PsExec execution detected

windows

Classification:

attack

Tactic:

TA0002-execution

Technique:

T1569-system-services

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detects when the Windows utility PsExec was executed on a system. PsExec is commonly utilized for executing processes remotely on Windows machines, often as part of legitimate system administration activity. This could be evidence of unauthorized remote access by an attcker.

Strategy

Monitoring of Windows event logs where @evt.id is 7045 or 4697 and grouping by @Event.System.Computer, which detects service psexec service installation on a system./ logs where @evt.id is 5145 and grouping by @Event.System.Computer, where A network share object was checked to see whether client can be granted desired access by psexec.

Triage & Response

Verify if the exection of psexec on {{@@Event.System.Computer}} is expected. If the execution was not intended isolate the system.

PREVIEWING: rtrieu/product-analytics-ui-changes