Suspicious PsExec Execution (c462f537-a1e3-41a6-b5fc-b2c2cef9bf82)

Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes or if an attacker uses a PsExec client other than the Sysinternals one.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Suspicious PsExec Execution (c462f537-a1e3-41a6-b5fc-b2c2cef9bf82) | Sigma-Rules | SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) | Attack Pattern | 1 |
| SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) | Attack Pattern | Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | 2 |