Sigma rules for PsExec
24 rules · scoped to tool · back to PsExec
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious PsExec Execution - Zeek
id: f1b3a22a-45e6-4004-afb5-4291f9c21166
related:
- id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
type: derived
status: test
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
references:
- https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Samir Bousseaden, @neu5ron, Tim Shelton
date: 2020-04-02
modified: 2022-12-27
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: zeek
service: smb_files
detection:
selection:
path|contains|all:
- '\\'
- '\IPC$'
name|endswith:
- '-stdin'
- '-stdout'
- '-stderr'
filter:
name|startswith: 'PSEXESVC'
condition: selection and not filter
falsepositives:
- Unknown
level: high
title: PSEXEC Remote Execution File Artefact
id: 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4
status: test
description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
references:
- https://aboutdfir.com/the-key-to-identify-psexec/
- https://twitter.com/davisrichardg/status/1616518800584704028
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-21
modified: 2023-02-23
tags:
- attack.lateral-movement
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.t1136.002
- attack.t1543.003
- attack.t1570
- attack.s0029
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Windows\PSEXEC-'
TargetFilename|endswith: '.key'
condition: selection
falsepositives:
- Unlikely
level: high
title: Potential PsExec Remote Execution
id: ea011323-7045-460b-b2d7-0f7442ea6b38
status: test
description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.poweradmin.com/paexec/
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
modified: 2025-09-01
tags:
- attack.resource-development
- attack.t1587.001
logsource:
category: process_creation
product: windows
detection:
selection:
# Accepting EULA in commandline - often used in automated attacks
CommandLine|contains|all:
- 'accepteula'
- ' -u '
- ' -p '
- ' \\\\'
filter_main_localhost:
CommandLine|contains:
- '\\\\localhost'
- '\\\\127.'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Rundll32 Execution Without Parameters
id: 5bb68627-3198-40ca-b458-49f973db8752
status: test
description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
references:
- https://bczyz1.github.io/2021/01/30/psexec.html
author: Bartlomiej Czyz, Relativity
date: 2021-01-31
modified: 2023-02-28
tags:
- attack.lateral-movement
- attack.t1021.002
- attack.t1570
- attack.execution
- attack.t1569.002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine:
- 'rundll32.exe'
- 'rundll32'
condition: selection
falsepositives:
- False positives may occur if a user called rundll32 from CLI with no options
level: high
title: HackTool - SharpImpersonation Execution
id: f89b08d0-77ad-4728-817b-9b16c5a69c7a
related:
- id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
type: similar
status: test
description: Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
references:
- https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/
- https://github.com/S3cur3Th1sSh1t/SharpImpersonation
author: Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-27
modified: 2023-02-13
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1134.001
- attack.t1134.003
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\SharpImpersonation.exe'
- OriginalFileName: 'SharpImpersonation.exe'
selection_cli:
- CommandLine|contains|all:
- ' user:'
- ' binary:'
- CommandLine|contains|all:
- ' user:'
- ' shellcode:'
- CommandLine|contains:
- ' technique:CreateProcessAsUserW'
- ' technique:ImpersonateLoggedOnuser'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: PsExec/PAExec Escalation to LOCAL SYSTEM
id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
related:
- id: 207b0396-3689-42d9-8399-4222658efc99 # Generic rule based on similar cli flags
type: similar
status: test
description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.poweradmin.com/paexec/
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-23
modified: 2024-03-05
tags:
- attack.resource-development
- attack.t1587.001
logsource:
category: process_creation
product: windows
detection:
selection_sys: # Escalation to LOCAL_SYSTEM
CommandLine|contains|windash:
# Note that you don't need to add the ".exe" part when using psexec/paexec
# The "-" can also be replaced with "/"
# The order of args isn't important
# "cmd" can be replaced by "powershell", "pwsh" or any other console like software
- ' -s cmd'
- ' -s -i cmd'
- ' -i -s cmd'
# Pwsh (For PowerShell 7)
- ' -s pwsh'
- ' -s -i pwsh'
- ' -i -s pwsh'
# PowerShell (For PowerShell 5)
- ' -s powershell'
- ' -s -i powershell'
- ' -i -s powershell'
selection_other:
CommandLine|contains:
- 'psexec'
- 'paexec'
- 'accepteula'
condition: all of selection_*
falsepositives:
- Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
- Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
level: high
title: Renamed PsExec Service Execution
id: 51ae86a2-e2e1-4097-ad85-c46cb6851de4
status: test
description: Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.youtube.com/watch?v=ro2QuZTIMBM
author: Florian Roth (Nextron Systems)
date: 2022-07-21
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
OriginalFileName: 'psexesvc.exe'
filter:
Image: 'C:\Windows\PSEXESVC.exe'
condition: selection and not filter
falsepositives:
- Legitimate administrative tasks
level: high
title: Potential Privilege Escalation To LOCAL SYSTEM
id: 207b0396-3689-42d9-8399-4222658efc99
related:
- id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 # PsExec specific rule
type: similar
status: test
description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.poweradmin.com/paexec/
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-05-22
modified: 2024-03-05
tags:
- attack.resource-development
- attack.t1587.001
logsource:
category: process_creation
product: windows
detection:
selection:
# Escalation to LOCAL_SYSTEM
CommandLine|contains|windash:
# Note that you don't need to add the ".exe" part when using psexec/paexec
# The "-" can also be replaced with "/"
# The order of args isn't important
# "cmd" can be replaced by "powershell", "pwsh" or any other console like software
- ' -s cmd'
- ' -s -i cmd'
- ' -i -s cmd'
# Pwsh (For PowerShell 7)
- ' -s pwsh'
- ' -s -i pwsh'
- ' -i -s pwsh'
# PowerShell (For PowerShell 5)
- ' -s powershell'
- ' -s -i powershell'
- ' -i -s powershell'
filter_main_exclude_coverage:
# This filter exclude strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23
CommandLine|contains:
- 'paexec'
- 'PsExec'
- 'accepteula'
condition: selection and not 1 of filter_main_*
falsepositives:
- Weird admins that rename their tools
- Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
level: high
title: PUA - CsExec Execution
id: d08a2711-ee8b-4323-bdec-b7d85e892b31
status: test
description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
references:
- https://github.com/malcomvetter/CSExec
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
author: Florian Roth (Nextron Systems)
date: 2022-08-22
modified: 2023-02-21
tags:
- attack.resource-development
- attack.t1587.001
- attack.execution
- attack.t1569.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\csexec.exe'
selection_pe:
Description: 'csexec'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
title: PsExec Service Child Process Execution as LOCAL SYSTEM
id: 7c0dcd3d-acf8-4f71-9570-f448b0034f94
related:
- id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
type: similar
status: test
description: Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
author: Florian Roth (Nextron Systems)
date: 2022-07-21
modified: 2023-02-28
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage: 'C:\Windows\PSEXESVC.exe'
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
condition: selection
falsepositives:
- Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
level: high
title: Suspicious PsExec Execution
id: c462f537-a1e3-41a6-b5fc-b2c2cef9bf82
status: test
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
references:
- https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2022-08-11
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
RelativeTargetName|endswith:
- '-stdin'
- '-stdout'
- '-stderr'
filter:
RelativeTargetName|startswith: 'PSEXESVC'
condition: selection1 and not filter
falsepositives:
- Unknown
level: high
title: Metasploit Or Impacket Service Installation Via SMB PsExec
id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442
related:
- id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
type: derived
status: test
description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
references:
- https://bczyz1.github.io/2021/01/30/psexec.html
author: Bartlomiej Czyz, Relativity
date: 2021-01-21
modified: 2022-10-05
tags:
- attack.lateral-movement
- attack.t1021.002
- attack.t1570
- attack.execution
- attack.t1569.002
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$'
ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'
ServiceStartType: 3 # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697
ServiceType: '0x10'
filter:
ServiceName: 'PSEXESVC'
condition: selection and not filter
falsepositives:
- Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
level: high
title: Impacket PsExec Execution
id: 32d56ea1-417f-44ff-822b-882873f5f43b
status: test
description: Detects execution of Impacket's psexec.py.
references:
- https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
author: Bhabesh Raj
date: 2020-12-14
modified: 2022-09-22
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
RelativeTargetName|contains:
- 'RemCom_stdin'
- 'RemCom_stdout'
- 'RemCom_stderr'
condition: selection1
falsepositives:
- Unknown
level: high
title: PSExec and WMI Process Creations Block
id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003
status: test
description: Detects blocking of process creations originating from PSExec and WMI commands
references:
- https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands
- https://twitter.com/duff22b/status/1280166329660497920
author: Bhabesh Raj
date: 2020-07-14
modified: 2022-12-25
tags:
- attack.execution
- attack.lateral-movement
- attack.t1047
- attack.t1569.002
logsource:
product: windows
service: windefend
definition: 'Requirements:Enabled Block process creations originating from PSExec and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)'
detection:
selection:
EventID: 1121
ProcessName|endswith:
- '\wmiprvse.exe'
- '\psexesvc.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: Sliver C2 Default Service Installation
id: 31c51af6-e7aa-4da7-84d4-8f32cc580af2
status: test
description: Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands
references:
- https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231
- https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-25
tags:
- attack.persistence
- attack.execution
- attack.privilege-escalation
- attack.t1543.003
- attack.t1569.002
logsource:
product: windows
service: system
detection:
selection_eid:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service_1:
ImagePath|re: '^[a-zA-Z]:\\windows\\temp\\[a-zA-Z0-9]{10}\.exe'
selection_service_2:
ServiceName:
- 'Sliver'
- 'Sliver implant'
condition: selection_eid and 1 of selection_service_*
falsepositives:
- Unknown
level: high
title: PsExec Tool Execution From Suspicious Locations - PipeName
id: 41504465-5e3a-4a5b-a5b4-2a0baadd4463
related:
- id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
type: derived
status: test
description: Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-04
modified: 2023-09-20
tags:
- attack.execution
- attack.t1569.002
- attack.s0029
logsource:
category: pipe_created
product: windows
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName: '\PSEXESVC'
Image|contains: # Add or remove locations depending on how and if you execute Psexec in your env
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\Desktop\'
- '\Downloads\'
condition: selection
falsepositives:
- Rare legitimate use of psexec from the locations mentioned above. This will require initial tuning based on your environment.
level: medium
title: HackTool - Impersonate Execution
id: cf0c254b-22f1-4b2b-8221-e137b3c0af94
status: test
description: Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
references:
- https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/
- https://github.com/sensepost/impersonate
author: Sai Prashanth Pulisetti @pulisettis
date: 2022-12-21
modified: 2024-11-23
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1134.001
- attack.t1134.003
logsource:
product: windows
category: process_creation
detection:
selection_commandline_exe:
CommandLine|contains: 'impersonate.exe'
selection_commandline_opt:
CommandLine|contains:
- ' list '
- ' exec '
- ' adduser '
selection_hash:
Hashes|contains:
- 'MD5=9520714AB576B0ED01D1513691377D01'
- 'SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A'
- 'IMPHASH=0A358FFC1697B7A07D0E817AC740DF62'
condition: all of selection_commandline_* or selection_hash
falsepositives:
- Unknown
level: medium
title: Psexec Execution
id: 730fc21b-eaff-474b-ad23-90fd265d4988
status: test
description: Detects user accept agreement execution in psexec commandline
references:
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: omkar72
date: 2020-10-30
modified: 2023-02-28
tags:
- attack.execution
- attack.lateral-movement
- attack.t1569
- attack.t1021
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\psexec.exe'
- OriginalFileName: 'psexec.c'
condition: selection
falsepositives:
- Administrative scripts.
level: medium
title: PsExec Service Execution
id: fdfcbd78-48f1-4a4b-90ac-d82241e368c5
related:
- id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
type: obsolete
status: test
description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.youtube.com/watch?v=ro2QuZTIMBM
author: Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)
date: 2017-06-12
modified: 2023-02-28
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
- Image: 'C:\Windows\PSEXESVC.exe'
- OriginalFileName: 'psexesvc.exe'
condition: selection
falsepositives:
- Legitimate administrative tasks
level: medium
title: Suspicious RunAs-Like Flag Combination
id: 50d66fb0-03f8-4da0-8add-84e77d12a020
status: test
description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
references:
- https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
author: Florian Roth (Nextron Systems)
date: 2022-11-11
tags:
- attack.privilege-escalation
logsource:
category: process_creation
product: windows
detection:
selection_user:
CommandLine|contains:
- ' -u system '
- ' --user system '
- ' -u NT'
- ' -u "NT'
- " -u 'NT"
- ' --system '
- ' -u administrator '
selection_command:
CommandLine|contains:
- ' -c cmd'
- ' -c "cmd'
- ' -c powershell'
- ' -c "powershell'
- ' --command cmd'
- ' --command powershell'
- ' -c whoami'
- ' -c wscript'
- ' -c cscript'
condition: all of selection*
falsepositives:
- Unknown
level: medium
title: PsExec Service Installation
id: 42c575ea-e41e-41f1-b248-8093c3e82a28
status: test
description: Detects PsExec service installation and execution events
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-12
modified: 2023-08-04
tags:
- attack.execution
- attack.t1569.002
- attack.s0029
logsource:
product: windows
service: system
detection:
selection_eid:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service:
- ServiceName: 'PSEXESVC'
- ImagePath|endswith: '\PSEXESVC.exe'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: PUA - Sysinternals Tools Execution - Registry
id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
type: derived
- id: 9841b233-8df8-4ad7-9133-b0b4402a9014
type: obsolete
status: test
description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
references:
- https://twitter.com/Moti_B/status/1008587936735035392
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2025-10-26
tags:
- attack.resource-development
- attack.t1588.002
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains:
- '\Active Directory Explorer'
- '\Handle'
- '\LiveKd'
- '\Process Explorer'
- '\ProcDump'
- '\PsExec'
- '\PsLoglist'
- '\PsPasswd'
- '\SDelete'
- '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400
TargetObject|endswith: '\EulaAccepted'
condition: selection
falsepositives:
- Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/info.yml
title: PsExec Service File Creation
id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
related:
- id: 42c575ea-e41e-41f1-b248-8093c3e82a28
type: derived
status: test
description: Detects default PsExec service filename which indicates PsExec service installation and execution
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
- https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-12
modified: 2022-10-26
tags:
- attack.execution
- attack.t1569.002
- attack.s0029
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\PSEXESVC.exe'
condition: selection
falsepositives:
- Unknown
level: low
title: Sysinternals Tools AppX Versions Execution
id: d29a20b2-be4b-4827-81f2-3d8a59eab5fc
status: test
description: |
Detects execution of Sysinternals tools via an AppX package.
Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/microsoft-store
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
modified: 2023-09-12
tags:
- attack.execution
- attack.stealth
logsource:
product: windows
service: appmodel-runtime
detection:
selection:
EventID: 201
ImageName:
- 'procdump.exe'
- 'psloglist.exe'
- 'psexec.exe'
- 'livekd.exe'
- 'ADExplorer.exe'
condition: selection
falsepositives:
- Legitimate usage of sysinternals applications from the Windows Store will trigger this. Apply exclusions as needed.
level: low