PsExec execution detected

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detects when the Windows utility PsExec was executed on a system. PsExec is commonly utilized for executing processes remotely on Windows machines, often as part of legitimate system administration activity. This could be evidence of unauthorized remote access by an attcker.

Strategy

Monitoring of Windows event logs where @evt.id is 7045 or 4697 and grouping by @Event.System.Computer, which detects service psexec service installation on a system./ logs where @evt.id is 5145 and grouping by @Event.System.Computer, where A network share object was checked to see whether client can be granted desired access by psexec.

Triage & Response

Verify if the exection of psexec on {{@@Event.System.Computer}} is expected. If the execution was not intended isolate the system.

PREVIEWING: rtrieu/product-analytics-ui-changes