Suspicious PsExec Execution - Zeek

Summary
This detection rule identifies potentially malicious execution of PsExec, or a similar tool, used for lateral movement across a network. It looks for suspicious cases in which executables are run through SMB files associated with the PsExec service, in particular when the service name has been renamed to avoid detection, so that legitimate administrative use of PsExec can be distinguished from attackers who repurpose the tool under a different alias.

The detection logic uses selection criteria that check for paths that include special SMB shares, such as '\IPC$', together with file names that correspond to process input/output handling. It then filters out known legitimate activity of the PsExec service under its standard name (PSEXESVC) to reduce false positives. When these conditions are met the rule raises a high-level alert, giving security teams a point from which to pivot and investigate potentially malicious lateral movement in their environment.
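The selection-and-filter logic described above, as an added Python example run over a few constructed Zeek smb_files.log records in JSON form (this is not the rule's own YAML and not Zeek or Sigma project code). It assumes the `path` and `name` fields of Zeek's smb_files log and PsExec's named-pipe convention of `<service>-<host>-<pid>-stdin`, `-stdout` and `-stderr` for redirected process I/O; the sample records, hostnames and addresses are made up for the demonstration.

```python
import json

# PsExec redirects the remote process's I/O through named pipes on IPC$ called
# <service>-<hostname>-<pid>-stdin / -stdout / -stderr. Assumption: these are
# the "process input/output" names the rule summary refers to.
IO_PIPE_SUFFIXES = ("-stdin", "-stdout", "-stderr")

# Default PsExec service name. The filter excludes it so stock PsExec used for
# administration stays quiet and only renamed services alert.
DEFAULT_SERVICE_NAME = "psexesvc"

# Constructed Zeek smb_files.log lines (JSON log format); not real traffic.
SAMPLE_SMB_FILES_LOG = r"""
{"ts":1585814400.1,"uid":"CxA1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.20\\IPC$","name":"PSEXESVC-WS01-1234-stdin"}
{"ts":1585814401.2,"uid":"CxA2","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.20\\IPC$","name":"svchost-WS01-5678-stdout"}
{"ts":1585814402.3,"uid":"CxA3","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.20","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.20\\C$","name":"report.docx"}
{"ts":1585814403.4,"uid":"CxA4","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.20","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.20\\IPC$","name":"srvsvc"}
{"ts":1585814404.5,"uid":"CxA5","id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.20","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.20\\ADMIN$","name":"tool-WS01-42-stderr"}
"""


def matches_selection(path: str, name: str) -> bool:
    """Selection: a file on an IPC$ share whose name ends in a PsExec I/O pipe suffix.

    Comparisons are case-insensitive, matching Sigma's default string handling.
    """
    p = path.lower()
    n = name.lower()
    return "\\" in p and "\\ipc$" in p and n.endswith(IO_PIPE_SUFFIXES)


def matches_filter(name: str) -> bool:
    """Filter: pipes created by the default-named PsExec service are excluded."""
    return name.lower().startswith(DEFAULT_SERVICE_NAME)


def is_suspicious_psexec(record: dict) -> bool:
    """Rule condition: selection and not filter."""
    path = record.get("path") or ""
    name = record.get("name") or ""
    return matches_selection(path, name) and not matches_filter(name)


def scan_smb_files_log(log_text: str) -> list[dict]:
    """Return every JSON record in a Zeek smb_files log that triggers the rule."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        record = json.loads(line)
        if is_suspicious_psexec(record):
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in scan_smb_files_log(SAMPLE_SMB_FILES_LOG):
        print(f"ALERT {hit['id.orig_h']} -> {hit['id.resp_h']} "
              f"{hit['path']}\\{hit['name']}")
```

Run against the sample, only the `svchost-WS01-5678-stdout` pipe alerts: the `PSEXESVC-...` pipe is the default service name and is filtered, the `C$` and `ADMIN$` accesses are not on IPC$, and `srvsvc` carries no I/O suffix. An analyst pivoting from the alert would take the `uid` and source address of the matching record back into Zeek's conn and smb_mapping logs to see what else that session did.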
Categories
  • Network
  • Windows
  • Endpoint
Data Sources
  • Process
  • Network Traffic
  • Application Log
Created: 2020-04-02