Impacket PsExec Execution

Detects execution of Impacket's psexec.py.

Sigma rule

title: Impacket PsExec Execution
id: 32d56ea1-417f-44ff-822b-882873f5f43b
status: test
description: Detects execution of Impacket's psexec.py.
references:
    - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Bhabesh Raj
date: 2020/12/14
modified: 2022/09/22
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection1:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName|contains:
            - 'RemCom_stdin'
            - 'RemCom_stdout'
            - 'RemCom_stderr'
    condition: selection1
falsepositives:
    - Unknown
level: high
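As an added example (not part of the rule above or of the Sigma project), the following Python matcher applies this selection's semantics to constructed Security-log records: it honours Sigma's escaping of the asterisk in the ShareName value (so the pattern is an exact, case-insensitive match for the literal \\*\IPC$ that a 5145 event carries) and the substring semantics of the contains modifier. The sample records, the RemCom_ pipe suffix and the field names are assumptions for illustration.

```python
import re
# Selection copied from the Sigma rule above; string values keep Sigma's escaping.
SELECTION1 = {
    "EventID": 5145,
    "ShareName": r"\\\\\*\\IPC$",  # Sigma literal \\*\IPC$: escaped asterisk, so no wildcard
    "RelativeTargetName|contains": ["RemCom_stdin", "RemCom_stdout", "RemCom_stderr"],
}

def sigma_to_regex(pattern: str) -> re.Pattern:
    """Sigma string semantics: unescaped * and ? are wildcards, \\* \\? \\\\ are literals."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "\\*?":
            out.append(re.escape(pattern[i + 1]))
            i += 2
        else:
            out.append({"*": ".*", "?": "."}.get(ch, re.escape(ch)))
            i += 1
    return re.compile("".join(out), re.IGNORECASE)  # Sigma matching is case-insensitive

def field_matches(spec: str, expected, event: dict) -> bool:
    """One selection entry; a list of values is OR-ed, as in Sigma."""
    field, _, modifier = spec.partition("|")
    if (actual := event.get(field)) is None:
        return False
    for value in (expected if isinstance(expected, list) else [expected]):
        if isinstance(value, int):
            hit = actual == value
        elif modifier == "contains":
            hit = value.lower() in str(actual).lower()
        else:
            hit = sigma_to_regex(value).fullmatch(str(actual)) is not None
        if hit:
            return True
    return False

def matches_rule(event: dict) -> bool:
    # condition: selection1 -> every field of the selection must match (AND)
    return all(field_matches(k, v, event) for k, v in SELECTION1.items())

# Constructed Security-log records (not real telemetry); in a 5145 event ShareName is literally \\*\IPC$
SAMPLE_EVENTS = [
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc"},  # benign IPC$ use
    {"EventID": 5145, "ShareName": r"\\*\IPC$", "RelativeTargetName": "RemCom_stdinWS01123"},  # fires
    {"EventID": 5145, "ShareName": r"\\*\C$", "RelativeTargetName": "RemCom_stdout"},  # wrong share
    {"EventID": 5140, "ShareName": r"\\*\IPC$", "RelativeTargetName": "RemCom_stderr"},  # no Detailed File Share audit
]
def alerts(events: list) -> list:
    return [e["RelativeTargetName"] for e in events if matches_rule(e)]
```

The fourth record shows why the logsource definition matters: without "Audit Detailed File Share" enabled, the host emits only 5140 share-connect events, which carry no RelativeTargetName and never satisfy the selection.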
