Skip to content

Hide Navigation Hide TOC

PsExec Tool Execution From Suspicious Locations - PipeName (41504465-5e3a-4a5b-a5b4-2a0baadd4463)

Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack

Cluster A Galaxy A Cluster B Galaxy B Level
PsExec Tool Execution From Suspicious Locations - PipeName (41504465-5e3a-4a5b-a5b4-2a0baadd4463) Sigma-Rules Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 1
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2