Permalink
Switch branches/tags
Nothing to show
Find file Copy path
f1cab65 Aug 3, 2016
1 contributor

Users who have contributed to this file

36 lines (24 sloc) 1.17 KB

#Psexec Windows Events

Purpose: Find instances of psexec service (remote command execution) on Windows sytems by examining event logs pertaining to access control for remote shares.

Data Required: Windows Event Logs (ID 5145)

Collection Considerations: None

Analysis Techniques: Filtering

Description

Look for Windows Event ID 5145, A network share object was checked to see whether client can be granted desired access. Filter for events where the share is IPC$ and the service is PSEXECSVC-*. Cross reference by examining the 5145 events for access to the ADMIN$ share for tool/file copies and execution events.

Other Notes Psexec is one of the most common mechanisms for malicious lateral movement, but the tool is also occasionally used by legitimate system administrators.

Event 5145 may not be enabled by default, as it requires "Detailed File Auditing" (which can generate a lot of logs).

More Info