CSExec (https://github.com/malcomvetter/CSExec) is an open-source C# reimplementation of PsExec. Like PsExec, it stages a service binary on the target and starts it through the Service Control Manager, and its default service binary name is csexecsvc.exe, which plays the same role for CSExec that PSEXESVC.exe plays for PsExec. Because no legitimate Windows component writes a file of that name, its creation is a high-fidelity indicator that CSExec was installed and executed on the host (MITRE ATT&CK T1569.002, Service Execution; the S0029 tag in the rule refers to PsExec, the tool CSExec reimplements). The tool is not part of Cobalt Strike; it is a standalone utility that adversaries and administrators alike can use for lateral movement, which is exactly why SOC teams should hunt for it in Microsoft Sentinel (formerly Azure Sentinel) as an early-stage signal. The caveat is that the rule keys only on the default name: a build whose service binary has been renamed will not trigger it.
Detection Rule
title: CSExec Service File Creation
id: f0e2b768-5220-47dd-b891-d57b96fc0ec1
status: test
description: Detects default CSExec service filename which indicates CSExec service installation and execution
references:
    - https://github.com/malcomvetter/CSExec
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-04
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\csexecsvc.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
Sentinel (ASIM) translation. The Sigma field TargetFilename is Sysmon's full path, which maps to the ASIM column TargetFilePath; the ASIM column TargetFileName holds only the bare file name, so a condition of the form TargetFileName endswith "\\csexecsvc.exe" can never match. The file_event category also corresponds to file creation, so the EventType filter keeps modifications and deletions of an already-present binary from firing the rule. KQL endswith is case-insensitive, which matches Sigma's default string matching.
imFileEvent
| where EventType == "FileCreated"
| where TargetFilePath endswith "\\csexecsvc.exe"
False positives and tuning. The name csexecsvc.exe is CSExec's own default and nothing else produces it: Windows Update, SCCM, endpoint protection agents and scheduled tasks do not create a file of that name, so exclusions keyed on processes such as wuauclt.exe, ccmexec.exe, schtasks.exe or an EDR agent binary would remove no noise and would only open a blind spot. A process-name exclusion is the wrong axis in any case: on the target host the service binary arrives over the ADMIN$ share, so Sysmon attributes the write to System rather than to csexec.exe. The scenarios that actually generate benign hits are the following.
Scenario: Administrators use CSExec as a PsExec substitute for routine remote administration.
Filter/Exclusion: Do not exclude by process name. Suppress only hits that match an explicit register of sanctioned use (source host, target host, account and time window), and keep the suppressed events searchable so that the same account or host appearing outside the register is still investigated.
Scenario: An authorized penetration test, red-team engagement or detection-validation exercise deliberately runs CSExec.
Filter/Exclusion: Scope the exclusion to the engagement's hosts, accounts and dates, and remove it when the engagement ends.
Scenario: Any other creation of csexecsvc.exe, including during a patch window or from an account that normally performs administration.
Filter/Exclusion: None. Treat the hit as a true positive until the writer, the source of the SMB session and the service installation (Event ID 7045 on the target) have been reviewed.
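As an added example (not code from the original page, the Sigma project or CSExec), the following Python runs the rule's matching logic over a handful of constructed events shaped like ASIM imFileEvent rows and then applies the host/account/time-window suppression described in the tuning notes above. Field names follow the ASIM FileEvent schema; the hosts, users, timestamps and the SANCTIONED_USE register are invented, and SANCTIONED_USE itself is a hypothetical tuning control, not a Sentinel feature.

```python
"""Run the CSExec service-file detection over constructed file events.

Added example; not code from the original page, the Sigma project or
malcomvetter/CSExec. Records are hand-made stand-ins for ASIM imFileEvent
rows (field names TargetFilePath, TargetFileName, EventType,
ActingProcessName, ActorUsername and DvcHostname follow the ASIM FileEvent
schema; every value is invented). SANCTIONED_USE is a hypothetical register.
"""

# Default name of the service binary CSExec installs; the rule keys on it.
CSEXEC_SVC_SUFFIX = "\\csexecsvc.exe"

# Constructed events. The service binary lands on the target over the ADMIN$
# share, so Sysmon attributes the write to "System", not to csexec.exe.
SAMPLE_EVENTS = [
    # Sanctioned administrative use (covered by the register below).
    {"TimeGenerated": "2023-08-04T10:01:12Z", "DvcHostname": "FS01",
     "EventType": "FileCreated", "ActingProcessName": "System",
     "ActorUsername": "CORP\\ops-admin",
     "TargetFilePath": "C:\\Windows\\CSEXECSVC.EXE",
     "TargetFileName": "CSEXECSVC.EXE"},
    # Unsanctioned use from a regular user account: should alert.
    {"TimeGenerated": "2023-08-04T10:07:45Z", "DvcHostname": "WS22",
     "EventType": "FileCreated", "ActingProcessName": "System",
     "ActorUsername": "CORP\\jdoe",
     "TargetFilePath": "C:\\Windows\\csexecsvc.exe",
     "TargetFileName": "csexecsvc.exe"},
    # Cleanup of the same binary: a deletion, not a creation.
    {"TimeGenerated": "2023-08-04T10:09:02Z", "DvcHostname": "WS22",
     "EventType": "FileDeleted", "ActingProcessName": "System",
     "ActorUsername": "CORP\\jdoe",
     "TargetFilePath": "C:\\Windows\\csexecsvc.exe",
     "TargetFileName": "csexecsvc.exe"},
    # Longer name: the backslash in the pattern keeps this from matching.
    {"TimeGenerated": "2023-08-04T10:11:30Z", "DvcHostname": "WS22",
     "EventType": "FileCreated", "ActingProcessName": "System",
     "ActorUsername": "CORP\\jdoe",
     "TargetFilePath": "C:\\Windows\\notcsexecsvc.exe",
     "TargetFileName": "notcsexecsvc.exe"},
    # Renamed CSExec build: the rule is blind to it by design.
    {"TimeGenerated": "2023-08-04T10:15:00Z", "DvcHostname": "WS23",
     "EventType": "FileCreated", "ActingProcessName": "System",
     "ActorUsername": "CORP\\jdoe",
     "TargetFilePath": "C:\\Windows\\winupdsvc.exe",
     "TargetFileName": "winupdsvc.exe"},
]

# Hypothetical sanctioned-use register: (target host, account, start, end).
SANCTIONED_USE = [
    ("FS01", "CORP\\ops-admin", "2023-08-04T09:30:00Z", "2023-08-04T11:00:00Z"),
]


def sigma_endswith(value, suffix):
    """Sigma string modifiers match case-insensitively unless |cased is used."""
    return value.lower().endswith(suffix.lower())


def detect_csexec_service(events):
    """Events matching the rule: a file creation whose full path ends with
    '\\csexecsvc.exe'. The leading backslash is part of the pattern, so a
    longer name such as notcsexecsvc.exe does not match."""
    return [
        e for e in events
        if e.get("EventType") == "FileCreated"
        and sigma_endswith(e.get("TargetFilePath", ""), CSEXEC_SVC_SUFFIX)
    ]


def suppress_sanctioned(hits, register):
    """Drop hits covered by an explicit host+account+time-window entry.
    There is deliberately no process-name exclusion: the writer is System
    for every remote service install, so that axis carries no signal."""
    kept = []
    for e in hits:
        covered = any(
            e["DvcHostname"] == host and e["ActorUsername"] == user
            and start <= e["TimeGenerated"] <= end   # ISO-8601 Z strings sort lexically
            for host, user, start, end in register
        )
        if not covered:
            kept.append(e)
    return kept


def alerts(events=SAMPLE_EVENTS, register=SANCTIONED_USE):
    """Full pipeline: rule match, then sanctioned-use suppression."""
    return suppress_sanctioned(detect_csexec_service(events), register)


if __name__ == "__main__":
    for e in alerts():
        print(f"{e['TimeGenerated']} {e['DvcHostname']} {e['ActorUsername']} "
              f"{e['TargetFilePath']}")
```

Run as-is, the script reports only the WS22 event from CORP\jdoe: the FS01 hit is suppressed by the register, the deletion and the notcsexecsvc.exe write never match the rule, and the renamed winupdsvc.exe build passes unseen, which is the blind spot the rule's default-name dependency leaves open.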