PsExec Detection

bundle

#1

#### Bundle Details & Download

https://www.extrahop.com/customers/community/bundles/changhwanoh/psexec-detection/

#### Description

PsExec is a Microsoft Sysinternals utility that system administrators often use to run remote commands. However, PsExec (and the Metasploit module of the same name) can also be exploited by attackers to compromise Windows machines by running commands and launching processes without needing any specific software installed on the targeted machine. This bundle detects both legitimate and malicious PsExec usage.


#2

I’m not finding any psexec requests with this dashboard, malicious or not. The triggers are enabled.
What are we missing?


#3

Trigger for this is not capturing psexec events. I tried debugging the trigger code, and see that it does get into the part where `(CIFS.method == "SMB2_WRITE")` is checked. But after that it is not able to parse the DCE/RPC, and the message shows as “failed to parse dce/rpc”. Any help/pointer to fix this would be highly appreciated. Thx


#4

I get the error in my trigger log:

: Line 78: Uncaught Error: Not enough buffered data to unpack.
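Both failures above (“failed to parse dce/rpc” and “Not enough buffered data to unpack”) are what a parser reports when it unpacks a fixed-size DCE/RPC header from a single SMB2_WRITE payload that does not yet hold the whole PDU. The Node.js code below is an added illustration, not the bundle's trigger code or any ExtraHop API: it parses the 16-byte DCE/RPC common header that PsExec's writes to the svcctl pipe begin with, and buffers successive write payloads until a full fragment is present instead of throwing. The sample bind PDU is constructed for the example.

```javascript
const DCERPC_HEADER_LEN = 16;
const PACKET_TYPES = { 0: 'request', 2: 'response', 11: 'bind', 12: 'bind_ack' };

// Parse the 16-byte common header. Returns { ok: false } when fewer bytes are
// available, which is what one SMB2_WRITE presents when the PDU spans writes.
function parseDceRpcHeader(buf) {
  if (buf.length < DCERPC_HEADER_LEN) {
    return { ok: false, have: buf.length, needed: DCERPC_HEADER_LEN };
  }
  const le = (buf[4] & 0x10) !== 0; // data representation byte: integer byte order
  const u16 = (o) => (le ? buf.readUInt16LE(o) : buf.readUInt16BE(o));
  const u32 = (o) => (le ? buf.readUInt32LE(o) : buf.readUInt32BE(o));
  return {
    ok: true,
    version: buf[0], // 5 for connection-oriented DCE/RPC
    type: PACKET_TYPES[buf[2]] || `other(${buf[2]})`,
    firstFrag: (buf[3] & 0x01) !== 0,
    lastFrag: (buf[3] & 0x02) !== 0,
    fragLen: u16(8), // whole PDU length, header included
    authLen: u16(10),
    callId: u32(12),
  };
}

// Accumulate write payloads seen on one pipe; emit a header only once all
// fragLen bytes of that PDU have arrived.
class DceRpcReassembler {
  constructor() { this.pending = Buffer.alloc(0); }
  feed(chunk) {
    this.pending = Buffer.concat([this.pending, chunk]);
    const pdus = [];
    for (;;) {
      const hdr = parseDceRpcHeader(this.pending);
      if (!hdr.ok) break; // header not complete yet, wait for the next write
      if (hdr.version !== 5 || hdr.fragLen < DCERPC_HEADER_LEN) { // not DCE/RPC
        this.pending = Buffer.alloc(0);
        break;
      }
      if (this.pending.length < hdr.fragLen) break; // body not complete yet
      pdus.push(hdr);
      this.pending = this.pending.subarray(hdr.fragLen);
    }
    return pdus;
  }
}

// Constructed sample: a bind PDU (type 11, frag_length 0x48, call_id 1) with a zeroed body.
const SAMPLE_BIND = Buffer.concat([
  Buffer.from('05000b03100000004800000001000000', 'hex'),
  Buffer.alloc(0x48 - DCERPC_HEADER_LEN),
]);
```

Feeding `SAMPLE_BIND` to a reassembler in two slices (for example the first 10 bytes, then the rest) yields no PDU on the first call and one `bind` header on the second, which is the behaviour a trigger needs in place of unpacking a header from every write unconditionally.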