Detect Psexec With Accepteula Flag

Description

This search looks for events where PsExec.exe is run with the accepteula flag in the command line. PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument accepteula within the command line.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Malware

Alert Volume

This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument `accepteula` within the command line.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Lateral Movement

MITRE ATT&CK Techniques

Remote Services

SMB/Windows Admin Shares

MITRE Threat Groups

APT3
APT32
APT39
Blue Mockingbird
Chimera
Deep Panda
FIN8
Ke3chang
Lazarus Group
Orangeworm
Threat Group-1314
Turla
Wizard Spider

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response

   Help

Detect Psexec With Accepteula Flag Help

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

   Search

Open in Search