• Sethc / utilman hijack (crude & AV products now stopping) • Remote PowerShell session (elegant) • SysInternals psexec (old fashioned but not WinRM dependent) • Process Tree • Look at creation times, command lines, parent processes & durations • Filter out unwanted & noise, e.g. other sessions (but not session zero) @guyrleech
Yes, really • 494 on my Win10 21H2 laptop with 1284 providers & 161 containing events • Search them all during the logon period • PowerShell to the rescue (again) • Process Creation/Termination auditing + command line • Another reason not to use clear text passwords on command lines • Push into csv or grid view for further filtering/saving @guyrleech
• Download from script library • Needs logon and process creation/termination auditing in place • Just need to pass domain\user • Splits out phases including group policy, logon script & printer mappings @guyrleech
users (or if app version changes) • Controlled via HKLM\Software\Microsoft\Active Setup (& Wow6432node) • Runs command in “StubPath” value • Copies keys run to HKCU • Can disable by removing some or all HKLM keys • DO NOT USE! AVOID! DELETE KEYS! • And now we have AppX logon “stuff” @guyrleech
guyrleech
ryysud
__allllllllez__
manarobot
oztick139
mitsuzono
smt7174
yamahiro
riyaamemiya
konifar
yu4u
egmc
ktc_wada
chrislema
soudai
panda_program
quramy
colly
maltzj
carmenintech
tammielis
sachag
mojombo
marktimemedia
malarkey
