title: PsExec Pipes Artifacts id: 9e77ed63-2ecf-4c7b-b09d-640834882028 status: experimental description: Detecting use PsExec via Pipe Creation/Access to pipes author: Nikita Nazarov, oscd.community date: 2020/05/10 references: - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view tags: - attack.lateral_movement - attack.t1021.002 logsource: product: windows service: sysmon definition: 'Note that you have to configure logging for PipeEvents in Symson config' detection: selection: EventID: - 17 - 18 PipeName|startswith: - 'psexec' - 'paexec' - 'remcom' - 'csexec' condition: selection falsepositives: - Legitimate Administrator activity level: medium