PsExec/PAExec Escalation to LOCAL SYSTEM

Severity: high
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights

MITRE ATT&CK coverage

Tactic	Techniques
Resource Development	`T1587.001` Develop Capabilities: Malware

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation
Security-Auditing	4688	A new process has been created.

Stages and Predicates

Stage 1: `all of selection_sys`

or:
CommandLine|contains: ' -i -s cmd'
CommandLine|contains: ' -i -s powershell'
CommandLine|contains: ' -i -s pwsh'
CommandLine|contains: ' -s -i cmd'
CommandLine|contains: ' -s -i powershell'
CommandLine|contains: ' -s -i pwsh'
CommandLine|contains: ' -s cmd'
CommandLine|contains: ' -s powershell'
CommandLine|contains: ' -s pwsh'

Stage 2: `all of selection_other`

or:
CommandLine|contains: accepteula
CommandLine|contains: paexec
CommandLine|contains: psexec

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`-i -s cmd` corpus 2 (sigma 2) `-i -s powershell` corpus 2 (sigma 2) `-i -s pwsh` corpus 2 (sigma 2) `-s -i cmd` corpus 2 (sigma 2) `-s -i powershell` corpus 2 (sigma 2) `-s -i pwsh` corpus 2 (sigma 2) `-s cmd` corpus 2 (sigma 2) `-s powershell` corpus 2 (sigma 2) `-s pwsh` corpus 2 (sigma 2) `accepteula` corpus 3 (sigma 3) `paexec` corpus 2 (sigma 2) `psexec`