Sysinternals PsService Execution
Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
Sigma rule
title: Sysinternals PsService Execution
id: 3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f
status: test
description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/psservice
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-16
modified: 2023-02-24
tags:
    - attack.discovery
    - attack.persistence
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'psservice.exe'
        - Image|endswith:
            - '\PsService.exe'
            - '\PsService64.exe'
    condition: selection
falsepositives:
    - Legitimate use of PsService by an administrator
level: medium
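The selection above is a list of two maps, which Sigma joins with OR: either the PE version-resource field OriginalFileName equals psservice.exe, or the image path ends with \PsService.exe or \PsService64.exe. Sigma string comparisons are case-insensitive. The following is an added Python example (not code from the Sigma project or the rule author) that transcribes that logic and runs it over a few constructed Sysmon-style process_creation events; every path, hostname, service name and command line in the sample events is invented for illustration. It shows the case that makes the OriginalFileName branch worth having (a renamed copy of the binary) and the case this rule does not cover (a renamed copy whose version information has been stripped, which Sysmon logs with OriginalFileName set to "-").

```python
"""Evaluate the Sysinternals PsService Sigma rule over constructed
process_creation events. Added example; not part of the Sigma project."""

# Selection logic transcribed from the rule. Sigma matches strings
# case-insensitively, so both sides are lower-cased before comparing.
ORIGINAL_FILE_NAME = "psservice.exe"
IMAGE_SUFFIXES = ("\\psservice.exe", "\\psservice64.exe")


def matches_psservice_rule(event: dict) -> bool:
    """Return True if the event satisfies the rule's selection.

    The two maps under 'selection' are OR-ed: OriginalFileName equals
    psservice.exe, or Image ends with \\PsService.exe / \\PsService64.exe.
    The leading backslash anchors the match to the file name component.
    """
    original = (event.get("OriginalFileName") or "").lower()
    image = (event.get("Image") or "").lower()
    if original == ORIGINAL_FILE_NAME:
        return True
    return image.endswith(IMAGE_SUFFIXES)


# Constructed Sysmon-style (Event ID 1) events. All values are invented.
SAMPLE_EVENTS = [
    {   # 1: stock binary; hits on both Image and OriginalFileName
        "Image": "C:\\Tools\\PsService.exe",
        "OriginalFileName": "psservice.exe",
        "CommandLine": "PsService.exe \\\\fileserver01 stop Spooler",
    },
    {   # 2: 64-bit build; hits on the second Image suffix
        "Image": "C:\\Tools\\PsService64.exe",
        "OriginalFileName": "psservice.exe",
        "CommandLine": "PsService64.exe \\\\fileserver01 security WinDefend",
    },
    {   # 3: renamed copy; Image misses, OriginalFileName from the PE
        #    version resource still hits
        "Image": "C:\\Users\\Public\\svc.exe",
        "OriginalFileName": "psservice.exe",
        "CommandLine": "svc.exe config WinDefend",
    },
    {   # 4: renamed copy with version info stripped; Sysmon logs "-" and
        #    this rule does not fire (a gap the rule author accepts)
        "Image": "C:\\Users\\Public\\svc.exe",
        "OriginalFileName": "-",
        "CommandLine": "svc.exe setconfig WinDefend disabled",
    },
    {   # 5: unrelated process; the native sc.exe is covered by other rules
        "Image": "C:\\Windows\\System32\\sc.exe",
        "OriginalFileName": "sc.exe",
        "CommandLine": "sc.exe query Spooler",
    },
]


def alerts(events=SAMPLE_EVENTS):
    """Return the CommandLine of every event the rule fires on."""
    return [e["CommandLine"] for e in events if matches_psservice_rule(e)]


if __name__ == "__main__":
    for line in alerts():
        print("ALERT:", line)
```

Two practical notes. First, the OriginalFileName branch only exists where the log source carries that field: Sysmon Event ID 1 does, but a plain Security Event ID 4688 does not, so on 4688-only telemetry the rule degrades to the Image suffix check and a renamed copy goes unseen. Second, the rule fires on any invocation, including read-only ones such as query; triage on CommandLine (a remote \\host target plus stop, setconfig or security is far more interesting than a local query) rather than raising the rule's level.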
References
- https://learn.microsoft.com/en-us/sysinternals/downloads/psservice
Related rules
- Sysinternals PsSuspend Execution
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- CosmicDuke Service Installation
- Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
- Driver Load From A Temporary Directory