PSEXEC Remote Execution File Artefact
Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
Sigma rule (View on GitHub)
1title: PSEXEC Remote Execution File Artefact
2id: 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4
3status: test
4description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
5references:
6 - https://aboutdfir.com/the-key-to-identify-psexec/
7 - https://twitter.com/davisrichardg/status/1616518800584704028
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2023/01/21
10modified: 2023/02/23
11tags:
12 - attack.lateral_movement
13 - attack.privilege_escalation
14 - attack.execution
15 - attack.persistence
16 - attack.t1136.002
17 - attack.t1543.003
18 - attack.t1570
19 - attack.s0029
20logsource:
21 category: file_event
22 product: windows
23detection:
24 selection:
25 TargetFilename|startswith: 'C:\Windows\PSEXEC-'
26 TargetFilename|endswith: '.key'
27 condition: selection
28falsepositives:
29 - Unlikely
30level: high
References
Related rules
- Remote Service Creation
- CobaltStrike Service Installations - System
- CobaltStrike Service Installations - Security
- ProcessHacker Privilege Elevation
- Uncommon One Time Only Scheduled Task At 00:00