
Application and Device Control for PSKILL and PSKLLSVC

Created: 08 Mar 2013 • Updated: 08 Mar 2013 | 3 comments
This issue has been solved.

I am using SEPM and clients on version 12.1.2015.2015.  I am trying to create an application & device rule to monitor PSEXEC and PSKILL on both the source PC and the target PC.

PSEXEC, I had no trouble with.  I can monitor both the source computer's launching of PSEXEC and the remote PC's execution of PSEXESVC to launch the process.  I'd like to do the same with PSKILL and PSKLLSVC.  My rules work like this...

I created two separate rules that monitor the launching of PSEXEC.EXE and PSKILL.EXE.  This works perfectly for detecting when a PC runs these two apps.

I then created a third rule that monitors for the PSEXESVC.EXE and PSKLLSVC.EXE to run.

  1. Apply the rule to the following processes:  *.\psexecsvc.exe & *\pskllsvc.exe
  2. Sub-processes inherit conditions.
  3. I created a condition for launch process attempts applied to the following processes:  *
  4. I created a condition for terminate process attempts applied to the following processes:  *

This works perfectly for the PSEXESVC but not for the PSKLLSVC.  I am not sure why.  The PSEXESVC will log the name of the process that was launched on the remote PC.  I would like for the PSKLLSVC to log the name of the process that was terminated on the remote.

Has anyone tried to do this with any success?

Here is a sample of log output for the PSEXESVC showing that CALC.EXE was launched using PSEXESVC.

3/8/2013 10:54 User Event 8 Allow Production A remote client used PsExec.exe to start the named process. Create Process 0 3/8/2013 10:54 3/8/2013 10:54 PsExeSvc Monitoring | PsExeSvc Launched an Appllication x.x.x.x <IP> 6360 C:\Windows\PSEXESVC.EXE IDE\DiskWD... <hardware ID removed> C:\Windows\SysWOW64\calc.exe 776192 Bytes Default SYSTEM Domain
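An added example (not from the original post or from Symantec) of the kind of post-processing the poster is after: it reads an Application and Device Control event export, keeps only events whose caller is PSEXESVC.EXE or PSKLLSVC.EXE, and reports which process was launched or terminated on which remote host. The tab-separated column layout and the sample rows are constructed assumptions for this example, not the product's real export format.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample export (assumed layout): one ADC event per line, tab-separated.
# Row 1 mirrors the calc.exe event in the post; rows 2 and 3 are made up.
SAMPLE_EXPORT = (
    "Time\tAction\tRule\tCondition\tCaller Process\tHost\tTarget Process\n"
    "3/8/2013 10:54\tAllow\tPsExeSvc Monitoring\tCreate Process\t"
    "C:\\Windows\\PSEXESVC.EXE\tWS01\tC:\\Windows\\SysWOW64\\calc.exe\n"
    "3/8/2013 10:55\tAllow\tPsKllSvc Monitoring\tTerminate Process\t"
    "C:\\Windows\\PSKLLSVC.EXE\tWS02\tC:\\Windows\\System32\\notepad.exe\n"
    "3/8/2013 10:56\tAllow\tBaseline\tCreate Process\t"
    "C:\\Windows\\explorer.exe\tWS01\tC:\\Windows\\System32\\cmd.exe\n"
)

# Service-side executables dropped by the Sysinternals tools, and the condition
# each one is expected to trigger on the remote PC.
REMOTE_SERVICES = {
    "psexesvc.exe": ("launched", "Create Process"),
    "pskllsvc.exe": ("terminated", "Terminate Process"),
}


def parse_export(text):
    """Yield one dict per event row of a tab-separated ADC export."""
    yield from csv.DictReader(io.StringIO(text), delimiter="\t")


def remote_tool_events(text):
    """Return (host, service, verb, target, unexpected) for every event whose
    caller is PSEXESVC.EXE or PSKLLSVC.EXE. 'unexpected' is True when the
    condition does not match the service's normal purpose (e.g. PSEXESVC
    terminating a process), which is worth a closer look."""
    hits = []
    for row in parse_export(text):
        caller = PureWindowsPath(row["Caller Process"]).name.lower()
        if caller not in REMOTE_SERVICES:
            continue
        verb, expected_condition = REMOTE_SERVICES[caller]
        target = PureWindowsPath(row["Target Process"]).name
        unexpected = row["Condition"] != expected_condition
        hits.append((row["Host"], caller, verb, target, unexpected))
    return hits


def describe(hit):
    """Render one hit as a short line for a report or ticket."""
    host, service, verb, target, unexpected = hit
    flag = "  [condition mismatch]" if unexpected else ""
    return f"{host}: {service} {verb} {target}{flag}"


if __name__ == "__main__":
    for hit in remote_tool_events(SAMPLE_EXPORT):
        print(describe(hit))
```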


3 Comments

Chetan Savade

Hi,

Could you try creating a separate rule for PSKLLSVC?

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Wright1968

Sorry.  I should have mentioned that I had already tried that.  In fact I have tried breaking them out several different ways.

The scenario in my original post is how I have it now.

I can probably get it to work if I monitor for * processes and then detect the launch of the PSKLLSVC.EXE, but that won't tell me what process is being killed, which is vital to determine if the PSKILL is being issued with malicious intent.

Wright1968

I finally got it to work.  I am not sure what I was doing wrong.  May have been a combination of things, but ultimately, it works as I posted above.  I deleted the policy and recreated it, and now it is working fine.  Maybe I had an extra space in there or some other weird typo.  At any rate, thanks for your help.

Marked as SOLUTION