Closed umairqamar closed 1 year ago
Hey, @umairqamar, this looks really good! Could I possibly also trouble you for a file write event screenshot?
Hey @mttaggart I can not find FileWrite events related to this in my logs, the .key file was only seen in event id 5145.
@umairqamar Without a file write, I don't know that I am comfortable with this description. I feel like we don't have the full story on this one. I'm closing this for now, but please feel free to reopen later with more evidence!
The .key file is written on the target system in the root of the Windows directory. The file is created and subsequently deleted; you can see the file creation and deletion in the USN journal. This behaviour is mentioned here:
https://aboutdfir.com/the-key-to-identify-psexec/
https://youtu.be/oVM1nQhDZQc?t=946
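As an added example (not code from this thread or from the project), the following script shows how a defender could correlate the two artefacts discussed above: a `.key` file reached through the `ADMIN$` share in Security event ID 5145 (the `ShareName`, `RelativeTargetName`, `SubjectUserName` and `IpAddress` fields are real 5145 fields, but the records here are constructed), and a create-then-delete pair for a `.key` file in the root of the Windows directory in the USN journal (the `path`/`reason` record shape, the reason strings and the file name `example-1234.key` are constructed placeholders, not the real PsExec file name).

```python
"""Correlate constructed 5145 share-access records with constructed USN
journal entries to flag a transient .key file in the Windows root."""
import re
from datetime import datetime, timedelta

# ADMIN$ is the administrative share rooted at the Windows directory,
# so a RelativeTargetName on it is a path relative to %SystemRoot%.
ADMIN_SHARE_RE = re.compile(r"\\\\\*\\ADMIN\$$", re.IGNORECASE)
# A .key file directly in the Windows root (no further path components).
KEY_IN_WINROOT_RE = re.compile(r"^[A-Z]:\\Windows\\[^\\]+\.key$", re.IGNORECASE)

# Constructed sample Security event 5145 records (abbreviated).
EVENTS_5145 = [
    {"time": "2024-01-10T12:00:01", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "tool.exe", "SubjectUserName": "svc_admin", "IpAddress": "10.0.0.5"},
    {"time": "2024-01-10T12:00:02", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "example-1234.key", "SubjectUserName": "svc_admin", "IpAddress": "10.0.0.5"},
    {"time": "2024-01-10T12:00:03", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\bob\notes.key", "SubjectUserName": "bob", "IpAddress": "10.0.0.9"},
]

# Constructed USN journal entries (reason strings mirror USN_REASON_* names).
USN_RECORDS = [
    {"time": "2024-01-10T11:00:00", "path": r"C:\Windows\old.key", "reason": "FILE_CREATE"},
    {"time": "2024-01-10T11:30:00", "path": r"C:\Windows\old.key", "reason": "FILE_DELETE|CLOSE"},
    {"time": "2024-01-10T12:00:02", "path": r"C:\Windows\example-1234.key", "reason": "FILE_CREATE"},
    {"time": "2024-01-10T12:00:02", "path": r"C:\Windows\example-1234.key", "reason": "DATA_EXTEND|CLOSE"},
    {"time": "2024-01-10T12:00:05", "path": r"C:\Windows\System32\config.key", "reason": "FILE_CREATE"},
    {"time": "2024-01-10T12:00:09", "path": r"C:\Windows\example-1234.key", "reason": "FILE_DELETE|CLOSE"},
]


def key_files_from_5145(events):
    """Return (filename, account, source_ip) for .key files accessed via ADMIN$."""
    hits = []
    for ev in events:
        if ADMIN_SHARE_RE.search(ev["ShareName"]) and ev["RelativeTargetName"].lower().endswith(".key"):
            hits.append((ev["RelativeTargetName"].lower(), ev["SubjectUserName"], ev["IpAddress"]))
    return hits


def transient_key_files(usn_records, window=timedelta(seconds=60)):
    """Find .key files in the Windows root created and then deleted within `window`."""
    created = {}
    results = []
    # ISO-8601 timestamps sort correctly as strings; the sort is stable.
    for rec in sorted(usn_records, key=lambda r: r["time"]):
        if not KEY_IN_WINROOT_RE.match(rec["path"]):
            continue
        name = rec["path"].rsplit("\\", 1)[1].lower()
        t = datetime.fromisoformat(rec["time"])
        if "FILE_CREATE" in rec["reason"]:
            created[name] = t
        elif "FILE_DELETE" in rec["reason"] and name in created:
            if t - created[name] <= window:
                results.append({"file": name, "created": created[name], "deleted": t})
            del created[name]  # long-lived files are not the pattern of interest
    return results


def correlate(events, usn_records):
    """Alert when a transient Windows-root .key file was also reached over ADMIN$."""
    share_hits = {name: (acct, ip) for name, acct, ip in key_files_from_5145(events)}
    alerts = []
    for tf in transient_key_files(usn_records):
        if tf["file"] in share_hits:
            acct, ip = share_hits[tf["file"]]
            alerts.append({**tf, "account": acct, "source_ip": ip})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS_5145, USN_RECORDS):
        print(alert)
```

The USN step is what supplies the "write" evidence that the log alone lacks: a 5145 record only proves the name was referenced over the share, while the create/delete pair in the journal shows the file actually existed on disk for a few seconds. The 60-second window and the restriction to the Windows root are tuning choices; a file that lives for half an hour (`old.key` above) or sits under `System32` is deliberately ignored.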