PsExec/PAExec Escalation to LOCAL SYSTEM

Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights

Sigma rule (View on GitHub)

 1title: PsExec/PAExec Escalation to LOCAL SYSTEM
 2id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
 3related:
 4    - id: 207b0396-3689-42d9-8399-4222658efc99 # Generic rule based on similar cli flags
 5      type: similar
 6status: test
 7description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
 8references:
 9    - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
10    - https://www.poweradmin.com/paexec/
11    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
12author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
13date: 2021/11/23
14modified: 2023/02/28
15tags:
16    - attack.resource_development
17    - attack.t1587.001
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_sys: # Escalation to LOCAL_SYSTEM
23        CommandLine|contains:
24            # Note that you don't need to add the ".exe" part when using psexec/paexec
25            # The "-" can also be replaced with "/"
26            # The order of args isn't important
27            # "cmd" can be replaced by "powershell", "pwsh" or any other console like software
28            - ' -s cmd'
29            - ' /s cmd'
30            - ' -s -i cmd'
31            - ' /s /i cmd'
32            - ' /s -i cmd'
33            - ' -s /i cmd'
34            - ' -i -s cmd'
35            - ' /i /s cmd'
36            - ' -i /s cmd'
37            - ' /i -s cmd'
38            # Pwsh (For PowerShell 7)
39            - ' -s pwsh'
40            - ' /s pwsh'
41            - ' -s -i pwsh'
42            - ' /s /i pwsh'
43            - ' /s -i pwsh'
44            - ' -s /i pwsh'
45            - ' -i -s pwsh'
46            - ' /i /s pwsh'
47            - ' -i /s pwsh'
48            - ' /i -s pwsh'
49            # PowerShell (For PowerShell 5)
50            - ' -s powershell'
51            - ' /s powershell'
52            - ' -s -i powershell'
53            - ' /s /i powershell'
54            - ' /s -i powershell'
55            - ' -s /i powershell'
56            - ' -i -s powershell'
57            - ' /i /s powershell'
58            - ' -i /s powershell'
59            - ' /i -s powershell'
60    selection_other:
61        CommandLine|contains:
62            - 'psexec'
63            - 'paexec'
64            - 'accepteula'
65    condition: all of selection_*
66falsepositives:
67    - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
68    - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
69level: high

References

Related rules

to-top