Suspicious PsExec Execution - Zeek
Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise when PsExec is used for legitimate purposes or when an attacker uses a PsExec client other than the Sysinternals one.
Sigma rule
```yaml
title: Suspicious PsExec Execution - Zeek
id: f1b3a22a-45e6-4004-afb5-4291f9c21166
related:
    - id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
      type: derived
status: test
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
references:
    - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Samir Bousseaden, @neu5ron, Tim Shelton
date: 2020-04-02
modified: 2022-12-27
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: zeek
    service: smb_files
detection:
    selection:
        path|contains|all:
            - '\\'
            - '\IPC$'
        name|endswith:
            - '-stdin'
            - '-stdout'
            - '-stderr'
    filter:
        name|startswith: 'PSEXESVC'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
```
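To make the rule's matching logic concrete, the following is an added example (not Zeek's, SigmaHQ's, or the rule authors' code) that applies the `selection and not filter` condition to a few constructed Zeek `smb_files` JSON log lines. The sample events, hostnames, UIDs and pipe names are made up for the example; the field names (`path`, `name`, `uid`) are the standard Zeek `smb_files.log` columns the rule's logsource refers to. String matching is done case-insensitively, mirroring the default behaviour most Sigma backends apply to `contains`, `endswith` and `startswith`.

```python
"""Reference implementation of the Sigma condition for the
'Suspicious PsExec Execution - Zeek' rule, run over constructed
Zeek smb_files JSON log lines (example code, not the project's own)."""
import json

# Constructed sample lines in Zeek's JSON log format (smb_files.log).
# Only the columns the rule needs plus a few for context are included.
SAMPLE_SMB_FILES = r'''
{"ts":1680000000.10,"uid":"CAbc1","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.5","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.5\\IPC$","name":"PSEXESVC-WS01-4321-stdin"}
{"ts":1680000001.20,"uid":"CAbc2","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.5","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.5\\IPC$","name":"winupdate-WS01-9911-stdout"}
{"ts":1680000002.30,"uid":"CAbc3","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.5","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.5\\C$","name":"report-stderr"}
{"ts":1680000003.40,"uid":"CAbc4","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.5","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.5\\IPC$","name":"srvsvc"}
{"ts":1680000004.50,"uid":"CAbc5","id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.5","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.5\\IPC$","name":"PAExec-1234-WS02-stderr"}
'''

# Rule terms, transcribed from the YAML above.
PATH_MUST_CONTAIN = ("\\\\", "\\IPC$")            # path|contains|all
NAME_SUFFIXES = ("-stdin", "-stdout", "-stderr")   # name|endswith
FILTER_PREFIX = "PSEXESVC"                          # filter: name|startswith


def selection(event: dict) -> bool:
    """True when the event opens a *-stdin/-stdout/-stderr pipe on an IPC$ share."""
    path = event.get("path", "").lower()
    name = event.get("name", "").lower()
    return (all(tok.lower() in path for tok in PATH_MUST_CONTAIN)
            and name.endswith(NAME_SUFFIXES))


def filter_(event: dict) -> bool:
    """True for the stock Sysinternals service name, which the rule excludes."""
    return event.get("name", "").lower().startswith(FILTER_PREFIX.lower())


def matches(event: dict) -> bool:
    """The Sigma condition: selection and not filter."""
    return selection(event) and not filter_(event)


def run(log_text: str) -> list:
    """Parse JSON log lines and return the events that fire the rule."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if matches(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in run(SAMPLE_SMB_FILES):
        print(f"{hit['uid']} {hit['id.orig_h']} -> {hit['id.resp_h']} "
              f"{hit['path']} pipe={hit['name']}")
```

Running this on the sample data reports only `CAbc2` (a renamed service, `winupdate-...-stdout`) and `CAbc5` (a PAExec-style name): the stock `PSEXESVC-...` pipe is removed by the filter, the `C$` access never satisfies the `\IPC$` path term, and `srvsvc` lacks the stdio suffix. Because the exclusion is purely name-based, a deployment that expects the default service name to appear only on approved hosts would still want a separate, lower-severity rule for the filtered events rather than discarding them.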
Related rules
- Access To ADMIN$ Network Share
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Copy From Or To Admin Share Or Sysvol Folder
- DCERPC SMB Spoolss Named Pipe