Renamed PsExec Service Execution
Detects suspicious launch of a renamed version of the PSEXESVC service, which is not often used by legitimate administrators
Sigma rule
title: Renamed PsExec Service Execution
id: 51ae86a2-e2e1-4097-ad85-c46cb6851de4
status: test
description: Detects suspicious launch of a renamed version of the PSEXESVC service, which is not often used by legitimate administrators
references:
  - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
  - https://www.youtube.com/watch?v=ro2QuZTIMBM
author: Florian Roth (Nextron Systems)
date: 2022-07-21
tags:
  - attack.execution
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    OriginalFileName: 'psexesvc.exe'
  filter:
    Image: 'C:\Windows\PSEXESVC.exe'
  condition: selection and not filter
falsepositives:
  - Legitimate administrative tasks
level: high
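The rule keys on the PE header's OriginalFileName (as logged by Sysmon process-creation events), so a renamed service binary still matches, while the filter excludes the default PSEXESVC path. The following added example (not part of the rule or the Sigma project) evaluates that `selection and not filter` logic over constructed process_creation events; it implements only exact, case-insensitive value matching, which is all this rule needs.

```python
# Added example: a minimal evaluator for this rule's detection logic,
# run over constructed Sysmon-style process_creation events. Not part of
# the Sigma project or the rule; real deployments use a Sigma backend to
# convert the rule for a SIEM. Only exact-value matching is implemented
# (no wildcards), which is sufficient for this rule.

# Sigma string comparison is case-insensitive by default, so a renamed
# binary still matches on the PE header's OriginalFileName field.
SELECTION = {"OriginalFileName": "psexesvc.exe"}
FILTER = {"Image": r"C:\Windows\PSEXESVC.exe"}


def _matches(event: dict, criteria: dict) -> bool:
    """Every field in criteria must equal the event value (case-insensitive)."""
    return all(
        str(event.get(field, "")).lower() == value.lower()
        for field, value in criteria.items()
    )


def rule_matches(event: dict) -> bool:
    """condition: selection and not filter"""
    return _matches(event, SELECTION) and not _matches(event, FILTER)


# Constructed sample events (not real telemetry). Field names follow the
# Sigma process_creation taxonomy (Image, OriginalFileName, CommandLine).
SAMPLE_EVENTS = [
    # Renamed service binary under an unusual path: should alert.
    {"Image": r"C:\Windows\Temp\svchost1.exe", "OriginalFileName": "PSEXESVC.exe",
     "CommandLine": r"C:\Windows\Temp\svchost1.exe"},
    # Default PsExec service path: excluded by the filter.
    {"Image": r"C:\Windows\PSEXESVC.exe", "OriginalFileName": "psexesvc.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    # Unrelated process: OriginalFileName does not match.
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    # Event lacking the field (e.g. a non-Sysmon source): no match, no crash.
    {"Image": r"C:\Tools\p.exe", "CommandLine": "p.exe"},
]


def alerting_images(events=SAMPLE_EVENTS) -> list:
    """Return the Image path of every event that triggers the rule."""
    return [e["Image"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for image in alerting_images():
        print("ALERT renamed PSEXESVC:", image)
```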