Application and Device Control for PSKILL and PSKLLSVC
I am using SEPM and clients on version 12.1.2015.2015. I am trying to create an application & device rule to monitor PSEXEC and PSKILL on both the source PC and the target PC.
PSEXEC, I had no trouble with. I can monitor both the source computer's launching of PSEXEC and the remote PC's execution of PSEXESVC to launch the process. I'd like to do the same with PSKILL and PSKLLSVC. My rules works like this...
I created a two separate rule that monitors the launching of PSEXEC.EXE and PSKILL.EXE. This works perfectly for detecting when a PC runs these two apps.
I then created a third rule that monitors for the PSEXESVC.EXE and PSKLLSVC.EXE to run.
- Apply the rule to the following processes: *.\psexecsvc.exe & *\pskllsvc.exe
- Sub-processes inherit conditions.
- I created a condition for launch process attempts applied to the following processes: *
- I created a condition for terminate process attempts applied to the following processes: *
This works perfectly for the PSEXESVC but not for the PSKLLSVC. I am not sure why. The PSEXESVC will log the name of the process was launched on the remote PC. I would like for the PSKLLSVC to log the name of the process that was terminated on the remote.
Has anyone tried to do this with any success?
Here is a sample of log output for the PSEXESVC showing that CALC.EXE was launched using PSEXESVC.
|width:73pt" width="97">3/8/2013 10:54||User Event||8||Allow||Production||A remote client used PsExec.exe to start the named process.||Create Process||0||3/8/2013 10:54||3/8/2013 10:54||PsExeSvc Monitoring | PsExeSvc Launched an Appllication||x.x.x.x <IP>||6360||C:\Windows\PSEXESVC.EXE||IDE\DiskWD... <hardware ID removed>||C:\Windows\SysWOW64\calc.exe||776192 Bytes||Default||SYSTEM||Domain||