PsExec Service Execution

Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution

Sigma rule (View on GitHub)

 1title: PsExec Service Execution
 2id: fdfcbd78-48f1-4a4b-90ac-d82241e368c5
 3related:
 4    - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
 5      type: obsolete
 6status: test
 7description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
 8references:
 9    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
10    - https://www.youtube.com/watch?v=ro2QuZTIMBM
11author: Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)
12date: 2017-06-12
13modified: 2023-02-28
14tags:
15    - attack.execution
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        - Image: 'C:\Windows\PSEXESVC.exe'
22        - OriginalFileName: 'psexesvc.exe'
23    condition: selection
24falsepositives:
25    - Legitimate administrative tasks
26level: medium

References

Related rules

to-top