PsExec is another powerful tool created by Windows Sysinternal. It was created to allow Administrators to remotely connect to and manage Windows systems. Because of the power of PsExec, many different malware actors have used it in various forms of malware as well as a part of pass-the-hash attacks. PsExec has been used in Mitre ATT&CK techniques T1569.002 (System Services: Service Execution), T1021.002 (Remote Services: SMB/Windows Admin Shares), and T1570 (Lateral Tool Transfer).
PsExec allows members of a computer’s Local Administrator group to connect to and have an interactive command line interface with remote computers. It is a major vector of lateral movement in an environment, and because of that, is a very important tool to be able to detect. In this blog I will go through the basics of how PsExec works, the three current primary ways it is used, and how to detect its usage with Sysmon.
PsExec is a rather simple tool, but one that has a lot of power. The tool copies a service executable to the hidden Admin$ share, and then uses the Windows Service Control Manager API to start the service. The service uses named pipes, which connect back to the psexec tool. The tool can be run on the local machine or remote machines, and it can allow a user to act as the NT Authority\System account.
The log examples shown below are with the default Modular Sysmon configuration file, and I tested the detections by using the various methods of PsExec to run the command “cmd /c time /T”. Each example will have screenshots of the usage of the tool and select fields from the logs generated by Sysmon.
Sysinternal’s PsExec starts by setting registries on the remote machine to run %SystemRoot%\PSEXESVC.exe when the service PSEXESVC starts. It writes the file to disk and starts the process in a new thread. PSEXESVC then creates a new process to run the commands it was sent from PsExec, cleaning up after itself by closing all the processes and deleting the registry key it created once finished.