Potential PsExec Remote Execution
Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
Sigma rule (View on GitHub)
1title: Potential PsExec Remote Execution
2id: ea011323-7045-460b-b2d7-0f7442ea6b38
3status: test
4description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
5references:
6 - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
7 - https://www.poweradmin.com/paexec/
8 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
9author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
10date: 2023-02-28
11modified: 2025-09-01
12tags:
13 - attack.resource-development
14 - attack.t1587.001
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 # Accepting EULA in commandline - often used in automated attacks
21 CommandLine|contains|all:
22 - 'accepteula'
23 - ' -u '
24 - ' -p '
25 - ' \\\\'
26 filter_main_localhost:
27 CommandLine|contains:
28 - '\\\\localhost'
29 - '\\\\127.'
30 condition: selection and not 1 of filter_main_*
31falsepositives:
32 - Unknown
33level: high
References
-
-
Looking for a reliable server or storage monitoring service? Power Admin's server monitor software can help improve your business. Get free PAExec today.
Read More -
First Seen Server Subject MD5 12/12/19 140.82.60.155:443 CN=updatemanagir[.]us ec16be328c09473d5e5c07310583d85a 12/21/19 96.30.192.141:443 CN=cmdupdatewin[.]com 3d4de17df25412bb714fda069f6eb27e 1/6...
Read More
Related rules
- Potential Privilege Escalation To LOCAL SYSTEM
- PsExec/PAExec Escalation to LOCAL SYSTEM
- Uncommon File Created In Office Startup Folder
- Conti Volume Shadow Listing
- Formbook Process Creation