PsExec execution detected
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detects when the Windows utility PsExec was executed on a system. PsExec is commonly utilized for executing processes remotely on Windows machines, often as part of legitimate system administration activity. This could be evidence of unauthorized remote access by an attcker.
Strategy
Monitoring of Windows event logs where @evt.id is 7045 or 4697 and grouping by @Event.System.Computer, which detects service psexec service installation on a system./ logs where @evt.id is 5145 and grouping by @Event.System.Computer, where A network share object was checked to see whether client can be granted desired access by psexec.
Triage & Response
Verify if the exection of psexec on {{@@Event.System.Computer}} is expected. If the execution was not intended isolate the system.
