PsExec Commands to Domain Controller

My anti-virus (CrowdStrike) is flagging PsExec commands from my audit server (which only has Netwrix Auditor on it and was created in the last 3 months) to my primary domain controller. When I review the Netwrix Auditor documentation/forums, I read that NA doesn't use PowerShell, but I want to confirm this before I start going into a deeper security dive.

Auditor is configured to do Active Directory auditing, including:

  • Group Policy changes
  • AD Object changes
  • Password expiration monitoring

Netwrix Auditor version currently deployed is 10.8 (build 15019)

Hi Nick,

Thank you for joining the Netwrix Community and for your thoughtful question. I am a Senior Technical Support Engineer here at Netwrix, and I’m happy to clarify this for you.

To start, PsExec is a remote execution utility developed by SysInternals (later acquired by Microsoft). None of the components that make up Netwrix Auditor — past or present — include or depend on PsExec in any way.

Additionally, the components you listed — Active Directory Auditing (ADA), Group Policy Auditing (GPA), and Password Expiration Notifier (PEN) — do not use PowerShell. Some other collectors within Auditor may use PowerShell in specific scenarios, but these three do not. Instead, they rely primarily on LDAP and RPC communication when querying domain controllers and group policy information.

While we are not specialists in CrowdStrike’s solutions (I assume your organization uses Falcon), we have observed cases where EDR products flag Auditor’s legitimate remote operations as PsExec-like behavior. This can occur because Auditor’s secure use of RPC and LDAP may superficially resemble the remote execution patterns that some security tools associate with PsExec.

To prevent false positives or interference with Auditor’s functionality, I recommend reviewing the following resources:

Implementing the documented exclusions and verifying that the necessary ports are open helps ensure that CrowdStrike and Netwrix Auditor operate as harmoniously as possible — avoiding blocked connections, quarantined binaries, or incomplete data collection.

I hope that this clarifies the situation for you. Please let us know if you have any other questions!
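The answer above rests on a distinction a practitioner can verify directly: real PsExec leaves specific artifacts on the target (a service named PSEXESVC, a PSEXESVC.exe dropped into %SystemRoot% over ADMIN$, and a \\.\pipe\PSEXESVC named pipe over SMB 445), whereas the ADA/GPA/PEN collectors described in the answer talk LDAP and RPC. The following PowerShell script is an added example, not code from the Netwrix post or from the product; it is meant to be run in an elevated session on the domain controller and checks for those artifacts, then classifies the audit server's live connections by port. The `$AuditServer` address, the `$LookbackDays` window, and the script file name in the usage note are assumptions to replace with your own values.

```powershell
<#
 Added example (not from the Netwrix post or product): triage a "PsExec-like" EDR alert
 by looking on the domain controller for the artifacts real PsExec leaves behind, and by
 classifying the audit server's established connections by port.
 Run in an elevated PowerShell session on the DC.
#>
param(
    [string]$AuditServer  = '10.0.0.50',   # assumption: replace with the Netwrix Auditor host's IP
    [int]   $LookbackDays = 7              # assumption: how far back to search the System log
)

$since = (Get-Date).AddDays(-$LookbackDays)

# Real PsExec installs a service named PSEXESVC on the target. Windows logs that as
# System event 7045 (Security 4697 also fires if "Audit Security System Extension" is enabled).
$svcEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PSEXESVC' } |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0].Trim() } })

# PsExec copies PSEXESVC.exe into %SystemRoot% via ADMIN$ and talks to it over a named pipe.
$binaryPresent  = Test-Path "$env:SystemRoot\PSEXESVC.exe"
$servicePresent = [bool](Get-Service -Name PSEXESVC -ErrorAction SilentlyContinue)
$pipePresent    = [bool]([System.IO.Directory]::GetFiles('\\.\pipe\') -match 'PSEXESVC')

# Classify what the audit server is actually connected to on this DC. The ADA/GPA/PEN collectors
# use LDAP and RPC (endpoint mapper 135 plus a dynamic high port); PsExec needs SMB 445 for
# ADMIN$ and the pipe. 445 alone is not proof, since SYSVOL reads also use SMB, so pair it with
# the service/binary/pipe findings above.
$conns = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $AuditServer } |
    Select-Object LocalPort, RemotePort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } },
        @{ n = 'Classification'; e = {
            switch ($_.LocalPort) {
                135     { 'RPC endpoint mapper (expected for the collectors)' }
                389     { 'LDAP (expected)' }
                636     { 'LDAPS (expected)' }
                3268    { 'Global Catalog LDAP (expected)' }
                3269    { 'Global Catalog LDAPS (expected)' }
                445     { 'SMB: PsExec path, but also SYSVOL; weigh against the artifact checks' }
                default { if ($_ -ge 49152) { 'RPC dynamic port (expected)' } else { 'Unclassified: investigate' } }
            }
        } })

# A single verdict line for the analyst; the detailed fields below back it up.
$verdict = if ($svcEvents.Count -gt 0 -or $binaryPresent -or $servicePresent -or $pipePresent) {
    'PsExec artifacts found on this DC: treat the alert as real and pivot to the audit server'
} else {
    'No PsExec artifacts on this DC within the lookback window: the alert is more likely an LDAP/RPC collector being misclassified; apply the vendor exclusions and keep monitoring'
}

[pscustomobject]@{
    PsExecServiceInstallEvents = $svcEvents
    PsExecBinaryPresent        = $binaryPresent
    PsExecServiceRegistered    = $servicePresent
    PsExecPipeOpen             = $pipePresent
    AuditServerConnections     = $conns
    Verdict                    = $verdict
}
```

Save it as, say, `Check-PsExecArtifacts.ps1` (an assumed name) and run `.\Check-PsExecArtifacts.ps1 -AuditServer <audit server IP>` on the DC. Two caveats: a clean result only covers the lookback window and whatever the System log still retains, and the named-pipe check only catches a PsExec session that is open at the moment you run it. If the DC is clean but you still want to close the loop from the other side, the same logic inverted on the audit server is to look for a `psexec.exe`/`psexec64.exe` on disk and for Security 4688 process-creation events naming it, which a host running nothing but Netwrix Auditor should not have.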

Thank you very much for the clarification. I had suspected as much, as this particular machine and its installed programs (being pretty much only Netwrix Auditor) were too new for them to reasonably be infected on a network that is otherwise secure.


Happy to help, Nick. Please feel free to start a thread again in the future or contact Netwrix Support if you need assistance!
