Potential Privilege Escalation To LOCAL SYSTEM

Detects an unknown program using command-line flags typically used by tools such as PsExec and PAExec to start programs with SYSTEM privileges

Sigma rule

title: Potential Privilege Escalation To LOCAL SYSTEM
id: 207b0396-3689-42d9-8399-4222658efc99
related:
    - id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 # PsExec specific rule
      type: similar
status: test
description: Detects an unknown program using command-line flags typically used by tools such as PsExec and PAExec to start programs with SYSTEM privileges
references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.poweradmin.com/paexec/
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021/05/22
modified: 2024/03/05
tags:
    - attack.resource_development
    - attack.t1587.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Escalation to LOCAL_SYSTEM
        CommandLine|contains|windash:
            # Note that you don't need to add the ".exe" part when using psexec/paexec
            # The "-" can also be replaced with "/"
            # The order of args isn't important
            # "cmd" can be replaced by "powershell", "pwsh" or any other console-like software
            - ' -s cmd'
            - ' -s -i cmd'
            - ' -i -s cmd'
            # Pwsh (For PowerShell 7)
            - ' -s pwsh'
            - ' -s -i pwsh'
            - ' -i -s pwsh'
            # PowerShell (For PowerShell 5)
            - ' -s powershell'
            - ' -s -i powershell'
            - ' -i -s powershell'
    filter_main_exclude_coverage:
        # This filter excludes strings already covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23
        CommandLine|contains:
            - 'paexec'
            - 'PsExec'
            - 'accepteula'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Admins who rename their tools
    - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
level: high
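To see what the rule actually fires on, the following is an added example (not part of the SigmaHQ rule or its repository) that re-implements the detection logic in plain Python and runs it over a handful of constructed process_creation events. It models the `windash` modifier as the rule comment describes it (every `-` may also be written as `/`, all combinations matched) and Sigma's default case-insensitive `contains`; the event dicts, image paths and command lines are made up for illustration, not real telemetry.

```python
import itertools

# Selection values copied from the rule above (CommandLine|contains|windash).
SELECTION = [
    " -s cmd", " -s -i cmd", " -i -s cmd",
    " -s pwsh", " -s -i pwsh", " -i -s pwsh",
    " -s powershell", " -s -i powershell", " -i -s powershell",
]

# Filter values copied from the rule (CommandLine|contains). Command lines that
# name the real tools are left to the PsExec-specific rule
# 8834e2f7-6b4b-4f09-8906-d2276470ee23, so this rule only sees renamed binaries.
FILTER_EXCLUDE_COVERAGE = ["paexec", "PsExec", "accepteula"]


def windash_variants(pattern: str) -> list[str]:
    """Expand a pattern like Sigma's `windash` modifier: each '-' may be '-' or '/'
    and every combination is matched. Only the '/' substitution mentioned in the
    rule comment is modelled here (assumption: Unicode dash variants are ignored)."""
    parts = pattern.split("-")
    variants = []
    for seps in itertools.product("-/", repeat=len(parts) - 1):
        out = parts[0]
        for sep, part in zip(seps, parts[1:]):
            out += sep + part
        variants.append(out)
    return variants


def contains_any(haystack: str, needles) -> bool:
    """Sigma string matching is case-insensitive by default."""
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    cmdline = event.get("CommandLine", "")
    selection = any(contains_any(cmdline, windash_variants(p)) for p in SELECTION)
    excluded = contains_any(cmdline, FILTER_EXCLUDE_COVERAGE)
    return selection and not excluded


# Constructed sample process_creation events (hypothetical, not real logs).
SAMPLE_EVENTS = [
    # Renamed PsExec/PAExec-style launcher: matches.
    {"Image": r"C:\Windows\Temp\svc.exe",
     "CommandLine": r"C:\Windows\Temp\svc.exe -s cmd"},
    # Real PsExec: selection matches but the coverage filter hands it to the PsExec rule.
    {"Image": r"C:\Tools\PsExec64.exe",
     "CommandLine": r"C:\Tools\PsExec64.exe -accepteula -s -i cmd"},
    # Slash-style flags: caught through the windash expansion.
    {"Image": r"C:\Program Files\Foo\updater.exe",
     "CommandLine": r'"C:\Program Files\Foo\updater.exe" /s /i powershell -NoProfile'},
    # Benign shell: no match.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c dir"},
    # Interactive SYSTEM pwsh via renamed tool: matches.
    {"Image": r"C:\Users\bob\tool.exe",
     "CommandLine": r"C:\Users\bob\tool.exe -i -s pwsh"},
    # Caveat: an extra flag between -s and the console name (e.g. PsExec's -d,
    # "don't wait") breaks every substring in the selection, so this is missed.
    {"Image": r"C:\Windows\Temp\svc.exe",
     "CommandLine": r"C:\Windows\Temp\svc.exe -s -d cmd"},
]


def evaluate(events=SAMPLE_EVENTS) -> list[tuple[str, bool]]:
    """Return (CommandLine, matched) for each event so results can be inspected."""
    return [(e["CommandLine"], rule_matches(e)) for e in events]


if __name__ == "__main__":
    for cmdline, hit in evaluate():
        print("ALERT " if hit else "      ", cmdline)
```

The last sample illustrates the trade-off the authors made: the selection is a fixed set of substrings, so any additional flag placed between `-s`/`-i` and the console name (PsExec's `-d`, for instance) falls outside it. Tightening that would mean a regex over the whole flag list, at the cost of more false positives from unrelated tools that happen to take `-s`.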
