
# Psexec Windows Events

Purpose: Find instances of the psexec service (remote command execution) on Windows systems by examining event logs pertaining to access control for remote shares.

Data Required: Windows Event Logs (ID 5145)

Collection Considerations: None

Analysis Techniques: Filtering

Description

Look for Windows Event ID 5145, "A network share object was checked to see whether client can be granted desired access." Filter for events where the share is IPC$ and the service (the named pipe recorded in the event's relative target name) is PSEXECSVC-*. Cross-reference by examining the 5145 events for access to the ADMIN$ share from the same source, which shows the tool/file copies and execution events.
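The filter-and-cross-reference step above, written out as an added example (not part of the original playbook) over constructed 5145 event records. It keeps the playbook's PSEXECSVC-* pattern and also matches PSEXESVC*, the default service and pipe name the Sysinternals PsExec binary registers; the event field names follow the 5145 EventData layout, and the correlation window is an assumption.

```python
import fnmatch
from datetime import datetime, timedelta

# Pipe names that appear in the RelativeTargetName field of a 5145 event.
# "PSEXECSVC-*" is the pattern the playbook gives; "PSEXESVC*" is the default
# service/pipe name the Sysinternals PsExec binary registers (added here as an
# assumption, not taken from the playbook text).
PSEXEC_PIPE_PATTERNS = ("PSEXECSVC-*", "PSEXESVC*")
IPC_SHARE, ADMIN_SHARE = r"\\*\IPC$", r"\\*\ADMIN$"  # ShareName as logged by 5145

def is_psexec_ipc_event(ev):
    """True for a 5145 event on IPC$ whose target matches a PsExec pipe name."""
    if ev["EventID"] != 5145 or ev["ShareName"].upper() != IPC_SHARE:
        return False
    name = ev["RelativeTargetName"].upper()
    return any(fnmatch.fnmatchcase(name, p) for p in PSEXEC_PIPE_PATTERNS)

def correlate_psexec(events, window=timedelta(minutes=5)):
    """Pair each PsExec pipe hit on IPC$ with ADMIN$ access (service binary copy)
    from the same source address within `window`; return one finding per hit."""
    admin_hits = [e for e in events
                  if e["EventID"] == 5145 and e["ShareName"].upper() == ADMIN_SHARE]
    findings = []
    for ev in events:
        if not is_psexec_ipc_event(ev):
            continue
        copies = sorted({a["RelativeTargetName"] for a in admin_hits
                         if a["IpAddress"] == ev["IpAddress"]
                         and abs(a["Time"] - ev["Time"]) <= window})
        findings.append({"source": ev["IpAddress"], "user": ev["SubjectUserName"],
                         "pipe": ev["RelativeTargetName"], "admin_share_files": copies})
    return findings

# Constructed sample 5145 events (EventData fields only; not real log data).
T0 = datetime(2023, 5, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    {"EventID": 5145, "Time": T0, "SubjectUserName": "admin", "IpAddress": "10.0.0.5",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "PSEXESVC.exe"},
    {"EventID": 5145, "Time": T0 + timedelta(seconds=2), "SubjectUserName": "admin",
     "IpAddress": "10.0.0.5", "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "PSEXESVC-WKS01-1234-stdin"},
    {"EventID": 5145, "Time": T0 + timedelta(minutes=30), "SubjectUserName": "bob",
     "IpAddress": "10.0.0.9", "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc"},
]

if __name__ == "__main__":
    for finding in correlate_psexec(SAMPLE_EVENTS):
        print(finding)  # one finding: the 10.0.0.5 pipe hit with PSEXESVC.exe on ADMIN$
```

The same two functions apply unchanged to records exported from the Security log (for example via Get-WinEvent converted to dicts), which is where the pattern list and window are worth tuning to the environment.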

Other Notes

Psexec is one of the most common mechanisms for malicious lateral movement, but the tool is also occasionally used by legitimate system administrators.

Event 5145 may not be enabled by default, as it requires "Detailed File Auditing" (which can generate a lot of logs).

More Info