← Library
sigmaDRL-1.1from SigmaHQ/sigma

PSEXEC Remote Execution File Artefact

Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1136.002T1543.003T1570
Rule sourcerules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml
title: PSEXEC Remote Execution File Artefact
id: 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4
status: test
description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
references:
    - https://aboutdfir.com/the-key-to-identify-psexec/
    - https://twitter.com/davisrichardg/status/1616518800584704028
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-21
modified: 2023-02-23
tags:
    - attack.lateral-movement
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1136.002
    - attack.t1543.003
    - attack.t1570
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\PSEXEC-'
        TargetFilename|endswith: '.key'
    condition: selection
falsepositives:
    - Unlikely
level: high