LoFP / possible, different agents with an 8 character binary and a 4, 8 or 16 character service name

Techniques

Sample rules

Metasploit Or Impacket Service Installation Via SMB PsExec

Description

Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on the specific service installation pattern these tools create: an executable with an 8 character alphabetic name under %SystemRoot% registered as a demand-start Win32 service with a 4, 8 or 16 character alphabetic service name.

Detection logic

condition: selection and not filter
filter:
  # Exclude the genuine Sysinternals PsExec service, which would otherwise match (PSEXESVC is 8 letters)
  ServiceName: PSEXESVC
selection:
  # Security event 4697: "A service was installed in the system"
  EventID: 4697
  # 8 alphabetic characters plus .exe directly under %SystemRoot%
  ServiceFileName|re: ^%systemroot%\\[a-zA-Z]{8}\.exe$
  # Service name of exactly 4, 8 or 16 alphabetic characters
  ServiceName|re: (^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)
  # 3 = SERVICE_DEMAND_START
  ServiceStartType: 3
  # 0x10 = SERVICE_WIN32_OWN_PROCESS
  ServiceType: '0x10'
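Evaluating the rule's selection and filter against a handful of constructed 4697 events, as an added example (not part of the LoFP page or the Sigma rule), to show both the pattern the rule targets and the kind of legitimate agent install that produces the false positive described in the title. The regexes are applied as written (case-sensitive); the event field names and sample values are assumptions.

```python
import re

# Patterns copied verbatim from the rule's selection above.
SERVICE_FILE_RE = re.compile(r"^%systemroot%\\[a-zA-Z]{8}\.exe$")
SERVICE_NAME_RE = re.compile(r"(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)")


def rule_matches(event: dict) -> bool:
    """Return True when the event satisfies 'selection and not filter'."""
    if event.get("EventID") != 4697:
        return False
    selection = (
        SERVICE_FILE_RE.search(event.get("ServiceFileName", "")) is not None
        and SERVICE_NAME_RE.search(event.get("ServiceName", "")) is not None
        and event.get("ServiceStartType") == 3
        and event.get("ServiceType") == "0x10"
    )
    # The filter only carves out the real Sysinternals PsExec service name.
    excluded = event.get("ServiceName") == "PSEXESVC"
    return selection and not excluded


def evaluate_events(events: list) -> dict:
    """Map each event's ServiceName to whether the rule fires on it."""
    return {e["ServiceName"]: rule_matches(e) for e in events}


def _evt(name: str, path: str, start: int = 3, svc_type: str = "0x10") -> dict:
    return {"EventID": 4697, "ServiceName": name, "ServiceFileName": path,
            "ServiceStartType": start, "ServiceType": svc_type}


# Constructed sample events (not real log data).
EVENTS = [
    _evt("QzLpWxRs", r"%systemroot%\kQhTzXwP.exe"),        # random 8/8: fires
    _evt("abcd", r"%systemroot%\abcdefgh.exe"),            # random 4/8: fires
    _evt("PSEXESVC", r"%systemroot%\PSEXESVC.exe"),        # real PsExec: filtered out
    _evt("AgentSvc", r"%systemroot%\AgentSvc.exe"),        # legitimate agent: false positive
    _evt("MyAgentService", r"C:\Program Files\Agent\agent.exe"),  # normal install: no match
]

if __name__ == "__main__":
    for name, fired in evaluate_events(EVENTS).items():
        print(f"{name:16} -> {'ALERT' if fired else 'no match'}")
```

The fourth event is exactly the case the title describes: an 8 character binary with an 8 character service name, which the rule cannot distinguish from tool-generated names without additional context such as the installing account or the binary's signature.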