PUA - CsExec Execution

Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative

Sigma rule (View on GitHub)

 1title: PUA - CsExec Execution
 2id: d08a2711-ee8b-4323-bdec-b7d85e892b31
 3status: test
 4description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
 5references:
 6    - https://github.com/malcomvetter/CSExec
 7    - https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
 8author: Florian Roth (Nextron Systems)
 9date: 2022-08-22
10modified: 2023-02-21
11tags:
12    - attack.resource-development
13    - attack.t1587.001
14    - attack.execution
15    - attack.t1569.002
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        Image|endswith: '\csexec.exe'
22    selection_pe:
23        Description: 'csexec'
24    condition: 1 of selection*
25falsepositives:
26    - Unknown
27level: high

References

Related rules

to-top