Renamed PsExec Service Execution

Detects suspicious launch of a renamed version of the PSEXESVC service, which is not often used by legitimate administrators

Sigma rule

title: Renamed PsExec Service Execution
id: 51ae86a2-e2e1-4097-ad85-c46cb6851de4
status: test
description: Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators
references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.youtube.com/watch?v=ro2QuZTIMBM
author: Florian Roth (Nextron Systems)
date: 2022/07/21
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'psexesvc.exe'
    filter:
        Image: 'C:\Windows\PSEXESVC.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate administrative tasks
level: high
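
The rule's condition applied to a few constructed process-creation events, as an added example that is not part of the original page or the Sigma project. The helper names (sigma_eq, renamed_psexesvc, alerts) and all sample events are assumptions made for illustration; the matching follows Sigma's default of case-insensitive string comparison.

```python
# Added example: evaluates "selection and not filter" from the rule above
# against constructed process-creation events. Not the Sigma project's code.

def sigma_eq(value, expected):
    """Sigma plain-string match: case-insensitive equality on the whole field."""
    return isinstance(value, str) and value.lower() == expected.lower()


def renamed_psexesvc(event):
    """Return True when the event matches the rule's condition."""
    # selection: the PE version resource still identifies the PsExec service binary
    selection = sigma_eq(event.get("OriginalFileName"), "psexesvc.exe")
    # filter: the binary runs from its default path under its default name
    default_path = sigma_eq(event.get("Image"), r"C:\Windows\PSEXESVC.exe")
    return selection and not default_path


# Constructed sample events (field names follow the rule, values are made up).
SAMPLE_EVENTS = [
    # default service name and path: suppressed by the filter
    {"Image": r"C:\Windows\PSEXESVC.exe", "OriginalFileName": "psexesvc.exe"},
    # renamed service binary: alert
    {"Image": r"C:\Windows\svcupdate.exe", "OriginalFileName": "psexesvc.exe"},
    # case variants of the default path: still suppressed
    {"Image": r"c:\windows\psexesvc.EXE", "OriginalFileName": "PsExeSvc.exe"},
    # default file name but outside C:\Windows: alert
    {"Image": r"C:\Users\Public\PSEXESVC.exe", "OriginalFileName": "psexesvc.exe"},
    # unrelated process: selection does not match
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    # event without OriginalFileName: the rule cannot match at all
    {"Image": r"C:\Windows\svcupdate.exe"},
]


def alerts(events):
    """Return the Image path of every event the rule would flag."""
    return [e["Image"] for e in events if renamed_psexesvc(e)]


if __name__ == "__main__":
    for image in alerts(SAMPLE_EVENTS):
        print("ALERT renamed PSEXESVC:", image)
```

The last sample event shows the rule's dependency on its log source: OriginalFileName is recorded in Sysmon process-creation events (Event ID 1) but not in Security event 4688, so the rule only evaluates on telemetry that carries that field.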
