PsExec Service Child Process Execution as LOCAL SYSTEM

Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)

Sigma rule (View on GitHub)

 1title: PsExec Service Child Process Execution as LOCAL SYSTEM
 2id: 7c0dcd3d-acf8-4f71-9570-f448b0034f94
 3related:
 4    - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
 5      type: similar
 6status: test
 7description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
 8references:
 9    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
10author: Florian Roth (Nextron Systems)
11date: 2022-07-21
12modified: 2023-02-28
13tags:
14    - attack.execution
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        ParentImage: 'C:\Windows\PSEXESVC.exe'
21        User|contains: # covers many language settings
22            - 'AUTHORI'
23            - 'AUTORI'
24    condition: selection
25falsepositives:
26    - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
27level: high

References

Related rules

to-top