Sigma rule, level: high, category: Hunting
Suspicious PsExec Execution
Detects execution of PsExec or PAExec with a renamed service name: an access to a named pipe on the IPC$ share whose pipe name ends in -stdin, -stdout or -stderr but does not start with the default PSEXESVC prefix. Excluding the default name filters out the noise from legitimate PsExec use, while still catching an attacker who renames the service (PsExec's -r option) or uses a PsExec-style client other than the Sysinternals one, such as PAExec.
Detection Query
selection1:
    EventID: 5145
    ShareName: '\\\\\*\\IPC$'
    RelativeTargetName|endswith:
        - '-stdin'
        - '-stdout'
        - '-stderr'
filter:
    RelativeTargetName|startswith: 'PSEXESVC'
condition: selection1 and not filter
Author
Samir Bousseaden
Created
2019-04-03
Data Sources
windowssecurity
Platforms
windows
Tags
attack.lateral-movement
attack.t1021.002
Raw Content
title: Suspicious PsExec Execution
id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
status: test
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
references:
    - https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2022-08-11
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection1:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
        RelativeTargetName|endswith:
            - '-stdin'
            - '-stdout'
            - '-stderr'
    filter:
        RelativeTargetName|startswith: 'PSEXESVC'
    condition: selection1 and not filter
falsepositives:
    - Unknown
level: high
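The detection logic of the rule above (both the rendered Detection Query and the raw YAML), evaluated in plain Python over a handful of constructed Security event 5145 records. This is an added example written for this page, not code from the Sigma project or from the rule author. It assumes the event fields are already parsed into a dict with the same names the rule uses (EventID, ShareName, RelativeTargetName); the sample events, host names and PIDs are made up, and the pipe name formats for a renamed PsExec service and for PAExec are illustrative assumptions rather than captured data. The small helper that decodes Sigma's backslash escaping is included so the ShareName pattern can be compared against the literal \\*\IPC$ that Windows writes into the event.

```python
"""Added example: Sigma rule 'Suspicious PsExec Execution' evaluated in Python
over constructed event 5145 records. Not the Sigma project's code."""


def sigma_unescape_plain(pattern: str) -> str:
    """Decode Sigma string escaping for a pattern used as a plain (non-wildcard) literal.

    Sigma escaping rules applied here:
      '\\\\'  -> one literal backslash
      '\\*'   -> one literal asterisk (escaped wildcard)
      '\\?'   -> one literal question mark
      a lone backslash before any other character is itself a literal backslash
    So the rule's '\\\\\\*\\\\IPC$' decodes to the share name '\\\\*\\IPC$'.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
        if c == "\\" and nxt == "\\":
            out.append("\\")
            i += 2
        elif c == "\\" and nxt in ("*", "?"):
            out.append(nxt)
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


# Constants taken from the rule. Sigma string matching is case-insensitive,
# so every comparison below is done on lower-cased values.
IPC_SHARE = sigma_unescape_plain(r"\\\\\*\\IPC$").lower()  # -> \\*\ipc$
PIPE_SUFFIXES = ("-stdin", "-stdout", "-stderr")           # selection1
DEFAULT_PIPE_PREFIX = "psexesvc"                            # filter


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'selection1 and not filter'."""
    target = str(event.get("RelativeTargetName", "")).lower()
    selection1 = (
        event.get("EventID") == 5145
        and str(event.get("ShareName", "")).lower() == IPC_SHARE
        and target.endswith(PIPE_SUFFIXES)
    )
    filtered = target.startswith(DEFAULT_PIPE_PREFIX)
    return selection1 and not filtered


# Constructed sample events (hosts, PIDs and pipe names are made up).
SAMPLE_EVENTS = [
    # Default Sysinternals service name: legitimate-admin noise, removed by the filter.
    {"EventID": 5145, "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "PSEXESVC-WS01-4712-stdin"},
    # Assumed pipe name after 'psexec -r winupd': renamed service, flagged.
    {"EventID": 5145, "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "winupd-WS01-2208-stdout"},
    # Assumed PAExec pipe name: non-Sysinternals client, flagged.
    {"EventID": 5145, "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "PAExec-3120-WS01-stderr"},
    # Ordinary RPC pipe on IPC$: no PsExec suffix, not flagged.
    {"EventID": 5145, "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "srvsvc"},
    # Matching suffix but on a file share, not IPC$: not flagged.
    {"EventID": 5145, "ShareName": r"\\*\C$",
     "RelativeTargetName": "Windows\\Temp\\tool-stdin"},
    # Wrong event ID (5140 share access, not 5145 detailed file share): not flagged.
    {"EventID": 5140, "ShareName": r"\\*\IPC$",
     "RelativeTargetName": "x-stdin"},
]


def flagged_targets(events) -> list:
    """Pipe names from the events that the rule would alert on, in input order."""
    return [e["RelativeTargetName"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for name in flagged_targets(SAMPLE_EVENTS):
        print("suspicious PsExec-style pipe:", name)
```

Running the block prints only the renamed-service and PAExec pipes; the default PSEXESVC pipe is dropped by the filter even when it appears in a different case, which is why the comparisons are lower-cased rather than done with the raw strings.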