Sysinternals PsService Execution

Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering

Sigma rule (View on GitHub)

 1title: Sysinternals PsService Execution
 2id: 3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f
 3status: test
 4description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
 5references:
 6    - https://learn.microsoft.com/en-us/sysinternals/downloads/psservice
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-06-16
 9modified: 2023-02-24
10tags:
11    - attack.discovery
12    - attack.persistence
13    - attack.t1543.003
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        - OriginalFileName: 'psservice.exe'
20        - Image|endswith:
21              - '\PsService.exe'
22              - '\PsService64.exe'
23    condition: selection
24falsepositives:
25    - Legitimate use of PsService by an administrator
26level: medium

References

Related rules

to-top