atomic-threat-coverage/detection_rules/win_psexesvc_start.yml
2019-02-12 04:55:11 +01:00

20 lines
568 B
YAML
Executable File

title: PsExec Service Start
description: Detects a PsExec service start
author: Florian Roth
date: 2018/03/13
tags:
- attack.execution
- attack.t1035
- attack.s0029
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
CommandLine: 'C:\Windows\PSEXESVC.exe'
condition: 1 of them
falsepositives:
- Administrative activity
level: low