Metasploit Or Impacket Service Installation Via SMB PsExec

Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation

Sigma rule

```yaml
title: Metasploit Or Impacket Service Installation Via SMB PsExec
id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
author: Bartlomiej Czyz, Relativity
date: 2021/01/21
modified: 2022/03/21
references:
    - https://bczyz1.github.io/2021/01/30/psexec.html
tags:
    - attack.lateral_movement
    - attack.t1021.002
    - attack.t1570
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_1:
        ImagePath|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$'
        ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'
        StartType: '3'  # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697
        ServiceType: '0x10'
    filter:
        ServiceName: 'PSEXESVC'
    condition: selection and selection_1 and not filter
fields:
    - ComputerName
    - SubjectDomainName
    - SubjectUserName
    - ServiceName
    - ServiceFileName
falsepositives:
    - Possible, different agents with an 8 character binary and a 4, 8 or 16 character service name
level: high
status: unsupported
```
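As an added example (not part of the Sigma rule or of the referenced project), the following Python applies the rule's `selection`, `selection_1` and `filter` logic to a few constructed System-log 7045 events; the event dictionaries, service names and binary names are made up.

```python
import re

# Regexes copied from the rule's selection_1 (matched case-sensitively,
# as a plain `re` modifier is written).
IMAGE_PATH_RE = re.compile(r'^%systemroot%\\[a-zA-Z]{8}\.exe$')
SERVICE_NAME_RE = re.compile(r'(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)')


def matches_rule(event: dict) -> bool:
    """True when a System-log event satisfies
    `selection and selection_1 and not filter`."""
    # selection: a service-installation event written by the SCM
    if event.get("Provider_Name") != "Service Control Manager":
        return False
    if str(event.get("EventID")) != "7045":
        return False
    # selection_1: random 8-letter binary directly under %systemroot%,
    # 4/8/16-letter service name, on-demand start, Win32 own-process service
    if not IMAGE_PATH_RE.search(event.get("ImagePath", "")):
        return False
    if not SERVICE_NAME_RE.search(event.get("ServiceName", "")):
        return False
    if str(event.get("StartType")) != "3" or event.get("ServiceType") != "0x10":
        return False
    # filter: the genuine Sysinternals PsExec service name is excluded
    return event.get("ServiceName") != "PSEXESVC"


# Constructed sample events (not real telemetry); the names are random filler.
SAMPLE_EVENTS = [
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "XKqzPWlt", "ImagePath": r"%systemroot%\NTqbmwAR.exe",
     "StartType": 3, "ServiceType": "0x10"},   # Metasploit/Impacket-style
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%systemroot%\PSEXESVC.exe",
     "StartType": 3, "ServiceType": "0x10"},   # matches selection_1, dropped by filter
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "BackupAgent",
     "ImagePath": r"C:\Program Files\Backup\agent.exe",
     "StartType": 2, "ServiceType": "0x10"},   # ordinary software install
]


def alerts(events) -> list:
    """Service names of the events the rule would alert on."""
    return [e["ServiceName"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # ['XKqzPWlt']
```

The example matches the regexes exactly as written, i.e. case-sensitively; confirm how your Sigma backend treats the `re` modifier and how `ImagePath` is cased in your logs before relying on the literal `%systemroot%`.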
