PsExec/PAExec Escalation to LOCAL SYSTEM
Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
Sigma rule
```yaml
title: PsExec/PAExec Escalation to LOCAL SYSTEM
id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
related:
    - id: 207b0396-3689-42d9-8399-4222658efc99 # Generic rule based on similar cli flags
      type: similar
status: test
description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.poweradmin.com/paexec/
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-23
modified: 2024-03-05
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_sys: # Escalation to LOCAL_SYSTEM
        CommandLine|contains|windash:
            # Note that you don't need to add the ".exe" part when using psexec/paexec
            # The "-" can also be replaced with "/"
            # The order of args isn't important
            # "cmd" can be replaced by "powershell", "pwsh" or any other console-like software
            - ' -s cmd'
            - ' -s -i cmd'
            - ' -i -s cmd'
            # Pwsh (For PowerShell 7)
            - ' -s pwsh'
            - ' -s -i pwsh'
            - ' -i -s pwsh'
            # PowerShell (For PowerShell 5)
            - ' -s powershell'
            - ' -s -i powershell'
            - ' -i -s powershell'
    selection_other:
        CommandLine|contains:
            - 'psexec'
            - 'paexec'
            - 'accepteula'
    condition: all of selection_*
falsepositives:
    - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
    - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
level: high
```
Related rules
- Conti Volume Shadow Listing
- Formbook Process Creation
- Mustang Panda Dropper
- PUA - CsExec Execution
- Potential Privilege Escalation To LOCAL SYSTEM