PsExec is a Microsoft Sysinternals tool for remote command execution, which also makes it a common lateral-movement tool. It lets administrators run commands on remote systems by connecting to the hidden ADMIN$ share and using the Service Control Manager to install and start a service. Because it is digitally signed and widely used by system administrators, attackers often abuse PsExec to copy and execute malicious binaries on target systems without drawing attention.
Remote Execution & Lateral Movement:
Attackers use PsExec to copy a malicious executable (e.g., malware.exe) from a compromised host to a target system over the ADMIN$ share. They then create and start a service (typically named PSEXESVC) on the target to execute the malicious binary.
Blending with Legitimate Activity:
Since PsExec is a legitimate administration tool, its usage can blend with normal operations. Attackers leverage its trusted status to avoid detection while performing actions like transferring files and spawning remote processes (e.g., Python.exe launched from PSEXESVC.exe).


⭐ Important Windows Event Logs
Event ID 4688: On the source system, logs execution of psexec.exe, including command-line arguments that reveal the target host (the command line is only recorded if the "Include command line in process creation events" audit policy is enabled).

Event ID 4624: On the target system, records the successful network logon (Logon Type 3) made when the ADMIN$ share is accessed.
Event IDs 5140 & 5145: On the target system, log network share access events indicating that files (like the malicious binary) were copied to ADMIN$.
Event IDs 7045 & 4697: On the target system, record creation of new services such as PSEXESVC.

⭐ Important Sysmon Event IDs
Process creation events: execution of psexec.exe on the source and the subsequent spawning of PSEXESVC.exe, or of other processes under it, on the target.

Correlate Logs:
Link process execution events (4688) on the source with authentication (4624) and share access events (5140/5145) on the target, followed by service creation events (7045/4697).
Analyze Command-Line Arguments:
Look for the -c flag (which copies the named program to the remote system before running it) or target host identifiers such as \\hostname, both of which indicate binary copying and remote execution.
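The correlation described in the event-log list and in the detection tips above, as an added example that is not part of the original page. The event records are constructed sample data, and their field names (host, event_id, time, command_line, share, relative_target, service_name) are assumptions standing in for whatever a SIEM normalises out of the Windows event XML; they are not Windows' own field names. The script finds each psexec.exe 4688 on a source host, reads the target and the -c flag from its command line, and checks the target host for the expected 4624 / 5140-5145 (ADMIN$) / 7045-4697 chain within a short window.

```python
"""Correlate source- and target-side Windows events into a PsExec alert.

Added example with constructed sample events; field names are assumptions,
not the names Windows uses in the event XML.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records: one PsExec run from WS01 against SRV01 using -c,
# plus an unrelated network logon on SRV02 to show that it is not flagged.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 4688, "time": "2024-01-15T10:00:01",
     "image": r"C:\Tools\psexec.exe",
     "command_line": r"psexec.exe \\SRV01 -u corp\admin -c C:\Temp\malware.exe"},
    {"host": "SRV01", "event_id": 4624, "time": "2024-01-15T10:00:02",
     "logon_type": 3, "account": r"corp\admin", "source_ip": "10.0.0.5"},
    {"host": "SRV01", "event_id": 5145, "time": "2024-01-15T10:00:03",
     "share": r"\\*\ADMIN$", "relative_target": "PSEXESVC.exe", "source_ip": "10.0.0.5"},
    {"host": "SRV01", "event_id": 5145, "time": "2024-01-15T10:00:03",
     "share": r"\\*\ADMIN$", "relative_target": "malware.exe", "source_ip": "10.0.0.5"},
    {"host": "SRV01", "event_id": 7045, "time": "2024-01-15T10:00:04",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "SRV02", "event_id": 4624, "time": "2024-01-15T10:05:00",
     "logon_type": 3, "account": r"corp\backup", "source_ip": "10.0.0.9"},
]

# The first "\\host" token on the psexec command line names the target.
TARGET_RE = re.compile(r"\\\\([\w.-]+)")


def parse_psexec_cmdline(command_line):
    """Return the target host and whether -c (copy program to target) was used."""
    match = TARGET_RE.search(command_line)
    flags = {tok.lower() for tok in command_line.split() if tok.startswith("-")}
    return {
        "target": match.group(1) if match else None,
        "copies_binary": "-c" in flags,
    }


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate_psexec(events, window_seconds=60):
    """One alert per psexec.exe 4688 whose target shows the follow-on chain
    (4624 network logon, 5140/5145 on ADMIN$, 7045/4697 service creation)
    within window_seconds of the source-side process creation."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    alerts = []
    for ev in events:
        if ev["event_id"] != 4688 or not ev.get("image", "").lower().endswith("psexec.exe"):
            continue
        parsed = parse_psexec_cmdline(ev["command_line"])
        target = parsed["target"]
        if target is None:
            continue
        t0 = _ts(ev)
        window = [x for x in by_host.get(target, [])
                  if 0 <= (_ts(x) - t0).total_seconds() <= window_seconds]

        share_hits = [x for x in window
                      if x["event_id"] in (5140, 5145)
                      and x.get("share", "").upper().endswith("ADMIN$")]
        services = [x for x in window if x["event_id"] in (7045, 4697)]
        stages = {
            "network_logon": any(x["event_id"] == 4624 and x.get("logon_type") == 3
                                 for x in window),
            "admin_share_access": bool(share_hits),
            "service_created": bool(services),
        }
        # Two of the three target-side stages is enough to alert; all three is the textbook chain.
        if sum(stages.values()) < 2:
            continue
        alerts.append({
            "source": ev["host"],
            "target": target,
            "copies_binary": parsed["copies_binary"],
            "stages": stages,
            "files_written": sorted({x["relative_target"] for x in share_hits
                                     if "relative_target" in x}),
            # PSEXESVC is the default name; record what was created rather than match on it.
            "services": sorted({x.get("service_name", "?") for x in services}),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate_psexec(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed records, it yields a single alert for WS01 -> SRV01 with all three stages present, copies_binary set, PSEXESVC.exe and malware.exe listed as files written to ADMIN$, and PSEXESVC as the created service; the SRV02 logon produces nothing because no source-side psexec.exe 4688 points at it. The service-creation stage deliberately records whatever service name appears instead of matching on PSEXESVC, so the rule still fires when the default name is not used.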