Suspicious PsExec Execution - Zeek
Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise when PsExec is used for legitimate purposes, or when an attacker uses a PsExec client other than the Sysinternals one.
Sigma rule
```yaml
title: Suspicious PsExec Execution - Zeek
id: f1b3a22a-45e6-4004-afb5-4291f9c21166
related:
    - id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
      type: derived
status: test
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
references:
    - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Samir Bousseaden, @neu5ron, Tim Shelton
date: 2020/04/02
modified: 2022/12/27
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    product: zeek
    service: smb_files
detection:
    selection:
        path|contains|all:
            - '\\'
            - '\IPC$'
        name|endswith:
            - '-stdin'
            - '-stdout'
            - '-stderr'
    filter:
        name|startswith: 'PSEXESVC'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
```
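The rule's logic, applied to a few constructed Zeek `smb_files.log` records, as an added example (this is not code from the Sigma project or the rule authors): the selection keeps files opened on an `IPC$` share whose names end in `-stdin`, `-stdout` or `-stderr` (the named pipes a PsExec-style service creates for redirected I/O), and the filter drops the stock Sysinternals service name `PSEXESVC`, so only renamed or third-party clients remain. Sigma string matching is case-insensitive, and the single-quoted `'\\'` in the rule denotes one literal backslash; both are reflected below. The hosts, UIDs and pipe names in the sample log are invented.

```python
import json

# Constructed sample lines in Zeek's JSON smb_files.log format.
# Hosts, uids and pipe names are hypothetical, not a real capture.
SAMPLE_LOG = r'''
{"ts":1700000000.10,"uid":"CHfj1a1","id.orig_h":"10.0.0.20","id.resp_h":"10.0.0.5","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.5\\IPC$","name":"PSEXESVC-WS01-1234-stdin"}
{"ts":1700000000.20,"uid":"CHfj1a2","id.orig_h":"10.0.0.20","id.resp_h":"10.0.0.5","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.5\\IPC$","name":"remcom-WS01-5678-stdout"}
{"ts":1700000000.30,"uid":"CHfj1a3","id.orig_h":"10.0.0.21","id.resp_h":"10.0.0.5","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.5\\finance","name":"quarterly.xlsx"}
{"ts":1700000000.40,"uid":"CHfj1a4","id.orig_h":"10.0.0.22","id.resp_h":"10.0.0.6","action":"SMB::FILE_OPEN","path":"\\\\FS01\\IPC$","name":"svc-stderr"}
{"ts":1700000000.50,"uid":"CHfj1a5","id.orig_h":"10.0.0.22","id.resp_h":"10.0.0.5","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.5\\logs","name":"build-stdout"}
{"ts":1700000000.60,"uid":"CHfj1a6","id.orig_h":"10.0.0.23","id.resp_h":"10.0.0.5","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.5\\IPC$","name":"psexesvc-ws02-99-stderr"}
'''

# name|endswith values from the rule
PIPE_SUFFIXES = ("-stdin", "-stdout", "-stderr")


def selection(record: dict) -> bool:
    """Sigma 'selection': path contains a backslash and '\\IPC$', name ends with a pipe suffix."""
    path = str(record.get("path", "")).lower()
    name = str(record.get("name", "")).lower()
    # path|contains|all: '\\' (one literal backslash) and '\IPC$'
    on_ipc_share = "\\" in path and "\\ipc$" in path
    return on_ipc_share and name.endswith(PIPE_SUFFIXES)


def filter_psexesvc(record: dict) -> bool:
    """Sigma 'filter': the unrenamed Sysinternals service name."""
    return str(record.get("name", "")).lower().startswith("psexesvc")


def matches_rule(record: dict) -> bool:
    """condition: selection and not filter"""
    return selection(record) and not filter_psexesvc(record)


def iter_records(log_text: str):
    """Yield one dict per non-empty JSON line of a Zeek log."""
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def hunt(log_text: str) -> list:
    """Return the records the rule would alert on, in log order."""
    return [r for r in iter_records(log_text) if matches_rule(r)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["id.orig_h"]} -> {hit["id.resp_h"]} '
              f'{hit["path"]} {hit["name"]}')
```

Run against the sample, only the `remcom-…-stdout` and `svc-stderr` pipes are reported: the two `PSEXESVC`/`psexesvc` names are filtered regardless of case, the spreadsheet fails the name test, and `build-stdout` fails the path test because it was opened on a file share rather than `IPC$`.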
References
- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
Related rules
- First Time Seen Remote Named Pipe - Zeek
- Potential DCOM InternetExplorer.Application DLL Hijack
- DCERPC SMB Spoolss Named Pipe
- Impacket PsExec Execution
- Remote Service Activity via SVCCTL Named Pipe