Query Details

Psexec1

Query

// Detect PSEXESVC file events to catch PsExec
DeviceFileEvents
| where Timestamp > ago(1d)
| where FileName == "PSEXESVC.exe"
or InitiatingProcessVersionInfoOriginalFileName == @"psexec.c" // thanks tay
| sort by Timestamp desc

Explanation

This query hunts DeviceFileEvents from the last day for two indicators of PsExec use. The first clause, FileName == "PSEXESVC.exe", matches the service binary PsExec copies to the target's ADMIN$ share and installs as a service, so it fires on the machine being remotely controlled. The second clause, InitiatingProcessVersionInfoOriginalFileName == "psexec.c", matches any file event initiated by the PsExec client itself: the OriginalFileName field in its PE version resource is "psexec.c", and that value survives renaming the executable on disk, so it fires on the operator's machine even when psexec.exe has been renamed. Results are sorted newest first. Two caveats: PsExec's -r switch lets the operator choose a different service name, so a renamed service binary is missed by the first clause; and == in KQL is case-sensitive (use =~ for a case-insensitive match). Legitimate administrators also use PsExec, so hits need to be tied to expected admin activity before being treated as lateral movement.
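To show how the two clauses behave on concrete rows, here is an added Python example that is not part of the original page or the author's query: it re-implements the query's filter and sort over a handful of constructed DeviceFileEvents-style records (not real telemetry), including a renamed PsExec client that only the OriginalFileName clause catches and a -r renamed service that neither clause catches. The column names are the real Defender ones; the device names, times and file paths are invented.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time for the constructed sample; the real query uses ago(1d) at query time.
NOW = datetime(2023, 9, 4, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows using the DeviceFileEvents columns the query touches.
SAMPLE_EVENTS = [
    # 1. Target host: default service binary dropped via ADMIN$ by the SMB server (System).
    {"Timestamp": NOW - timedelta(hours=2), "DeviceName": "ws01", "ActionType": "FileCreated",
     "FileName": "PSEXESVC.exe", "InitiatingProcessFileName": "System",
     "InitiatingProcessVersionInfoOriginalFileName": ""},
    # 2. Operator host: psexec.exe renamed to pse.exe. The PE version resource still says
    #    "psexec.c", so the second clause fires. FileName is written in lower case here on
    #    purpose to show that the case-sensitive == on FileName would not match it.
    {"Timestamp": NOW - timedelta(hours=1), "DeviceName": "admin-pc", "ActionType": "FileCreated",
     "FileName": "psexesvc.exe", "InitiatingProcessFileName": "pse.exe",
     "InitiatingProcessVersionInfoOriginalFileName": "psexec.c"},
    # 3. Target host: service renamed with -r, so the dropped file has another name. Known gap.
    {"Timestamp": NOW - timedelta(minutes=30), "DeviceName": "ws02", "ActionType": "FileCreated",
     "FileName": "svchelper.exe", "InitiatingProcessFileName": "System",
     "InitiatingProcessVersionInfoOriginalFileName": ""},
    # 4. Older than the one-day window; excluded by the Timestamp filter.
    {"Timestamp": NOW - timedelta(days=3), "DeviceName": "ws03", "ActionType": "FileCreated",
     "FileName": "PSEXESVC.exe", "InitiatingProcessFileName": "System",
     "InitiatingProcessVersionInfoOriginalFileName": ""},
    # 5. Unrelated benign event.
    {"Timestamp": NOW - timedelta(minutes=5), "DeviceName": "ws01", "ActionType": "FileCreated",
     "FileName": "report.docx", "InitiatingProcessFileName": "WINWORD.EXE",
     "InitiatingProcessVersionInfoOriginalFileName": "WinWord.exe"},
]


def psexec_clause(event):
    """Return which of the query's two predicates fires for this row, or None.

    KQL's == is case-sensitive, and so is Python's string equality, so the
    comparison semantics match the original query.
    """
    if event["FileName"] == "PSEXESVC.exe":
        return "FileName"
    if event["InitiatingProcessVersionInfoOriginalFileName"] == "psexec.c":
        return "OriginalFileName"
    return None


def hunt_psexec(events=SAMPLE_EVENTS, now=NOW, lookback=timedelta(days=1)):
    """Python equivalent of the query: Timestamp > ago(1d), either clause, sort by Timestamp desc."""
    cutoff = now - lookback
    hits = [e for e in events if e["Timestamp"] > cutoff and psexec_clause(e)]
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)


if __name__ == "__main__":
    for e in hunt_psexec():
        print(e["Timestamp"].isoformat(), e["DeviceName"], e["FileName"],
              "via", psexec_clause(e))
```

Running it yields two hits, newest first: admin-pc (caught only through the OriginalFileName clause, since its FileName is lower case) and ws01 (caught through the FileName clause). The ws02 row with the -r renamed service produces no hit, which is the gap the explanation above describes; covering it needs a different signal, such as service installation events, rather than a file-name match.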

Details


Daniel Card

Released: September 4, 2023

Tables

DeviceFileEvents

Keywords

DeviceFileEvents,Timestamp,FileName,InitiatingProcessVersionInfoOriginalFileName,sort

Operators

where, |, >, ago(), ==, or, sort by
