security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

refactor: reworked psexec / paexec rules

Browse Source
This commit is contained in:
Florian Roth
2021-11-23 16:34:31 +01:00
parent 75663ceb46
commit 99fc5fc3cc
2 changed files with 33 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/win_susp_psexex_paexec_escalate_system.yml
+29
View File
@@ -0,0 +1,29 @@
title: PsExec/PAExec Escalation to LOCAL SYSTEM
id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
status: experimental
description: Detects suspicious flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.poweradmin.com/paexec/
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth
date: 2021/11/23
logsource:
category: process_creation
product: windows
detection:
selection_cmd_to_system: # Escalation to LOCAL_SYSTEM
CommandLine|endswith: ' -s cmd.exe'
selection_supporting_flags:
CommandLine|contains:
- 'PsExec'
- 'PAExec'
- 'accepteula'
- 'cmd /c '
condition: selection_supporting_flags and selection_cmd_to_system
falsepositives:
- Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
level: high
tags:
- attack.develop_capabilities
- attack.t1587.001
rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
+4 -6
View File
@@ -8,21 +8,19 @@ references:
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth
date: 2021/05/22
modified: 2021/11/23
logsource:
category: process_creation
product: windows
detection:
selection_flags_1: # Escalation to LOCAL_SYSTEM
CommandLine|contains|all:
- '\\127.0.0.1'
- ' -s '
- 'cmd.exe'
CommandLine|endswith: ' -s cmd.exe'
selection_flags_2:
CommandLine|contains|all: # Accepting EULA in commandline - often used in automated attacks
- ' /accepteula '
- 'cmd /c '
- 'accepteula'
- ' -u '
- ' -p '
- ' \\'
filter:
CommandLine|contains:
- 'paexec'