← Back to Explore
sigmahighHunting
PSEXEC Remote Execution File Artefact
Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
Detection Query
selection:
TargetFilename|startswith: C:\Windows\PSEXEC-
TargetFilename|endswith: .key
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-01-21
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.lateral-movementattack.privilege-escalationattack.executionattack.persistenceattack.t1136.002attack.t1543.003attack.t1570attack.s0029
Raw Content
title: PSEXEC Remote Execution File Artefact
id: 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4
status: test
description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
references:
- https://aboutdfir.com/the-key-to-identify-psexec/
- https://twitter.com/davisrichardg/status/1616518800584704028
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-21
modified: 2023-02-23
tags:
- attack.lateral-movement
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1136.002
- attack.t1543.003
- attack.t1570
- attack.s0029
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Windows\PSEXEC-'
TargetFilename|endswith: '.key'
condition: selection
falsepositives:
- Unlikely
level: high