| Repository | File | Matching line | License |
|---|---|---|---|
| sigma | zeek_smb_converted_win_susp_psexec.yml | title: Suspicious PsExec Execution - Zeek | DRL 1.0 |
| sigma | zeek_smb_converted_win_susp_psexec.yml | description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than the Sysinternals one | DRL 1.0 |
| sigma | win_hack_smbexec.yml | - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/ | DRL 1.0 |
| sigma | win_impacket_psexec.yml | title: Impacket PsExec Execution | DRL 1.0 |
| sigma | win_impacket_psexec.yml | description: Detects execution of Impacket's psexec.py. | DRL 1.0 |
| sigma | win_impacket_psexec.yml | - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html | DRL 1.0 |
| sigma | win_susp_psexec.yml | title: Suspicious PsExec Execution | DRL 1.0 |
| sigma | win_susp_psexec.yml | description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than the Sysinternals one | DRL 1.0 |
| sigma | win_susp_psexec.yml | - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html | DRL 1.0 |
| sigma | sysmon_powershell_exploit_scripts.yml | - '*\Invoke-PsExec.ps1' | DRL 1.0 |
| sigma | win_defender_psexec_wmi_asr.yml | title: PSExec and WMI Process Creations Block | DRL 1.0 |
| sigma | win_defender_psexec_wmi_asr.yml | description: Detects blocking of process creations originating from PSExec and WMI commands | DRL 1.0 |
| sigma | win_defender_psexec_wmi_asr.yml | - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands | DRL 1.0 |
| sigma | win_defender_psexec_wmi_asr.yml | definition: 'Requirements:Enabled Block process creations originating from PSExec and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)' | DRL 1.0 |
| sigma | win_tool_psexec.yml | title: PsExec Tool Execution | DRL 1.0 |
| sigma | win_tool_psexec.yml | description: Detects PsExec service installation and execution events (service and Sysmon) | DRL 1.0 |
| sigma | powershell_malicious_commandlets.yml | - "*Invoke-PsExec*" | DRL 1.0 |
| sigma | win_multiple_suspicious_cli.yml | - psexec.exe | DRL 1.0 |
| sigma | win_psexesvc_start.yml | title: PsExec Service Start | DRL 1.0 |
| sigma | win_psexesvc_start.yml | description: Detects a PsExec service start | DRL 1.0 |
| sigma | win_renamed_binary.yml | - 'psexec.exe' | DRL 1.0 |
| sigma | win_renamed_binary.yml | - 'psexec.c' # old versions of psexec (2016 seen) | DRL 1.0 |
| sigma | win_renamed_binary.yml | - '\psexec.exe' | DRL 1.0 |
| sigma | win_renamed_binary_highly_relevant.yml | - "psexec.exe" | DRL 1.0 |
| sigma | win_renamed_binary_highly_relevant.yml | - "psexec.c" # old versions of psexec (2016 seen) | DRL 1.0 |
| sigma | win_renamed_binary_highly_relevant.yml | - '*\psexec.exe' | DRL 1.0 |
| sigma | win_renamed_psexec.yml | title: Renamed PsExec | DRL 1.0 |
| sigma | win_renamed_psexec.yml | description: Detects the execution of a renamed PsExec often used by attackers or malware | DRL 1.0 |
| sigma | win_renamed_psexec.yml | Product: 'Sysinternals PsExec' | DRL 1.0 |
| sigma | win_renamed_psexec.yml | - '*\PsExec.exe' | DRL 1.0 |
| sigma | win_renamed_psexec.yml | - Software that illegally integrates PsExec in a renamed form | DRL 1.0 |
| sigma | win_renamed_psexec.yml | - Administrators that have renamed PsExec and no one knows why | DRL 1.0 |
| sigma | win_rundll32_without_parameters.yml | description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module | DRL 1.0 |
| sigma | win_rundll32_without_parameters.yml | - https://bczyz1.github.io/2021/01/30/psexec.html | DRL 1.0 |
| sigma | win_susp_psexec_eula.yml | title: Psexec Accepteula Condition | DRL 1.0 |
| sigma | win_susp_psexec_eula.yml | description: Detected user accept agreement execution in psexec commandline | DRL 1.0 |
| sigma | win_susp_psexec_eula.yml | Image\|endswith: '\psexec.exe' | DRL 1.0 |
| malware-ioc | misp_invisimole.json | "http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass", | © ESET 2014-2018 |
| malware-ioc | oceanlotus-rtf_ocx_campaigns.misp.event.json | "description": "Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.\n\nDetection: Changes to service Registry entries and command-line invocation of tools capable of modifying services that do not correlate with known software, patch cycles, etc., may be suspicious. If a service is used only to execute a binary or script and not to persist, then it will likely be changed back to its original form shortly after the service is restarted so the service is not left broken, as is the case with the common administrator tool PsExec.\n\nPlatforms: Windows\n\nData Sources: Windows Registry, Process command-line parameters, Process monitoring\n\nPermissions Required: Administrator, SYSTEM\n\nRemote Support: Yes", | © ESET 2014-2018 |
| atomic-red-team | index.md | - Atomic Test #2: Use PsExec to execute a command on a remote host [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #3: Copy and Execute File with PsExec [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #2: Use PsExec to execute a command on a remote host [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: Copy and Execute File with PsExec [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.004.md | \| psexec_exe \| Path to PsExec executable \| Path \| PathToAtomicsFolder\T1003.004\bin\PsExec.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.004.md | ##### Description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe}) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.004.md | Copy-Item $env:TEMP\PSTools\PsExec.exe #{psexec_exe} -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1021.002.md | - Atomic Test #3 - Copy and Execute File with PsExec | MIT License. © 2018 Red Canary |
| atomic-red-team | T1021.002.md | ## Atomic Test #3 - Copy and Execute File with PsExec | MIT License. © 2018 Red Canary |
| atomic-red-team | T1021.002.md | Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from https://docs.microsoft.com/en-us/sysinternals/downloads/psexec. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1021.002.md | psexec.exe #{remote_host} -accepteula -c #{command_path} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.md | Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.md | \| machine \| machine to target (via psexec) \| string \| DC1\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.md | \| psexec_path \| Path to PsExec \| string \| C:\PSTools\PsExec.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.md | ##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.md | Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1207.md | Need SYSTEM privileges locally (automatically obtained via PsExec, so running as admin is sufficient), and Domain Admin remotely. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1207.md | \| psexec_path \| Path to PsExec \| string \| C:\PSTools\PsExec.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1207.md | ##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1207.md | Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1569.002.md | PsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1569.002.md | - Atomic Test #2 - Use PsExec to execute a command on a remote host | MIT License. © 2018 Red Canary |
| atomic-red-team | T1569.002.md | ## Atomic Test #2 - Use PsExec to execute a command on a remote host | MIT License. © 2018 Red Canary |
| atomic-red-team | T1569.002.md | Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a remote endpoint (default:localhost). | MIT License. © 2018 Red Canary |
| atomic-red-team | T1569.002.md | \| psexec_exe \| Path to PsExec \| string \| C:\PSTools\PsExec.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1569.002.md | ##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1569.002.md | Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force | MIT License. © 2018 Red Canary |
| signature-base | gen_empire.yar | description = "Detects Empire component - file Invoke-PsExec.ps1" | CC BY-NC 4.0 |
| signature-base | gen_mimikatz.yar | $x14 = "Clear screen (doesn't work with redirections, like PsExec)" fullword wide | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | description = "Looks like a cloaked PsExec. May be APT group activity." | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $s1 = "Sysinternals PsExec" wide fullword | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | and not filename matches /(psexec.exe\|PSEXESVC.EXE\|PsExec64.exe)$/is | CC BY-NC 4.0 |
| stockpile | 620b674a-7655-436c-b645-bc3e8ea51abd.yml | description: Copy Sandcat file using PsExec on CMD | Apache-2.0 |
| stockpile | 620b674a-7655-436c-b645-bc3e8ea51abd.yml | name: Copy Sandcat File using PsExec on CMD | Apache-2.0 |
| stockpile | 620b674a-7655-436c-b645-bc3e8ea51abd.yml | \\#{remote.host.name}\Users\Public & #{psexec.path} -accepteula \\#{remote.host.name} | Apache-2.0 |