Potential PSEXEC Remote Execution - FileCreation

Rule Info

Name
Potential PSEXEC Remote Execution - FileCreation
Description
Detects creation of the PSEXEC key file, which is created anytime a PsExec command is executed. The file is written to the file system and recorded in the USN Journal on the target system.
Modified
None
Date
2023-01-21 00:00:00
Author
Nasreddine Bencherchali (Nextron Systems)
Tags
attack.t1543.003 attack.lateral_movement attack.s0029 attack.execution attack.t1136.002 attack.t1570 attack.privilege_escalation DEMO attack.persistence
Id
304afd73-55a5-4bb9-8c21-0b1fc84ea9e4
Type
Community Rule

Rule History

Author
Commit
Title
Date
Nasreddine Bencherchali
chore: add nextron authors tag
2023-02-01
Nasreddine Bencherchali
feat: new rule related to psexec key file
2023-01-21