Detectionmediumtest

Psexec Execution

Detects user accept agreement execution in psexec commandline

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

omkar72Created Fri Oct 30Updated Tue Feb 28730fc21b-eaff-474b-ad23-90fd265d4988windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        - Image|endswith: '\psexec.exe'
        - OriginalFileName: 'psexec.c'
    condition: selection

False Positives

Administrative scripts.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

730fc21b-eaff-474b-ad23-90fd265d4988

Status

test

Level

medium

Type

Detection

Created

Fri Oct 30

Modified

Tue Feb 28

Author

Path

rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml

Raw Tags

attack.executionattack.lateral-movementattack.t1569attack.t1021