Impacket PsExec Execution
Detects execution of Impacket's psexec.py.
Sigma rule
```yaml
title: Impacket PsExec Execution
id: 32d56ea1-417f-44ff-822b-882873f5f43b
status: test
description: Detects execution of Impacket's psexec.py.
references:
    - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Bhabesh Raj
date: 2020-12-14
modified: 2022-09-22
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection1:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName|contains:
            - 'RemCom_stdin'
            - 'RemCom_stdout'
            - 'RemCom_stderr'
    condition: selection1
falsepositives:
    - Unknown
level: high
```
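The rule's `selection1` logic applied to exported Security-log records, as an added example (not part of the rule or its repository). The `IpAddress` field used for reporting, the function names and all sample records are assumptions constructed for illustration.

```python
# Added example: evaluates the rule's selection1 against Security-log records.
# Field names follow the rule; IpAddress and the sample events are assumptions.

PIPE_MARKERS = ("remcom_stdin", "remcom_stdout", "remcom_stderr")
IPC_SHARE = r"\\*\IPC$"  # literal string the rule's escaped ShareName stands for


def matches_rule(event: dict) -> bool:
    """True when an event satisfies selection1 (Sigma string matches ignore case)."""
    try:
        if int(event.get("EventID", 0)) != 5145:
            return False
    except (TypeError, ValueError):
        return False  # malformed EventID: cannot be a 5145 record
    if str(event.get("ShareName", "")).lower() != IPC_SHARE.lower():
        return False
    target = str(event.get("RelativeTargetName", "")).lower()
    return any(marker in target for marker in PIPE_MARKERS)


def hunt(events):
    """Return (source address, pipe name) for every matching event."""
    return [(e.get("IpAddress", "-"), e["RelativeTargetName"])
            for e in events if matches_rule(e)]


# Constructed sample records (not taken from any real log).
SAMPLE_EVENTS = [
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "IpAddress": "10.0.0.23",
     "RelativeTargetName": "RemCom_stdinABCD1234"},
    # EventID exported as a string, mixed case: still a match.
    {"EventID": "5145", "ShareName": r"\\*\ipc$", "IpAddress": "10.0.0.23",
     "RelativeTargetName": "remcom_stdoutABCD1234"},
    # Ordinary pipe access on IPC$: same event ID and share, no RemCom marker.
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "IpAddress": "10.0.0.40",
     "RelativeTargetName": "srvsvc"},
    # RemCom-like name on ADMIN$: the share does not match.
    {"EventID": 5145, "ShareName": r"\\*\ADMIN$", "IpAddress": "10.0.0.23",
     "RelativeTargetName": "RemCom_stderr.txt"},
    # Event 5140 (share accessed) carries no RelativeTargetName.
    {"EventID": 5140, "ShareName": r"\\*\IPC$", "IpAddress": "10.0.0.23"},
]

if __name__ == "__main__":
    for source, pipe in hunt(SAMPLE_EVENTS):
        print(f"possible Impacket psexec.py pipe from {source}: {pipe}")
```

If no 5145 records exist at all, check the "Audit Detailed File Share" setting named in the rule's `logsource.definition` before concluding there are no hits.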
Related rules
- Access To ADMIN$ Network Share
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Copy From Or To Admin Share Or Sysvol Folder
- DCERPC SMB Spoolss Named Pipe