valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
9fb589201e
SigmaHQ/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
Florian Roth 4c281d117c fix: bug in rule syntax
2021-05-22 15:31:23 +02:00

35 lines
1.2 KiB
YAML
Raw Blame History

title: PsExec/PAExec Flags
id: 207b0396-3689-42d9-8399-4222658efc99
status: experimental
description: Detects suspicious flags used by PsExec and PAExec but no usual program name in command line
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.poweradmin.com/paexec/
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth
date: 2021/05/22
logsource:
category: process_creation
product: windows
detection:
selection_flags_1: # Escalation to LOCAL_SYSTEM
CommandLine|contains|all:
- '\\127.0.0.1'
- ' -s '
- 'cmd.exe'
selection_flags_2:
CommandLine|contains|all: # Accepting EULA in commandline - often used in automated attacks
- ' /accepteula '
- 'cmd /c '
- ' -u '
- ' -p '
filter:
CommandLine|contains:
- 'paexec'
- 'PsExec'
condition: ( selection_flags_1 or selection_flags_2 ) and not filter
falsepositives:
- Weird admins that rename their tools
- Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
level: high
Reference in New Issue View Git Blame Copy Permalink