Detectionhightest
PsExec/PAExec Escalation to LOCAL SYSTEM
Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)Created Tue Nov 23Updated Tue Mar 058834e2f7-6b4b-4f09-8906-d2276470ee23windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_sys: # Escalation to LOCAL_SYSTEM
CommandLine|contains|windash:
# Note that you don't need to add the ".exe" part when using psexec/paexec
# The "-" can also be replaced with "/"
# The order of args isn't important
# "cmd" can be replaced by "powershell", "pwsh" or any other console like software
- ' -s cmd'
- ' -s -i cmd'
- ' -i -s cmd'
# Pwsh (For PowerShell 7)
- ' -s pwsh'
- ' -s -i pwsh'
- ' -i -s pwsh'
# PowerShell (For PowerShell 5)
- ' -s powershell'
- ' -s -i powershell'
- ' -i -s powershell'
selection_other:
CommandLine|contains:
- 'psexec'
- 'paexec'
- 'accepteula'
condition: all of selection_*False Positives
Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
MITRE ATT&CK
Sub-techniques
Rule Metadata
Rule ID
8834e2f7-6b4b-4f09-8906-d2276470ee23
Status
test
Level
high
Type
Detection
Created
Tue Nov 23
Modified
Tue Mar 05
Path
rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml
Raw Tags
attack.resource-developmentattack.t1587.001