SigmaHQ/rules/windows/process_creation/win_susp_psexec_eula.yml

title: Psexec Accepteula Condition
id: 730fc21b-eaff-474b-ad23-90fd265d4988
description: Detect ed user accept agreement execution in psexec commandline
status: experimental
author: omkar72
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
date: 2020/10/30
tags:
    - attack.execution
    - attack.t1569
    - attack.t1021
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\psexec.exe'
        CommandLine|contains: 'accepteula'
    condition: selection
fields:
    - ComputerName
    - User
    - CommandLine
falsepositives:
    - Administrative scripts.
level: medium
ryuk changes 2020-10-30 07:45:11 +00:00			`title: Psexec Accepteula Condition`
			`id: 730fc21b-eaff-474b-ad23-90fd265d4988`
Update win_susp_psexec_eula.yml 2020-11-29 12:15:29 +00:00			`description: Detect ed user accept agreement execution in psexec commandline`
ryuk changes 2020-10-30 07:45:11 +00:00			`status: experimental`
			`author: omkar72`
			`- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html`
			`date: 2020/10/30`
			`tags:`
			`- attack.execution`
			`- attack.t1569`
updated mitre tag 2020-10-30 08:05:40 +00:00			`- attack.t1021`
ryuk changes 2020-10-30 07:45:11 +00:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
			`Image\|endswith: '\psexec.exe'`
			`CommandLine\|contains: 'accepteula'`
			`condition: selection`
			`fields:`
			`- ComputerName`
			`- User`
			`- CommandLine`
			`falsepositives:`
			`- Administrative scripts.`
updated mitre tag 2020-10-30 08:05:40 +00:00			`level: medium`