PSEXEC Custom Named Service Binary

Jan 8, 2023 ·

PSEXEC execututed with non default service binary name

Sigma rule (View on GitHub)

 1title: PSEXEC Custom Named Service Binary
 2id: 752956d6-cf16-43f5-a8ca-b82f968e458d
 3status: experimental
 4description: PSEXEC execututed with non default service binary name
 5references:
 6    - thedfirreport.com
 7author: 'TheDFIRReport'
 8date: 2022/04/24
 9modified: 2023/01/08
10logsource:
11    product: windows
12    category: process_creation
13detection:
14    selection: 
15        Image|endswith: '\psexec.exe'
16        CommandLine|contains: ' -r '
17    condition: selection
18falsepositives:
19    - Unknown
20level: medium

References

thedfirreport.com

Read More