Techniques
Sample rules
Potential Privilege Escalation To LOCAL SYSTEM
- source: sigma
- techniques:
- t1587
- t1587.001
Description
Detects an unknown program using command-line flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM privileges
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_exclude_coverage:
  CommandLine|contains:
    - paexec
    - PsExec
    - accepteula
selection:
  CommandLine|contains|windash:
    - ' -s cmd'
    - ' -s -i cmd'
    - ' -i -s cmd'
    - ' -s pwsh'
    - ' -s -i pwsh'
    - ' -i -s pwsh'
    - ' -s powershell'
    - ' -s -i powershell'
    - ' -i -s powershell'
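To show how this rule's condition evaluates, here is an added Python example (not part of the Sigma rule or the page) that expands the `windash` modifier and runs the selection and exclusion filter over constructed process-creation events; it assumes the modifier only permutes `-` and `/`, and that matching is case-insensitive as in Sigma.

```python
import itertools

# Patterns from the rule's selection block (CommandLine|contains|windash)
SELECTION = [
    ' -s cmd', ' -s -i cmd', ' -i -s cmd',
    ' -s pwsh', ' -s -i pwsh', ' -i -s pwsh',
    ' -s powershell', ' -s -i powershell', ' -i -s powershell',
]
# Patterns from filter_main_exclude_coverage (CommandLine|contains)
FILTER = ['paexec', 'PsExec', 'accepteula']


def windash_variants(pattern: str) -> set:
    """Expand the |windash modifier: every '-' may independently become '/'.
    Assumption: only the '-' and '/' pair is permuted, as in classic Sigma."""
    parts = pattern.split('-')
    variants = set()
    for seps in itertools.product('-/', repeat=len(parts) - 1):
        text = parts[0]
        for sep, part in zip(seps, parts[1:]):
            text += sep + part
        variants.add(text)
    return variants


def rule_matches(command_line: str) -> bool:
    """condition: selection and not 1 of filter_main_*
    Sigma string matching is case-insensitive, so both sides are lower-cased."""
    cl = command_line.lower()
    selected = any(v.lower() in cl
                   for p in SELECTION for v in windash_variants(p))
    excluded = any(f.lower() in cl for f in FILTER)
    return selected and not excluded


def find_hits(events) -> list:
    """Return the ProcessId of every event the rule fires on."""
    return [e['ProcessId'] for e in events if rule_matches(e['CommandLine'])]


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {'ProcessId': 1001, 'CommandLine': r'C:\Tools\unknown.exe -s cmd'},
    {'ProcessId': 1002, 'CommandLine': r'C:\Tools\unknown.exe /s /i cmd'},
    {'ProcessId': 1003, 'CommandLine': r'PsExec.exe -accepteula -s cmd'},
    {'ProcessId': 1004, 'CommandLine': r'C:\Windows\PAExec-1234.exe -s powershell'},
    {'ProcessId': 1005, 'CommandLine': r'cmd.exe /c dir'},
]

if __name__ == '__main__':
    print(find_hits(SAMPLE_EVENTS))  # expected: [1001, 1002]
```

Events 1003 and 1004 are selected by the `-s` patterns but suppressed by the exclusion filter, which is exactly why the rule is scoped to unknown programs rather than PsExec/PAExec themselves.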
Renamed PAExec Execution
- source: sigma
- techniques:
- t1202
Description
Detects execution of a renamed version of PAExec, which is often used by attackers
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_known_location:
  - Image|endswith: \paexec.exe
  - Image|startswith: C:\Windows\PAExec-
selection:
  - Description: PAExec Application
  - OriginalFileName: PAExec.exe
  - Product|contains: PAExec
  - Hashes|contains:
      - IMPHASH=11D40A7B7876288F919AB819CC2D9802
      - IMPHASH=6444f8a34e99b8f7d9647de66aabe516
      - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f
      - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c