Suspicious Impacket PSExec Temp Executable File Creation

Apr 16, 2023 · attack.s0357 attack.execution attack.t1569 attack.t1569.002 ·

Detects PSExec.py (Impacket) suspicious .exe file creation in Windows directory.

Sigma rule (View on GitHub)

 1title: Suspicious Impacket PSExec Temp Executable File Creation
 2id: b0ceadcb-ebc8-455e-9541-19d90ad4502c
 3status: experimental
 4description: Detects PSExec.py (Impacket) suspicious .exe file creation in Windows directory.
 5references:
 6    - https://github.com/fortra/impacket/blob/impacket_0_9_24/examples/psexec.py
 7    - https://www.13cubed.com/downloads/impacket_exec_commands_cheat_sheet.pdf
 8author: Micah Babinski
 9date: 2023/01/08
10tags:
11    - attack.s0357
12    - attack.execution
13    - attack.t1569
14    - attack.t1569.002
15logsource:
16    product: windows
17    category: file_event
18detection:
19    selection:
20        Image|endswith: 'system'
21        TargetFilename|re: '^C:\\Windows\\[A-Za-z]{8}\.exe$'
22    condition: selection
23falsepositives:
24    - Unknown
25level: medium```

References

impacket/examples/psexec.py at impacket_0_9_24 · fortra/impacket

Impacket is a collection of Python classes for working with network protocols. - fortra/impacket

Read More
Downloads

13Cubed Downloads

Read More

Suspicious Impacket PSExec Temp Executable File Creation

Sigma rule (View on GitHub)

References

impacket/examples/psexec.py at impacket_0_9_24 · fortra/impacket

Downloads

Related rules