Suspicious PsExec Execution
Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise when PsExec is used for legitimate purposes, and still fires if an attacker uses a PsExec client other than the Sysinternals one.
Sigma rule (View on GitHub)
title: Suspicious PsExec Execution
id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
status: test
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
references:
    - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Samir Bousseaden
date: 2019/04/03
modified: 2022/08/11
tags:
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection1:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName|endswith:
            - '-stdin'
            - '-stdout'
            - '-stderr'
    filter:
        RelativeTargetName|startswith: 'PSEXESVC'
    condition: selection1 and not filter
falsepositives:
    - Unknown
level: high
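The following is an added example, not part of the Sigma project or of this rule page: a small evaluator that applies the rule's selection1 / filter / condition logic to Windows Security event 5145 records exported as dicts (the shape a JSON log shipper would produce). Every event record in it is constructed; the host names, PIDs, user names, addresses and the renamed service name "winupdsvc" are made up for illustration, and the field names follow the rule's own (EventID, ShareName, RelativeTargetName). It shows which records the rule alerts on and which the PSEXESVC filter suppresses.

```python
# Added example (not from the Sigma project or the rule page): evaluate this
# rule's logic against constructed Windows Security event 5145 records.
from typing import Iterable

RULE_ID = "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82"

# The rule's escaped ShareName value resolves to the literal string \\*\IPC$
IPC_SHARE = r"\\*\IPC$"
# RelativeTargetName|endswith: the three named pipes PsExec-style tools open
PSEXEC_PIPE_SUFFIXES = ("-stdin", "-stdout", "-stderr")
# filter: default service/pipe name prefix of Sysinternals PsExec
DEFAULT_PSEXEC_PREFIX = "psexesvc"


def matches_selection1(event: dict) -> bool:
    """selection1: EventID 5145 on the IPC$ share with a -stdin/-stdout/-stderr pipe.

    Sigma string matching is case-insensitive, so values are lower-cased.
    """
    if event.get("EventID") != 5145:
        return False
    share = str(event.get("ShareName", "")).lower()
    target = str(event.get("RelativeTargetName", "")).lower()
    return share == IPC_SHARE.lower() and target.endswith(PSEXEC_PIPE_SUFFIXES)


def matches_filter(event: dict) -> bool:
    """filter: the pipe name starts with PSEXESVC (unrenamed Sysinternals PsExec)."""
    target = str(event.get("RelativeTargetName", "")).lower()
    return target.startswith(DEFAULT_PSEXEC_PREFIX)


def rule_matches(event: dict) -> bool:
    """condition: selection1 and not filter."""
    return matches_selection1(event) and not matches_filter(event)


def find_suspicious(events: Iterable[dict]) -> list:
    """Return the events this rule would alert on, in input order."""
    return [ev for ev in events if rule_matches(ev)]


# Constructed sample events. The pipe layout <service>-<host>-<pid>-<stream>
# follows what the referenced blog post describes for PsExec; hosts, PIDs,
# users, addresses and the "winupdsvc" service name are invented.
SAMPLE_EVENTS = [
    {   # Sysinternals PsExec with its default service name: hits selection1
        # but is removed by the filter, so no alert
        "EventID": 5145, "ShareName": r"\\*\IPC$",
        "RelativeTargetName": "PSEXESVC-WKSTN01-5120-stdin",
        "IpAddress": "192.0.2.10", "SubjectUserName": "jdoe",
    },
    {   # same pipe layout but a renamed service: alert
        "EventID": 5145, "ShareName": r"\\*\IPC$",
        "RelativeTargetName": "winupdsvc-WKSTN01-5120-stdout",
        "IpAddress": "192.0.2.10", "SubjectUserName": "jdoe",
    },
    {   # a different share: selection1 does not match
        "EventID": 5145, "ShareName": r"\\*\ADMIN$",
        "RelativeTargetName": "winupdsvc-WKSTN01-5120-stdout",
        "IpAddress": "192.0.2.10", "SubjectUserName": "jdoe",
    },
    {   # ordinary IPC$ traffic to another named pipe: no match
        "EventID": 5145, "ShareName": r"\\*\IPC$",
        "RelativeTargetName": "srvsvc",
        "IpAddress": "192.0.2.11", "SubjectUserName": "svc_backup",
    },
    {   # event 5140 (share accessed) instead of 5145: selection1 requires the
        # Detailed File Share event, which needs the audit policy from the rule
        "EventID": 5140, "ShareName": r"\\*\IPC$",
        "RelativeTargetName": "winupdsvc-WKSTN01-5120-stderr",
        "IpAddress": "192.0.2.10", "SubjectUserName": "jdoe",
    },
]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"[{RULE_ID}] {hit['IpAddress']} {hit['SubjectUserName']} "
              f"-> {hit['RelativeTargetName']}")
```

Run as a script it prints one line, for the renamed-service record. The same source (default PsExec) is silently filtered, which is the design trade-off of this rule: it buys low noise at the cost of missing an attacker who keeps the default PSEXESVC name, so it is best paired with a separate rule or baseline for unrenamed PsExec use.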
References
- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
Related rules
- DCERPC SMB Spoolss Named Pipe
- Impacket PsExec Execution
- Remote Service Activity via SVCCTL Named Pipe
- SMB Spoolss Name Piped Usage
- Denied Access To Remote Desktop