Suspicious RunAs-Like Flag Combination

Rule Info

Id: 50d66fb0-03f8-4da0-8add-84e77d12a020
Author: Florian Roth
Name: Suspicious RunAs-Like Flag Combination
Tags: DEMO
Date: 2022-11-11 00:00:00
Modified: None
Description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
Type: Community Rule

Rule History

Author | Date | Commit | Title
Florian Roth | 2022-11-14 | | fix: condition
Florian Roth | 2022-11-12 | | rule: suspicious command line flags