Psexec Accepteula Condition

level
status test

Detect ed user accept agreement execution in psexec commandline

Known false-positives

  • Administrative scripts.

Raw rule (edit)

title: Psexec Accepteula Condition
id: 730fc21b-eaff-474b-ad23-90fd265d4988
status: test
description: Detect ed user accept agreement execution in psexec commandline
author: omkar72 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
date: 2020/10/30
modified: 2021/11/27
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\psexec.exe'
    CommandLine|contains: 'accepteula'
  condition: selection
fields:
  - ComputerName
  - User
  - CommandLine
falsepositives:
  - Administrative scripts.
level: medium
tags:
  - attack.execution
  - attack.t1569
  - attack.t1021

Sponsored by

Phish Report logo
With Phish Report you can achieve streamlined phishing takedowns using your existing security team.