PsExec Service Installation
Detects PsExec service installation and execution events
Sigma rule
title: PsExec Service Installation
id: 42c575ea-e41e-41f1-b248-8093c3e82a28
status: test
description: Detects PsExec service installation and execution events
references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-12
modified: 2023-08-04
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ServiceName: 'PSEXESVC'
        - ImagePath|endswith: '\PSEXESVC.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
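The rule's condition evaluated by hand over sample events, as an added example that is not part of this page or the Sigma project: the function names (`matches_psexec_install`, `triage`) are hypothetical, the event dictionaries are constructed, and the field names are taken from the rule. It shows how `all of selection_*` combines an AND-ed field map with an OR-ed list, using Sigma's default case-insensitive string matching.

```python
# Added illustration: hand-written evaluation of the rule's detection block.
# Not output of a Sigma backend; all event dictionaries below are constructed.

def _eq(value, expected):
    # Sigma compares string values case-insensitively by default.
    return str(value).lower() == str(expected).lower()

def selection_eid(event):
    # A map of fields: every field must match (logical AND).
    return (_eq(event.get("Provider_Name", ""), "Service Control Manager")
            and str(event.get("EventID")) == "7045")

def selection_service(event):
    # A list of maps: any one item may match (logical OR).
    image = str(event.get("ImagePath", "")).lower()
    return (_eq(event.get("ServiceName", ""), "PSEXESVC")
            or image.endswith("\\psexesvc.exe"))

def matches_psexec_install(event):
    # condition: all of selection_*
    return selection_eid(event) and selection_service(event)

SCM = "Service Control Manager"
SAMPLE_EVENTS = [  # constructed samples
    # Both alternatives of selection_service match.
    {"Provider_Name": SCM, "EventID": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # Only ImagePath matches; case differs and EventID arrives as a string.
    {"Provider_Name": SCM, "EventID": "7045",
     "ServiceName": "Helper", "ImagePath": "C:\\Windows\\psexesvc.exe"},
    # The suffix includes the backslash, so a longer file name does not match.
    {"Provider_Name": SCM, "EventID": 7045,
     "ServiceName": "Helper", "ImagePath": "C:\\Tools\\NOTPSEXESVC.exe"},
    # Right service name, but not a service installation event.
    {"Provider_Name": SCM, "EventID": 7036, "ServiceName": "PSEXESVC"},
    # Right event ID from a different provider, service fields missing.
    {"Provider_Name": "Example-Provider", "EventID": 7045},
]

def triage(events):
    return [matches_psexec_install(e) for e in events]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(hit, event.get("EventID"), event.get("ServiceName"))
```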
Related rules
- CSExec Service File Creation
- HackTool Service Registration or Execution
- PUA - NSudo Execution
- PUA - NirCmd Execution
- PUA - NirCmd Execution As LOCAL SYSTEM