PsExec Service Child Process Execution as LOCAL SYSTEM
Detects a suspicious launch of the PSEXESVC service on this system with a child process running as LOCAL SYSTEM (PsExec -s), which means that someone remotely started a command on this system with the highest privileges rather than only the privileges of the logged-in user account (e.g. the administrator account).
Sigma rule
```yaml
title: PsExec Service Child Process Execution as LOCAL SYSTEM
id: 7c0dcd3d-acf8-4f71-9570-f448b0034f94
related:
    - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
      type: similar
status: test
description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
author: Florian Roth (Nextron Systems)
date: 2022-07-21
modified: 2023-02-28
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage: 'C:\Windows\PSEXESVC.exe'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection
falsepositives:
    - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
level: high
```
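As an added example (not part of the rule or of this page), the rule's `selection` re-implemented in Python and run over constructed process_creation events: it fires only when the parent image is PSEXESVC.exe and the User field carries one of the localized SYSTEM account substrings, and stays quiet for a PsExec session without `-s` or for SYSTEM processes spawned by other parents. Field names follow the Sigma process_creation taxonomy; the sample events are constructed.

```python
# Re-implementation of the Sigma selection above (added example, not the rule's own code).
# Sigma string comparisons are case-insensitive, so both fields are lower-cased first.
PARENT_IMAGE = r"C:\Windows\PSEXESVC.exe"
# 'AUTHORI' covers "NT AUTHORITY", 'AUTORI' covers e.g. German "NT-AUTORITÄT"
USER_TOKENS = ("AUTHORI", "AUTORI")


def matches_rule(event: dict) -> bool:
    """True when the event satisfies ParentImage == PSEXESVC.exe AND User|contains one token."""
    parent = event.get("ParentImage", "").lower()
    if parent != PARENT_IMAGE.lower():
        return False
    user = event.get("User", "").lower()
    return any(tok.lower() in user for tok in USER_TOKENS)


# Constructed sample events (Sigma process_creation fields, as a Sysmon Event ID 1 backend would map them)
SAMPLE_EVENTS = [
    # psexec -s on an English system: child of PSEXESVC running as SYSTEM -> should match
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # same on a German system; the localized account name still contains "AUTORI" -> should match
    {"Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"c:\windows\psexesvc.exe", "User": r"NT-AUTORITÄT\SYSTEM"},
    # psexec without -s: the child runs as the connecting user -> no match
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe", "User": r"CORP\jdoe"},
    # SYSTEM process started by the service control manager, not by PsExec -> no match
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "User": r"NT AUTHORITY\SYSTEM"},
]


def find_hits(events) -> list:
    """Return the Image of every event that the rule would alert on, in input order."""
    return [e["Image"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for image in find_hits(SAMPLE_EVENTS):
        print("ALERT PsExec child as LOCAL SYSTEM:", image)
```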