Description: Looking for any PsExec Registry keys in an organization.
What The Data Shows: We're trying to scope any users/systems that may have run PsExec on the network.
SQL:
SELECT filename,
       datetime(atime, 'unixepoch', 'localtime') AS atime,
       datetime(ctime, 'unixepoch', 'localtime') AS ctime,
       datetime(mtime, 'unixepoch', 'localtime') AS mtime
FROM file
WHERE path LIKE '\Windows\prefetch\PSEXEC.exe%';