PsExec execution detected
Goal
Detects when the Windows utility PsExec was executed on a system. PsExec is commonly used to execute processes remotely on Windows machines, often as part of legitimate system administration activity. Its execution could also be evidence of unauthorized remote access by an attacker.
Strategy
Monitor Windows event logs where @evt.id is 7045 or 4697, grouped by @Event.System.Computer, which detects PsExec service installation on a system.

Monitor Windows event logs where @evt.id is 5145, grouped by @Event.System.Computer, where a network share object was checked to see whether the client can be granted the desired access by PsExec.
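The two queries above can be reproduced offline against exported events. The following is an added example, not the rule's own implementation. It assumes events are already parsed into dictionaries using the Windows field names ServiceName, ImagePath, ServiceFileName and RelativeTargetName, that PsExec is identified by its default PSEXESVC service, binary and pipe name, and that a host with both a service install and a share check ranks higher (a hypothetical triage heuristic).

```python
from collections import defaultdict

# Constructed sample events (not real telemetry). Field names follow the
# Windows schemas for 7045/4697 (service install) and 5145 (share check).
SAMPLE_EVENTS = [
    {"id": 7045, "computer": "WS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 5145, "computer": "WS01", "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "PSEXESVC-ADMINPC-4321-stdin"},
    {"id": 5145, "computer": "WS01", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "PSEXESVC.exe"},
    {"id": 7045, "computer": "WS02", "ServiceName": "Backup Agent",
     "ImagePath": r"C:\Program Files\Backup\agent.exe"},
    {"id": 4697, "computer": "SRV03", "ServiceName": "PSEXESVC",
     "ServiceFileName": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 5145, "computer": "WS02", "ShareName": r"\\*\Public",
     "RelativeTargetName": "report.docx"},
]

SERVICE_INSTALL_IDS = {7045, 4697}
SHARE_CHECK_ID = 5145
MARKER = "psexesvc"  # assumption: only the default PsExec name is matched

def _mentions_psexec(event, fields):
    """Case-insensitive substring match of MARKER in the given fields."""
    return any(MARKER in str(event.get(f, "")).lower() for f in fields)

def detect_psexec(events):
    """Group matching events by computer: {computer: sorted event IDs}."""
    hits = defaultdict(set)
    for ev in events:
        if ev["id"] in SERVICE_INSTALL_IDS:
            fields = ("ServiceName", "ImagePath", "ServiceFileName")
        elif ev["id"] == SHARE_CHECK_ID:
            fields = ("RelativeTargetName",)
        else:
            continue
        if _mentions_psexec(ev, fields):
            hits[ev["computer"]].add(ev["id"])
    return {host: sorted(ids) for host, ids in hits.items()}

def triage_priority(ids):
    """Hypothetical heuristic: install plus share check on one host is 'high'."""
    has_install = bool(SERVICE_INSTALL_IDS & set(ids))
    return "high" if has_install and SHARE_CHECK_ID in ids else "medium"

if __name__ == "__main__":
    for host, ids in detect_psexec(SAMPLE_EVENTS).items():
        print(host, ids, triage_priority(ids))
```

Matching on the default name misses a service installed under a different name, so the service-install events on a host are still worth reviewing when only event 5145 fires.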
Triage & Response
Verify whether the execution of PsExec on {{@@Event.System.Computer}} is expected. If the execution was not intended, isolate the system.