LoFP / Limited false positives should be present. It is possible that some third-party applications use older versions of PsExec, possibly under a different file name; filter as needed.

Techniques

Sample rules

Detect Renamed PSExec

Description

The following analytic identifies renamed instances of PsExec.exe being used on an endpoint. In most cases, PsExec.exe and other Sysinternals utilities will also be captured with the command-line argument -accepteula. During triage, validate that this is the legitimate version of PsExec by reviewing the PE metadata: the OriginalFilename field in the version resource stays psexec.c even after the file on disk is renamed, which is what the search keys on. In addition, review parallel processes for further suspicious behavior.

Detection logic

Note: the two process_name exclusions must be joined with AND (equivalent to NOT IN). Joined with OR the clause is true for every process name, so the search would also return correctly named psexec.exe and psexec64.exe.

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name!=psexec.exe AND Processes.process_name!=psexec64.exe) AND Processes.original_file_name=psexec.c by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `detect_renamed_psexec_filter`
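The search above is Splunk SPL and cannot be run outside Splunk, so the following is an added example (not part of the original rule or of Splunk's security content) that reproduces its logic in Python over a handful of constructed process events. Field names mirror the Endpoint.Processes data model used by the search; the hostnames, users and command lines are made up for the example. It also shows why the exclusion has to be an AND: the OR variant flags correctly named PsExec as well. The allowlist argument plays the role of the `detect_renamed_psexec_filter` macro for the third-party case mentioned in the false-positives note.

```python
"""Added example (not part of the original rule or Splunk's content): the
renamed-PsExec logic run in Python over constructed process events whose
fields mirror the Endpoint.Processes data model used by the SPL above."""
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample events; not real telemetry. _time is a Unix epoch.
SAMPLE_EVENTS: List[Dict] = [
    {"_time": 1700000000, "dest": "ws01", "user": "CORP\\alice",
     "parent_process_name": "cmd.exe", "process_name": "psexec.exe",
     "original_file_name": "psexec.c",
     "process": "psexec.exe \\\\srv01 -accepteula -s cmd.exe"},
    {"_time": 1700000060, "dest": "ws02", "user": "CORP\\bob",
     "parent_process_name": "powershell.exe", "process_name": "svchost.exe",
     "original_file_name": "psexec.c",
     "process": "svchost.exe \\\\dc01 -accepteula -s cmd.exe /c whoami"},
    {"_time": 1700000120, "dest": "ws02", "user": "CORP\\bob",
     "parent_process_name": "powershell.exe", "process_name": "svchost.exe",
     "original_file_name": "psexec.c",
     "process": "svchost.exe \\\\dc01 -accepteula -s cmd.exe /c whoami"},
    {"_time": 1700000180, "dest": "ws03", "user": "CORP\\carol",
     "parent_process_name": "explorer.exe", "process_name": "PsExec64.exe",
     "original_file_name": "psexec.c",
     "process": "PsExec64.exe -accepteula \\\\srv02 ipconfig"},
    {"_time": 1700000240, "dest": "ws04", "user": "CORP\\dave",
     "parent_process_name": "explorer.exe", "process_name": "notepad.exe",
     "original_file_name": "NOTEPAD.EXE",
     "process": "notepad.exe readme.txt"},
    {"_time": 1700000300, "dest": "ws05", "user": "CORP\\eve",
     "parent_process_name": "installer.exe", "process_name": "ps.exe",
     "original_file_name": "psexec.c",
     "process": "ps.exe \\\\srv03 -accepteula -u svc -p x cmd"},
]

EXPECTED_NAMES = {"psexec.exe", "psexec64.exe"}
GROUP_FIELDS = ("dest", "user", "parent_process_name", "process_name", "process")


def is_renamed_psexec(ev: Dict) -> bool:
    """original_file_name=psexec.c AND process_name NOT IN (psexec.exe,
    psexec64.exe). Comparisons are case-insensitive, as in Splunk."""
    return (ev["original_file_name"].lower() == "psexec.c"
            and ev["process_name"].lower() not in EXPECTED_NAMES)


def is_renamed_psexec_or_variant(ev: Dict) -> bool:
    """The OR form of the exclusion: (name != a OR name != b) holds for
    every name, so this also flags correctly named PsExec."""
    name = ev["process_name"].lower()
    return (ev["original_file_name"].lower() == "psexec.c"
            and (name != "psexec.exe" or name != "psexec64.exe"))


def run_rule(events: Iterable[Dict],
             predicate: Callable[[Dict], bool] = is_renamed_psexec,
             allowlist: Iterable[Tuple[str, str]] = ()) -> List[Dict]:
    """Filter events with the predicate, drop (dest, process_name) pairs on
    the allowlist (the job of the detect_renamed_psexec_filter macro, e.g. a
    third-party product that ships an old PsExec under its own name), then
    aggregate like the SPL 'by' clause: one row per group with count,
    firstTime and lastTime."""
    allowed = {(d.lower(), n.lower()) for d, n in allowlist}
    rows: Dict[Tuple, Dict] = {}
    for ev in events:
        if not predicate(ev):
            continue
        if (ev["dest"].lower(), ev["process_name"].lower()) in allowed:
            continue
        key = tuple(ev[f] for f in GROUP_FIELDS)
        row = rows.get(key)
        if row is None:
            row = {f: ev[f] for f in GROUP_FIELDS}
            row.update(count=0, firstTime=ev["_time"], lastTime=ev["_time"])
            rows[key] = row
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return list(rows.values())


if __name__ == "__main__":
    for row in run_rule(SAMPLE_EVENTS):
        print(row["dest"], row["process_name"], row["count"], row["process"])
    print("OR-variant rows:",
          len(run_rule(SAMPLE_EVENTS, is_renamed_psexec_or_variant)))
```

With the corrected predicate only the svchost.exe and ps.exe events are returned (two rows, the repeated ws02 event collapsing into one row with count 2); the OR variant returns four rows because it also includes the legitimately named psexec.exe and PsExec64.exe. Allowlisting ("ws05", "ps.exe") is the analogue of extending the filter macro once a third-party wrapper is confirmed benign.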