The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Evidence of psexec.exe execution

Querries Windows prefetch for evidence of psexec.exe executions

select filename, 
datetime(atime,"unixepoch","localtime") AS atime,
datetime(ctime,"unixepoch","localtime") AS ctime,
datetime(mtime,"unixepoch","localtime") AS mtime
from file
where path like "\Windows\prefetch\PSEXEC.exe%";

 

6 Comments
mrpeters22
Contributor III

i could be mistaken but I believe the osquery version utilized by LiveOps is on an older 3.x version of osquery 

creams
New Contributor II

Yeah, it's osquery v3.3.2 based on their link to the osquery table schema, which I've tested locally with the same results as the screenshot. I'm curious if anyone has had success in Live Query with similar queries. Thanks!

jnelson
Carbon Black Employee

@creams You could trying querying prefetch for the existence of psexec:

select filename,
    datetime(atime,"unixepoch","localtime") AS atime,
    datetime(ctime,"unixepoch","localtime") AS ctime,
    datetime(mtime,"unixepoch","localtime") AS mtime
from file
where path like "\Windows\prefetch\PSEXEC.exe%";

And yes, the current version in LiveQuery is 3.3.2, but will be updated shortly!

esullivan
Community Manager
Community Manager
Status changed to: Under Review

@creams we updated your request to become an actual query. Can you let us know if the above works for you?

creams
New Contributor II

Good to go, thank you for the support!

esullivan
Community Manager
Community Manager
Status changed to: Approved