Sysinternals PsService Execution
Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
Sigma rule
title: Sysinternals PsService Execution
id: 3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f
status: test
description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/psservice
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-16
modified: 2023-02-24
tags:
    - attack.privilege-escalation
    - attack.discovery
    - attack.persistence
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'psservice.exe'
        - Image|endswith:
              - '\PsService.exe'
              - '\PsService64.exe'
    condition: selection
falsepositives:
    - Legitimate use of PsService by an administrator
level: medium
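The rule's selection applied to process-creation events, as an added example that is not part of the SigmaHQ rule or of this page. The two entries under `selection` are OR-ed (a rename of the binary is still caught through the PE `OriginalFileName`, and a log source without that field is still caught through the `Image` suffix), and Sigma string matching is case-insensitive. The sample events are constructed to resemble Sysmon Event ID 1 and Security 4688 fields; the `classify_psservice_use` triage helper and its verb lists are an assumption added for illustration, with the verbs taken from PsService's own usage text (verify against the installed version).

```python
"""Apply the 'Sysinternals PsService Execution' Sigma selection to process-creation
events and triage hits by PsService verb. Added example, not SigmaHQ code; the event
records are constructed, not captured from a real host."""
from typing import Dict, List, Tuple

# Selection copied from the rule: the two list items are OR-ed, as are the
# endswith alternatives. Comparisons are lowercased because Sigma matching is
# case-insensitive.
ORIGINAL_FILENAME = "psservice.exe"
IMAGE_SUFFIXES = ("\\PsService.exe", "\\PsService64.exe")

# Assumption for triage: verbs from PsService's usage text, split by intent.
TAMPERING_VERBS = {"setconfig", "start", "stop", "restart", "pause", "cont"}
RECON_VERBS = {"query", "config", "depend", "security", "find"}


def matches_psservice_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies the rule's 'selection' block."""
    orig = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    if orig == ORIGINAL_FILENAME:
        return True
    return any(image.endswith(suffix.lower()) for suffix in IMAGE_SUFFIXES)


def classify_psservice_use(command_line: str) -> str:
    """Label a PsService command line as 'reconnaissance', 'tampering' or 'unknown'.

    PsService accepts '\\\\computer', '-u user', '-p password' and other '-' flags
    before the verb, so those are skipped first. Whitespace tokenising is a
    simplification: a quoted image path containing spaces is not handled.
    """
    tokens = command_line.split()[1:]  # drop the image itself
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("\\\\"):          # remote target
            i += 1
        elif tok.lower() in ("-u", "-p"):   # credential switches take a value
            i += 2
        elif tok.startswith("-"):           # e.g. -accepteula, -nobanner
            i += 1
        else:
            break
    if i >= len(tokens):
        return "unknown"                    # no verb: PsService lists all services
    verb = tokens[i].lower()
    if verb in TAMPERING_VERBS:
        return "tampering"
    if verb in RECON_VERBS:
        return "reconnaissance"
    return "unknown"


# Constructed sample events (Sysmon EID 1 / Security 4688 style field names).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Untouched 64-bit binary: both selection entries match.
    {"Image": r"C:\Tools\PsService64.exe", "OriginalFileName": "psservice.exe",
     "CommandLine": r"C:\Tools\PsService64.exe query Spooler"},
    # Renamed copy run against a remote host: Image no longer matches, but the
    # PE version resource still carries psservice.exe.
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "psservice.exe",
     "CommandLine": r"svc.exe \\FS01 -u corp\admin -p Hunter2 setconfig Spooler auto"},
    # Security 4688 style record without OriginalFileName: caught by Image suffix.
    {"Image": r"C:\Tools\PsService.exe",
     "CommandLine": r"PsService.exe security Spooler"},
    # Built-in service tool: not in scope of this rule.
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc.exe query Spooler"},
    # Name merely contains the string; endswith requires the leading backslash.
    {"Image": r"C:\Tools\MyPsService.exe", "OriginalFileName": "MyPsService.exe",
     "CommandLine": "MyPsService.exe"},
]


def run_rule(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (Image, triage label) for every event the rule fires on."""
    return [(e["Image"], classify_psservice_use(e.get("CommandLine", "")))
            for e in events if matches_psservice_rule(e)]


if __name__ == "__main__":
    for image, label in run_rule(SAMPLE_EVENTS):
        print(f"{label:15} {image}")
```

Two caveats a practitioner should keep in mind when deploying this rule: `OriginalFileName` is only populated by Sysmon or an EDR that reads PE version metadata, so on plain Security 4688 telemetry the rule reduces to the `Image` suffix check and a renamed binary will not be seen; and an attacker who also strips or edits the version resource evades both entries, which is why the detection is rated medium rather than high. Since the rule fires on every PsService invocation, including the administrator use listed under false positives, the command-line verb (`setconfig`, `stop` versus `query`, `security`) is the fastest way to separate tampering from reconnaissance during triage.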
Related rules
- Sysinternals PsSuspend Execution
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- CosmicDuke Service Installation