Create win_susp_psexec.yml
This commit is contained in:
sbousseaden
@@ -0,0 +1,28 @@
|
||||
title: Suspicious PsExec execution
|
||||
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
|
||||
author: Samir Bousseaden
|
||||
references:
|
||||
- https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
|
||||
tags:
|
||||
- attack.lateral_movement
|
||||
- attack.T1077
|
||||
logsource:
|
||||
product: windows
|
||||
service: security
|
||||
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
|
||||
detection:
|
||||
selection1:
|
||||
EventID: 5145
|
||||
ShareName: \\*\IPC$
|
||||
RelativeTargetName:
|
||||
- '*-stdin'
|
||||
- '*-stdout'
|
||||
- '*-stderr'
|
||||
selection2:
|
||||
EventID: 5145
|
||||
ShareName: \\*\IPC$
|
||||
RelativeTargetName: 'PSEXESVC*'
|
||||
condition: selection1 and not selection2
|
||||
falsepositives:
|
||||
- nothing observed so far
|
||||
level: high
|
||||
Reference in New Issue
Block a user