Evidence of Execution
FrostedDolphin committed Sep 18, 2023
1 parent 200a518 commit 283ef3b
Showing 2 changed files with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion _posts/2023-09-14-EvidenceOfExecution.md
Expand Up @@ -110,7 +110,7 @@ Files referenced: 43

Below we can see the csv output when you run PECmd against an entire directory of prefetch files. There are two files that get created, the on labeled timeline is most interesting because we can not only see the prefetch file that were most interested in, but also all the other binaries that were run in proximity. This can give us clues to other lolbins (Live Off the Land Binaries) that are harder to detect malice from but easy to abuse. For example we might see a malicious setup file being run and be able to point out when it was run from its prefetch file, but until we pull this timeline, we might not know it had the capability of running wmic commands, or establishing persistence with reg.exe. This isn't the best picture of a timeline to showcase for malice but it give an example of what you would expect to see.

![PECmd for a single prefetch file](/assets/img/PFdirtimeline.png)
![PECmd for a single prefetch file](/assets/img/PFdir.png)
_Output of PECmd.exe on a directory_


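Review bot: the alt text on the new image line no longer matches what the image shows. `![PECmd for a single prefetch file](/assets/img/PFdir.png)` still says "single prefetch file" while the caption directly below it, `_Output of PECmd.exe on a directory_`, describes directory output, so screen readers and the broken-image fallback will label it wrongly; suggest `![PECmd output for a directory of prefetch files](/assets/img/PFdir.png)`. Since the replaced line dropped `/assets/img/PFdirtimeline.png`, the paragraph above still tells the reader that the file "labeled timeline is most interesting" without showing it any more, so either keep both screenshots or reword that sentence. While this paragraph is being touched, the context line carries a few typos that could go in the same commit: "the on labeled" should be "the one labeled", "the prefetch file that were most interested in" should be "the prefetch file that we are most interested in", and "it give an example" should be "it gives an example".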
Binary file added assets/img/PFdir.png
