PsExec Service File Creation
Detects default PsExec service filename which indicates PsExec service installation and execution
Sigma rule (View on GitHub)
1title: PsExec Service File Creation
2id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
3related:
4 - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
5 type: derived
6status: test
7description: Detects default PsExec service filename which indicates PsExec service installation and execution
8references:
9 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
10 - https://jpcertcc.github.io/ToolAnalysisResultSheet
11author: Thomas Patzke
12date: 2017-06-12
13modified: 2022-10-26
14tags:
15 - attack.execution
16 - attack.t1569.002
17 - attack.s0029
18logsource:
19 category: file_event
20 product: windows
21detection:
22 selection:
23 TargetFilename|endswith: '\PSEXESVC.exe'
24 condition: selection
25falsepositives:
26 - Unknown
27level: low
References
-
Detecting Lateral Movement through Tracking Event Logs Many recent cyberattacks have been confirmed in which malware infects a host and in turn spreads to other hosts and internal servers, resultin...
Read More -
About this site Command Execution PsExec wmic schtasks wmiexec.vbs BeginX WinRM WinRS BITS Password and Hash Dump PWDump7 PWDumpX Quarks PwDump Mimikatz (Password and Hash Dump lsadump::sam) Mimika...
Read More
Related rules
- CSExec Service File Creation
- HackTool Service Registration or Execution
- PUA - NSudo Execution
- PUA - NirCmd Execution
- PUA - NirCmd Execution As LOCAL SYSTEM