← Back to Explore
sigmahighHunting
PUA - CsExec Execution
Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
Detection Query
selection:
Image|endswith: \csexec.exe
selection_pe:
Description: csexec
condition: 1 of selection*
Author
Florian Roth (Nextron Systems)
Created
2022-08-22
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.resource-developmentattack.t1587.001attack.executionattack.t1569.002
Raw Content
title: PUA - CsExec Execution
id: d08a2711-ee8b-4323-bdec-b7d85e892b31
status: test
description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
references:
- https://github.com/malcomvetter/CSExec
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
author: Florian Roth (Nextron Systems)
date: 2022-08-22
modified: 2023-02-21
tags:
- attack.resource-development
- attack.t1587.001
- attack.execution
- attack.t1569.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\csexec.exe'
selection_pe:
Description: 'csexec'
condition: 1 of selection*
falsepositives:
- Unknown
level: high