Suspicious PsExec Execution

Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes, or if an attacker uses a PsExec client other than the Sysinternals one.

Sigma rule

title: Suspicious PsExec Execution
id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
status: test
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
references:
    - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Samir Bousseaden
date: 2019/04/03
modified: 2022/08/11
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection1:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName|endswith:
            - '-stdin'
            - '-stdout'
            - '-stderr'
    filter:
        RelativeTargetName|startswith: 'PSEXESVC'
    condition: selection1 and not filter
falsepositives:
    - Unknown
level: high
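To show how the condition `selection1 and not filter` behaves, here is an added evaluator that applies the rule's logic to a few constructed Event ID 5145 records. It is example code written for this page, not part of the Sigma project or the rule author's tooling; the hostnames, PIDs and service names in the sample records are made up, and Sigma's default case-insensitive string matching is assumed.

```python
# Added example: a minimal evaluator for this rule's detection logic over
# constructed Event ID 5145 records (not Sigma project code).
from typing import Iterable

# Field values taken from the rule. Sigma unescapes '\\\\\*\\IPC$' to the
# literal string '\\*\IPC$' (the '*' is escaped, so it is a literal asterisk,
# not a wildcard), which is how Windows logs the IPC$ share name.
SHARE_NAME = r"\\*\IPC$"
PIPE_SUFFIXES = ("-stdin", "-stdout", "-stderr")
DEFAULT_SERVICE_PREFIX = "PSEXESVC"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'selection1 and not filter'.

    Sigma's plain equality and the endswith/startswith modifiers are
    case-insensitive by default, so every comparison is done on lowercase.
    """
    if event.get("EventID") != 5145:
        return False
    share = str(event.get("ShareName", "")).lower()
    target = str(event.get("RelativeTargetName", "")).lower()
    selection1 = share == SHARE_NAME.lower() and target.endswith(PIPE_SUFFIXES)
    filtered = target.startswith(DEFAULT_SERVICE_PREFIX.lower())
    return selection1 and not filtered


def alerts(events: Iterable[dict]) -> list:
    """Return the RelativeTargetName of every event the rule would fire on."""
    return [e["RelativeTargetName"] for e in events if matches_rule(e)]


# Constructed sample records (hostnames, PIDs and service names are made up).
SAMPLE_EVENTS = [
    # Stock Sysinternals PsExec: default service name, suppressed by the filter.
    {"EventID": 5145, "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "PSEXESVC-WKSTN01-4242-stdin"},
    # PsExec run with a renamed service: not filtered, so the rule fires.
    {"EventID": 5145, "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "UPDATESVC-WKSTN01-4242-stdout"},
    # A non-Sysinternals client using its own pipe naming: fires as well.
    {"EventID": 5145, "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "PAExec-1337-WKSTN01-stderr"},
    # Same pipe suffix but on an admin share rather than IPC$: selection1 fails.
    {"EventID": 5145, "ShareName": r"\\*\C$",
     "RelativeTargetName": "UPDATESVC-WKSTN01-4242-stdin"},
    # Wrong event ID: the rule only looks at Detailed File Share events (5145).
    {"EventID": 5140, "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "UPDATESVC-WKSTN01-4242-stdin"},
]

if __name__ == "__main__":
    for name in alerts(SAMPLE_EVENTS):
        print("ALERT:", name)
```

Only the second and third records produce an alert; the stock PsExec pipe is dropped by the `PSEXESVC` filter, which is the noise reduction the description refers to.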
