Potential Privilege Escalation To LOCAL SYSTEM
Detects an unknown program using command-line flags commonly used by tools such as PsExec and PAExec to start programs with SYSTEM privileges.
Sigma rule:
title: Potential Privilege Escalation To LOCAL SYSTEM
id: 207b0396-3689-42d9-8399-4222658efc99
related:
    - id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 # PsExec specific rule
      type: similar
status: experimental
description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.poweradmin.com/paexec/
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021/05/22
modified: 2023/02/27
tags:
    - attack.resource_development
    - attack.t1587.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_flags_1:
        # Escalation to LOCAL_SYSTEM
        CommandLine|contains:
            # Note that you don't need to add the ".exe" part when using psexec/paexec
            # The "-" can also be replaced with "/"
            # The order of args isn't important
            # "cmd" can be replaced by "powershell", "pwsh" or any other console like software
            - ' -s cmd'
            - ' /s cmd'
            - ' -s -i cmd'
            - ' /s /i cmd'
            - ' /s -i cmd'
            - ' -s /i cmd'
            - ' -i -s cmd'
            - ' /i /s cmd'
            - ' -i /s cmd'
            - ' /i -s cmd'
            # Pwsh (For PowerShell 7)
            - ' -s pwsh'
            - ' /s pwsh'
            - ' -s -i pwsh'
            - ' /s /i pwsh'
            - ' /s -i pwsh'
            - ' -s /i pwsh'
            - ' -i -s pwsh'
            - ' /i /s pwsh'
            - ' -i /s pwsh'
            - ' /i -s pwsh'
            # PowerShell (For PowerShell 5)
            - ' -s powershell'
            - ' /s powershell'
            - ' -s -i powershell'
            - ' /s /i powershell'
            - ' /s -i powershell'
            - ' -s /i powershell'
            - ' -i -s powershell'
            - ' /i /s powershell'
            - ' -i /s powershell'
            - ' /i -s powershell'
    filter:
        # This filter excludes strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23
        CommandLine|contains:
            - 'paexec'
            - 'PsExec'
            - 'accepteula'
    condition: 1 of selection_flags_* and not filter
falsepositives:
    - Weird admins that rename their tools
    - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
level: high
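To show how the rule's logic behaves on real-looking telemetry, here is an added Python example (not part of the rule or of the Sigma project) that rebuilds the 30 selection strings from the flag variants the comments describe and evaluates "1 of selection_flags_* and not filter" over constructed process_creation events; every image path and command line below is made up.

```python
import itertools

# Reconstruct the rule's selection strings: "-" or "/" flag prefixes, the flag
# orders the rule lists (s, s i, i s) and the three console programs it names.
CONSOLES = ("cmd", "pwsh", "powershell")
FLAG_ORDERS = (("s",), ("s", "i"), ("i", "s"))
FILTER = ("paexec", "psexec", "accepteula")  # strings left to the related PsExec rule


def build_selection():
    patterns = []
    for console in CONSOLES:
        for flags in FLAG_ORDERS:
            for prefixes in itertools.product("-/", repeat=len(flags)):
                args = " ".join(p + f for p, f in zip(prefixes, flags))
                patterns.append(f" {args} {console}")
    return patterns


SELECTION = build_selection()  # same 30 strings as the rule's list


def matches(event):
    """Evaluate 'selection_flags_1 and not filter' on one process_creation event.

    Sigma string matching is case-insensitive, so both sides are lowercased.
    """
    cmdline = event.get("CommandLine", "").lower()
    hit = any(s.lower() in cmdline for s in SELECTION)
    excluded = any(f in cmdline for f in FILTER)
    return hit and not excluded


# Constructed sample events (not taken from any real log):
EVENTS = [
    {"Image": r"C:\Temp\svc.exe", "CommandLine": r"C:\Temp\svc.exe -s -i cmd"},         # renamed tool: alert
    {"Image": r"C:\Tools\PsExec.exe", "CommandLine": r"PsExec.exe -accepteula -s cmd"},  # filtered: PsExec rule covers it
    {"Image": r"C:\Temp\ps.exe", "CommandLine": r"C:\Temp\ps.exe /S /I powershell"},      # upper-case flags still match
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c whoami /all"}, # benign
]


def alerts(events):
    """Return the Image of every event the rule would flag."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for image in alerts(EVENTS):
        print("Potential Privilege Escalation To LOCAL SYSTEM:", image)
```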