From 74ca0eeb881440de2356bd1ccb6044c4ca4b0440 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 21 May 2019 09:49:34 +0200
Subject: [PATCH] Rule: Renamed PsExec

---
 .../windows/sysmon/sysmon_renamed_psexec.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_renamed_psexec.yml

diff --git a/rules/windows/sysmon/sysmon_renamed_psexec.yml b/rules/windows/sysmon/sysmon_renamed_psexec.yml
new file mode 100644
index 00000000000..5e0e44a447a
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_renamed_psexec.yml
@@ -0,0 +1,21 @@
+title: Renamed PsExec
+status: experimental
+description: Detects the execution of a renamed PsExec often used by attackers or malware
+references:
+    - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
+author: Florian Roth
+date: 2019/05/21
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        Description: 'Execute processes remotely'
+        Product: 'Sysinternals PsExec'
+    filter:
+        Image: '*\PsExec.exe'
+    condition: selection and not filter
+falsepositives:
+    - Software that illegaly integrates PsExec in a renamed form
+    - Administrators that have renamed PsExec and no one knows why
+level: high
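Review bot: The filter only exempts `*\PsExec.exe`, so the 64-bit build that Sysinternals ships alongside it will be flagged as "renamed" on every legitimate run — as far as I can tell PsExec64.exe carries the same `Execute processes remotely` / `Sysinternals PsExec` version strings the selection keys on, which would make this high-level rule fire on ordinary admin use. Widen the filter to a list: `Image:` / `    - '*\PsExec.exe'` / `    - '*\PsExec64.exe'`. The selection also has no `EventID: 1`; `Description` and `Product` are populated on other Sysmon event types too, so pinning the rule to process creation would avoid stray matches and make the intended log type explicit. Since the match relies entirely on VERSIONINFO resource strings, a sentence in `description` noting that an attacker who strips or edits the version resource evades this rule would set the right expectations for analysts.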