Added rule for Impacket's PsExec execution

rules/windows/builtin/win_impacket_psexec.yml

@@ -0,0 +1,26 @@
+title: Impacket PsExec Execution
+id: 32d56ea1-417f-44ff-822b-882873f5f43b
+description: Detects execution of Impacket's psexec.py.
+author: Bhabesh Raj
+date: 2020/12/14
+references:
+    - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
+tags:
+    - attack.lateral_movement
+    - attack.t1021.002
+logsource:
+    product: windows
+    service: security
+    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
+detection:
+    selection1:
+        EventID: 5145
+        ShareName: \\*\IPC$
+        RelativeTargetName|contains|or:
+            - 'RemCom_stdint'
+            - 'RemCom_stdoutt'
+            - 'RemCom_stderrt'
+    condition: selection1
+falsepositives:
+    - nothing observed so far
+level: high