#Psexec Windows Events

Purpose: Find instances of psexec service (remote command execution) on Windows sytems by examining event logs pertaining to access control for remote shares.

Data Required: Windows Event Logs (ID 5145)

Collection Considerations: None

Analysis Techniques: Filtering

Description

Look for Windows Event ID 5145, A network share object was checked to see whether client can be granted desired access. Filter for events where the share is IPC$ and the service is PSEXECSVC-*. Cross reference by examining the 5145 events for access to the ADMIN$ share for tool/file copies and execution events.

Other Notes Psexec is one of the most common mechanisms for malicious lateral movement, but the tool is also occasionally used by legitimate system administrators.

Event 5145 may not be enabled by default, as it requires "Detailed File Auditing" (which can generate a lot of logs).

More Info

Tweet #1 by @jackcr
Tweet #2 by @jackcr
Tweet by @JPoForenso

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!