Suspicious Impacket PSExec Temp Executable File Creation

Detects the creation of a randomly named executable (eight ASCII letters plus `.exe`) directly in the Windows directory by the System process. This is the footprint Impacket's psexec.py leaves when it uploads its service binary over the ADMIN$ share (which maps to C:\Windows) before installing and starting it as a service.

Sigma rule

```yaml
title: Suspicious Impacket PSExec Temp Executable File Creation
id: b0ceadcb-ebc8-455e-9541-19d90ad4502c
status: experimental
description: Detects PSExec.py (Impacket) suspicious .exe file creation in Windows directory.
references:
    - https://github.com/fortra/impacket/blob/impacket_0_9_24/examples/psexec.py
    - https://www.13cubed.com/downloads/impacket_exec_commands_cheat_sheet.pdf
author: Micah Babinski
date: 2023/01/08
tags:
    - attack.s0357
    - attack.execution
    - attack.t1569
    - attack.t1569.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: 'system'
        TargetFilename|re: '^C:\\Windows\\[A-Za-z]{8}\.exe$'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
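The following is an added example, not part of the rule page or the Sigma project, that applies the rule's two selection criteria to a handful of constructed Sysmon Event ID 11 (FileCreate) records so the matching behaviour can be checked offline. It reproduces the two Sigma semantics that matter here: `|endswith` is case-insensitive (so `'system'` matches the Sysmon `Image` value `System`), while `|re` is a plain, case-sensitive regex, so the match depends on the exact `C:\Windows\` prefix. The `psexec_style_name()` helper is an approximation of the naming scheme the regex targets (eight random ASCII letters), not Impacket's own code, and every sample record is constructed rather than captured telemetry.

```python
import random
import re
import string
from typing import Dict, List

# Regex copied from the rule's TargetFilename|re field. In YAML single quotes the
# backslashes are literal, so "\\" matches one path separator and "\." a literal dot.
TARGET_RE = re.compile(r'^C:\\Windows\\[A-Za-z]{8}\.exe$')


def matches_rule(event: Dict[str, str]) -> bool:
    """Apply both selection criteria of the rule to one file_event record.

    Sigma's |endswith modifier is case-insensitive by default, hence .lower().
    The |re modifier is case-sensitive, so the regex is applied as written.
    """
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    return image.lower().endswith("system") and TARGET_RE.match(target) is not None


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the records that would raise this rule."""
    return [e for e in events if matches_rule(e)]


def psexec_style_name() -> str:
    """Approximation (assumption, not Impacket's code) of the eight-letter
    random service binary name the regex is written to catch."""
    return "".join(random.choices(string.ascii_letters, k=8)) + ".exe"


# Constructed sample records (not real telemetry) covering the hit and the near-misses.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # psexec.py-style upload over ADMIN$: written by System, eight random letters -> hit
    {"Image": "System", "TargetFilename": r"C:\Windows\kMvHbTpQ.exe"},
    # Same name shape but dropped by a user-mode process -> Image clause fails
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\Windows\kMvHbTpQ.exe"},
    # explorer.exe is also eight letters; the regex alone would match it, which is
    # why the Image clause matters. Here it is written by servicing, not System.
    {"Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\explorer.exe"},
    # Nested path: the regex anchors on the Windows root, not a subdirectory
    {"Image": "System", "TargetFilename": r"C:\Windows\Temp\abcdefgh.exe"},
    # Mixed-case prefix: the case-sensitive regex misses this (constructed edge case)
    {"Image": "System", "TargetFilename": r"c:\windows\AbCdEfGh.exe"},
    # Digits in the name fall outside [A-Za-z]
    {"Image": "System", "TargetFilename": r"C:\Windows\abcd1234.exe"},
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```

Two practical notes fall out of the samples. Because the regex is case-sensitive, a pipeline that lowercases paths before matching, or a sensor that emits `c:\windows\...`, will silently drop the hit unless the backend compiles `|re` with a case-insensitive flag. And the `explorer.exe` record shows that the `Image` clause is what keeps legitimate eight-letter binaries in C:\Windows out of the alert; any tuning that loosens it should be paired with a corresponding tightening elsewhere.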
