Potential PSEXEC Remote Execution - FileCreation

Rule Info

Name
Potential PSEXEC Remote Execution - FileCreation
Description
Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed and gets written to the file system and will be recorded in the USN Journal on the target system
Reference
https://aboutdfir.com/the-key-to-identify-psexec/
Modified
None
Date
2023-01-21 00:00:00
Author
Nasreddine Bencherchali (Nextron Systems)
Tags
attack.t1543.003 attack.lateral_movement attack.s0029 attack.execution attack.t1136.002 attack.t1570 attack.privilege_escalation DEMO attack.persistence
Id
304afd73-55a5-4bb9-8c21-0b1fc84ea9e4
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=304afd73-55a5-4bb9-8c21-0b1fc84ea9e4

Rule History

Author
Commit
Title
Date
Nasreddine Bencherchali
7c38a5c49
chore: add nextron authors tag
2023-02-01
Nasreddine Bencherchali
928e77881
feat: new rule related to psexec key file
2023-01-21
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022