PsExec Service Installation

Severity: medium
Author: Thomas Patzke
Source: upstream

Detects PsExec service installation and execution events

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1569.002` System Services: Service Execution

Event coverage

Provider	Event ID	Title
Service-Control-Manager	7045

Stages and Predicates

Stage 1: `all of selection_eid`

Provider_Name: 'Service Control Manager'

Stage 2: `all of selection_service`

or:
ImagePath|endswith: '\PSEXESVC.exe'
ServiceName: PSEXESVC

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`ImagePath`	ends_with	`\PSEXESVC.exe`
`Provider_Name`	eq	`Service Control Manager` corpus 43 (sigma 43)
`ServiceName`	eq	`PSEXESVC` corpus 2 (sigma 2)

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Invoke-Obfuscation Via Use Rundll32 - System [sigma] (adds 5 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System [sigma] (adds 5 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation VAR+ Launcher - System [sigma] (adds 4 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation COMPRESS OBFUSCATION - System [sigma] (adds 4 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation RUNDLL LAUNCHER - System [sigma] (adds 4 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation CLIP+ Launcher - System [sigma] (adds 3 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation STDIN+ Launcher - System [sigma] (adds 3 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Via Stdin - System [sigma] (adds 3 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Via Use MSHTA - System [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
ProcessHacker Privilege Elevation [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Via Use Clip - System [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Credential Dumping Tools Service Execution - System [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Moriya Rootkit - System [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell Scripts Installed as Services [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Service Installed By Unusual Client - System [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious Service Installation [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Tap Driver Installation [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
RTCore Suspicious Service Installation [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Service Installation in Suspicious Folder [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.

Invoke-Obfuscation Obfuscated IEX Invocation - System [sigma] (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)