PUA - CsExec Execution

Detects the use of the lesser-known remote execution tool CsExec, a PsExec alternative.

Sigma rule

title: PUA - CsExec Execution
id: d08a2711-ee8b-4323-bdec-b7d85e892b31
status: test
description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
references:
    - https://github.com/malcomvetter/CSExec
    - https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
author: Florian Roth (Nextron Systems)
date: 2022/08/22
modified: 2023/02/21
tags:
    - attack.resource_development
    - attack.t1587.001
    - attack.execution
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\csexec.exe'
    selection_pe:
        Description: 'csexec'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
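
How the detection block above evaluates, shown as an added example that is not part of the rule or its repository: a small evaluator for the two selections and the `1 of selection*` condition, run over constructed process-creation events. The function names and the sample events are assumptions made for illustration.

```python
# Added example: evaluates this rule's detection block against constructed events.
RULE = {
    "selection": {"Image|endswith": "\\csexec.exe"},
    "selection_pe": {"Description": "csexec"},
}

def field_matches(event, key, expected):
    """Apply one Sigma field test; plain string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:  # field absent from this log source
        return False
    value, expected = value.lower(), expected.lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "":
        return value == expected
    raise ValueError(f"modifier not handled in this sketch: {modifier}")

def matched_selections(event, rule=RULE):
    """Names of the selections whose field tests all hold (fields are ANDed)."""
    return [name for name, tests in rule.items()
            if all(field_matches(event, k, v) for k, v in tests.items())]

def rule_fires(event, rule=RULE):
    """condition: 1 of selection* -> any single selection is enough."""
    return bool(matched_selections(event, rule))

# Constructed process_creation events; field names follow the rule.
EVENTS = [
    {"Image": "C:\\Users\\Public\\CsExec.exe", "Description": "csexec"},
    {"Image": "C:\\Windows\\Temp\\svchelper.exe", "Description": "csexec"},  # renamed file
    {"Image": "C:\\Tools\\csexec.exe"},  # source that logs no PE metadata
    {"Image": "C:\\Tools\\notcsexec.exe", "Description": "helper"},  # no leading backslash match
    {"Image": "C:\\Windows\\System32\\PsExec.exe", "Description": "constructed value"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["Image"], "->", matched_selections(e) or "no match")
```

The third event shows that `selection_pe` only contributes where the log source records the PE `Description` field; without it, coverage rests on the file name alone.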
