LoFP / t1202

Title | Tags
automation and orchestration scripts may use this method to execute scripts etc. | t1202, t1218, windows, sigma
in development environments where vscode is used heavily, false positives may occur when developers use tasks to compile or execute different types of code. remove or add processes accordingly. | t1202, t1218, windows, sigma
legitimate usage for administration purposes | t1003, t1003.005, t1202, windows, sigma
legitimate usage of ".diagcab" files | t1202, windows, sigma
legitimate usage of the "troubleshootingpack" cmdlet for troubleshooting purposes | t1202, windows, sigma
legitimate usage of setres | t1202, t1218, windows, sigma
legitimate use by windows to kill processes opened via wsl (example: vscode wsl server) | t1202, t1218, windows, sigma
possible but rare | t1202, windows, sigma
software companies that bundle paexec with their software and rename it, so that it is less embarrassing | t1202, windows, sigma
some legacy applications may be run using pcalua.exe. filter these results as needed. | t1202, endpoint, splunk
some legacy applications may be run using pcalua.exe. similarly, forfiles.exe may be used in legitimate batch scripts. filter these results as needed. | t1202, endpoint, splunk
this search encompasses many commands. | t1202, t1548, splunk server, splunk
very likely, including launching cmd.exe via "run as administrator" | t1202, windows, sigma
weird admins that rename their tools | t1202, t1587, t1587.001, windows, sigma
when executed with the "-s" flag, paexec will copy itself to the "c:\windows\" directory with a different name, usually of the form "paexec-[xxxxx]-[computername]" | t1202, windows, sigma