Psexec Execution
Detects user accept agreement execution in psexec commandline
Sigma rule (View on GitHub)
1title: Psexec Execution
2id: 730fc21b-eaff-474b-ad23-90fd265d4988
3status: test
4description: Detects user accept agreement execution in psexec commandline
5references:
6 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
7author: omkar72
8date: 2020-10-30
9modified: 2023-02-28
10tags:
11 - attack.execution
12 - attack.lateral-movement
13 - attack.t1569
14 - attack.t1021
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 - Image|endswith: '\psexec.exe'
21 - OriginalFileName: 'psexec.c'
22 condition: selection
23falsepositives:
24 - Administrative scripts.
25level: medium
References
-
First Seen Server Subject MD5 12/12/19 140.82.60.155:443 CN=updatemanagir[.]us ec16be328c09473d5e5c07310583d85a 12/21/19 96.30.192.141:443 CN=cmdupdatewin[.]com 3d4de17df25412bb714fda069f6eb27e 1/6...
Read More
Related rules
- Cicada Ransomware PSExec File Creation
- SMBexec.py Execution
- MMC20 Lateral Movement
- OpenCanary - FTP Login Attempt
- Remote DCOM/WMI Lateral Movement