LoFP / admins that use psexec or paexec to escalate to the system account for maintenance purposes (rare)

Techniques

Sample rules

PsExec/PAExec Escalation to LOCAL SYSTEM

Description

Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights

Detection logic

condition: all of selection_*
selection_other:
  CommandLine|contains:
  - psexec
  - paexec
  - accepteula
selection_sys:
  CommandLine|contains|windash:
  - ' -s cmd'
  - ' -s -i cmd'
  - ' -i -s cmd'
  - ' -s pwsh'
  - ' -s -i pwsh'
  - ' -i -s pwsh'
  - ' -s powershell'
  - ' -s -i powershell'
  - ' -i -s powershell'
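A small evaluator for the rule above, added here as an example and not part of the LoFP page or the Sigma project: it models `contains` as a case-insensitive substring match and `windash` as allowing each `-` in a pattern to be written as `/` (the slash/en-dash variants Sigma also generates are not modelled, an assumption), then runs both selections over constructed command lines, including the maintenance-style PsExec launch this false-positive entry describes.

```python
import re

# Values copied from the rule's two selections.
SELECTION_OTHER = ["psexec", "paexec", "accepteula"]
SELECTION_SYS = [" -s cmd", " -s -i cmd", " -i -s cmd",
                 " -s pwsh", " -s -i pwsh", " -i -s pwsh",
                 " -s powershell", " -s -i powershell", " -i -s powershell"]


def windash_variants(pattern):
    """Expand a pattern like Sigma's 'windash' modifier: every '-' may also
    appear as '/', so ' -s -i cmd' also covers ' /s /i cmd' and mixed forms.
    (Assumption: only the slash variant is generated here.)"""
    dashes = [m.start() for m in re.finditer("-", pattern)]
    variants = set()
    for mask in range(1 << len(dashes)):
        chars = list(pattern)
        for bit, idx in enumerate(dashes):
            if mask >> bit & 1:
                chars[idx] = "/"
        variants.add("".join(chars))
    return variants


def contains_any(command_line, patterns, windash=False):
    """Sigma 'contains' is case-insensitive; a value list is OR-ed."""
    cl = command_line.lower()
    for p in patterns:
        needles = windash_variants(p) if windash else {p}
        if any(n.lower() in cl for n in needles):
            return True
    return False


def matches_rule(command_line):
    """condition: all of selection_*  -> both selections must hit."""
    return (contains_any(command_line, SELECTION_OTHER)
            and contains_any(command_line, SELECTION_SYS, windash=True))


# Constructed process-creation command lines (not taken from real logs).
SAMPLE_EVENTS = [
    "PsExec.exe -accepteula -s -i cmd.exe",          # admin maintenance: hits
    r"paexec.exe \\srv01 /s cmd",                    # slash flags: hits via windash
    r"PsExec.exe -accepteula \\srv01 ipconfig",      # no SYSTEM flag: no hit
    "cmd.exe /c echo -s cmd",                        # no psexec/paexec: no hit
    "PAExec.exe -u admin -p secret -i cmd",          # -i without -s: no hit
]


def evaluate(events=SAMPLE_EVENTS):
    return [(e, matches_rule(e)) for e in events]
```

Only the first two sample events trigger the rule; the first is exactly the benign admin pattern listed as a false positive, so tuning should key on the launching user or host rather than loosening the flag list.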