CSExec Service File Creation
Detects creation of a file with the default CSExec service filename, which indicates CSExec service installation and execution.
Sigma rule
```yaml
title: CSExec Service File Creation
id: f0e2b768-5220-47dd-b891-d57b96fc0ec1
status: test
description: Detects default CSExec service filename which indicates CSExec service installation and execution
references:
    - https://github.com/malcomvetter/CSExec
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-04
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\csexecsvc.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
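To check what the selection does and does not match before deploying it, the following added example (not part of the rule or of the Sigma project) evaluates the rule's single `endswith` condition over constructed file-creation events. It assumes Sysmon Event ID 11 style field names; all paths and the `Image` values are constructed sample data.

```python
# Added example: evaluates the rule's selection against constructed events.
SUFFIX = r"\csexecsvc.exe"  # value of TargetFilename|endswith in the rule


def selection(event: dict) -> bool:
    """Sigma 'endswith' on TargetFilename.

    Sigma string matching is case-insensitive by default, so both sides
    are lowercased before comparing.
    """
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        return False  # events without the field cannot match
    return target.lower().endswith(SUFFIX.lower())


# Constructed file_event records (Sysmon Event ID 11 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "System", "TargetFilename": r"C:\Windows\csexecsvc.exe"},
    {"Image": "System", "TargetFilename": r"C:\WINDOWS\CSExecSvc.EXE"},
    # Leading backslash in the rule anchors on the whole filename: no match.
    {"Image": r"C:\Tools\build.exe", "TargetFilename": r"C:\Temp\mycsexecsvc.exe"},
    # Different service binary name: no match.
    {"Image": "System", "TargetFilename": r"C:\Windows\PSEXESVC.exe"},
    # Suffix is not at the end of the path: no match.
    {"Image": "System", "TargetFilename": r"C:\Windows\csexecsvc.exe.log"},
    # Event missing the field entirely: no match.
    {"Image": "System"},
]


def matches(events):
    """Return the TargetFilename of every event the selection fires on."""
    return [e["TargetFilename"] for e in events if selection(e)]


if __name__ == "__main__":
    for path in matches(SAMPLE_EVENTS):
        print("ALERT (medium):", path)
```

The rule keys only on the default filename, so coverage depends on the service binary keeping that name; the related rules listed below cover other indicators.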
Related rules
- HackTool Service Registration or Execution
- PUA - NSudo Execution
- PUA - NirCmd Execution
- PUA - NirCmd Execution As LOCAL SYSTEM
- PUA - RunXCmd Execution