SANS Digital Forensics and Incident Response Blog: Author - Mike Pilkington

Protecting Privileged Domain Accounts: Safeguarding Password Hashes

Have you ever made a connection to a potentially compromised remote machine using a privileged domain account and wondered if there was any chance that your privileged credentials could be revealed in some way to the attacker? I have. After wondering and worrying about it, the curiosity (and paranoia) finally got to me and so … Continue reading Protecting Privileged Domain Accounts: Safeguarding Password Hashes

WMIC for incident response

Earlier this week, I posted about using psexec during incident response. I mentioned at the end of that post that I've been using WMIC in place of psexec and that I'd have more on that later. This post, is a follow up to the psexec post.


Prompted by the excellent work of Ed Skoudis and his part in the Command Line Kung Fu blog, as well as a really nice webcast he did a few years ago titled Essential Windows Command-Line Kung Fu for Info Sec Pros and an Internet Storm Center article from the same year, I've come to rely on WMIC for a large number of IR tasks. It provides much of the functionality of PsExec, as well as a lot of


Protecting Admin Passwords During Remote Response and Forensics


PsExec has been a great tool for remotely executing processes on a Windows machine. It has been around for years and is one of many useful tools from Mark Russinovich (formerly of SysInternals, now with Microsoft). As described on PsExec's webpage, "PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software."

That said, there is a significant drawback to PsExec's default behavior, as described in the last sentence of the description on PsExec's webpage: "Note that the password is transmitted in clear text to the remote system."

This is something that needs to be seriously considered and accounted for when using PsExec. Corporate incident responders typically have domain administrator rights for response purposes. The idea of