Queries Windows prefetch for evidence of psexec.exe executions
select filename,
       datetime(atime, 'unixepoch', 'localtime') AS atime,
       datetime(ctime, 'unixepoch', 'localtime') AS ctime,
       datetime(mtime, 'unixepoch', 'localtime') AS mtime
from file
where path like '\Windows\prefetch\PSEXEC.exe%';
Yeah, it's osquery v3.3.2 based on their link to the osquery table schema, which I've tested locally with the same results as the screenshot. I'm curious if anyone has had success in Live Query with similar queries. Thanks!
@creams You could try querying prefetch for the existence of psexec:
select filename,
       datetime(atime, 'unixepoch', 'localtime') AS atime,
       datetime(ctime, 'unixepoch', 'localtime') AS ctime,
       datetime(mtime, 'unixepoch', 'localtime') AS mtime
from file
where path like '\Windows\prefetch\PSEXEC.exe%';
And yes, the current version in LiveQuery is 3.3.2, but will be updated shortly!
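As an added example (not from this thread), the same file-table approach broadened to both Prefetch artifacts PsExec leaves behind: the PSEXEC client on the host that launched it and the PSEXESVC service on the host it reached. It assumes osquery on Windows with the system drive on C: and Prefetch enabled (it is commonly disabled on Windows Server).

```sql
-- Added example: hunt both PsExec prefetch artifacts from the osquery file table.
-- Assumptions: system drive is C:, Prefetch is enabled on the endpoint.
--   PSEXEC.EXE-<hash>.pf    the PsExec client ran here (source side)
--   PSEXESVC.EXE-<hash>.pf  the PsExec service ran here (target side)
-- A .pf file is rewritten shortly after each run, so its mtime is a close
-- approximation of the most recent execution.
SELECT
  filename,
  CASE
    WHEN filename LIKE 'PSEXESVC.EXE-%' THEN 'target: PSEXESVC service ran'
    WHEN filename LIKE 'PSEXEC.EXE-%'   THEN 'source: PsExec client ran'
    ELSE 'other PSEXE* prefetch file'
  END AS role,
  size,
  datetime(mtime, 'unixepoch', 'localtime') AS last_run_approx,
  datetime(ctime, 'unixepoch', 'localtime') AS ctime,
  datetime(atime, 'unixepoch', 'localtime') AS atime
FROM file
WHERE path LIKE 'C:\Windows\Prefetch\PSEXE%.pf'
ORDER BY mtime DESC;
```

An empty result set means only that no matching .pf file exists; it does not rule out execution where Prefetch is disabled or the file was removed.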