LoFP / software companies that bundle paexec with their software and rename it, so that it is less embarrassing

Techniques

Sample rules

Renamed PAExec Execution

Description

Detects execution of a renamed version of PAExec, a remote-execution tool that is often used by attackers.

Detection logic

```yaml
selection:
  - Description: PAExec Application
  - OriginalFileName: PAExec.exe
  - Product|contains: PAExec
  - Hashes|contains:
      - IMPHASH=11D40A7B7876288F919AB819CC2D9802
      - IMPHASH=6444f8a34e99b8f7d9647de66aabe516
      - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f
      - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c
filter_main_known_location:
  - Image|endswith: \paexec.exe
  - Image|startswith: C:\Windows\PAExec-
condition: selection and not 1 of filter_main_*
```
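The following is an added example, not code from the LoFP page or from the Sigma project. It re-implements the selection, the known-location filter and the `selection and not 1 of filter_main_*` condition above in Python (Sigma string matching is case-insensitive, which is why the mixed-case IMPHASH values in the rule still match), runs it over a handful of constructed Sysmon-style process-creation events, and shows where the false positive named in the page title lands: a vendor that ships a renamed PAExec keeps `Description`/`Product`/`OriginalFileName` metadata, so it is caught by the selection and not excluded by either known-location filter. The event field values, the path `C:\Program Files\ExampleVendor\` and the `VENDOR_FILTER` tuning clause are all assumptions made for the example.

```python
# Added example: evaluate the 'Renamed PAExec Execution' logic over constructed events.
# Not the LoFP page's or Sigma's own code; paths, names and hashes in SAMPLE_EVENTS are constructed.

# Selection from the rule. A list of maps is OR-ed: any one clause matching is enough.
SELECTION = [
    ("Description", "equals", "PAExec Application"),
    ("OriginalFileName", "equals", "PAExec.exe"),
    ("Product", "contains", "PAExec"),
    ("Hashes", "contains", [
        "IMPHASH=11D40A7B7876288F919AB819CC2D9802",
        "IMPHASH=6444f8a34e99b8f7d9647de66aabe516",
        "IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f",
        "IMPHASH=1a6cca4d5460b1710a12dea39e4a592c",
    ]),
]

# filter_main_known_location from the rule: the binary under its own name, or the
# PAExec-<pid>-<host>.exe service copy that PAExec drops into C:\Windows on the target.
FILTER_KNOWN_LOCATION = [
    ("Image", "endswith", r"\paexec.exe"),
    ("Image", "startswith", r"C:\Windows\PAExec-"),
]


def _match(value, op, pattern):
    """Apply one Sigma string modifier; matching is case-insensitive as in Sigma."""
    v, p = str(value).lower(), pattern.lower()
    if op == "equals":
        return v == p
    if op == "contains":
        return p in v
    if op == "startswith":
        return v.startswith(p)
    if op == "endswith":
        return v.endswith(p)
    raise ValueError(f"unsupported modifier: {op}")


def _any_clause(event, clauses):
    """OR over a list of (field, modifier, pattern-or-list); an absent field never matches."""
    for field, op, pattern in clauses:
        if field not in event:
            continue
        patterns = pattern if isinstance(pattern, list) else [pattern]
        if any(_match(event[field], op, p) for p in patterns):
            return True
    return False


def is_renamed_paexec(event, extra_filters=()):
    """condition: selection and not 1 of filter_main_*; extra_filters holds local tuning clauses."""
    if not _any_clause(event, SELECTION):
        return False
    return not (_any_clause(event, FILTER_KNOWN_LOCATION) or _any_clause(event, extra_filters))


# Constructed Sysmon event ID 1 fields (not real observations).
SAMPLE_EVENTS = {
    "renamed_in_public": {
        "Image": r"C:\Users\Public\svchosts.exe",
        "OriginalFileName": "PAExec.exe",
        "Description": "PAExec Application",
    },
    "hash_only": {  # PE metadata stripped; only the import hash gives it away (case differs from the rule)
        "Image": r"C:\ProgramData\update.exe",
        "Hashes": "SHA256=<constructed-placeholder>,IMPHASH=6444F8A34E99B8F7D9647DE66AABE516",
    },
    "stock_paexec": {"Image": r"C:\Tools\paexec.exe", "OriginalFileName": "PAExec.exe"},
    "service_copy": {"Image": r"C:\Windows\PAExec-1234-WORKSTATION01.exe", "OriginalFileName": "PAExec.exe"},
    "vendor_bundled": {  # the LoFP case: a vendor bundles and renames PAExec but keeps its metadata
        "Image": r"C:\Program Files\ExampleVendor\ev_remote.exe",
        "Description": "PAExec Application",
        "Product": "PAExec",
    },
    "unrelated": {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
}

# Hypothetical local tuning for the vendor-bundled copy; scope it to the install path, not the whole drive.
VENDOR_FILTER = [("Image", "startswith", "C:\\Program Files\\ExampleVendor\\")]


def evaluate(events=SAMPLE_EVENTS, extra_filters=()):
    """Return {event name: True if the rule alerts} for each event."""
    return {name: is_renamed_paexec(ev, extra_filters) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:18} -> {'ALERT' if hit else 'no alert'}")
    print("vendor_bundled with VENDOR_FILTER ->", evaluate(extra_filters=VENDOR_FILTER)["vendor_bundled"])
```

Run as-is, the stock binary and the `C:\Windows\PAExec-…` service copy are filtered, the renamed copies (including the vendor-bundled one) alert, and only when the path-scoped `VENDOR_FILTER` is passed as a local tuning clause does the vendor copy stop alerting; keeping the tuning in a separate filter rather than widening `filter_main_known_location` preserves the rule's coverage for any other renamed copy.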