diff --git a/rules/web/web_win_webshells_in_access_logs.yml b/rules/web/web_win_webshells_in_access_logs.yml
index 64a04a2fd..86aa21bc3 100644
--- a/rules/web/web_win_webshells_in_access_logs.yml
+++ b/rules/web/web_win_webshells_in_access_logs.yml
@@ -4,32 +4,52 @@ status: test
 description: Detects Windows Webshells that use GET requests via access logs
 references:
 - https://bad-jubies.github.io/RCE-NOW-WHAT/
+ - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
 author: Florian Roth, Nasreddine Bencherchali
 date: 2017/02/19
-modified: 2022/06/14
+modified: 2022/10/26
 tags:
 - attack.persistence
 - attack.t1505.003
 logsource:
 category: webserver
 detection:
- select_method:
+ selection_method:
 cs-method: 'GET'
- keywords:
- - =whoami
- - =net%20user
- - =cmd%20/c%20
- - =powershell%20
- - =tasklist%20
- - =wmic%20
- - =ssh%20 #available on windows
- - =python%20
- - =ipconfig
- - =wget%20 #available on windows
- - =curl%20 #available on windows
- - =certutil
- - =copy%20%5C%5C
- condition: select_method and keywords
+ selection_keywords:
+ # The "%20" is URL encoded version of the space
+ # The "%2B" is URL encoded version of the "+"
+ - '=whoami'
+ - '=net%20user'
+ - '=net+user'
+ - '=net%2Buser'
+ - '=cmd%20/c%'
+ - '=cmd+/c+'
+ - '=cmd%2B/c%'
+ - '=powershell%'
+ - '=powershell+'
+ - '=tasklist%'
+ - '=tasklist+'
+ - '=wmic%'
+ - '=wmic+'
+ - '=ssh%'
+ - '=ssh+'
+ - '=python%'
+ - '=python+'
+ - '=python3%'
+ - '=python3+'
+ - '=ipconfig'
+ - '=wget%'
+ - '=wget+'
+ - '=curl%'
+ - '=curl+'
+ - '=certutil'
+ - '=copy%20%5C%5C'
+ - '=dsquery%'
+ - '=dsquery+'
+ - '=nltest%'
+ - '=nltest+'
+ condition: all of selection_*
 fields:
 - client_ip
 - vhost
diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
index 2e4a19e15..bdd232104 100644
--- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
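Review bot: The three `cmd /c` entries in `selection_keywords` only cover an encoded space or plus between `cmd` and `/c`, so a client that also percent-encodes the slash (JavaScript `encodeURIComponent` and Python `quote_plus` both do) produces `=cmd%20%2Fc%20whoami` or `=cmd+%2Fc+whoami`, which none of them match; adding `- '=cmd%20%2Fc%'`, `- '=cmd+%2Fc+'` and `- '=cmd%2B%2Fc%'` closes that gap, and `/k` deserves the same treatment as `/c`. The `#available on windows` comments on the `ssh`, `wget` and `curl` entries were dropped in the rewrite; they explained why Unix-looking binaries sit in a Windows webshell rule and are worth restoring, e.g. `- '=curl%' # available on windows`. Since `%` is a literal character in Sigma, the trailing `%` in `'=cmd%20/c%'` only matches when another percent-encoded byte follows, which is not obvious from the two comments that describe `%20` and `%2B`; a short comment stating that the trailing `%` is the start of the next encoded separator would help the next maintainer.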
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
@@ -6,7 +6,7 @@ references:
 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
 author: Florian Roth, Rich Warren, Christian Burkard
 date: 2021/08/09
-modified: 2022/02/01
+modified: 2022/10/26
 tags:
 - attack.persistence
 - attack.t1505.003
@@ -18,14 +18,13 @@ detection:
 - 'New-MailboxExportRequest'
 - ' -Mailbox '
 export_params:
- '-FilePath "\\\\localhost\\C$'
- '-FilePath "\\\\127.0.0.1\\C$'
+ '-FilePath "\\\\' # We care about any share location
 - '.aspx'
 role_assignment:
 - 'New-ManagementRoleAssignment'
 - ' -Role "Mailbox Import Export"'
 - ' -User '
- condition: (all of export_command and export_params) or all of role_assignment
+ condition: all of export_* or role_assignment
 falsepositives:
 - Unlikely
 level: critical
diff --git a/rules/windows/builtin/msexchange/win_set_oabvirtualdirectory_externalurl.yml b/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml
similarity index 100%
rename from rules/windows/builtin/msexchange/win_set_oabvirtualdirectory_externalurl.yml
rename to rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml
diff --git a/rules/windows/builtin/system/win_system_service_hacktools.yml b/rules/windows/builtin/system/win_system_service_install_hacktools.yml
similarity index 100%
rename from rules/windows/builtin/system/win_system_service_hacktools.yml
rename to rules/windows/builtin/system/win_system_service_install_hacktools.yml
diff --git a/rules/windows/builtin/system/win_system_service_install_paexec.yml b/rules/windows/builtin/system/win_system_service_install_paexec.yml
new file mode 100644
index 000000000..6f779a865
--- /dev/null
+++ b/rules/windows/builtin/system/win_system_service_install_paexec.yml
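Review bot: Widening `export_params` to `'-FilePath "\\\\'` removes the rule's discriminator: per Microsoft's cmdlet documentation `New-MailboxExportRequest -FilePath` only accepts a UNC path, so every legitimate administrative export now satisfies `all of export_*`, which no longer fits `falsepositives: Unlikely` at `level: critical`. The ProxyShell-specific signals were the loopback host and the `.aspx` target, so I would keep those as the alternatives, `- '-FilePath "\\\\localhost\\'`, `- '-FilePath "\\\\127.0.0.1\\'` and `- '.aspx'`, and leave the any-share case to the lower-level process_creation and ps_script rules. The condition rewrite also turned `all of role_assignment` into a bare `role_assignment`; for a keyword list that is an OR, so `New-ManagementRoleAssignment` on its own now fires at critical, which I doubt is intended — `condition: all of export_* or all of role_assignment` keeps the old meaning. If I read the condition grammar correctly, `all of export_*` quantifies over the two selections rather than over their values, so `export_command` itself is now `New-MailboxExportRequest` OR ` -Mailbox `, another loosening worth confirming against the backend you test with.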
@@ -0,0 +1,25 @@
+title: PAExec Service Installation
+id: de7ce410-b3fb-4e8a-b38c-3b999e2c3420
+status: experimental
+description: Detects PAExec service installation
+references:
+ - https://www.poweradmin.com/paexec/
+author: Nasreddine Bencherchali
+date: 2022/10/26
+tags:
+ - attack.execution
+ - attack.t1569.002
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eid:
+ Provider_Name: 'Service Control Manager'
+ EventID: 7045
+ selection_image:
+ - ServiceName|startswith: 'PAExec-'
+ - ImagePath|startswith: 'C:\WINDOWS\PAExec-'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/builtin/system/win_system_tool_psexec.yml b/rules/windows/builtin/system/win_system_service_install_psexec.yml
similarity index 89%
rename from rules/windows/builtin/system/win_system_tool_psexec.yml
rename to rules/windows/builtin/system/win_system_service_install_psexec.yml
index dae030e5f..887eabc37 100644
--- a/rules/windows/builtin/system/win_system_tool_psexec.yml
+++ b/rules/windows/builtin/system/win_system_service_install_psexec.yml
@@ -1,4 +1,4 @@
-title: PsExec Tool Execution
+title: PsExec Service Installation
 id: 42c575ea-e41e-41f1-b248-8093c3e82a28
 status: experimental
 description: Detects PsExec service installation and execution events (service and Sysmon)
@@ -7,7 +7,7 @@ references:
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
 author: Thomas Patzke
 date: 2017/06/12
-modified: 2022/03/21
+modified: 2022/10/26
 tags:
 - attack.execution
 - attack.t1569.002
@@ -24,7 +24,7 @@ detection:
 service_execution:
 EventID: 7036
 ServiceName: 'PSEXESVC'
- condition: service_installation or service_execution
+ condition: 1 of service_*
 fields:
 - EventID
 - CommandLine
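Review bot: `ImagePath|startswith: 'C:\WINDOWS\PAExec-'` hard-codes both the system drive and the Windows directory, so on a host with a non-default `%SystemRoot%` the 7045 event only matches through `ServiceName`; `ImagePath|contains: '\PAExec-'` covers the same copy-to-Windows behaviour without that assumption, and because `selection_image` is already an OR over its two entries nothing is lost. `falsepositives: - Unknown` is thin for a rule keyed on a legitimate administration tool — routine PAExec use by admins and deployment software is the obvious entry and is what the sibling renamed-PAExec rule already lists. If the referenced PAExec documentation lists an option that changes the service-name prefix, `ServiceName|startswith: 'PAExec-'` has the same gap; worth a one-line comment either way stating that the rule keys on the default naming only.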
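Review bot: The first hunk retitles the rule "PsExec Service Installation" but leaves `description: Detects PsExec service installation and execution events (service and Sysmon)`, which still refers to Sysmon although the rule's log source is the System channel only, and the `fields` list names `CommandLine`, which 7045/7036 events do not carry. I would bring the description in line with the new title, e.g. `description: Detects installation (EventID 7045) and start (EventID 7036) of the default PSEXESVC service created by PsExec`, and drop `CommandLine` from `fields`. Since PsExec's documented `-r` option lets the operator choose a different service name, a comment on `ServiceName: 'PSEXESVC'` noting that the rule only covers the default name would set expectations for analysts.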
diff --git a/rules/windows/builtin/system/win_system_sliver_service_installs.yml b/rules/windows/builtin/system/win_system_service_install_sliver.yml
similarity index 100%
rename from rules/windows/builtin/system/win_system_sliver_service_installs.yml
rename to rules/windows/builtin/system/win_system_service_install_sliver.yml
diff --git a/rules/windows/file/file_delete/file_delete_win_exchange_powershell_logs.yml b/rules/windows/file/file_delete/file_delete_win_exchange_powershell_logs.yml
new file mode 100644
index 000000000..1f9d079e1
--- /dev/null
+++ b/rules/windows/file/file_delete/file_delete_win_exchange_powershell_logs.yml
@@ -0,0 +1,22 @@
+title: Exchange PowerShell Cmdlet History Deleted
+id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe
+status: experimental
+description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
+references:
+ - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
+author: Nasreddine Bencherchali
+date: 2022/10/26
+tags:
+ - attack.defense_evasion
+ - attack.t1070
+logsource:
+ category: file_delete
+ product: windows
+detection:
+ selection:
+ FileName|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'
+ FileName|contains: '_Cmdlet_'
+ condition: selection
+falsepositives:
+ - Possible FP during log rotation
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_tool_psexec.yml b/rules/windows/file/file_event/file_event_win_tool_psexec.yml
index 10f71ef15..09dc46ef3 100644
--- a/rules/windows/file/file_event/file_event_win_tool_psexec.yml
+++ b/rules/windows/file/file_event/file_event_win_tool_psexec.yml
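Review bot: `FileName|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'` cannot fire as written: the `file_delete` category is backed by Sysmon event 23/26, whose path field is `TargetFilename` (as far as I recall every other `file_delete` rule in this repo uses that name — worth checking), and it holds the absolute path, typically under `C:\Program Files\Microsoft\Exchange Server\V15\`, so a `startswith` on a fragment beginning with `\Logging` never matches. I would write the selection as `TargetFilename|contains|all:` with the two entries `- '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'` and `- '_Cmdlet_'`. The "log rotation" false positive deserves handling rather than a mention: if the rotating process is a known Exchange binary, a `filter` on `Image` keeps the rule honest at `high`; if it is not known, the level should reflect that routine deletions will hit it.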
@@ -1,16 +1,16 @@
-title: PsExec Tool Execution
+title: PsExec Service File Creation
 id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
 related:
 - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
 type: derived
 status: test
-description: Detects PsExec service installation and execution events (service and Sysmon)
+description: Detects default PsExec service filename which indicates PsExec service installation and execution
 references:
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
 author: Thomas Patzke
 date: 2017/06/12
-modified: 2022/10/09
+modified: 2022/10/26
 tags:
 - attack.execution
 - attack.t1569.002
diff --git a/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml b/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml
index a5e2b7c44..452bdbb65 100755
--- a/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml
+++ b/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml
@@ -20,10 +20,10 @@ detection:
 selection:
 PipeName:
 - '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
- - '\userpipe' # ruag apt case
- - '\iehelper' # ruag apt case
- - '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
- - '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
+ - '\userpipe' # ruag apt case
+ - '\iehelper' # ruag apt case
+ - '\sdlrpc' # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
+ - '\comnap' # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
 # - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
 condition: selection
 falsepositives:
diff --git a/rules/windows/pipe_created/pipe_created_paexec_default_pipe.yml b/rules/windows/pipe_created/pipe_created_paexec_default_pipe.yml
new file mode 100644
index 000000000..afd3675e3
--- /dev/null
+++ b/rules/windows/pipe_created/pipe_created_paexec_default_pipe.yml
@@ -0,0 +1,22 @@
+title: PAExec Default Named Pipe
+id: f6451de4-df0a-41fa-8d72-b39f54a08db5
+status: test
+description: Detects PAExec default named pipe
+references:
+ - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md
+author: Nasreddine Bencherchali
+date: 2022/10/26
+tags:
+ - attack.execution
+ - attack.t1569.002
+logsource:
+ category: pipe_created
+ product: windows
+ definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
+detection:
+ selection:
+ PipeName|startswith: '\PAExec'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml b/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml
index cec8dc439..2fbbeba1d 100644
--- a/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml
@@ -1,4 +1,4 @@
-title: PsExec Tool Execution
+title: PsExec Default Named Pipe
 id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
 related:
 - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
diff --git a/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml
new file mode 100644
index 000000000..e7bd9b6f4
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml
@@ -0,0 +1,24 @@
+title: Suspicious PowerShell Mailbox SMTP Forward Rule
+id: 15b7abbb-8b40-4d01-9ee2-b51994b1d474
+status: experimental
+description: Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.
+references:
+ - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
+author: Nasreddine Bencherchali
+date: 2022/10/26
+tags:
+ - attack.exfiltration
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - 'Set-Mailbox '
+ - ' -DeliverToMailboxAndForward '
+ - ' -ForwardingSmtpAddress '
+ condition: selection
+falsepositives:
+ - Legitimate usage of the cmdlet to forward emails
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml b/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml
new file mode 100644
index 000000000..7825d3345
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml
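Review bot: Requiring `' -DeliverToMailboxAndForward '` together with `' -ForwardingSmtpAddress '` under `contains|all` misses the plain `Set-Mailbox -ForwardingSmtpAddress ...` (or `-ForwardingAddress ...`) form, which forwards mail just as well and is the one an attacker who does not care whether the victim keeps a copy will use, and the surrounding spaces also exclude the `-DeliverToMailboxAndForward:$true` switch syntax. I would make the forwarding parameter sufficient on its own and match the cmdlet in a separate selection, as below. The ATT&CK mapping stops at the tactic; `attack.t1114.003` (Email Forwarding Rule) is the technique this rule implements and belongs in `tags`. The file name carries a typo (`smpt` for `smtp`) that will be awkward to fix once other rules reference it. PowerShell also accepts unambiguous parameter prefixes, so a comment noting that abbreviated parameter names are not covered would set expectations.

```yaml
detection:
    selection_cmdlet:
        ScriptBlockText|contains: 'Set-Mailbox '
    selection_forward:
        ScriptBlockText|contains:
            - '-ForwardingSmtpAddress '
            - '-ForwardingAddress '
    condition: all of selection_*
```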
@@ -0,0 +1,33 @@
+title: Suspicious PowerShell Mailbox Export to Share - PS
+id: 4a241dea-235b-4a7e-8d76-50d817b146c4
+related:
+ - id: 889719ef-dd62-43df-86c3-768fb08dc7c0
+ type: derived
+status: experimental
+description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
+references:
+ - https://youtu.be/5mqid-7zp8k?t=2481
+ - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
+ - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
+ - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
+author: Nasreddine Bencherchali
+date: 2022/10/26
+tags:
+ - attack.exfiltration
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - 'New-MailboxExportRequest'
+ - ' -Mailbox '
+ - ' -FilePath \\\\'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
+fields:
+ - CommandLine
+ - ParentCommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml b/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml
index 2241ded9a..1a0a2db2e 100644
--- a/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml
+++ b/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml
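Review bot: `' -FilePath \\\\'` only matches when the UNC path follows `-FilePath ` unquoted, yet the ProxyShell chain this rule cites passes it as `-FilePath "\\\\...` — that is the exact form the Exchange-log rule in this repo keys on — so the quoted path has a `"` between the two tokens and the rule misses it; the path check should be its own selection that ORs the bare, double-quoted and single-quoted forms, as below. Separately, `-FilePath` only accepts a UNC path per Microsoft's cmdlet documentation, so the `\\\\` term is true of every legitimate export and the rule is really "any mailbox export"; `level: critical` with `falsepositives: - Unknown` should become medium with "Legitimate mailbox exports by administrators", or the rule should key on the loopback host / `.aspx` indicators. The `fields` block (`CommandLine`, `ParentCommandLine`) is copied from the process_creation sibling; ps_script events have no such fields, so list `ScriptBlockText` or drop the block.

```yaml
detection:
    selection_cmdlet:
        ScriptBlockText|contains|all:
            - 'New-MailboxExportRequest'
            - ' -Mailbox '
    selection_path:
        ScriptBlockText|contains:
            - ' -FilePath \\\\'
            - ' -FilePath "\\\\'
            - ' -FilePath ''\\\\'
    condition: all of selection_*
```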
@@ -1,23 +1,26 @@
 title: Suspicious PowerShell Mailbox Export to Share
 id: 889719ef-dd62-43df-86c3-768fb08dc7c0
 status: experimental
-description: Detects a PowerShell New-MailboxExportRequest that exports a mailbox to a local share, as used in ProxyShell exploitations
+description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
 references:
 - https://youtu.be/5mqid-7zp8k?t=2481
 - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
 - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
+ - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
 author: Florian Roth
 date: 2021/08/07
-modified: 2022/02/01
+modified: 2022/10/26
+tags:
+ - attack.exfiltration
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
 CommandLine|contains|all:
- - 'New-MailboxExport'
+ - 'New-MailboxExportRequest'
 - ' -Mailbox '
- - ' -FilePath \\\\127.0.0.1\\C$'
+ - ' -FilePath \\\\'
 condition: selection
 falsepositives:
 - Unknown
@@ -25,8 +28,3 @@ level: critical
 fields:
 - CommandLine
 - ParentCommandLine
-tags:
- - attack.persistence
- - attack.t1505.003
- - attack.resource_development
- - attack.t1584.006
\ No newline at end of file
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml b/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml
index 7da441b61..b7cb54116 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml
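Review bot: The new `' -FilePath \\\\'` still assumes the path follows `-FilePath ` unquoted, but the ProxyShell exploit this rule references (and the Exchange-log rule in the same repo) write `-FilePath "\\\\localhost\\C$\\...`, so the `"` breaks the match and the very case the rule was written for is missed; I would move the path check into its own selection ORing `' -FilePath \\\\'`, `' -FilePath "\\\\'` and `' -FilePath ''\\\\'` and AND it with the cmdlet selection. With the loopback host dropped, note that `-FilePath` only accepts a UNC path per Microsoft's cmdlet documentation, so the rule now fires on every legitimate export; `level: critical` with `falsepositives: - Unknown` should either drop to medium with administrators' exports listed, or keep `\\\\localhost\\` / `\\\\127.0.0.1\\` as the critical variant. The second hunk replaces four technique tags with the bare `attack.exfiltration` tactic; at least `attack.t1505.003` remains accurate for the ProxyShell webshell-drop usage in the description.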
@@ -1,27 +1,67 @@
 title: PsExec/PAExec Escalation to LOCAL SYSTEM
 id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
+related:
+ - id: 207b0396-3689-42d9-8399-4222658efc99
+ type: similar
 status: experimental
 description: Detects suspicious flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
 references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
 - https://www.poweradmin.com/paexec/
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
-author: Florian Roth
+author: Florian Roth, Nasreddine Bencherchali
 date: 2021/11/23
-modified: 2022/08/24
+modified: 2022/10/26
 logsource:
 category: process_creation
 product: windows
 detection:
- selection: # Escalation to LOCAL_SYSTEM
- CommandLine|endswith: ' -s cmd.exe'
+ selection_sys: # Escalation to LOCAL_SYSTEM
 CommandLine|contains:
- - 'PsExec'
- - 'PAExec'
+ # Note that you don't need to add the ".exe" part when using psexec/paexec
+ # The "-" can also be replaced with "/"
+ # The order of args isn't important
+ # "cmd" can be replaced by "powershell", "pwsh" or any other console like software
+ - ' -s cmd'
+ - ' /s cmd'
+ - ' -s -i cmd'
+ - ' /s /i cmd'
+ - ' /s -i cmd'
+ - ' -s /i cmd'
+ - ' -i -s cmd'
+ - ' /i /s cmd'
+ - ' -i /s cmd'
+ - ' /i -s cmd'
+ # Pwsh (For PowerShell 7)
+ - ' -s pwsh'
+ - ' /s pwsh'
+ - ' -s -i pwsh'
+ - ' /s /i pwsh'
+ - ' /s -i pwsh'
+ - ' -s /i pwsh'
+ - ' -i -s pwsh'
+ - ' /i /s pwsh'
+ - ' -i /s pwsh'
+ - ' /i -s pwsh'
+ # PowerShell (For PowerShell 5)
+ - ' -s powershell'
+ - ' /s powershell'
+ - ' -s -i powershell'
+ - ' /s /i powershell'
+ - ' /s -i powershell'
+ - ' -s /i powershell'
+ - ' -i -s powershell'
+ - ' /i /s powershell'
+ - ' -i /s powershell'
+ - ' /i -s powershell'
+ selection_other:
+ CommandLine|contains:
+ - 'psexec'
+ - 'paexec'
 - 'accepteula'
 - 'cmd /c '
 - 'cmd /k '
- condition: selection
+ condition: all of selection_*
 falsepositives:
 - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml b/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml
index 36bed23c8..b783a344d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml
@@ -1,12 +1,15 @@
 title: PsExec/PAExec Flags
 id: 207b0396-3689-42d9-8399-4222658efc99
+related:
+ - id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
+ type: similar
 status: experimental
 description: Detects suspicious flags used by PsExec and PAExec but no usual program name in command line
 references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
 - https://www.poweradmin.com/paexec/
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
-author: Florian Roth
+author: Florian Roth, Nasreddine Bencherchali
 date: 2021/05/22
 modified: 2022/10/06
 logsource:
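Review bot: The thirty entries in `selection_sys` only enumerate `-s`/`-i` immediately before the console name, so `psexec -s -d cmd`, `psexec -s -h cmd` or `paexec -s -accepteula cmd` — all valid per the referenced documentation, which places any option between the target and the program — match none of them, whereas the old `endswith ' -s cmd.exe'` at least caught the trailing form; where the backend supports it, `CommandLine|re: '\s[-/]s\s(?:[-/]\S+\s+)*(?:cmd|pwsh|powershell)'` expresses the comment "the order of args isn't important" literally, and otherwise two ANDed selections (`' -s '`/`' /s '` in one, `' cmd'`/`' pwsh'`/`' powershell'` in the other) are easier to audit than a hand-expanded permutation list. Separately, `selection_other` now accepts `cmd /c ` and `cmd /k ` as evidence of PsExec/PAExec, so an unrelated binary launched as `foo -s cmd /c ...` matches at `high`; that "flags without the tool name" case is the stated purpose of the sibling "PsExec/PAExec Flags" rule and seems to belong only there. This hunk begins on the previous line; the rule body is complete across the two.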
@@ -15,9 +18,43 @@ logsource:
 detection:
 selection_flags_1: # Escalation to LOCAL_SYSTEM
- CommandLine|endswith:
- - ' -s cmd.exe'
- - ' -s -i cmd.exe'
+ CommandLine|contains:
+ # Note that you don't need to add the ".exe" part when using psexec/paexec
+ # The "-" can also be replaced with "/"
+ # The order of args isn't important
+ # "cmd" can be replaced by "powershell", "pwsh" or any other console like software
+ - ' -s cmd'
+ - ' /s cmd'
+ - ' -s -i cmd'
+ - ' /s /i cmd'
+ - ' /s -i cmd'
+ - ' -s /i cmd'
+ - ' -i -s cmd'
+ - ' /i /s cmd'
+ - ' -i /s cmd'
+ - ' /i -s cmd'
+ # Pwsh (For PowerShell 7)
+ - ' -s pwsh'
+ - ' /s pwsh'
+ - ' -s -i pwsh'
+ - ' /s /i pwsh'
+ - ' /s -i pwsh'
+ - ' -s /i pwsh'
+ - ' -i -s pwsh'
+ - ' /i /s pwsh'
+ - ' -i /s pwsh'
+ - ' /i -s pwsh'
+ # PowerShell (For PowerShell 5)
+ - ' -s powershell'
+ - ' /s powershell'
+ - ' -s -i powershell'
+ - ' /s /i powershell'
+ - ' /s -i powershell'
+ - ' -s /i powershell'
+ - ' -i -s powershell'
+ - ' /i /s powershell'
+ - ' -i /s powershell'
+ - ' /i -s powershell'
 selection_flags_2: # Accepting EULA in commandline - often used in automated attacks
 CommandLine|contains|all:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml b/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml
index 5481c15ad..8f13a3765 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml
@@ -1,12 +1,12 @@
 title: Renamed PAExec
 id: c4e49831-1496-40cf-8ce1-b53f942b02f9
 status: test
-description: Detects suspicious renamed PAExec execution as often used by attackers
+description: Detects execution of renamed version of PAExec. Often used by attackers
 references:
 - https://www.poweradmin.com/paexec/
 author: Florian Roth
 date: 2021/05/22
-modified: 2022/10/09
+modified: 2022/10/26
 tags:
 - attack.defense_evasion
 - attack.t1202
@@ -14,16 +14,15 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
- Description: 'PAExec Application'
- selection2:
- OriginalFileName: 'PAExec.exe'
+ selection:
+ - Description: 'PAExec Application'
+ - OriginalFileName: 'PAExec.exe'
 filter:
- Image|endswith:
- - '\PAexec.exe'
- - '\paexec.exe'
- condition: ( selection1 or selection2 ) and not filter
+ - Image|endswith: '\paexec.exe'
+ - Image|startswith: 'C:\Windows\PAExec-'
+ condition: selection and not filter
 falsepositives:
 - Weird admins that rename their tools
 - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing
+ - When executed with the "-s" flag. PAExec will copy itself to the "C:\Windows\" directory with a different name. Usually like this "PAExec-[XXXXX]-[ComputerName]"
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_tool_psexec.yml b/rules/windows/process_creation/proc_creation_win_tool_psexec.yml
index 194a60308..10c099b34 100644
--- a/rules/windows/process_creation/proc_creation_win_tool_psexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_tool_psexec.yml
@@ -4,7 +4,7 @@ related:
 - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
 type: derived
 status: experimental
-description: Detects PsExec service installation and execution events (service and Sysmon)
+description: Detects PsExec service execution via default service image name
 author: Thomas Patzke
 date: 2017/06/12
 modified: 2022/05/27
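Review bot: The new `Image|startswith: 'C:\Windows\PAExec-'` filter exempts the self-copied binary on its name prefix alone, so an operator who already holds the admin rights that `-s` requires can drop a renamed PAExec as `C:\Windows\PAExec-anything.exe` and silence the rule; the exemption should be as tight as the false-positive text describes it, at least `Image|endswith: '.exe'` in the same filter map and, where the backend supports `|re`, the `PAExec-<number>-<host>.exe` shape (if `[XXXXX]` is the numeric PID, as I recall, `Image|re: '^C:\\Windows\\PAExec-\d+-[^\\]+\.exe$'`), with a comment saying the filter is a convenience for the `-s` self-copy and not a trust boundary. The hard-coded `C:\Windows` also misses hosts with a non-default `%SystemRoot%`, which turns the documented self-copy back into an alert there; `Image|contains: '\Windows\PAExec-'` avoids that if the stricter regex form is not available. The false-positive entry describing the copy belongs in the rule body as a comment next to the filter as well, so the two cannot drift apart.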