Prefetch (C:\Windows\Prefetch\*.pf) is the most reliable evidence that a program was executed. However, if there is NO .pf file for a program, that doesn’t mean it wasn’t executed: Prefetch is disabled by default on server editions, can be switched off through the registry, and the folder only holds a limited number of entries (128 up to Windows 7, 1024 from Windows 8), so older entries get evicted.
Another useful artefact is AmCache (Amcache.hve). What’s great about it is that, among other things, it stores a SHA-1 hash of each file (computed over the first 31 MB), which lets you pivot to threat intel and to other hosts. Although an entry is not proof of the program being executed, it does show the PRESENCE of files (executables and drivers) on the system.
It is ok to collect artefacts like that manually on a single host, but it’s better to do so at scale. Some tools were designed to parse these artefacts from many hosts and load everything into an SQL database you can query.
AppCompatProcessor.py (GitHub) parses both ShimCache (the AppCompatCache registry value) and AmCache and loads them into an SQLite database. This tool has some modules that improve the investigation process (search, stack, etc.). Of particular interest:
tcorr - performs temporal correlation of execution: files that are usually executed close in time to a given file (e.g. a dropper and its payload, or a lateral-movement tool and what it runs).
leven - finds files whose names are slightly different from known executables (typo-squatting such as svch0st.exe for svchost.exe), using Levenshtein distance.
rndsearch - attempts to identify randomly named files.
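The three modules above, as an added example that is not AppCompatProcessor’s own code: simplified versions of leven, rndsearch and tcorr run over a constructed list of execution records (hosts, paths and timestamps are invented; the KNOWN_GOOD baseline is an assumption, and tcorr here uses explicit timestamps where the real tool works from cache entry order).

```python
"""Added example, not AppCompatProcessor's code: simplified versions of the
leven, rndsearch and tcorr heuristics run over constructed execution records."""
from collections import Counter
from datetime import datetime

# Constructed records: (host, path, timestamp).  Assumption: each record has a
# timestamp usable for ordering; in the real tool the cache entry order is used.
RECORDS = [
    ("WS01", r"C:\Windows\System32\svchost.exe",                "2023-03-01 08:00:00"),
    ("WS01", r"C:\Windows\Temp\svch0st.exe",                    "2023-03-01 08:00:05"),
    ("WS01", r"C:\Users\bob\AppData\Local\Temp\xkq9zvtr.exe",   "2023-03-01 08:00:07"),
    ("WS02", r"C:\Windows\System32\svchost.exe",                "2023-03-02 09:00:00"),
    ("WS02", r"C:\Windows\Temp\svch0st.exe",                    "2023-03-02 09:00:04"),
    ("WS02", r"C:\Users\alice\AppData\Local\Temp\xkq9zvtr.exe", "2023-03-02 09:00:09"),
    ("WS03", r"C:\Windows\System32\lsass.exe",                  "2023-03-03 10:00:00"),
    ("WS03", r"C:\Program Files\7-Zip\7z.exe",                  "2023-03-03 12:00:00"),
]

# Assumed baseline of well-known executable names (the real module ships a longer list).
KNOWN_GOOD = ["svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def levenshtein(a, b):
    """Edit distance by dynamic programming (one row kept at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def leven(records, known=KNOWN_GOOD, max_dist=2):
    """leven: names within max_dist edits of a known executable (but not equal to one)."""
    hits = set()
    for _, path, _ in records:
        name = basename(path)
        if name in known:
            continue
        for good in known:
            d = levenshtein(name, good)
            if d <= max_dist:
                hits.add((name, good, d))
    return sorted(hits)


def rndsearch(records, min_len=5):
    """rndsearch: crude random-name check, a stem of >= min_len letters with no vowel.
    (The real module uses n-gram statistics; this only shows the idea.)"""
    hits = set()
    for _, path, _ in records:
        name = basename(path)
        letters = [c for c in name.rsplit(".", 1)[0] if c.isalpha()]
        if len(letters) >= min_len and not any(c in "aeiou" for c in letters):
            hits.add(name)
    return sorted(hits)


def tcorr(records, target, window_s=30):
    """tcorr: which other files run within window_s seconds of target, counted once per host."""
    by_host = {}
    for host, path, ts in records:
        by_host.setdefault(host, []).append(
            (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), basename(path)))
    counts = Counter()
    for entries in by_host.values():
        anchors = [t for t, n in entries if n == target]
        near = {n for t, n in entries if n != target
                and any(abs((t - a).total_seconds()) <= window_s for a in anchors)}
        counts.update(near)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("leven:", leven(RECORDS))
    print("rndsearch:", rndsearch(RECORDS))
    print("tcorr(svch0st.exe):", tcorr(RECORDS, "svch0st.exe"))
```

On this sample leven pairs svch0st.exe with svchost.exe at distance 1, rndsearch flags the two vowel-less stems, and tcorr shows that whenever svch0st.exe ran, the real svchost.exe and the random-named file in Temp ran within seconds on the same host, which is the kind of cluster you then pivot on across the fleet.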
Services are managed by the SCM (Service Control Manager, services.exe). The same process is the source of the Security event 4697 and of the System events 7034, 7035, 7036, 7040 and 7045.
4697 - a service was installed (Security log; only logged when the "Audit Security System Extension" subcategory is enabled, so it is often missing)
7034 - the service terminated unexpectedly (crashed)
7035 - the SCM sent a start/stop control request to the service
7036 - the service entered the running/stopped state
7040 - the start type of a service was changed (e.g. from auto start to disabled: watch for security services such as Defender or the event log being disabled)
7045 - a service was installed (records the service name, image path, service type, start type and the account it runs as)
❗️PsExec creates a new service on the target (PSEXESVC by default; the -r switch renames it) when executed and deletes it afterwards, so expect a 7045 EID (and a 4697 if auditing is enabled) on the target host even though the service no longer exists. ❗️Services usually run under a built-in service account (LocalSystem, LocalService, NetworkService); a user account running a service is something worth looking into.
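A triage pass over the event IDs above, as an added example that is not from the original notes: it flags PsExec-style service installs, services installed under a user account or from a non-standard path, services that are stopped shortly after being installed, and security services switched to disabled. The events are constructed by hand (field names are normalised to follow the message parameters of the real 7045 / 7040 / 4697 records); the account whitelist, trusted directories and service-name patterns are assumptions.

```python
"""Added example, not from the original notes: a triage pass over Service
Control Manager events.  All events are constructed by hand; field names are
normalised after the message parameters of the real 7045 / 7040 / 4697 records."""
import re
from datetime import datetime

# Built-in accounts a service normally runs under (assumed list, lower-cased).
SERVICE_ACCOUNTS = {"localsystem", "nt authority\\system",
                    "nt authority\\localservice", "nt authority\\local service",
                    "nt authority\\networkservice", "nt authority\\network service"}
# Where a legitimate service binary is expected to live (assumed, lower-cased).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Services that should not be switched to "disabled" (matched on display name, assumed).
SECURITY_SVC = re.compile(r"defender|event log|firewall|sense|security center", re.I)
PSEXEC_NAME = re.compile(r"^psexe", re.I)   # PSEXESVC and obvious variants
SHORT_LIVED_S = 600                          # installed and stopped within 10 minutes

EVENTS = [  # constructed sample, not exported from a real log
    {"log": "System", "id": 7045, "time": "2023-03-01T08:00:03", "host": "WS01",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"log": "System", "id": 7036, "time": "2023-03-01T08:00:03", "host": "WS01",
     "ServiceName": "PSEXESVC", "State": "running"},
    {"log": "System", "id": 7036, "time": "2023-03-01T08:02:10", "host": "WS01",
     "ServiceName": "PSEXESVC", "State": "stopped"},
    {"log": "System", "id": 7045, "time": "2023-03-01T08:05:00", "host": "WS01",
     "ServiceName": "WinUpdateSvc", "ImagePath": r"C:\Users\bob\AppData\Roaming\update.exe",
     "StartType": "auto start", "AccountName": r"CORP\bob"},
    {"log": "System", "id": 7040, "time": "2023-03-01T08:06:00", "host": "WS01",
     "ServiceName": "Windows Defender Antivirus Service",
     "OldStartType": "auto start", "NewStartType": "disabled"},
    {"log": "System", "id": 7045, "time": "2023-03-02T11:00:00", "host": "WS02",
     "ServiceName": "Sense",
     "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"log": "Security", "id": 4697, "time": "2023-03-03T09:00:00", "host": "DC01",
     "ServiceName": "BackupAgent", "ImagePath": r"C:\Program Files\Backup\agent.exe",
     "StartType": "auto start", "SubjectUserName": r"CORP\admin"},
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def normalise_path(p):
    """Lower-case and expand the two environment variables seen in service image paths."""
    p = p.strip('"').lower()
    return p.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")


def stop_time(events, host, svc, after):
    """First 7036 'stopped' for the same host/service at or after the install time."""
    for e in events:
        if (e["id"] == 7036 and e["host"] == host and e["ServiceName"] == svc
                and e["State"] == "stopped" and parse(e["time"]) >= after):
            return parse(e["time"])
    return None


def triage(events):
    """Return (time, host, event id, service name, reason) for every suspicious event."""
    findings = []

    def flag(e, reason):
        findings.append((e["time"], e["host"], e["id"], e["ServiceName"], reason))

    for e in events:
        if e["id"] in (7045, 4697):                       # service installed
            if PSEXEC_NAME.search(e["ServiceName"]):
                flag(e, "PsExec-style service name")
            if not normalise_path(e["ImagePath"]).startswith(TRUSTED_DIRS):
                flag(e, "service binary outside trusted directories")
            acct = e.get("AccountName", "").lower()        # 4697 has no account field
            if acct and acct not in SERVICE_ACCOUNTS:
                flag(e, f"runs as user account {e['AccountName']}")
            installed = parse(e["time"])
            stopped = stop_time(events, e["host"], e["ServiceName"], installed)
            if stopped is not None:
                life = int((stopped - installed).total_seconds())
                if life <= SHORT_LIVED_S:
                    flag(e, f"short-lived service, stopped after {life}s")
        elif e["id"] == 7040 and e["NewStartType"] == "disabled" \
                and SECURITY_SVC.search(e["ServiceName"]):
            flag(e, f"security service start type changed to disabled (was {e['OldStartType']})")
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(*f, sep=" | ")
```

The Sense and BackupAgent installs produce nothing because they run from Program Files under expected accounts and keep running; PSEXESVC is caught twice (by name and by its 127-second lifetime), which matters because an attacker who renames the service with -r still leaves the install-then-stop pattern behind.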