Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
An attacker must acquire admin credentials, lowering the likelihood of this technique. If the attacker is able to launch a service, the impact depends on which devices are compromised and the details of the newly configured service.
The system might change the risk score for this detection.
Kill Chain
Risk Score
56
After an attacker with admin credentials remotely launches a service on a device, the effects can range from minor configuration changes to remote command execution (RCE). One tool, PsExec, has been associated with known lateral movement techniques. PsExec, which is part of the Windows Sysinternals utilities, enables administrators to run remote commands by copying an executable file to the remote ADMIN$ share and then creating a temporary service to run that executable file.
System administrators might often remotely launch services on a device. This legitimate activity can appear similar to lateral movement activity.
Require User Account Control (UAC) approvals for any PsExec operations by enabling FilterAdministratorToken (Admin Approval Mode for the built-in Administrator account) in the Windows registry
Disable the ability to download software utility tools such as AppLocker, unless required
Reduce the number of users that have administrator privileges
Implement network segmentation, security zones, and firewall policies that limit how devices can communicate
