when executed with the \"-s\" flag. paexec will copy itself to the \"c:\windows\\" directory with a different name. usually like this \"paexec-[xxxxx]-[computername]\"

t1202
windows
sigma

Techniques

t1202

Sample rules

Renamed PAExec Execution

source: sigma
technicques:
- t1202

Description

Detects execution of renamed version of PAExec. Often used by attackers

Detection logic

condition: selection and not filter
filter:
- Image|endswith: \paexec.exe
- Image|startswith: C:\Windows\PAExec-
selection:
- Description: PAExec Application
- OriginalFileName: PAExec.exe
- Product|contains: PAExec
- Imphash:
  - 11D40A7B7876288F919AB819CC2D9802
  - 6444f8a34e99b8f7d9647de66aabe516
  - dfd6aa3f7b2b1035b76b718f1ddc689f
  - 1a6cca4d5460b1710a12dea39e4a592c
- Hashes|contains:
  - IMPHASH=11D40A7B7876288F919AB819CC2D9802
  - IMPHASH=6444f8a34e99b8f7d9647de66aabe516
  - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f
  - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c