LoFP / users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension

Techniques

Sample rules

PsExec Service Child Process Execution as LOCAL SYSTEM

Description

Detects a suspicious launch of the PSEXESVC service on this system together with a child process running as LOCAL SYSTEM (the -s flag). This means that someone remotely started a command on this system with the highest privileges, rather than with only the privileges of the logged-in user account (e.g. the administrator account).

Detection logic

condition: selection
selection:
  ParentImage: C:\Windows\PSEXESVC.exe
  User|contains:
  - AUTHORI
  - AUTORI

PsExec/PAExec Escalation to LOCAL SYSTEM

Description

Detects suspicious command-line flags used by PsExec and PAExec to escalate a command line to LOCAL SYSTEM rights.

Detection logic

condition: all of selection_*
selection_other:
  CommandLine|contains:
  - psexec
  - paexec
  - accepteula
selection_sys:
  CommandLine|contains|windash:
  - ' -s cmd'
  - ' -s -i cmd'
  - ' -i -s cmd'
  - ' -s pwsh'
  - ' -s -i pwsh'
  - ' -i -s pwsh'
  - ' -s powershell'
  - ' -s -i powershell'
  - ' -i -s powershell'
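The two rules above, evaluated against constructed Sysmon-style process-creation events, as an added Python example that is not part of the original page or of the Sigma project's code. It assumes the usual Sigma semantics: matching is case-insensitive, `|contains` is a substring match, and `|windash` expands each `-` in a pattern to the dash characters Windows command-line parsers accept (`-`, `/` and the Unicode en dash, em dash and horizontal bar), with every dash position expanded independently. The rule titles, field names and patterns come from the page; the event records and helper names are constructed for the example.

```python
"""Evaluate the two PsExec/PAExec Sigma rules against constructed events.

Added example (not from the page); assumptions are noted in the comments.
"""
import itertools
from typing import Iterable

# Assumption: this mirrors Sigma's |windash modifier, which lets a rule match
# the alternative dash characters Windows accepts instead of '-'.
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")


def windash_expand(pattern: str) -> list[str]:
    """Return every variant of `pattern` with each '-' swapped for a dash variant."""
    positions = [i for i, ch in enumerate(pattern) if ch == "-"]
    if not positions:
        return [pattern]
    variants = []
    for combo in itertools.product(WINDASH_VARIANTS, repeat=len(positions)):
        chars = list(pattern)
        for pos, dash in zip(positions, combo):
            chars[pos] = dash
        variants.append("".join(chars))
    return variants


def contains_any(value: str, needles: Iterable[str]) -> bool:
    """Sigma |contains with the default case-insensitive matching."""
    haystack = value.lower()
    return any(n.lower() in haystack for n in needles)


def rule_psexesvc_child_as_system(event: dict) -> bool:
    """PsExec Service Child Process Execution as LOCAL SYSTEM (condition: selection)."""
    parent_ok = event.get("ParentImage", "").lower() == r"c:\windows\psexesvc.exe"
    # AUTHORI / AUTORI cover 'NT AUTHORITY\SYSTEM' and localized spellings.
    user_ok = contains_any(event.get("User", ""), ["AUTHORI", "AUTORI"])
    return parent_ok and user_ok


SYS_FLAG_PATTERNS = [
    " -s cmd", " -s -i cmd", " -i -s cmd",
    " -s pwsh", " -s -i pwsh", " -i -s pwsh",
    " -s powershell", " -s -i powershell", " -i -s powershell",
]
SYS_FLAG_EXPANDED = [v for p in SYS_FLAG_PATTERNS for v in windash_expand(p)]


def rule_psexec_escalation(event: dict) -> bool:
    """PsExec/PAExec Escalation to LOCAL SYSTEM (condition: all of selection_*)."""
    cmd = event.get("CommandLine", "")
    sel_other = contains_any(cmd, ["psexec", "paexec", "accepteula"])
    sel_sys = contains_any(cmd, SYS_FLAG_EXPANDED)
    return sel_other and sel_sys


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "cmd.exe"},
    {"id": 2, "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "User": "NT-AUTORIT\u00c4T\\SYSTEM", "CommandLine": "cmd.exe"},  # German locale
    {"id": 3, "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "User": r"CORP\admin", "CommandLine": "cmd.exe"},             # child not SYSTEM
    {"id": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\admin",
     "CommandLine": r"psexec.exe \\host -accepteula -s cmd"},
    {"id": 5, "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\admin",
     "CommandLine": r"paexec.exe \\host /i /s powershell"},        # slash-style dashes
    {"id": 6, "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\admin",
     "CommandLine": r"psexec.exe \\host -u corp\admin cmd"},       # no -s flag
]


def run_rules(events: list[dict]) -> dict[int, list[str]]:
    """Map each event id to the titles of the rules that fired on it."""
    hits = {}
    for ev in events:
        fired = []
        if rule_psexesvc_child_as_system(ev):
            fired.append("PsExec Service Child Process Execution as LOCAL SYSTEM")
        if rule_psexec_escalation(ev):
            fired.append("PsExec/PAExec Escalation to LOCAL SYSTEM")
        hits[ev["id"]] = fired
    return hits


if __name__ == "__main__":
    for event_id, fired in run_rules(SAMPLE_EVENTS).items():
        print(event_id, fired or "-")
```

Event 5 shows why the `|windash` modifier matters: the same escalation written with `/i /s` would slip past a rule that only looked for the literal ` -i -s powershell`. Event 6 shows the second rule staying quiet on a plain remote `cmd` without the `-s` flag, and events 1 and 2 show the first rule matching both the English and a localized SYSTEM account name.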