T1543.003 LOLBins Potential PSExec.exe abuse

T1543.003 - LOLBins - Potential PSExec.exe abuse

DESCRIPTION

Detects when PSExec.exe is used to leverage Windows services to escalate privileges from administrator to SYSTEM with the -s argument.

Example:

psexec.exe -s net localgroup Administrators username /add
C:\pstools\psexec.exe" {REDACTED} -s cmd /c "cmd.exe /c netsh
interface portproxy delete v4tov4 listenaddress=0.0.0.0
listenport=9999

Related

Living on the Land Binaries

Reference:

https://www.cyber.gov.au/sites/default/files/2024-02/joint-guidance-identifying-and-mitigating-lotl_v3508c.pdf
https://attack.mitre.org/software/S0029/

ATT&CK TACTICS

T1543.003 - Create or Modify System Process: Windows Service
T1569.002 - System Services: Service Execution

Data Source(s): Command, Process

SENTINEL RULE QUERY

let line=dynamic(["-s","psexec.exe"]);
DeviceProcessEvents
| where InitiatingProcessCommandLine has_all (line) or ProcessCommandLine has_all (line)
//|summarize count(), set_ProcessCMD=make_set(ProcessCommandLine), set_InitiatingProcessCMD=make_set(InitiatingProcessCommandLine) by InitiatingProcessFolderPath, InitiatingProcessFileName, FolderPath, FileName, AccountName, TenantId 

Triage

1. Determine if PSExec is expected/approved in your environment, use the provided summarize statement to remove duplicated information.
2. Investigate the activity executed by PSExec.
3. Investigate activity for the executing account to determine if it has been compromised.
4. Investigate activity for the device to determine if it has been compromised.

FalsePositive

Legitimate admin activity.

VERSION

Version 1.0 (date: 15/03/2024)