CSExec Service Installation
Detects CSExec service installation and execution events
Sigma rule
title: CSExec Service Installation
id: a27e5fa9-c35e-4e3d-b7e0-1ce2af66ad12
status: test
description: Detects CSExec service installation and execution events
references:
    - https://github.com/malcomvetter/CSExec
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-07
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ServiceName: 'csexecsvc'
        - ImagePath|endswith: '\csexecsvc.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
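The rule's condition combines two selections: `selection_eid` is a map, so both of its fields must match, while `selection_service` is a list, so either item is enough. The following is an added example, not part of the rule or of the Sigma project's code, that applies that logic to constructed System-log events; the function names, labels and event values are assumptions made for illustration.

```python
# Added example: the rule's detection logic applied to constructed events.
# Field names come from the rule; every event below is constructed sample data.

def selection_eid(e):
    # Map selection: all fields must match (AND).
    return (str(e.get("Provider_Name", "")).lower() == "service control manager"
            and str(e.get("EventID")) == "7045")

def selection_service(e):
    # List selection: any item may match (OR). Sigma compares strings
    # case-insensitively unless a modifier says otherwise.
    name = str(e.get("ServiceName", "")).lower()
    path = str(e.get("ImagePath", "")).lower()
    return name == "csexecsvc" or path.endswith("\\csexecsvc.exe")

def rule_matches(e):
    # condition: all of selection_*
    return selection_eid(e) and selection_service(e)

SCM = "Service Control Manager"
SAMPLE_EVENTS = [  # constructed, not taken from real logs
    {"label": "default name and binary", "Provider_Name": SCM, "EventID": 7045,
     "ServiceName": "csexecsvc", "ImagePath": r"C:\Windows\csexecsvc.exe"},
    {"label": "other service name, same binary", "Provider_Name": SCM,
     "EventID": 7045, "ServiceName": "HelperSvc",
     "ImagePath": r"C:\Windows\CSExecSvc.exe"},
    {"label": "same service name, other binary", "Provider_Name": SCM,
     "EventID": 7045, "ServiceName": "CSEXECSVC",
     "ImagePath": r"C:\Windows\Temp\helper.exe"},
    {"label": "wrong event id", "Provider_Name": SCM, "EventID": 7036,
     "ServiceName": "csexecsvc", "ImagePath": r"C:\Windows\csexecsvc.exe"},
    {"label": "unrelated service install", "Provider_Name": SCM, "EventID": 7045,
     "ServiceName": "VendorAgent",
     "ImagePath": r"C:\Program Files\Vendor\agent.exe"},
]

def matching_labels(events):
    # Labels of the events the rule would alert on, in input order.
    return [e["label"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("HIT " if rule_matches(e) else "miss", e["label"])
```

The first three events alert because each satisfies at least one `selection_service` item together with `selection_eid`; the last two do not.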
Related rules
- CSExec Service File Creation
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- Credential Dumping Tools Service Execution - Security
- Credential Dumping Tools Service Execution - System