Tuesday, January 15, 2019

Daily Blog #598: Forensic Lunch Test Kitchen 1/15/19 Syscache Mimikatz Server 2008 R2

Hello Reader,
       Tonight we returned to the test kitchen to try to solve the mystery of the Multiple mimikatz executables now showing up in the Syscache

Tonight we learned:

  • Syscache does not appear to duplicate entries by hash
  • We got some entries to appear without a hash
  • We are giving the VM enough time to run its background processes to get the Syscache full written to with a new test tomorrow night
  • The last write time does not appear to be updated when the program is executed again
  • 64bit and 32bit executables are being recorded
You can watch the video here:

No comments:

Post a Comment