detection.wiki

Detection rules › Sigma

PsExec Tool Execution From Suspicious Locations - PipeName

Severity
medium
Author
Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1569.002 System Services: Service Execution

Event coverage

ProviderEvent IDTitle
Sysmon17PipeEvent (Pipe Created)
Sysmon18PipeEvent (Pipe Connected)

Stages and Predicates

Stage 1: selection

or:
Image|contains: ':\Users\Public\'
Image|contains: ':\Windows\Temp\'
Image|contains: '\AppData\Local\Temp\'
Image|contains: '\Desktop\'
Image|contains: '\Downloads\'
PipeName: '\PSEXESVC'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imagematch
  • :\Users\Public\ corpus 14 (sigma 14)
  • :\Windows\Temp\ corpus 9 (sigma 9)
  • \AppData\Local\Temp\ corpus 9 (sigma 9)
  • \Desktop\ corpus 6 (sigma 6)
  • \Downloads\ corpus 8 (sigma 8)
PipeNameeq
  • \PSEXESVC