Detects creation of a lightly-renamed PSExec file in C:\Users\Public, as observed in the Cicada3301 Ransomware report from MorphiSec.

Read More

Detects the use of a potentially-renamed psexec to run the Cicada3301 ransomware tool.

Read More

Detects default CSExec service filename which indicates CSExec service installation and execution

Read More

Detects installation or execution of services

Read More

Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system

Read More

Detects default PsExec service filename which indicates PsExec service installation and execution

Read More

Detects PsExec service installation and execution events

Read More

Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack

Read More

Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity

Read More

Detects the use of NirCmd tool for command execution as SYSTEM user

Read More

Detects the use of NSudo tool for command execution

Read More

Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts

Read More

Detects default RemCom service filename which indicates RemCom service installation and execution

Read More