SigmaHQ/rules/windows/builtin/win_susp_psexec.yml

32 lines
1.1 KiB
YAML
Raw Normal View History

2020-01-30 16:26:09 +00:00
title: Suspicious PsExec Execution
2019-11-12 22:12:27 +00:00
id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
2020-06-16 20:46:08 +00:00
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
2019-04-03 13:59:46 +00:00
author: Samir Bousseaden
date: 2019/04/03
2019-04-03 13:59:46 +00:00
references:
- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
tags:
- attack.lateral_movement
- attack.t1077 # an old one
2020-06-16 20:46:08 +00:00
- attack.t1021.002
2019-04-03 13:59:46 +00:00
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
2019-04-03 13:59:46 +00:00
detection:
selection1:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName:
2020-06-16 20:46:08 +00:00
- '*-stdin'
- '*-stdout'
- '*-stderr'
2019-04-03 13:59:46 +00:00
selection2:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName: 'PSEXESVC*'
condition: selection1 and not selection2
falsepositives:
2019-04-03 13:59:46 +00:00
- nothing observed so far
level: high