Metasploit Or Impacket Service Installation Via SMB PsExec
Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
Sigma rule (View on GitHub)
1title: Metasploit Or Impacket Service Installation Via SMB PsExec
2id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442
3related:
4 - id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
5 type: derived
6status: test
7description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
8references:
9 - https://bczyz1.github.io/2021/01/30/psexec.html
10author: Bartlomiej Czyz, Relativity
11date: 2021-01-21
12modified: 2022-10-05
13tags:
14 - attack.lateral-movement
15 - attack.t1021.002
16 - attack.t1570
17 - attack.execution
18 - attack.t1569.002
19logsource:
20 product: windows
21 service: security
22 definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
23detection:
24 selection:
25 EventID: 4697
26 ServiceFileName|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$'
27 ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'
28 ServiceStartType: 3 # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697
29 ServiceType: '0x10'
30 filter:
31 ServiceName: 'PSEXESVC'
32 condition: selection and not filter
33fields:
34 - ComputerName
35 - SubjectDomainName
36 - SubjectUserName
37 - ServiceName
38 - ServiceFileName
39falsepositives:
40 - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
41level: high
References
Related rules
- Rundll32 Execution Without Parameters
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- PUA - CSExec Default Named Pipe
- PUA - RemCom Default Named Pipe