LoFP / software companies that bundle psexec/paexec with their software and rename it, so that it is less embarrassing

Techniques

Sample rules

Potential Privilege Escalation To LOCAL SYSTEM

Description

Detects an unknown program using the command-line flags that tools such as PsExec and PAExec use to start programs with SYSTEM privileges

Detection logic

selection:
  CommandLine|contains|windash:
  - ' -s cmd'
  - ' -s -i cmd'
  - ' -i -s cmd'
  - ' -s pwsh'
  - ' -s -i pwsh'
  - ' -i -s pwsh'
  - ' -s powershell'
  - ' -s -i powershell'
  - ' -i -s powershell'
filter_main_exclude_coverage:
  CommandLine|contains:
  - paexec
  - PsExec
  - accepteula
condition: selection and not 1 of filter_main_*
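As an added example (not part of the LoFP entry or the Sigma rule), the detection logic re-implemented in Python over constructed command lines: `windash` expansion, the case-insensitive `contains` filter, and the false positive from the entry title, a vendor-renamed PsExec/PAExec copy whose command line carries none of the filter terms and therefore alerts. The `allowed_images` parameter is an assumed local tuning knob, not something the rule defines.

```python
from itertools import product

# Dash variants that Sigma's |windash modifier expands to
# (hyphen, slash, en dash, em dash; set assumed from the Sigma modifier spec).
DASHES = ["-", "/", "\u2013", "\u2014"]

SELECTION = [
    " -s cmd", " -s -i cmd", " -i -s cmd",
    " -s pwsh", " -s -i pwsh", " -i -s pwsh",
    " -s powershell", " -s -i powershell", " -i -s powershell",
]
# Sigma |contains is case-insensitive, so everything is compared in lower case.
FILTER_MAIN = ["paexec", "psexec", "accepteula"]


def windash_variants(value):
    """Expand one pattern as |windash does: each '-' independently becomes any DASHES entry."""
    slots = [i for i, ch in enumerate(value) if ch == "-"]
    variants = set()
    for combo in product(DASHES, repeat=len(slots)):
        chars = list(value)
        for pos, dash in zip(slots, combo):
            chars[pos] = dash
        variants.add("".join(chars))
    return variants


def classify(command_line, image="", allowed_images=()):
    """Return 'alert', 'suppressed' or 'no_match' for one process-creation event.

    allowed_images (assumed, not in the rule): exact image paths of verified vendor-bundled,
    renamed PsExec/PAExec copies, so the FP is tuned on Image rather than by loosening
    the CommandLine filter for every process on the host.
    """
    cl = command_line.lower()
    selected = any(v.lower() in cl for pat in SELECTION for v in windash_variants(pat))
    if not selected:
        return "no_match"
    if any(term in cl for term in FILTER_MAIN):
        return "suppressed"  # filter_main_exclude_coverage: left to the PsExec/PAExec rules
    if image.lower() in {a.lower() for a in allowed_images}:
        return "suppressed"  # locally verified renamed copy
    return "alert"


# Constructed sample events (not real telemetry): (CommandLine, Image).
EVENTS = [
    (r"C:\Tools\PsExec64.exe -accepteula -s -i cmd.exe", r"C:\Tools\PsExec64.exe"),
    (r"C:\Program Files\VendorAgent\svcrun.exe /s cmd", r"C:\Program Files\VendorAgent\svcrun.exe"),
    (r"C:\Users\Public\update.exe -i -s powershell -nop", r"C:\Users\Public\update.exe"),
    (r"C:\Windows\System32\cmd.exe /c dir", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for cmd, img in EVENTS:
        print(f"{classify(cmd, img):<10} {cmd}")
```

The second event is the LoFP case: it alerts until its image path is added to `allowed_images`, which keeps the rule intact for any other binary using the same flags.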