Potential PsExec Remote Execution

Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility

Sigma rule (View on GitHub)

 1title: Potential PsExec Remote Execution
 2id: ea011323-7045-460b-b2d7-0f7442ea6b38
 3status: test
 4description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
 5references:
 6    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
 7    - https://www.poweradmin.com/paexec/
 8    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 9author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
10date: 2023-02-28
11tags:
12    - attack.resource-development
13    - attack.t1587.001
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        # Accepting EULA in commandline - often used in automated attacks
20        CommandLine|contains|all:
21            - 'accepteula'
22            - ' -u '
23            - ' -p '
24            - ' \\\\'
25    condition: selection
26falsepositives:
27    - Unknown
28level: high

References

Related rules

to-top