Techniques
Sample rules
PsExec Tool Execution From Suspicious Locations - PipeName
- source: sigma
- techniques:
  - t1569
  - t1569.002
Description
Detects creation of the default PsExec pipe when the executing image is located in a suspicious location, which could indicate that the tool is being used in an attack.
Detection logic
condition: selection
selection:
  Image|contains:
    - :\Users\Public\
    - :\Windows\Temp\
    - \AppData\Local\Temp\
    - \Desktop\
    - \Downloads\
  PipeName: \PSEXESVC
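
An added example, not part of the rule or of the Sigma project's code: a Python evaluation of the selection above over constructed pipe-creation events. It shows that the two fields are ANDed, the Image|contains values are ORed, matching is case-insensitive, and PipeName without a modifier is an exact match. The function names and all event values are assumptions made for illustration.

```python
# Added example: evaluates the rule's selection against constructed
# pipe-creation events. Not the Sigma project's own matching code.

SUSPICIOUS_PATHS = [
    ":\\Users\\Public\\",
    ":\\Windows\\Temp\\",
    "\\AppData\\Local\\Temp\\",
    "\\Desktop\\",
    "\\Downloads\\",
]
PIPE_NAME = "\\PSEXESVC"


def matches_rule(event):
    """Return True when the event satisfies the rule's selection.

    Fields inside one selection are ANDed; the values listed under
    Image|contains are ORed. Sigma compares strings case-insensitively,
    and a field with no modifier (PipeName) must match exactly.
    """
    image = str(event.get("Image", "")).lower()
    pipe = str(event.get("PipeName", "")).lower()
    if pipe != PIPE_NAME.lower():
        return False
    return any(p.lower() in image for p in SUSPICIOUS_PATHS)


# Constructed sample events: field names follow the rule, values are invented.
SAMPLE_EVENTS = [
    # Suspicious path and default pipe: fires.
    {"Image": "C:\\Users\\alice\\Downloads\\PsExec64.exe", "PipeName": "\\PSEXESVC"},
    # Default pipe, but image outside the listed locations: no alert.
    {"Image": "C:\\Windows\\PSEXESVC.exe", "PipeName": "\\PSEXESVC"},
    # Different casing in both fields: still fires.
    {"Image": "c:\\users\\public\\tool.exe", "PipeName": "\\psexesvc"},
    # Per-session pipe with a suffix: exact match on PipeName does not cover it.
    {"Image": "C:\\Windows\\Temp\\svc.exe", "PipeName": "\\PSEXESVC-HOST1-1234-stdin"},
    # Suspicious path, unrelated pipe: no alert.
    {"Image": "C:\\Users\\bob\\Desktop\\notes.exe", "PipeName": "\\mojo.1234"},
]


def triage(events):
    """Return the Image paths of the events that fire the rule."""
    return [e["Image"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for image in triage(SAMPLE_EVENTS):
        print("ALERT", image)
```
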