title: PsExec Service Start
author: Florian Roth
date: 2018/03/13
description: Detects a PsExec service start
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine: C:\Windows\PSEXESVC.exe
  condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Administrative activity
id: 3ede524d-21cc-472d-a3ce-d21b568d8db7
level: low
logsource:
  category: process_creation
  product: windows
modified: 2012/12/11
status: experimental
tags:
- attack.execution
- attack.t1035
- attack.s0029
- attack.t1569.002
ruletype: SIGMA