Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time
35 lines (24 sloc) 1.17 KB

#Psexec Windows Events

Purpose: Find instances of psexec service (remote command execution) on Windows sytems by examining event logs pertaining to access control for remote shares.

Data Required: Windows Event Logs (ID 5145)

Collection Considerations: None

Analysis Techniques: Filtering


Look for Windows Event ID 5145, A network share object was checked to see whether client can be granted desired access. Filter for events where the share is IPC$ and the service is PSEXECSVC-*. Cross reference by examining the 5145 events for access to the ADMIN$ share for tool/file copies and execution events.

Other Notes Psexec is one of the most common mechanisms for malicious lateral movement, but the tool is also occasionally used by legitimate system administrators.

Event 5145 may not be enabled by default, as it requires "Detailed File Auditing" (which can generate a lot of logs).

More Info