Detectionhightest
Potential Privilege Escalation To LOCAL SYSTEM
Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)Created Sat May 22Updated Tue Mar 05207b0396-3689-42d9-8399-4222658efc99windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection:
# Escalation to LOCAL_SYSTEM
CommandLine|contains|windash:
# Note that you don't need to add the ".exe" part when using psexec/paexec
# The "-" can also be replaced with "/"
# The order of args isn't important
# "cmd" can be replaced by "powershell", "pwsh" or any other console like software
- ' -s cmd'
- ' -s -i cmd'
- ' -i -s cmd'
# Pwsh (For PowerShell 7)
- ' -s pwsh'
- ' -s -i pwsh'
- ' -i -s pwsh'
# PowerShell (For PowerShell 5)
- ' -s powershell'
- ' -s -i powershell'
- ' -i -s powershell'
filter_main_exclude_coverage:
# This filter exclude strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23
CommandLine|contains:
- 'paexec'
- 'PsExec'
- 'accepteula'
condition: selection and not 1 of filter_main_*False Positives
Weird admins that rename their tools
Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
MITRE ATT&CK
Sub-techniques
Rule Metadata
Rule ID
207b0396-3689-42d9-8399-4222658efc99
Status
test
Level
high
Type
Detection
Created
Sat May 22
Modified
Tue Mar 05
Path
rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
Raw Tags
attack.resource-developmentattack.t1587.001