bit executables are being recorded
You can watch the video here:
Reviewed by David Cowen on January 15, 2019