2019-04-03 13:59:46 +00:00
title : Suspicious PsExec execution
description : detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
author : Samir Bousseaden
references :
- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
tags :
- attack.lateral_movement
2019-04-03 19:50:25 +00:00
- attack.t1077
2019-04-03 13:59:46 +00:00
logsource :
product : windows
service : security
description : 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection :
selection1 :
EventID : 5145
ShareName : \\*\IPC$
RelativeTargetName :
- '*-stdin'
- '*-stdout'
- '*-stderr'
selection2 :
EventID : 5145
ShareName : \\*\IPC$
RelativeTargetName : 'PSEXESVC*'
condition : selection1 and not selection2
falsepositives :
- nothing observed so far
level : high
