From 56efceb779e12d4a6ac2950f8827b47c43459e25 Mon Sep 17 00:00:00 2001
From: SOCFortress <95670863+socfortress@users.noreply.github.com>
Date: Wed, 17 Aug 2022 21:41:08 -0500
Subject: [PATCH] Update MITRE_TECHNIQUES_FROM_SYSMON_EVENT13.xml

---
 .../MITRE_TECHNIQUES_FROM_SYSMON_EVENT13.xml          | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/Windows_Sysmon/MITRE_TECHNIQUES_FROM_SYSMON_EVENT13.xml b/Windows_Sysmon/MITRE_TECHNIQUES_FROM_SYSMON_EVENT13.xml
index 64dbbb6..afce66a 100644
--- a/Windows_Sysmon/MITRE_TECHNIQUES_FROM_SYSMON_EVENT13.xml
+++ b/Windows_Sysmon/MITRE_TECHNIQUES_FROM_SYSMON_EVENT13.xml
@@ -438,5 +438,16 @@
 </mitre>
 <options>no_full_log</options>
 <group>sysmon_event_13,</group>
+</rule>
+  <!-- Sysmon - Event 13: PsExec Detection -->
+<rule id="112141" level="13">
+<if_sid>61615</if_sid>
+<field name="win.eventdata.TargetObject">\\\\PsExec\\\\EulaAccepted$</field>
+<description>Sysmon - Event 13: RegistryEvent PsExec EulaAccepted Detected</description>
+<mitre>
+<id>T1047</id>
+</mitre>
+<options>no_full_log</options>
+<group>sysmon_event_13,</group>
 </rule>
 </group>