
HKEY_USERS (NTUSER.DAT) Registry Query

Description: Looking for any PsExec Registry keys in an organization. 

What The Data Shows: We're trying to scope any users/systems that may have run PsExec in a network.

SQL:

select filename,
    datetime(atime,"unixepoch","localtime") AS atime,
    datetime(ctime,"unixepoch","localtime") AS ctime,
    datetime(mtime,"unixepoch","localtime") AS mtime
from file
where path like "\Windows\prefetch\PSEXEC.exe%";


6 Comments
Contributor III

I could be mistaken, but I believe the osquery version utilized by LiveOps is on an older 3.x version of osquery.

New Contributor II

Yeah, it's osquery v3.3.2 based on their link to the osquery table schema, which I've tested locally with the same results as the screenshot. I'm curious if anyone has had success in Live Query with similar queries. Thanks!

Carbon Black Employee

@creams You could try querying prefetch for the existence of psexec:

select filename,
    datetime(atime,"unixepoch","localtime") AS atime,
    datetime(ctime,"unixepoch","localtime") AS ctime,
    datetime(mtime,"unixepoch","localtime") AS mtime
from file
where path like "\Windows\prefetch\PSEXEC.exe%";

And yes, the current version in LiveQuery is 3.3.2, but will be updated shortly!
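To show what the prefetch query above actually matches, here is an added example (not from the thread or from Carbon Black) that loads a few constructed rows shaped like osquery's `file` table into SQLite, the engine osquery itself runs on, and executes the same filter. It assumes the `file` table reports Windows paths with a drive letter (`C:\Windows\Prefetch\...`), so the pattern carries one; the hash suffixes and timestamps in the sample rows are made up. It also runs a broader pattern that catches the `PSEXESVC.EXE` prefetch file the PsExec service leaves on the remote host, which the original pattern does not cover.

```python
import sqlite3
from typing import Dict, List, Sequence, Tuple

# Constructed sample rows in the shape of osquery's `file` table
# (path, filename, atime, ctime, mtime). Hypothetical data: the prefetch
# hash suffixes and the epoch timestamps are invented for this example.
SAMPLE_PREFETCH_ROWS: List[Tuple[str, str, int, int, int]] = [
    (r"C:\Windows\Prefetch\PSEXEC.EXE-1A2B3C4D.pf", "PSEXEC.EXE-1A2B3C4D.pf",
     1609459200, 1609459200, 1609462800),
    (r"C:\Windows\Prefetch\PSEXESVC.EXE-5E6F7A8B.pf", "PSEXESVC.EXE-5E6F7A8B.pf",
     1609466400, 1609466400, 1609470000),
    (r"C:\Windows\Prefetch\NOTEPAD.EXE-9C0D1E2F.pf", "NOTEPAD.EXE-9C0D1E2F.pf",
     1609473600, 1609473600, 1609477200),
    # A PsExec binary outside the Prefetch folder: must not match either pattern.
    (r"C:\Windows\System32\PsExec.exe", "PsExec.exe",
     1609480800, 1609480800, 1609484400),
]

# The thread's pattern, prefixed with the drive letter (assumption: osquery
# reports full Windows paths). SQLite LIKE is case-insensitive for ASCII,
# so "PSEXEC.exe%" still matches the upper-case "PSEXEC.EXE-<hash>.pf".
PSEXEC_PATTERN = r"C:\Windows\Prefetch\PSEXEC.exe%"

# Broader pattern: matches PSEXEC.EXE (initiating host) and PSEXESVC.EXE
# (service dropped on the target host) in one query.
PSEXEC_FAMILY_PATTERN = r"C:\Windows\Prefetch\PSEXE%"

# Same query as the thread's, parameterised on the path pattern.
QUERY = """
select filename,
       datetime(atime, 'unixepoch', 'localtime') as atime,
       datetime(ctime, 'unixepoch', 'localtime') as ctime,
       datetime(mtime, 'unixepoch', 'localtime') as mtime
from file
where path like ?
order by filename
"""


def build_file_table(rows: Sequence[Tuple[str, str, int, int, int]]) -> sqlite3.Connection:
    """Create an in-memory stand-in for osquery's `file` table and load rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "create table file (path text, filename text, "
        "atime integer, ctime integer, mtime integer)"
    )
    conn.executemany("insert into file values (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def find_prefetch_hits(conn: sqlite3.Connection, pattern: str) -> List[Dict[str, str]]:
    """Run the prefetch query with the given LIKE pattern; return rows as dicts."""
    return [dict(row) for row in conn.execute(QUERY, (pattern,)).fetchall()]


if __name__ == "__main__":
    db = build_file_table(SAMPLE_PREFETCH_ROWS)
    for label, pattern in (("thread pattern", PSEXEC_PATTERN),
                           ("PSEXE% family pattern", PSEXEC_FAMILY_PATTERN)):
        print(f"--- {label}: {pattern}")
        for hit in find_prefetch_hits(db, pattern):
            print(f"{hit['filename']}  atime={hit['atime']}  "
                  f"ctime={hit['ctime']}  mtime={hit['mtime']}")
```

A prefetch hit on the initiating host shows that PsExec ran there; the `PSEXESVC.EXE` prefetch entry on a target is the complementary artifact for scoping where it connected to. Prefetch must be enabled on the host for either file to exist, so an empty result is not proof of absence.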

Community Manager
Status changed to: Under Review

@creams we updated your request to become an actual query. Can you let us know if the above works for you?

New Contributor II

Good to go, thank you for the support!

Community Manager
Status changed to: Approved