So I'm working on a project to find malware in my network. I'm trying to automate Autoruns (Sysinternals) in order to find anomalies or changes in startup on workstations. To do so I want to make daily reports for multiple workstations each day and check for changes against previous reports (finding differences). So I need a couple of pieces of advice:

1. Should I remotely execute the script with PsExec (Sysinternals)? It seems way too risky with a high-privileged account... Is there any other way?
2. Any working software for finding differences in reports (XML, CSV, or just text)? (Easy to use, free and Windows.) I have already tried to make it using C but it is too much effort. Should I write it in Python or another language like C#...
I would use silentrunners.org to create daily snapshots. Then you could compare those and, should something change, flag that system for further review. Windows has FC, which compares two files or sets of files and displays the differences between them:

```
FC [/A] [/C] [/L] [/LBn] [/N] [/OFF[LINE]] [/T] [/U] [/W] [/nnnn]
   [drive1:][path1]filename1 [drive2:][path2]filename2
FC /B [drive1:][path1]filename1 [drive2:][path2]filename2
```

user4317867
- Can I run it remotely? – Chechik Dec 11 '14 at 11:39
- Of course, use `psexec -s` to run `CSCRIPT.EXE -nologo silentrunners.vbs` as the system account on the remote machine. Then direct the output to some network location to use FC to compare the resultant files. – user4317867 Dec 11 '14 at 22:16
- Isn't it a bit risky to use PsExec? It has my privileged credentials in memory on each workstation I will run it against... I thought using WMI may be a bit more secure? What do you think? – Chechik Dec 14 '14 at 12:15
- PsExec can be run under the System account, but you are correct, PsExec will send the password in clear text. – user4317867 Dec 15 '14 at 23:31
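An added example (not from the question or the answer) of the report-diffing step in Python, the language the asker considered: it indexes two daily Autoruns CSV snapshots by autostart location and entry name, then flags entries that appeared, disappeared, or changed image path, hash or enabled state, which is what a swapped binary at a known autostart location looks like. The snapshot text is constructed, and the column names are assumed to match the header written by `autorunsc -c`.

```python
import csv
import io

# Constructed sample snapshots (not real Autoruns output). Column names follow
# the CSV header written by "autorunsc -c"; confirm them against your version.
KEY_FIELDS = ("Entry Location", "Entry")             # identifies one autostart entry
WATCH_FIELDS = ("Image Path", "SHA-256", "Enabled")  # a change here gets flagged

SNAPSHOT_DAY1 = r"""Entry Location,Entry,Enabled,Image Path,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,c:\windows\system32\securityhealthsystray.exe,a1a1a1
HKLM\System\CurrentControlSet\Services,Spooler,enabled,c:\windows\system32\spoolsv.exe,b2b2b2
Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,enabled,c:\windows\system32\defrag.exe,c3c3c3
"""

SNAPSHOT_DAY2 = r"""Entry Location,Entry,Enabled,Image Path,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,c:\windows\system32\securityhealthsystray.exe,a1a1a1
HKLM\System\CurrentControlSet\Services,Spooler,enabled,c:\windows\system32\spoolsv.exe,d4d4d4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,c:\users\alice\appdata\roaming\updater.exe,e5e5e5
"""


def load_snapshot(csv_text):
    """Index an Autoruns CSV export by (Entry Location, Entry)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {tuple(row[f] for f in KEY_FIELDS): row for row in reader}


def diff_snapshots(old, new):
    """Entries that appeared, disappeared, or changed path/hash/enabled state."""
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = []
    for key in sorted(set(old) & set(new)):
        for field in WATCH_FIELDS:
            if old[key][field] != new[key][field]:
                changed.append((key, field, old[key][field], new[key][field]))
    return {"added": added, "removed": removed, "changed": changed}


def report(old_csv, new_csv):
    """Diff two daily snapshots; any non-empty list flags the host for review."""
    return diff_snapshots(load_snapshot(old_csv), load_snapshot(new_csv))


if __name__ == "__main__":
    for kind, items in report(SNAPSHOT_DAY1, SNAPSHOT_DAY2).items():
        for item in items:
            print(f"[{kind.upper()}] {item}")
```

Keying on location plus entry name rather than on whole lines means a plain line-diff tool like FC would also report the Spooler hash change, but this form tells you which field moved and survives column reordering between collection runs.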