{ "id": "98763f77-2b7a-467d-b3cf-4de97328ffda", "created_at": "2026-04-06T00:18:34.211427Z", "updated_at": "2026-04-10T13:12:38.500756Z", "deleted_at": null, "sha1_hash": "ee7f161407af863c89f3e5cc6f4ce52266155d7c", "title": "Detection: Detect Renamed PSExec", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 78959, "plain_text": "Detection: Detect Renamed PSExec\r\nBy Author: Michael Haag, Splunk, Alex Oberkircher, Github Community\r\nPublished: 2026-02-25 ยท Archived: 2026-04-05 16:44:47 UTC\r\nDescription\r\nThe following analytic identifies instances where PsExec.exe has been renamed and executed on an endpoint. It\r\nleverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file\r\nnames. This activity is significant because renaming PsExec.exe is a common tactic to evade detection. If\r\nconfirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to\r\nunauthorized access, lateral movement, or further compromise of the network.\r\nSearch\r\n 1\r\n 2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=\r\n 3 WHERE (\r\n 4 Processes.process_name!=psexec.exe\r\n 5 AND\r\n 6 Processes.process_name!=psexec64.exe\r\n 7 )\r\n 8 AND Processes.original_file_name=psexec.c\r\n 9 BY Processes.action Processes.dest Processes.original_file_name\r\n10 Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid\r\n11 Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path\r\n12 Processes.process Processes.process_exec Processes.process_guid\r\n13 Processes.process_hash Processes.process_id Processes.process_integrity_level\r\n14 Processes.process_name Processes.process_path Processes.user\r\n15 Processes.user_id Processes.vendor_product\r\n16\r\n17| `drop_dm_object_name(Processes)`\r\n18\r\n19| `security_content_ctime(firstTime)`\r\n20\r\n21| `security_content_ctime(lastTime)`\r\n22\r\n23| `detect_renamed_psexec_filter`\r\n...\r\nspl\r\nhttps://research.splunk.com/endpoint/683e6196-b8e8-11eb-9a79-acde48001122/\r\nPage 1 of 4\n\nData Source\r\nName Platform Sourcetype Source\r\nCrowdStrike\r\nProcessRollup2\r\nOther 'crowdstrike:events:sensor' 'crowdstrike'\r\nSysmon EventID\r\n1\r\nWindows\r\n'XmlWinEventLog'\r\n'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'\r\nWindows Event\r\nLog Security\r\n4688\r\nWindows\r\n'XmlWinEventLog' 'XmlWinEventLog:Security'\r\nMacros Used\r\nName Value\r\nsecurity_content_ctime convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)\r\ndetect_renamed_psexec_filter search *\r\ndetect_renamed_psexec_filter is an empty macro by default. It allows the user to filter out any results (false\r\npositives) without editing the SPL.\r\nAnnotations\r\nID Technique Tactic\r\nT1569.002 Service Execution Execution\r\nDefault Configuration\r\nThis detection is configured by default in Splunk Enterprise Security to run with the following settings:\r\nSetting Value\r\nDisabled true\r\nCron Schedule 0 * * * *\r\nhttps://research.splunk.com/endpoint/683e6196-b8e8-11eb-9a79-acde48001122/\r\nPage 2 of 4\n\nSetting Value\r\nEarliest Time -70m@m\r\nLatest Time -10m@m\r\nSchedule Window auto\r\nCreates Risk Event False\r\nThis configuration file applies to all detections of type hunting.\r\nImplementation\r\nThe detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents\r\nare designed to provide security-related telemetry from the endpoints where the agent is installed. To implement\r\nthis search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally,\r\nyou must ingest complete command-line executions. These logs must be processed using the appropriate Splunk\r\nTechnology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node\r\nof the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names\r\nand speed up the data modeling process.\r\nKnown False Positives\r\nLimited false positives should be present. It is possible some third party applications may use older versions of\r\nPsExec, filter as needed.\r\nAssociated Analytic Story\r\nActive Directory Lateral Movement\r\nBlackByte Ransomware\r\nCISA AA22-320A\r\nCactus Ransomware\r\nChina-Nexus Threat Activity\r\nDHS Report TA18-074A\r\nDarkGate Malware\r\nDarkSide Ransomware\r\nHAFNIUM Group\r\nMedusa Ransomware\r\nhttps://research.splunk.com/endpoint/683e6196-b8e8-11eb-9a79-acde48001122/\r\nPage 3 of 4\n\nRhysida Ransomware\r\nSalt Typhoon\r\nSamSam Ransomware\r\nSandworm Tools\r\nVanHelsing Ransomware\r\nReferences\r\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.yaml\r\nhttps://redcanary.com/blog/threat-hunting-psexec-lateral-movement/\r\nDetection Testing\r\nTest Type Status Dataset Source Sourcetype\r\nValidation โœ…\r\nPassing\r\nN/A N/A N/A\r\nUnit โœ…\r\nPassing\r\nDataset\r\nXmlWinEventLog:Microsoft-Windows-Sysmon/Operational\r\nXmlWinEventLog\r\nIntegration โœ…\r\nPassing\r\nDataset\r\nXmlWinEventLog:Microsoft-Windows-Sysmon/Operational\r\nXmlWinEventLog\r\nReplay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a\r\ndataset into a Splunk Attack Range\r\nSource: GitHub | Version: 16\r\nSource: https://research.splunk.com/endpoint/683e6196-b8e8-11eb-9a79-acde48001122/\r\nhttps://research.splunk.com/endpoint/683e6196-b8e8-11eb-9a79-acde48001122/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "origins": [ "web" ], "references": [ "https://research.splunk.com/endpoint/683e6196-b8e8-11eb-9a79-acde48001122/" ], "report_names": [ "683e6196-b8e8-11eb-9a79-acde48001122" ], "threat_actors": [ { "id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2", "created_at": "2022-10-25T16:07:24.471018Z", "updated_at": "2026-04-10T02:00:05.002374Z", "deleted_at": null, "main_name": "Cron", "aliases": [], "source_name": "ETDA:Cron", "tools": [ "Catelites", "Catelites Bot", "CronBot", "TinyZBot" ], "source_id": "ETDA", "reports": null }, { "id": "7c969685-459b-4c93-a788-74108eab6f47", "created_at": "2023-01-06T13:46:39.189751Z", "updated_at": "2026-04-10T02:00:03.241102Z", "deleted_at": null, "main_name": "HAFNIUM", "aliases": [ "Red Dev 13", "Silk Typhoon", "MURKY PANDA", "ATK233", "G0125", "Operation Exchange Marauder" ], "source_name": "MISPGALAXY:HAFNIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f0eca237-f191-448f-87d1-5d6b3651cbff", "created_at": "2024-02-06T02:00:04.140087Z", "updated_at": "2026-04-10T02:00:03.577326Z", "deleted_at": null, "main_name": "GhostEmperor", "aliases": [ "OPERATOR PANDA", "FamousSparrow", "UNC2286", "Salt Typhoon", "RedMike" ], "source_name": "MISPGALAXY:GhostEmperor", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2704d770-43b4-4bc4-8a5a-05df87416848", "created_at": "2022-10-25T15:50:23.306305Z", "updated_at": "2026-04-10T02:00:05.296581Z", "deleted_at": null, "main_name": "HAFNIUM", "aliases": [ "HAFNIUM", "Operation Exchange Marauder", "Silk Typhoon" ], "source_name": "MITRE:HAFNIUM", "tools": [ "Tarrask", "ASPXSpy", "Impacket", "PsExec", "China Chopper" ], "source_id": "MITRE", "reports": null }, { "id": "4e453d66-9ecd-47d9-b63a-32fa5450f071", "created_at": "2024-06-19T02:03:08.077075Z", "updated_at": "2026-04-10T02:00:03.830523Z", "deleted_at": null, "main_name": "GOLD LOTUS", "aliases": [ "BlackByte", "Hecamede " ], "source_name": "Secureworks:GOLD LOTUS", "tools": [ "BlackByte", "Cobalt Strike", "ExByte", "Mega", "RDP", "SoftPerfect Network Scanner" ], "source_id": "Secureworks", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff", "created_at": "2024-12-28T02:01:54.899899Z", "updated_at": "2026-04-10T02:00:04.880446Z", "deleted_at": null, "main_name": "Salt Typhoon", "aliases": [ "Earth Estries", "FamousSparrow", "GhostEmperor", "Operator Panda", "RedMike", "Salt Typhoon", "UNC2286" ], "source_name": "ETDA:Salt Typhoon", "tools": [ "Agentemis", "Backdr-NQ", "Cobalt Strike", "CobaltStrike", "Crowdoor", "Cryptmerlin", "Deed RAT", "Demodex", "FamousSparrow", "FuxosDoor", "GHOSTSPIDER", "HemiGate", "MASOL RAT", "Mimikatz", "NBTscan", "NinjaCopy", "ProcDump", "PsExec", "PsList", "SnappyBee", "SparrowDoor", "TrillClient", "WinRAR", "Zingdoor", "certutil", "certutil.exe", "cobeacon", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "7bd810cb-d674-4763-86eb-2cc182d24ea0", "created_at": "2022-10-25T16:07:24.1537Z", "updated_at": "2026-04-10T02:00:04.883793Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "APT 44", "ATK 14", "BE2", "Blue Echidna", "CTG-7263", "FROZENBARENTS", "G0034", "Grey Tornado", "IRIDIUM", "Iron Viking", "Quedagh", "Razing Ursa", "Sandworm", "Sandworm Team", "Seashell Blizzard", "TEMP.Noble", "UAC-0082", "UAC-0113", "UAC-0125", "UAC-0133", "Voodoo Bear" ], "source_name": "ETDA:Sandworm Team", "tools": [ "AWFULSHRED", "ArguePatch", "BIASBOAT", "Black Energy", "BlackEnergy", "CaddyWiper", "Colibri Loader", "Cyclops Blink", "CyclopsBlink", "DCRat", "DarkCrystal RAT", "Fobushell", "GOSSIPFLOW", "Gcat", "IcyWell", "Industroyer2", "JaguarBlade", "JuicyPotato", "Kapeka", "KillDisk.NCX", "LOADGRIP", "LOLBAS", "LOLBins", "Living off the Land", "ORCSHRED", "P.A.S.", "PassKillDisk", "Pitvotnacci", "PsList", "QUEUESEED", "RansomBoggs", "RottenPotato", "SOLOSHRED", "SwiftSlicer", "VPNFilter", "Warzone", "Warzone RAT", "Weevly" ], "source_id": "ETDA", "reports": null }, { "id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff", "created_at": "2025-04-23T02:00:55.190165Z", "updated_at": "2026-04-10T02:00:05.361244Z", "deleted_at": null, "main_name": "Salt Typhoon", "aliases": [ "Salt Typhoon" ], "source_name": "MITRE:Salt Typhoon", "tools": [ "JumbledPath" ], "source_id": "MITRE", "reports": null }, { "id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751", "created_at": "2025-04-23T02:00:55.174827Z", "updated_at": "2026-04-10T02:00:05.353712Z", "deleted_at": null, "main_name": "BlackByte", "aliases": [ "BlackByte", "Hecamede" ], "source_name": "MITRE:BlackByte", "tools": [ "AdFind", "BlackByte Ransomware", "Exbyte", "Arp", "BlackByte 2.0 Ransomware", "PsExec", "Cobalt Strike", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "6477a057-a76b-4b60-9135-b21ee075ca40", "created_at": "2025-11-01T02:04:53.060656Z", "updated_at": "2026-04-10T02:00:03.845594Z", "deleted_at": null, "main_name": "BRONZE TIGER", "aliases": [ "Earth Estries ", "Famous Sparrow ", "Ghost Emperor ", "RedMike ", "Salt Typhoon " ], "source_name": "Secureworks:BRONZE TIGER", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "529c1ae9-4579-4245-86a6-20f4563a695d", "created_at": "2022-10-25T16:07:23.702006Z", "updated_at": "2026-04-10T02:00:04.71708Z", "deleted_at": null, "main_name": "Hafnium", "aliases": [ "G0125", "Murky Panda", "Red Dev 13", "Silk Typhoon" ], "source_name": "ETDA:Hafnium", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434714, "ts_updated_at": 1775826758, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ee7f161407af863c89f3e5cc6f4ce52266155d7c.pdf", "text": "https://archive.orkl.eu/ee7f161407af863c89f3e5cc6f4ce52266155d7c.txt", "img": "https://archive.orkl.eu/ee7f161407af863c89f3e5cc6f4ce52266155d7c.jpg" } }