
HKEY_USERS (NTUSER.DAT) Registry Query

Description: Looking for any PsExec Registry keys in an organization. 

What The Data Shows: We're trying to scope any users/systems that may have run PsExec in a network. 

SQL: 

select filename,
    datetime(atime,"unixepoch","localtime") AS atime,
    datetime(ctime,"unixepoch","localtime") AS ctime,
    datetime(mtime,"unixepoch","localtime") AS mtime
from file
where path like "\Windows\prefetch\PSEXEC.exe%";


6 Comments
mrpeters22
Contributor II

I could be mistaken, but I believe the osquery version utilized by LiveOps is on an older 3.x version of osquery. 

creams
New Contributor II

Yeah, it's osquery v3.3.2 based on their link to the osquery table schema, which I've tested locally with the same results as the screenshot. I'm curious if anyone has had success in Live Query with similar queries. Thanks!

jnelson
Carbon Black Employee

@creams You could try querying prefetch for the existence of psexec:

select filename,
    datetime(atime,"unixepoch","localtime") AS atime,
    datetime(ctime,"unixepoch","localtime") AS ctime,
    datetime(mtime,"unixepoch","localtime") AS mtime
from file
where path like "\Windows\prefetch\PSEXEC.exe%";

And yes, the current version in LiveQuery is 3.3.2, but will be updated shortly!
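The prefetch query above (and the same query in the original post) runs against osquery's virtual `file` table. As an added example that is not part of this thread or of osquery, the block below rebuilds the columns that query touches in an in-memory SQLite table with constructed rows, runs the same SELECT, and then extends it to a defender's scoping check: PSEXEC.EXE prefetch marks the host the tool was launched from, while PSEXESVC.EXE prefetch marks a host it was launched against. Two differences from the thread are assumptions of this example: plain SQLite's LIKE must match the whole column, so the pattern is fully qualified with a `C:\` drive, and `datetime(...,'unixepoch')` is used without `'localtime'` so the output does not depend on the machine's time zone.

```python
import sqlite3

# Assumption: the system drive is C:. osquery resolves the file table's path
# constraint against the filesystem; plain SQLite LIKE needs the full path.
PREFETCH_DIR = "C:\\Windows\\Prefetch\\"

# Constructed sample rows shaped like osquery's `file` table
# (path, filename, atime, ctime, mtime); timestamps are Unix epoch seconds.
SAMPLE_FILES = [
    (PREFETCH_DIR + "PSEXEC.EXE-1A2B3C4D.pf", "PSEXEC.EXE-1A2B3C4D.pf",
     1700000000, 1699990000, 1700000000),          # PsExec launched here
    (PREFETCH_DIR + "PSEXESVC.EXE-11223344.pf", "PSEXESVC.EXE-11223344.pf",
     1700000300, 1700000300, 1700000300),          # PsExec connected to here
    (PREFETCH_DIR + "NOTEPAD.EXE-AABBCCDD.pf", "NOTEPAD.EXE-AABBCCDD.pf",
     1700001000, 1699900000, 1700001000),          # unrelated prefetch entry
    ("C:\\Users\\alice\\Downloads\\PsExec.exe", "PsExec.exe",
     1699900000, 1699900000, 1699900000),          # binary on disk, not prefetch
]

# Same SELECT as the thread, parameterised on the path pattern and in UTC.
QUERY = """
select filename,
    datetime(atime,'unixepoch') AS atime,
    datetime(ctime,'unixepoch') AS ctime,
    datetime(mtime,'unixepoch') AS mtime
from file
where path like ?
"""


def _file_table(rows):
    """Build an in-memory stand-in for osquery's `file` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE file (path TEXT, filename TEXT, "
        "atime INTEGER, ctime INTEGER, mtime INTEGER)"
    )
    conn.executemany("INSERT INTO file VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def prefetch_hits(rows, pattern):
    """Run the thread's query for one LIKE pattern; returns list of tuples.

    SQLite's LIKE is case-insensitive for ASCII, so 'PSEXEC.exe%' matches the
    upper-case prefetch file name, exactly as in the thread's query.
    """
    conn = _file_table(rows)
    try:
        return conn.execute(QUERY, (pattern,)).fetchall()
    finally:
        conn.close()


def scope_psexec(rows):
    """Classify a host's prefetch entries by PsExec role.

    'launched_from' : PSEXEC.EXE ran locally (the thread's original question)
    'targeted'      : PSEXESVC.EXE ran locally, i.e. this host was the remote end
    """
    return {
        "launched_from": [r[0] for r in prefetch_hits(rows, PREFETCH_DIR + "PSEXEC.exe%")],
        "targeted": [r[0] for r in prefetch_hits(rows, PREFETCH_DIR + "PSEXESVC.exe%")],
    }


if __name__ == "__main__":
    for row in prefetch_hits(SAMPLE_FILES, PREFETCH_DIR + "PSEXEC.exe%"):
        print(row)
    print(scope_psexec(SAMPLE_FILES))
```

Running a query per role across the fleet gives two lists: hosts where someone ran PsExec, and hosts that received a PsExec session, which together scope the activity the original post asks about. Prefetch is only populated when the Prefetcher is enabled (it is off by default on many server SKUs), so an empty result is not proof of absence.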

Community Manager
Community Manager
Status changed to: Under Review

@creams we updated your request to become an actual query. Can you let us know if the above works for you?

creams
New Contributor II

Good to go, thank you for the support!

Community Manager
Community Manager
Status changed to: Approved