Psexec Execution
Detects user accept agreement execution in psexec commandline
Sigma rule (View on GitHub)
1title: Psexec Execution
2id: 730fc21b-eaff-474b-ad23-90fd265d4988
3status: test
4description: Detects user accept agreement execution in psexec commandline
5references:
6 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
7author: omkar72
8date: 2020/10/30
9modified: 2023/02/28
10tags:
11 - attack.execution
12 - attack.t1569
13 - attack.t1021
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 - Image|endswith: '\psexec.exe'
20 - OriginalFileName: 'psexec.c'
21 condition: selection
22falsepositives:
23 - Administrative scripts.
24level: medium
References
-
First SeenServerSubjectMD512/12/19140.82.60.155:443CN=updatemanagir[.]usec16be328c09473d5e5c07310583d85a12/21/1996.30.192.141:443CN=cmdupdatewin[.]com3d4de17df25412bb714fda069f6eb27e1/6/2045.76.49....
Read More
Related rules
- T1047 Wmiprvse Wbemcomn DLL Hijack
- MSHTA Suspicious Execution 01
- HackTool - Covenant PowerShell Launcher
- HackTool - Empire PowerShell Launch Parameters
- HackTool - Potential Impacket Lateral Movement Activity