PsExec/PAExec Escalation to LOCAL SYSTEM
About the rule
Rule Type
Standard
Rule Description
Detects suspicious command-line flags used by PsExec and PAExec to escalate a command line to LOCAL SYSTEM rights: -s runs the launched process under the System account, and -i makes it interactive in the target session, so a PsExec/PAExec invocation of cmd, pwsh or powershell with these flags is a SYSTEM shell being spawned.
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "Process started" AND (COMMANDLINE contains " -s cmd, /s cmd, –s cmd, —s cmd, ―s cmd" OR COMMANDLINE contains " -s -i cmd, -s /i cmd, -s –i cmd, -s —i cmd, -s ―i cmd, /s -i cmd, /s /i cmd, /s –i cmd, /s —i cmd, /s ―i cmd, –s -i cmd, –s /i cmd, –s –i cmd, –s —i cmd, –s ―i cmd, —s -i cmd, —s /i cmd, —s –i cmd, —s —i cmd, —s ―i cmd, ―s -i cmd, ―s /i cmd, ―s –i cmd, ―s —i cmd, ―s ―i cmd" OR COMMANDLINE contains " -i -s cmd, -i /s cmd, -i –s cmd, -i —s cmd, -i ―s cmd, /i -s cmd, /i /s cmd, /i –s cmd, /i —s cmd, /i ―s cmd, –i -s cmd, –i /s cmd, –i –s cmd, –i —s cmd, –i ―s cmd, —i -s cmd, —i /s cmd, —i –s cmd, —i —s cmd, —i ―s cmd, ―i -s cmd, ―i /s cmd, ―i –s cmd, ―i —s cmd, ―i ―s cmd" OR COMMANDLINE contains " -s pwsh, /s pwsh, –s pwsh, —s pwsh, ―s pwsh" OR COMMANDLINE contains " -s -i pwsh, -s /i pwsh, -s –i pwsh, -s —i pwsh, -s ―i pwsh, /s -i pwsh, /s /i pwsh, /s –i pwsh, /s —i pwsh, /s ―i pwsh, –s -i pwsh, –s /i pwsh, –s –i pwsh, –s —i pwsh, –s ―i pwsh, —s -i pwsh, —s /i pwsh, —s –i pwsh, —s —i pwsh, —s ―i pwsh, ―s -i pwsh, ―s /i pwsh, ―s –i pwsh, ―s —i pwsh, ―s ―i pwsh" OR COMMANDLINE contains " -i -s pwsh, -i /s pwsh, -i –s pwsh, -i —s pwsh, -i ―s pwsh, /i -s pwsh, /i /s pwsh, /i –s pwsh, /i —s pwsh, /i ―s pwsh, –i -s pwsh, –i /s pwsh, –i –s pwsh, –i —s pwsh, –i ―s pwsh, —i -s pwsh, —i /s pwsh, —i –s pwsh, —i —s pwsh, —i ―s pwsh, ―i -s pwsh, ―i /s pwsh, ―i –s pwsh, ―i —s pwsh, ―i ―s pwsh" OR COMMANDLINE contains " -s powershell, /s powershell, –s powershell, —s powershell, ―s powershell" OR COMMANDLINE contains " -s -i powershell, -s /i powershell, -s –i powershell, -s —i powershell, -s ―i powershell, /s -i powershell, /s /i powershell, /s –i powershell, /s —i powershell, /s ―i powershell, –s -i powershell, –s /i powershell, –s –i powershell, –s —i powershell, –s ―i powershell, —s -i powershell, —s /i powershell, —s –i powershell, —s —i powershell, —s ―i powershell, ―s -i powershell, ―s /i powershell, ―s –i powershell, ―s —i powershell, ―s ―i powershell" OR COMMANDLINE contains " -i -s powershell, -i /s powershell, -i –s powershell, -i —s powershell, -i ―s powershell, /i -s powershell, /i /s powershell, /i –s powershell, /i —s powershell, /i ―s powershell, –i -s powershell, –i /s powershell, –i –s powershell, –i —s powershell, –i ―s powershell, —i -s powershell, —i /s powershell, —i –s powershell, —i —s powershell, —i ―s powershell, ―i -s powershell, ―i /s powershell, ―i –s powershell, ―i —s powershell, ―i ―s powershell") AND COMMANDLINE contains "psexec,paexec,accepteula" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
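The criteria above enumerate every combination of five flag prefixes ('-', '/', en dash, em dash, horizontal bar) with -s and -i in both orders for cmd, pwsh and powershell, ANDed with a psexec/paexec/accepteula substring. The following is an added example, not the vendor's or the rule authors' code: it collapses that list into an equivalent regular expression and runs it over a few constructed "Process started" events so the rule's hits and misses can be checked offline. It assumes, as Sigma does, that "contains" is case-insensitive and that a comma-separated value list means "any of"; the event field names follow the select clause on this page.

```python
"""
Offline re-implementation of the "PsExec/PAExec Escalation to LOCAL SYSTEM"
criteria (added example; not the product's query engine).

Assumptions not stated on the page:
  * "contains" is a case-insensitive substring match (Sigma semantics).
  * A comma-separated list in a "contains" value means "any of".
"""
import re

# The five flag prefixes the rule enumerates: '-', '/', U+2013 en dash,
# U+2014 em dash, U+2015 horizontal bar. The non-ASCII variants catch command
# lines pasted from documents or chat clients that rewrite hyphens.
DASH = r"[-/\u2013\u2014\u2015]"

# Shells named in the rule. "cmd.exe" or "powershell -nop" still match because
# the rule uses substring "contains", not an exact token match.
SHELL = r"(?:cmd|pwsh|powershell)"

# One regex equivalent to the nine enumerated "contains" groups:
#   " <d>s <shell>", " <d>s <d>i <shell>" and " <d>i <d>s <shell>"
# The leading space is part of every enumerated string and is kept here.
ESCALATION_RE = re.compile(
    rf" {DASH}s(?: {DASH}i)? {SHELL}| {DASH}i {DASH}s {SHELL}",
    re.IGNORECASE,
)

# Second AND clause: the launcher must look like PsExec/PAExec, or at least
# carry the accepteula switch (which also fires on a renamed binary).
LAUNCHER_RE = re.compile(r"psexec|paexec|accepteula", re.IGNORECASE)


def matches(commandline: str) -> bool:
    """True when the rule's Criteria would fire on this command line."""
    return bool(ESCALATION_RE.search(commandline)) and bool(
        LAUNCHER_RE.search(commandline)
    )


def run(events):
    """Apply the rule to a list of event dicts; return the selected fields."""
    selected = ("HOSTNAME", "COMMANDLINE", "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME")
    hits = []
    for ev in events:
        if ev.get("actionname") != "Process started":
            continue  # the rule only looks at process-start events
        if matches(ev.get("COMMANDLINE", "")):
            hits.append({k: ev.get(k) for k in selected})
    return hits


def _event(host, proc, parent, cmdline, action="Process started"):
    return {"actionname": action, "HOSTNAME": host, "PROCESSNAME": proc,
            "USERNAME": "CORP\\jdoe", "PARENTPROCESSNAME": parent,
            "COMMANDLINE": cmdline}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # SYSTEM interactive cmd via PsExec64: hit
    _event("WS01", "PsExec64.exe", "cmd.exe", "PsExec64.exe -accepteula -s -i cmd.exe"),
    # PAExec with en-dash flags (pasted from a document): hit
    _event("WS02", "paexec.exe", "explorer.exe", "paexec.exe \\\\srv01 \u2013s \u2013i pwsh.exe -nop"),
    # PsExec with explicit credentials but no -s: miss (no SYSTEM escalation)
    _event("JUMP01", "psexec.exe", "cmd.exe", "psexec.exe \\\\srv01 -u CORP\\admin -p Passw0rd! cmd"),
    # -s used to launch something other than the three shells: miss
    _event("WS03", "psexec.exe", "cmd.exe", "psexec.exe \\\\srv01 -s notepad.exe"),
    # renamed PsExec without -accepteula on the command line: miss
    _event("WS04", "svc.exe", "cmd.exe", "svc.exe -s cmd"),
    # -i before -s with slash prefixes: hit
    _event("WS05", "psexec.exe", "powershell.exe", "psexec.exe /accepteula /i /s powershell -enc AAAA"),
    # same command line but not a "Process started" event: ignored
    _event("WS06", "psexec.exe", "cmd.exe", "psexec.exe -accepteula -s cmd", action="Process terminated"),
]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(hit["HOSTNAME"], hit["COMMANDLINE"])
```

The sample set makes two gaps in the enumerated patterns visible: a flag placed between -s and the shell (for example `-s -d cmd`) is not one of the listed strings and does not fire, and a renamed PsExec binary fires only if `-accepteula` is still on the command line. Both follow directly from the criteria as written and are worth keeping in mind when tuning or when assessing evasion.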
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)