Skip to content

Hide Navigation Hide TOC

Suspicious PsExec Execution - Zeek (f1b3a22a-45e6-4004-afb5-4291f9c21166)

detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one

Cluster A Galaxy A Cluster B Galaxy B Level
Suspicious PsExec Execution - Zeek (f1b3a22a-45e6-4004-afb5-4291f9c21166) Sigma-Rules SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2