Metasploit Or Impacket Service Installation Via SMB PsExec

Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation

Sigma rule (View on GitHub)

 1title: Metasploit Or Impacket Service Installation Via SMB PsExec
 2id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442
 3related:
 4    - id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
 5      type: derived
 6status: test
 7description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
 8references:
 9    - https://bczyz1.github.io/2021/01/30/psexec.html
10author: Bartlomiej Czyz, Relativity
11date: 2021-01-21
12modified: 2022-10-05
13tags:
14    - attack.lateral-movement
15    - attack.t1021.002
16    - attack.t1570
17    - attack.execution
18    - attack.t1569.002
19logsource:
20    product: windows
21    service: security
22    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
23detection:
24    selection:
25        EventID: 4697
26        ServiceFileName|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$'
27        ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'
28        ServiceStartType: 3  # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697
29        ServiceType: '0x10'
30    filter:
31        ServiceName: 'PSEXESVC'
32    condition: selection and not filter
33fields:
34    - ComputerName
35    - SubjectDomainName
36    - SubjectUserName
37    - ServiceName
38    - ServiceFileName
39falsepositives:
40    - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
41level: high

References

Related rules

to-top