title: Suspicious PsExec Execution
description: detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker
uses a different psexec client other than sysinternal one
author: Samir Bousseaden
description: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
condition: selection1 and not selection2
- nothing observed so far