Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system

Detects PsExec service installation and execution events (service and Sysmon)

Detects PsExec service installation and execution events (service and Sysmon)

Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts

Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity

Detects the use of NirCmd tool for command execution as SYSTEM user

Detects the use of NSudo tool for command execution

Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack

Detects PsExec service installation and execution events (service and Sysmon)

Detects default PsExec service filename which indicates PsExec service installation and execution