Detects creation of the PSEXEC key file, which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system.
Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts.
Detects the use of the NirCmd tool for command execution, which could be the result of legitimate administrative activity.
Detects PsExec default pipe creation where the image executed is located in a suspicious location, which could indicate that the tool is being used in an attack.
Detects the default PsExec service filename, which indicates PsExec service installation and execution.