title: PsExec Pipes Artifacts
id: 9e77ed63-2ecf-4c7b-b09d-640834882028
status: experimental
description: Detecting use PsExec via Pipe Creation/Access to pipes
author: Nikita Nazarov, oscd.community
date: 2020/05/10
references:
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for PipeEvents in Symson config'
detection:
    selection:
        PipeName|startswith:
            - 'psexec'
            - 'paexec'
            - 'remcom'
            - 'csexec'
    condition: selection
falsepositives:
    - Legitimate Administrator activity
level: medium