Psexec Execution

 1title: Psexec Execution
 2id: 730fc21b-eaff-474b-ad23-90fd265d4988
 3status: test
 4description: Detects user accept agreement execution in psexec commandline
 5references:
 6    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 7author: omkar72
 8date: 2020-10-30
 9modified: 2023-02-28
10tags:
11    - attack.execution
12    - attack.t1569
13    - attack.t1021
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        - Image|endswith: '\psexec.exe'
20        - OriginalFileName: 'psexec.c'
21    condition: selection
22falsepositives:
23    - Administrative scripts.
24level: medium

References

• Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser | Mandiant | Google Cloud Blog

  

  First Seen Server Subject MD5 12/12/19 140.82.60.155:443 CN=updatemanagir[.]us ec16be328c09473d5e5c07310583d85a 12/21/19 96.30.192.141:443 CN=cmdupdatewin[.]com 3d4de17df25412bb714fda069f6eb27e 1/6...

  
  Read More

Related rules

• SMBexec.py Execution
• CVE-2021-1675 Print Spooler Exploitation
• CVE-2021-1675 Print Spooler Exploitation IPC Access
• Service Control Manager Spawning Command Shell with Suspect Strings
• Wmiexec.py Execution