Techniques
Sample rules
PsExec Service Execution
- source: sigma
- techniques:
Description
Detects launch of the PSEXESVC service, which means that this system was the target of a PsExec remote execution
Detection logic
condition: selection
selection:
    - Image: C:\Windows\PSEXESVC.exe
    - OriginalFileName: psexesvc.exe
Renamed PsExec Service Execution
- source: sigma
- techniques:
Description
Detects suspicious launch of a renamed version of the PSEXESVC service, which is not often used by legitimate administrators
Detection logic
condition: selection and not filter
filter:
    Image: C:\Windows\PSEXESVC.exe
selection:
    OriginalFileName: psexesvc.exe
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
- source: sigma
- techniques:
- t1003
- t1003.005
Description
Detects usage of cmdkey to look for cached credentials on the system
Detection logic
condition: all of selection*
selection_cli:
    CommandLine|contains|windash: ' -l'
selection_img:
    - Image|endswith: \cmdkey.exe
    - OriginalFileName: cmdkey.exe
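The three detection blocks above differ in how their conditions combine (a list selection is an OR, `selection and not filter` excludes the stock path, `all of selection*` ANDs every selection block) and the cmdkey rule relies on the `windash` modifier. The following is an added example, not part of the Sigma rules or this page, that evaluates the three rules over constructed Sysmon-style process-creation events; the helper names and sample events are assumptions, and `windash` is simplified to the `-`/`/` pair only.

```python
import re

# Sigma string matching is case-insensitive, so normalise each field once.
def field(ev: dict, name: str) -> str:
    return str(ev.get(name, "")).lower()

# windash modifier: a '-' in the pattern also matches '/' in the event
# (simplified constructed helper; real Sigma also covers Unicode dashes).
def windash_contains(value: str, pattern: str) -> bool:
    regex = "[-/]".join(re.escape(p) for p in pattern.lower().split("-"))
    return re.search(regex, value) is not None

def psexec_service_execution(ev: dict) -> bool:
    # 'selection' is a YAML list, so either entry matching is enough (OR)
    return (field(ev, "Image") == r"c:\windows\psexesvc.exe"
            or field(ev, "OriginalFileName") == "psexesvc.exe")

def renamed_psexec_service_execution(ev: dict) -> bool:
    # 'selection and not filter': the PE says it is PSEXESVC but it is not
    # running from the stock path the filter allows
    selection = field(ev, "OriginalFileName") == "psexesvc.exe"
    filter_ = field(ev, "Image") == r"c:\windows\psexesvc.exe"
    return selection and not filter_

def cmdkey_cached_credentials_recon(ev: dict) -> bool:
    # 'all of selection*': every selection_* block must match (AND)
    selection_cli = windash_contains(field(ev, "CommandLine"), " -l")
    selection_img = (field(ev, "Image").endswith(r"\cmdkey.exe")
                     or field(ev, "OriginalFileName") == "cmdkey.exe")
    return selection_cli and selection_img

RULES = {
    "PsExec Service Execution": psexec_service_execution,
    "Renamed PsExec Service Execution": renamed_psexec_service_execution,
    "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE":
        cmdkey_cached_credentials_recon,
}

def matching_rules(ev: dict) -> list:
    return [name for name, rule in RULES.items() if rule(ev)]

# Constructed sample events (not real telemetry).
EVENTS = {
    "stock_psexesvc": {"Image": r"C:\Windows\PSEXESVC.exe", "OriginalFileName": "psexesvc.exe"},
    "renamed_psexesvc": {"Image": r"C:\Windows\Temp\updater.exe", "OriginalFileName": "psexesvc.exe"},
    "cmdkey_list": {"Image": r"C:\Windows\System32\cmdkey.exe", "OriginalFileName": "cmdkey.exe",
                    "CommandLine": "cmdkey /list"},
    "cmdkey_add": {"Image": r"C:\Windows\System32\cmdkey.exe", "OriginalFileName": "cmdkey.exe",
                   "CommandLine": "cmdkey /add:fileserver /user:svc /pass:x"},
}
```

Note that a renamed PSEXESVC fires both PsExec rules, since the first one keys on `OriginalFileName` as well as the path; only the stock path is excluded by the second rule's filter.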