Query Exchange

creams · ‎12-13-2019

Description: Looking for any PsExec Registry keys in an organization.

What The Data Shows: We're trying to scope any users/systems that may have ran PsExec in a network.

SQL:

select filename, 

         datetime(atime,"unixepoch","localtime") AS atime,  

         datetime(ctime,"unixepoch","localtime") AS ctime,  

         datetime(mtime,"unixepoch","localtime") AS mtime  

from file  

where path like "\Windows\prefetch\PSEXEC.exe%";

mrpeters22 · ‎12-13-2019

i could be mistaken but I believe the osquery version utilized by LiveOps is on an older 3.x version of osquery

creams · ‎12-13-2019

Yeah, it's osquery v3.3.2 based on their link to the osquery table schema, which I've tested locally with the same results as the screenshot. I'm curious if anyone has had success in Live Query with similar queries. Thanks!

jnelson · ‎12-16-2019

@creams You could trying querying prefetch for the existence of psexec:

select filename,
    datetime(atime,"unixepoch","localtime") AS atime,
    datetime(ctime,"unixepoch","localtime") AS ctime,
    datetime(mtime,"unixepoch","localtime") AS mtime 

from file 

where path like "\Windows\prefetch\PSEXEC.exe%";

And yes, the current version in LiveQuery is 3.3.2, but will be updated shortly!

esullivan · ‎12-16-2019

@creams we updated your request to become an actual query. Can you let us know if the above works for you?

creams · ‎12-18-2019

Good to go, thank you for the support!

esullivan · ‎12-20-2019

Query Exchange

HKEY_USERS (NTUSER.DAT) Registry Query