Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious PsExec Execution - Zeek

detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Samir Bousseaden, Tim SheltonCreated Thu Apr 02Updated Tue Dec 27f1b3a22a-45e6-4004-afb5-4291f9c21166network
Log Source
Zeek (Bro)smb_files
ProductZeek (Bro)← raw: zeek
Servicesmb_files← raw: smb_files
Detection Logic
Detection Logic2 selectors
detection:
    selection:
        path|contains|all:
            - '\\'
            - '\IPC$'
        name|endswith:
            - '-stdin'
            - '-stdout'
            - '-stderr'
    filter:
        name|startswith: 'PSEXESVC'
    condition: selection and not filter
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
web.archive.org
MITRE ATT&CK
Related Rules
DerivedDetectionhigh

Suspicious PsExec Execution

detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
f1b3a22a-45e6-4004-afb5-4291f9c21166
Status
test
Level
high
Type
Detection
Created
Thu Apr 02
Modified
Tue Dec 27
Author
Samir Bousseaden, Tim Shelton
Path
rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml
Raw Tags
attack.lateral-movementattack.t1021.002
View on GitHub