diff --git a/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml b/rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml
similarity index 85%
rename from rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml
rename to rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml
index 6b61aec6..2c386e11 100644
--- a/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml
+++ b/rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml
@@ -1,9 +1,9 @@
-action: global
 title: Metasploit Or Impacket Service Installation Via SMB PsExec
+id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
 description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
 author: Bartlomiej Czyz, Relativity
 date: 2021/01/21
-modified: 2021/07/23
+modified: 2021/09/21
 references:
 - https://bczyz1.github.io/2021/01/30/psexec.html
 tags:
@@ -12,7 +12,12 @@ tags:
 - attack.t1570
 - attack.execution
 - attack.t1569.002
+logsource:
+ product: windows
+ service: system
 detection:
+ selection:
+ EventID: 7045
 selection_1:
 ServiceFileName|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$'
 ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'
@@ -29,21 +34,4 @@ fields:
 - ServiceFileName
 falsepositives:
 - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
-level: high
----
-id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
-logsource:
- product: windows
- service: system
-detection:
- selection:
- EventID: 7045
----
-id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442
-logsource:
- product: windows
- service: security
-detection:
- selection:
- EventID: 4697
-
+level: high
\ No newline at end of file
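Review bot: The `selection` block added under `detection` in the second hunk keys on System log `EventID: 7045`, but the `selection_1` context lines directly below it still match on `ServiceFileName`, which is the field name of the Security 4697 schema; a 7045 record carries the binary path as `ImagePath` (and the start type as `StartType`), so as written the rule looks unlikely to fire on System events, which is presumably why it is being moved to `rules-unsupported`. That reason is recorded nowhere in the file, so a comment above the new `logsource:` block such as `# unsupported: selection_1 uses Security 4697 field names (ServiceFileName); System 7045 exposes ImagePath/StartType instead` would tell the next maintainer what must change before the rule can return to the supported set. The `condition` line and the rest of `selection_1` sit between the second and third hunks and are not visible here, so whether anything else references 4697-only fields cannot be confirmed from the diff. The third hunk also leaves the renamed file without a trailing newline (`\ No newline at end of file`).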
diff --git a/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
new file mode 100644
index 00000000..8ad72acf
--- /dev/null
+++ b/rules/windows/builtin/win_security_metasploit_or_impacket_smb_psexec_service_install.yml
@@ -0,0 +1,40 @@
+title: Metasploit Or Impacket Service Installation Via SMB PsExec
+id: 6fb63b40-e02a-403e-9ffd-3bcc1d7494425
+related:
+ - id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
+ type: derived
+description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
+author: Bartlomiej Czyz, Relativity
+date: 2021/01/21
+modified: 2021/07/23
+references:
+ - https://bczyz1.github.io/2021/01/30/psexec.html
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+ - attack.t1570
+ - attack.execution
+ - attack.t1569.002
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4697
+ selection_1:
+ ServiceFileName|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$'
+ ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'
+ ServiceStartType: '3' # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697
+ ServiceType: '0x10'
+ filter:
+ ServiceName: 'PSEXESVC'
+ condition: selection and selection_1 and not filter
+fields:
+ - ComputerName
+ - SubjectDomainName
+ - SubjectUserName
+ - ServiceName
+ - ServiceFileName
+falsepositives:
+ - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
+level: high
\ No newline at end of file
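Review bot: The `id` on the second line of the new file, `6fb63b40-e02a-403e-9ffd-3bcc1d7494425`, has thirteen hex characters in its last group and is not a valid UUID; the identifier this rule is split out of, `6fb63b40-e02a-403e-9ffd-3bcc1d749442`, is the one removed from the renamed file in the previous diff, so the line should read `id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442`. Any tooling that validates rule ids or keys deployments and suppressions by UUID will reject or mis-key this rule until that is corrected. The new file also ends without a trailing newline (`\ No newline at end of file`); both files in this commit should end with one. `modified` stays at `2021/07/23` here while the renamed file's is bumped to `2021/09/21`; if the split counts as a modification of this rule, it should probably be bumped to match.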