Suspicious PsExec Execution
Detects execution of PsExec or PAExec with a renamed service name. This rule helps filter out the noise when PsExec is used for legitimate purposes or when an attacker uses a PsExec client other than the Sysinternals one.
Sigma rule
title: Suspicious PsExec Execution
id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
status: test
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
references:
    - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2022-08-11
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection1:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName|endswith:
            - '-stdin'
            - '-stdout'
            - '-stderr'
    filter:
        RelativeTargetName|startswith: 'PSEXESVC'
    condition: selection1 and not filter
falsepositives:
    - Unknown
level: high
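To make the detection logic concrete, the following is an added example (not code from the Sigma project or the rule author) that evaluates `selection1 and not filter` over a handful of constructed Event ID 5145 records. It assumes a small `Event5145` record type with an `ip_address` field for triage grouping; the field names beyond those the rule references are illustrative. Two points it makes explicit: the `ShareName` value is the literal string `\\*\IPC$` that Windows writes for IPC$ access (the rule's `'\\\\\*\\IPC$'` is Sigma escaping for it), and Sigma's `startswith`/`endswith` modifiers and plain equality are case-insensitive by default, so the comparisons lowercase both sides.

```python
"""Evaluate the 'Suspicious PsExec Execution' logic over constructed Event ID 5145 records.

Added example, not part of the Sigma project. All event records below are constructed.
Sigma string comparisons (equality, endswith, startswith) are case-insensitive by default,
so every comparison here lowercases both sides to match what a Sigma backend would do.
"""

from collections import defaultdict
from dataclasses import dataclass

# Windows writes this literal value into the ShareName field of Event ID 5145 when the
# IPC$ share is accessed; the rule's '\\\\\*\\IPC$' is Sigma escaping for this string.
IPC_SHARE = r"\\*\IPC$"
PIPE_SUFFIXES = ("-stdin", "-stdout", "-stderr")
DEFAULT_SERVICE_PREFIX = "psexesvc"  # stock Sysinternals PsExec service / pipe name


@dataclass
class Event5145:
    """Subset of Event ID 5145 fields the rule consults, plus two assumed fields for triage."""
    event_id: int
    share_name: str
    relative_target_name: str
    ip_address: str = ""          # client address (assumed field name, for grouping only)
    subject_user_name: str = ""   # assumed field name, for context only


def selection1(ev: Event5145) -> bool:
    """selection1: EventID 5145, IPC$ share, named pipe ending in -stdin/-stdout/-stderr."""
    return (
        ev.event_id == 5145
        and ev.share_name.lower() == IPC_SHARE.lower()
        and ev.relative_target_name.lower().endswith(PIPE_SUFFIXES)
    )


def psexesvc_filter(ev: Event5145) -> bool:
    """filter: the pipe name starts with the default PSEXESVC service name."""
    return ev.relative_target_name.lower().startswith(DEFAULT_SERVICE_PREFIX)


def is_suspicious(ev: Event5145) -> bool:
    """condition: selection1 and not filter"""
    return selection1(ev) and not psexesvc_filter(ev)


def service_name(ev: Event5145) -> str:
    """Drop the -stdin/-stdout/-stderr suffix to recover the remote service's pipe base name."""
    return ev.relative_target_name.rsplit("-", 1)[0]


def find_suspicious(events):
    """Return the events the rule would alert on, in input order."""
    return [ev for ev in events if is_suspicious(ev)]


def suspicious_by_source(events):
    """Group alerts by client IP so one PsExec-style session appears as one triage item."""
    grouped = defaultdict(set)
    for ev in find_suspicious(events):
        grouped[ev.ip_address].add(service_name(ev))
    return {ip: sorted(names) for ip, names in grouped.items()}


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Stock Sysinternals PsExec: matched by selection1 but removed by the filter.
    Event5145(5145, r"\\*\IPC$", "PSEXESVC-WS01-1234-stdin", "10.0.0.5", "admin"),
    Event5145(5145, r"\\*\IPC$", "PSEXESVC-WS01-1234-stdout", "10.0.0.5", "admin"),
    # Renamed service name: same pipe pattern, filter does not apply, so it fires.
    Event5145(5145, r"\\*\IPC$", "svchelper-WS01-5678-stdin", "10.0.0.9", "jdoe"),
    Event5145(5145, r"\\*\IPC$", "svchelper-WS01-5678-stderr", "10.0.0.9", "jdoe"),
    # PAExec uses its own pipe prefix rather than PSEXESVC, so it also fires.
    Event5145(5145, r"\\*\IPC$", "PAExec-4321-WS02-stdout", "10.0.0.9", "jdoe"),
    # Ordinary IPC$ pipe traffic without the stdin/stdout/stderr suffix: no match.
    Event5145(5145, r"\\*\IPC$", "svcctl", "10.0.0.7", "svc_backup"),
    # Same pipe name on a different event ID (5140 is the less detailed share event): no match.
    Event5145(5140, r"\\*\IPC$", "svchelper-WS01-5678-stdin", "10.0.0.9", "jdoe"),
    # Executable copy to ADMIN$ is the territory of a related rule, not this one.
    Event5145(5145, r"\\*\ADMIN$", "PSEXESVC.exe", "10.0.0.5", "admin"),
]


if __name__ == "__main__":
    for ip, names in suspicious_by_source(SAMPLE_EVENTS).items():
        print(f"{ip}: {', '.join(names)}")
```

Running it on the sample set reports only the 10.0.0.9 session with two service names (the renamed one and the PAExec one); the stock `PSEXESVC-*` pipes on 10.0.0.5 are dropped by the filter, which is exactly the noise reduction the description promises. Note that the rule only sees these events at all when the "Audit Detailed File Share" policy named in the `logsource.definition` is enabled, so an absent alert on an unaudited host means nothing.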
Related rules
- Access To ADMIN$ Network Share
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Copy From Or To Admin Share Or Sysvol Folder
- DCERPC SMB Spoolss Named Pipe