2020-01-30 16:26:09 +00:00
title : Suspicious PsExec Execution
2019-11-12 22:12:27 +00:00
id : c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
2020-06-16 20:46:08 +00:00
description : detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
2019-04-03 13:59:46 +00:00
author : Samir Bousseaden
2020-01-30 15:07:37 +00:00
date : 2019 /04/03
2019-04-03 13:59:46 +00:00
references :
- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
tags :
- attack.lateral_movement
2020-08-24 23:09:17 +00:00
- attack.t1077 # an old one
2020-06-16 20:46:08 +00:00
- attack.t1021.002
2019-04-03 13:59:46 +00:00
logsource :
product : windows
service : security
2020-07-13 21:02:17 +00:00
definition : 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
2019-04-03 13:59:46 +00:00
detection :
selection1 :
EventID : 5145
ShareName : \\*\IPC$
RelativeTargetName :
2020-06-16 20:46:08 +00:00
- '*-stdin'
- '*-stdout'
- '*-stderr'
2019-04-03 13:59:46 +00:00
selection2 :
EventID : 5145
ShareName : \\*\IPC$
RelativeTargetName : 'PSEXESVC*'
condition : selection1 and not selection2
2020-01-30 15:07:37 +00:00
falsepositives :
2019-04-03 13:59:46 +00:00
- nothing observed so far
level : high