Question

Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and use SPL searches against all data to find the password used during the PsExec activity. Enter it as your answer.

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 CommandLine="*PsExec*"
| rex field=CommandLine "(?i)(?:^|\s)-(?:password|p)(?:[:=]|\s+)['\"]?(?<password>[^'\"\s]+)"
| where isnotnull(password)
| table _time, host, User, CommandLine, password
| dedup password
| sort 0 _time

  • Description: PsExec was executed to establish remote execution on another host, typically by creating a temporary service and running a remote payload.

  • Objective: Lateral movement and remote execution—gain control of additional hosts, execute post-exploitation tools, and potentially escalate privileges using compromised credentials.

  • MITRE ATT&CK Technique: Remote Services—Windows Admin Shares / SMB / PsExec (T1021.006) (often combined with Valid Accounts (T1078) and Lateral Movement).
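To make the extraction logic of the search above testable outside Splunk, here is a small Python reimplementation of the same `rex` pattern, run over a few constructed Sysmon EventCode 1 records. This is an added example, not part of the original write-up or of Splunk's own code; the host names, user names, command lines and the `ExamplePass1` value are all made up. It shows the two edge cases the regex has to get right (`-password` must not be consumed by the shorter `-p` alternative, and a flag that merely starts with `-p` must not be mistaken for a password) and adds a redaction helper so the credential can be masked before the event is copied into a ticket or alert.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon EventCode 1 records (only the fields the SPL search tables).
# Hosts, users, paths and the password are invented for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "User": "CORP\\alice",
     "CommandLine": r"C:\Tools\PsExec.exe \\SRV01 -u CORP\svc_backup -p ExamplePass1 cmd.exe"},
    {"host": "WS01", "User": "CORP\\alice",
     "CommandLine": r'psexec.exe \\SRV02 -u CORP\svc_backup -password "ExamplePass1" -s whoami'},
    {"host": "WS02", "User": "CORP\\bob",
     "CommandLine": r"PsExec64.exe \\SRV03 -u CORP\bob -high notepad.exe"},  # no password argument
    {"host": "WS03", "User": "CORP\\carol",
     "CommandLine": r"C:\Windows\System32\ping.exe -n 4 SRV01"},             # not PsExec at all
]

# Same pattern as the SPL rex: the longer "-password" alternative is listed first so
# "-p" cannot match inside it, and a delimiter (":" / "=" / whitespace) is required
# after the flag so that e.g. "-priority" is not read as "-p riority".
PASSWORD_ARG = re.compile(r'''(?:^|\s)-(?:password|p)(?:[:=]|\s+)['"]?([^'"\s]+)''',
                          re.IGNORECASE)

# Equivalent of CommandLine="*PsExec*" (Splunk field matches are case-insensitive).
PSEXEC_IMAGE = re.compile(r"psexec", re.IGNORECASE)


def is_psexec(cmdline: str) -> bool:
    """True when the command line references a PsExec binary."""
    return bool(PSEXEC_IMAGE.search(cmdline))


def extract_password(cmdline: str) -> Optional[str]:
    """Return the value passed with -p / -password, or None when absent."""
    m = PASSWORD_ARG.search(cmdline)
    return m.group(1) if m else None


def find_exposed_passwords(events: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Mirror of the SPL pipeline: filter PsExec events, extract the password,
    drop events without one, and keep the first event per distinct password
    (the effect of `dedup password` after `sort 0 _time`)."""
    seen: Dict[str, Dict[str, str]] = {}
    for ev in events:
        cmdline = ev["CommandLine"]
        if not is_psexec(cmdline):
            continue
        password = extract_password(cmdline)
        if password is None:
            continue
        seen.setdefault(password, {"host": ev["host"], "User": ev["User"],
                                   "CommandLine": cmdline})
    return seen


def redact_password(cmdline: str) -> str:
    """Mask the credential in place so the command line can be quoted safely."""
    return PASSWORD_ARG.sub(lambda m: m.group(0).replace(m.group(1), "<redacted>"), cmdline)


if __name__ == "__main__":
    for password, ev in find_exposed_passwords(SAMPLE_EVENTS).items():
        print(f"{ev['host']:6} {ev['User']:12} password={password}")
        print("   ", redact_password(ev["CommandLine"]))
```

Running the module prints one row per distinct password, exactly as the `table ... | dedup password` stage in Splunk would; `redact_password` is the piece you would apply before pasting the command line into an incident record.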
