PsExec works by installing a new service on the target system. The service can be renamed with the -r flag, so watching only for a new service called psexecsvc.exe is not enough. This artifact improves on name-based detection by scanning the service binary with a YARA rule to recognise the original psexec binary.
NOTE: if the service is short-lived, the binary may be gone before the artifact can scan it, and the event will be missed.
name: Windows.Detection.PsexecService
description: |
  PSExec works by installing a new service in the system. The service
  can be renamed using the -r flag and therefore it is not enough to
  just watch for a new service called psexecsvc.exe. This artifact
  improves on this by scanning the service binary to detect the
  original psexec binary.

  NOTE that if the service is very quick we are unable to examine
  the service binary in time and will miss it.

type: CLIENT_EVENT

parameters:
  - name: yaraRule
    type: yara
    default: |
      rule Hit {
        strings:
          $a = "psexec" nocase wide ascii
        condition:
          any of them
      }

sources:
  - query: |
      LET file_scan = SELECT Name AS ServiceName,
          PathName, File.ModTime AS Modified,
          File.Size AS FileSize,
          String.Offset AS StringOffset,
          String.HexData AS StringContext,
          now() AS Timestamp,
          ServiceType, PID,
          {
            SELECT Name, Exe, CommandLine
            FROM pslist() WHERE Ppid = PID
            LIMIT 2
          } AS ChildProcess
      FROM yara(rules=yaraRule, files=PathName)
      WHERE Rule

      LET service_creation = SELECT Parse,
          Parse.TargetInstance.Name AS Name,
          Parse.TargetInstance.PathName AS PathName,
          Parse.TargetInstance.ServiceType AS ServiceType,
          Parse.TargetInstance.ProcessId AS PID
      FROM wmi_events(
          query="SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Service'",
          wait=5000000,
          namespace="ROOT/CIMV2")

      SELECT * FROM foreach(
          row=service_creation,
          query=file_scan)
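What the artifact's `psexec nocase wide ascii` rule actually matches, as an added Python illustration that is not part of the artifact or of Velociraptor: the modifiers make the string match whether it is stored as ASCII or UTF-16LE and in any letter case, so a service installed under a different name (the -r flag) still hits on its binary, while the service name itself is never consulted. The service-creation events and file contents below are constructed sample data standing in for the WMI event rows and the files that `yara()` would read.

```python
import re

# Constructed sample data (not real captures): two Win32_Service creation events
# and the bytes of the binaries their PathName points to. The first service has
# an innocuous name but its binary embeds "PsExec" as a UTF-16LE (wide) string.
SERVICE_EVENTS = [
    {"Name": "RenamedSvc", "PathName": r"C:\Windows\RenamedSvc.exe", "ProcessId": 4242},
    {"Name": "Spooler", "PathName": r"C:\Windows\System32\spoolsv.exe", "ProcessId": 1234},
]
FILES = {
    r"C:\Windows\RenamedSvc.exe": b"MZ\x90\x00" + b"\x00" * 12
                                  + "PsExec".encode("utf-16-le") + b"\x00\x00junk",
    r"C:\Windows\System32\spoolsv.exe": b"MZ\x90\x00" + b"Print Spooler service" + b"\x00" * 8,
}


def yara_string_pattern(s: str) -> re.Pattern:
    """Regex equivalent of a YARA text string with the nocase, wide and ascii modifiers."""
    def either_case(c: str) -> bytes:
        return b"[" + re.escape(c.lower().encode()) + re.escape(c.upper().encode()) + b"]"
    ascii_form = b"".join(either_case(c) for c in s)
    wide_form = b"".join(either_case(c) + b"\\x00" for c in s)  # UTF-16LE: NUL after each byte
    return re.compile(b"(?:" + ascii_form + b")|(?:" + wide_form + b")")


def scan_file(data: bytes, pattern: re.Pattern, context: int = 8) -> list:
    """Mimic yara()'s String.Offset / String.HexData columns for every match."""
    hits = []
    for m in pattern.finditer(data):
        start = max(0, m.start() - context)
        hits.append({"Offset": m.start(), "HexData": data[start:m.end() + context].hex(" ")})
    return hits


def detect_psexec_services(events: list, files: dict, rule: str = "psexec") -> list:
    """Mirror the artifact's foreach: scan the binary of every newly created service and
    emit a row only when the rule matches, whatever the service is called."""
    pattern = yara_string_pattern(rule)
    rows = []
    for ev in events:
        data = files.get(ev["PathName"])
        if data is None:  # binary already gone: the short-lived-service race the NOTE describes
            continue
        for hit in scan_file(data, pattern):
            rows.append({"ServiceName": ev["Name"], "PathName": ev["PathName"],
                         "PID": ev["ProcessId"], **hit})
    return rows


if __name__ == "__main__":
    for row in detect_psexec_services(SERVICE_EVENTS, FILES):
        print(row)
```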